From 302acbe9bb8fc599bb537a15017b3a3eaac6ac76 Mon Sep 17 00:00:00 2001
From: Micheal Wilkinson <micheal.wilkinson@createfuture.com>
Date: Sat, 21 Mar 2026 13:22:34 +0000
Subject: [PATCH] docs: document ci marketplace actions and formatting check

---
 CHANGELOG.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7f6330c..c141213 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,8 +15,10 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 
 ### Changed
 
+- CI security scanning now uses GitHub Marketplace actions (`secureCodeBox/gosec-action` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
+- Code formatting validation added to CI pipelines: pushes and pull requests with code not matching `go fmt ./...` output will be rejected.
 - Dependencies updated to resolve security vulnerabilities: `cloudflare/circl` to v1.6.3, `go-git/v5` to v5.17.0, `golang.org/x/crypto` to v0.49.0, and `golang.org/x/net` to v0.52.0.
-- CI workflows now include explicit caching for Go modules, build artifacts, and security tool binaries to reduce pipeline execution time.
+- CI workflows now include explicit caching for Go modules and build artifacts to reduce pipeline execution time.
 - Security hardening: file and directory creation now uses restrictive permissions (`0o750` for directories, `0o600` for files) instead of world-accessible defaults. Executable wrapper scripts are created with restricted permissions and then explicitly made executable via `chmod`.
 - Security: `Open()` now executes the editor directly without shell intermediary to prevent injection through the `$EDITOR` environment variable.