chore(ci): replace manual security tools with marketplace actions and add go fmt check

- Replace `go install` of gosec/govulncheck with secureCodeBox/gosec-action and golang/govulncheck-action
- Actions handle their own caching; remove explicit security tools cache step
- Add code formatting check using `go fmt ./...` to reject pushes/PRs with incorrect formatting
- Formatting check runs before security scanning for faster feedback

.gitea/workflows/pr-validation.yml

@@ -45,16 +45,6 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-go-modules-
 
-      - name: Cache security tools
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cache/go-build
-            ~/go/bin
-          key: ${{ runner.os }}-go-security-tools-${{ hashFiles('**/go.mod', '**/go.sum') }}
-          restore-keys: |
-            ${{ runner.os }}-go-security-tools-
-
       - name: Verify module hygiene
         run: |
           set -euo pipefail
@@ -157,11 +147,23 @@ jobs:
             exit 1
           fi
 
-      - name: Run security analysis
+      - name: Check code formatting
         run: |
           set -euo pipefail
-          "$(go env GOPATH)/bin/gosec" ./...
-          "$(go env GOPATH)/bin/govulncheck" ./...
+          fmt_output=$(go fmt ./...)
+          if [[ -n "$fmt_output" ]]; then
+            echo "Code formatting check failed. The following files need formatting:" >&2
+            echo "$fmt_output" >&2
+            exit 1
+          fi
+
+      - name: Run Gosec Security Scanner
+        uses: secureCodeBox/gosec-action@v1
+        with:
+          args: './...'
+
+      - name: Run Go Vulnerability Check
+        uses: golang/govulncheck-action@v1
 
       - name: Generate coverage badge
         env: