2 Commits

Author SHA1 Message Date
Micheal Wilkinson
4b54a45a76 docs: note scanner toolchain compatibility fix
All checks were successful
Push Validation / validate (push) Successful in 3m29s
2026-03-21 13:54:11 +00:00
Micheal Wilkinson
eb63da9354 chore(ci): allow scanner actions to auto-select Go toolchain 2026-03-21 13:54:11 +00:00
3 changed files with 9 additions and 0 deletions

@@ -154,11 +154,15 @@ jobs:
- name: Run Gosec Security Scanner - name: Run Gosec Security Scanner
uses: securego/gosec@v2.22.3 uses: securego/gosec@v2.22.3
env:
GOTOOLCHAIN: auto
with: with:
args: './...' args: './...'
- name: Run Go Vulnerability Check - name: Run Go Vulnerability Check
uses: golang/govulncheck-action@v1 uses: golang/govulncheck-action@v1
env:
GOTOOLCHAIN: auto
- name: Generate coverage badge - name: Generate coverage badge
env: env:
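Review bot: `GOTOOLCHAIN: auto` on the gosec and govulncheck steps means the Go version that performs the scan is resolved at run time from the module's `go`/`toolchain` directive and, when that is newer than what the action ships, downloaded during the job, yet nothing in the workflow explains the override or records which toolchain was used. Add a one-line comment above each `env:` block saying why it is there, and make the selected toolchain visible in the job log so a scan result can be tied to a Go version. For the govulncheck step, the action's `go-version-file` input pointed at `go.mod` would select the version at setup time instead of relying on a download inside the scan.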

@@ -65,11 +65,15 @@ jobs:
- name: Run Gosec Security Scanner - name: Run Gosec Security Scanner
uses: securego/gosec@v2.22.3 uses: securego/gosec@v2.22.3
env:
GOTOOLCHAIN: auto
with: with:
args: './...' args: './...'
- name: Run Go Vulnerability Check - name: Run Go Vulnerability Check
uses: golang/govulncheck-action@v1 uses: golang/govulncheck-action@v1
env:
GOTOOLCHAIN: auto
- name: Install AWS CLI v2 - name: Install AWS CLI v2
uses: ankurk91/install-aws-cli-action@v1 uses: ankurk91/install-aws-cli-action@v1
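Review bot: the `env:` / `GOTOOLCHAIN: auto` pair on the gosec and govulncheck steps here is a copy of the one in the other workflow, so the setting now lives in four places across two files and can drift. Consider setting it once in a job-level `env:` block in each workflow. Also, `golang/govulncheck-action@v1` is a floating tag while `securego/gosec@v2.22.3` is pinned; now that the toolchain floats as well, pinning the govulncheck action to a fixed release would keep this step reproducible.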

@@ -17,6 +17,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
- CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching. - CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
- CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners. - CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.
- CI security scanner compatibility: gosec and govulncheck action steps now set `GOTOOLCHAIN=auto` so repositories requiring newer Go versions are analyzed successfully.
- Code formatting validation added to CI pipelines: pushes and pull requests with code not matching `go fmt ./...` output will be rejected. - Code formatting validation added to CI pipelines: pushes and pull requests with code not matching `go fmt ./...` output will be rejected.
- Applied `go fmt` normalization to core tests (`list_test.go` and `track_test.go`) to satisfy the new formatting gate. - Applied `go fmt` normalization to core tests (`list_test.go` and `track_test.go`) to satisfy the new formatting gate.
- Dependencies updated to resolve security vulnerabilities: `cloudflare/circl` to v1.6.3, `go-git/v5` to v5.17.0, `golang.org/x/crypto` to v0.49.0, and `golang.org/x/net` to v0.52.0. - Dependencies updated to resolve security vulnerabilities: `cloudflare/circl` to v1.6.3, `go-git/v5` to v5.17.0, `golang.org/x/crypto` to v0.49.0, and `golang.org/x/net` to v0.52.0.
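Review bot: the new changelog entry says scans now succeed for "repositories requiring newer Go versions" but leaves out what changes for the CI run itself: with `GOTOOLCHAIN=auto` the scanner steps may download a Go toolchain during the job. State that side effect in the entry, and if the fix was made for this project's own Go requirement, say "this repository's `go.mod`" rather than "repositories" so readers can tell what triggered it.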