A presubmit similar to k8s verify-vendor.sh would ensure that all merged PRs leave the vendor directory in a healthy state.
All that is needed is something like:
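```bash
# Regenerate the vendor tree into a scratch directory (-o leaves ./vendor untouched)
export TMP="$(mktemp -d)"
go mod vendor -o "$TMP"
export RESULT=0
# Any difference between the committed and regenerated trees marks the check as failed
if ! _out="$(diff -Naupr vendor "$TMP")"; then RESULT=1; fi
```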
I'd be happy to open a PR to add this as a presubmit, but I'm not certain where it belongs.
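A fuller sketch of the check proposed above, added here as an example and not taken from the original post or from any project's scripts. The function names `vendor_drift` and `verify_vendor` and the `--check` argument are hypothetical. It separates "trees differ" (exit 1) from "the check itself failed" (exit 2), so a broken toolchain is not reported as vendor drift.

```bash
#!/usr/bin/env bash
# Added example: vendor-drift presubmit. Function names are hypothetical.

# vendor_drift COMMITTED REGENERATED
# Returns 0 if the trees match, 1 if they differ (diff is printed),
# 2 if the comparison could not be performed.
vendor_drift() {
    local committed="$1" regenerated="$2" out rc=0
    if [ ! -d "$committed" ] || [ ! -d "$regenerated" ]; then
        echo "vendor_drift: missing directory" >&2
        return 2
    fi
    # diff exits 0 (same), 1 (different) or 2 (trouble); keep that code.
    out="$(diff -Naur "$committed" "$regenerated")" || rc=$?
    if [ "$rc" -eq 1 ]; then
        printf '%s\n' "$out"
        echo "vendor/ is out of date; run 'go mod vendor' and commit the result" >&2
    fi
    return "$rc"
}

# verify_vendor: regenerate the vendor tree from go.mod/go.sum into a
# scratch directory and compare it with the committed ./vendor.
# Assumes it is run from the module root with a Go toolchain that
# supports 'go mod vendor -o'.
verify_vendor() {
    local tmp rc=0
    tmp="$(mktemp -d)" || return 2
    if ! go mod vendor -o "$tmp"; then
        rm -rf "$tmp"
        return 2
    fi
    vendor_drift vendor "$tmp" || rc=$?
    rm -rf "$tmp"   # always clean up the scratch tree
    return "$rc"
}

# Run the check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    verify_vendor
    exit $?
fi
```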