chore(go): harden ci process workflows

.gitea/workflows/push-validation.yml

@@ -22,6 +22,7 @@ jobs:
       AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
       AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
       AWS_EC2_METADATA_DISABLED: true
+      SUMMARY_FILE: ${{ runner.temp }}/summary.md
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -34,6 +35,13 @@ jobs:
           cache: true
           cache-dependency-path: go.sum
 
+      - name: Verify module hygiene
+        run: |
+          set -euo pipefail
+          go mod tidy
+          git diff --exit-code go.mod go.sum
+          go mod verify
+
       - name: Install security tools
         run: |
           set -euo pipefail
@@ -186,8 +194,15 @@ jobs:
             echo
             echo '### Package Coverage'
             cat coverage-packages.md
-          } >> "$GITHUB_STEP_SUMMARY"
+          } >> "$SUMMARY_FILE"
 
       - name: Run behavior suite on main pushes
         if: ${{ github.ref == 'refs/heads/main' }}
         run: ./script/run-behavior-suite-docker.sh
+
+      - name: Summary
+        if: ${{ always() }}
+        run: |
+          if [[ -f "$SUMMARY_FILE" ]]; then
+            cat "$SUMMARY_FILE" >> "$GITHUB_STEP_SUMMARY"
+          fi