ci: replace gosec action with direct invocation, pin govulncheck to v1.0.4

Per security scanning requirements in project instructions:
- Replace securego/gosec@v2.22.3 action with go install + gosec run step
  in both push-validation and pr-validation to avoid compatibility issues
  with Go 1.26.1
- Pin golang/govulncheck-action from @v1 to @v1.0.4 in both workflows;
  major-version tags do not resolve reliably through the Gitea API
- Move GOTOOLCHAIN=auto from per-step env to job-level env in both workflows
- Bump coverage-badge in push-validation from v1.0.1 to v1.1.0
Micheal Wilkinson
2026-03-21 20:15:08 +00:00
parent a65f62ea9d
commit dd1d802605
2 changed files with 13 additions and 17 deletions


@@ -22,6 +22,7 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ secrets.ARTEFACT_BUCKET_WRITE_ACCESS_SECRET }}
AWS_DEFAULT_REGION: ${{ vars.ARTEFACT_BUCKET_REGION }}
AWS_EC2_METADATA_DISABLED: true
GOTOOLCHAIN: auto
SUMMARY_FILE: ${{ runner.temp }}/summary.md
steps:
- name: Checkout
@@ -64,16 +65,13 @@ jobs:
fi
- name: Run Gosec Security Scanner
uses: securego/gosec@v2.22.3
env:
GOTOOLCHAIN: auto
with:
args: './...'
run: |
set -euo pipefail
go install github.com/securego/gosec/v2/cmd/gosec@latest
gosec ./...
- name: Run Go Vulnerability Check
uses: golang/govulncheck-action@v1
env:
GOTOOLCHAIN: auto
uses: golang/govulncheck-action@v1.0.4
- name: Install AWS CLI v2
uses: ankurk91/install-aws-cli-action@v1
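Review bot: The new `go install github.com/securego/gosec/v2/cmd/gosec@latest` line in the gosec step unpins the scanner: the removed action was fixed at v2.22.3, whereas `@latest` compiles whatever gosec release and transitive module set is current on each run, which is neither reproducible nor consistent with the pinning rationale this same commit applies to govulncheck (and the description says the identical step lands in pr-validation). Pin it to the version the action was already using, `go install github.com/securego/gosec/v2/cmd/gosec@v2.22.3`, and bump it deliberately when you bump the other scanners. The following `gosec ./...` line also presumes `$(go env GOPATH)/bin` is on PATH in the runner image; that is the case with GitHub's setup-go but is worth confirming on the Gitea runner, or invoke it as `"$(go env GOPATH)/bin/gosec" ./...` so the step cannot silently fall through to a missing binary. The hunk header reports more lines than are rendered here, so a few context lines of this step sequence are not visible in the page.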
@@ -158,7 +156,7 @@ jobs:
- name: Publish coverage artefacts
id: coverage-badge
uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.0.1
uses: https://git.hrafn.xyz/aether/vociferate/coverage-badge@v1.1.0
with:
coverage-profile: coverage.out
coverage-html: coverage.html