Comparing changes
base repository: skeema/knownhosts
base: v1.2.2
head repository: skeema/knownhosts
compare: v1.3.0
- 8 commits
- 9 files changed
- 2 contributors
Commits on Jul 3, 2024
Commit 7acc57b
ci: send coverage to Coveralls; upgrade action versions
This commit adjusts the following parts of the GitHub Actions configuration for this repo:
* Report test coverage to Coveralls via github.com/mattn/goveralls
* Bump versions of actions/setup-go and actions/checkout to prevent "Node.js 16 actions are deprecated" warnings
* Simplify installation command for golint
* Include coverage badge in README
Commit 5832aa8
Commits on Jul 4, 2024
Commit d314bf3
Commits on Jul 7, 2024
certs: reimplement previous commit to maintain backwards compat
The previous commit d314bf3 added support for @cert-authority lines, but technically broke backwards compatibility due to changing the return type of one exported method. This commit adjusts that previous commit's new logic to restore backwards compatibility, and makes additional changes as follows:
* Introduce new exported type HostKeyDB, which handles @cert-authority lines correctly and is returned by NewDB; old exported type HostKeyCallback (which is returned by New) omits that handling. Git-specific use-cases can likely remain with using New, since Git forges typically don't support CAs. Non-Git use-cases, such as general-purpose SSH clients, should consider switching to NewDB to get the CA logic.
* When NewDB re-reads the known_hosts files to implement the CA support, it only re-reads each file a single time (vs potentially multiple times at callback execution time in d314bf3), and it reads using buffered IO similar to x/crypto/ssh/knownhosts.
* This package's PublicKey struct now exports its Cert boolean field, vs keeping it private in d314bf3.
* Refactor the RSA-to-algo expansion logic to simplify its handling in the CA situation.
* Add test coverage for all new behaviors and @cert-authority logic.
Commit 69b4a62
Commits on Jul 9, 2024
Minor adjustments based on initial PR feedback
* Add new exported method HostKeyCallback.ToDB, to provide a mechanism for callers who want to conditionally enable or disable CA support, while still using a *HostKeyDB for both cases.
* Clarify many doc string comments.
* Add new exported function WriteKnownHostCA for writing a @cert-authority line to a known_hosts file. Previously this logic was in a test helper, but it could be useful to others, so let's export it outside of the tests.
Commit 53a26cc
Commits on Jul 12, 2024
Merge pull request #9 from skeema/certs-backwards-compat
Backwards-compatible support for @cert-authority, implemented in a new HostKeyDB type, created with constructor NewDB.
Commit 7c797a4
Commits on Jul 16, 2024
host matching: handle wildcards with non-standard port (#10)
In OpenSSH, wildcard host pattern entries in a known_hosts file can match hosts regardless of their port number. However, x/crypto/ssh/knownhosts does not follow this behavior, instead requiring strict port equality; see bug golang/go#52056 for background.
This commit implements a workaround in skeema/knownhosts, which is enabled when using the NewDB constructor. Conceptually, the workaround works like this:
* At constructor time, when re-reading the known_hosts file (originally to look for @cert-authority lines), also look for lines that have wildcards in the host pattern and no port number specified. Track these lines in a new field of the HostKeyDB struct for later use.
* When a host key callback returns no matches (KeyError with empty Want slice) and the host had a nonstandard (non-22) port number, try the callback again, this time manipulating the host arg to be on port 22.
* If this second call returned nil error, that means the host key now matched a known_hosts entry on port 22, so consider the host as known.
* If this second call returned a KeyError with non-empty Want slice, filter down the resulting keys to only correspond to lines with known wildcards, using the preprocessed information from the first step. This ensures we aren't incorrectly returning non-wildcard entries among the Want slice.
The implementation for the latter 3 bullets gets embedded directly in the host key callback returned by HostKeyDB.HostKeyCallback, by way of some nested callback wrapping. This only happens if the first bullet actually found at least one wildcard in the file.
Commit 8b8ca37
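A simplified, self-contained model of the port-22 fallback described in the commit message above, added here as an illustration; it is not code from skeema/knownhosts or x/crypto/ssh/knownhosts. The `entry` type, `strict`, `check`, `sampleDB` and the key labels are hypothetical, and `path.Match` stands in for known_hosts pattern matching.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// entry is a constructed stand-in for a known_hosts line (port 22 = none given).
type entry struct {
	pattern, key string
	port         int
}

var sampleDB = []entry{ // constructed sample data; keys are labels, not real keys
	{"*.example.com", "keyA", 22},
	{"db.example.com", "keyB", 22},
	{"git.example.com", "keyC", 2222},
}

// strict models port-strict matching: known?, else the entries on file ("Want").
func strict(db []entry, host string, port int, key string) (known bool, want []entry) {
	for _, e := range db {
		if ok, _ := path.Match(e.pattern, host); ok && e.port == port {
			if e.key == key {
				return true, nil
			}
			want = append(want, e)
		}
	}
	return false, want
}

// check adds the fallback: retry on port 22, keep only wildcard-pattern Want entries.
func check(db []entry, host string, port int, key string) (bool, []entry) {
	ok, want := strict(db, host, port, key)
	if ok || len(want) > 0 || port == 22 {
		return ok, want // known, key mismatch on this exact port, or already port 22
	}
	ok, retry := strict(db, host, 22, key)
	for _, e := range retry {
		if strings.ContainsAny(e.pattern, "*?") {
			want = append(want, e)
		}
	}
	return ok, want
}

func main() { fmt.Println(check(sampleDB, "db.example.com", 2222, "keyX")) }
```

In this model an entry that names the port explicitly (`git.example.com` on 2222) still produces a key mismatch on its own, so the fallback only runs when the strict lookup finds nothing at all.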
Commit 9485bde
You can try running this command locally to see the comparison on your machine:
git diff v1.2.2...v1.3.0