Per security scanning requirements in project instructions:
- Replace securego/gosec@v2.22.3 action with go install + gosec run step
in both push-validation and pr-validation to avoid compatibility issues
with Go 1.26.1
- Pin golang/govulncheck-action from @v1 to @v1.0.4 in both workflows;
major-version tags do not resolve reliably in Gitea API
- Move GOTOOLCHAIN=auto from per-step env to job-level env in both workflows
- Bump coverage-badge in push-validation from v1.0.1 to v1.1.0
dd1d802605