audit: comprehensive hygiene, bug fixes, and new features

.github/workflows/binary-release.yml

@@ -37,7 +37,11 @@ jobs:
         run: |
           go mod download
           go test -v ./...
-
+
+      - name: Security scan (gosec)
+        run: |
+          docker run --rm -v ${{ github.workspace }}:/src -w /src securego/gosec:v2.22.4 gosec ./...
+
       - name: Build for multiple platforms
         run: |
           mkdir -p dist

.github/workflows/docker-image.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0  # Fetch all history for proper versioning
 
@@ -49,40 +49,41 @@ jobs:
           echo "TIMESTAMP=$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> $GITHUB_ENV
 
       - name: Set up Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@v5
         with:
           go-version: '1.24'
 
       - name: Static analysis (gofmt, go vet)
         run: |
-          docker run --rm -v ${{ github.workspace }}:/src -w /src golang:1.24 sh -c "gofmt -l . || true; go vet ./... || true"
+          docker run --rm -v ${{ github.workspace }}:/src -w /src golang:1.24 sh -c \
+            'GOFMT_OUT=$(gofmt -l .); [ -z "$GOFMT_OUT" ] || (echo "$GOFMT_OUT"; exit 1); go vet ./...'
 
       - name: Security scan (gosec)
         run: |
-          docker run --rm -v ${{ github.workspace }}:/src -w /src securego/gosec:latest gosec ./...
+          docker run --rm -v ${{ github.workspace }}:/src -w /src securego/gosec:v2.22.4 gosec ./...
 
       - name: Run unit tests (inside Docker)
         run: |
           docker run --rm -v ${{ github.workspace }}:/src -w /src golang:1.24 go test -v -race ./...
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@v3
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@v3
 
       - name: Log in to the Container registry
         # Only login when we'll be pushing (main branch or tags, never on PR)
         if: (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')) && github.event_name != 'pull_request'
-        uses: docker/login-action@v4
+        uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@v5
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
@@ -95,7 +96,7 @@ jobs:
             type=sha,prefix=,suffix=,format=short
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v7
+        uses: docker/build-push-action@v6
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/arm/v7