chore: add missing CI validation checks (fmt, mod, gosec, govulncheck)

- Add go fmt validation to enforce consistent code formatting
- Add go mod tidy and verify checks for module hygiene
- Add gosec security analysis for static security scanning
- Add govulncheck for dependency vulnerability detection
- Reorganize regex variables with clarifying comments
- Follows documented validation sequence from copilot-instructions.md

internal/vociferate/vociferate.go

@@ -23,11 +23,15 @@ const (
 	defaultUnreleasedTemplate = "### Breaking\n\n### Added\n\n### Changed\n\n### Removed\n\n### Fixed\n"
 )
 
-var releasedSectionRe = regexp.MustCompile(`(?m)^## \[(\d+\.\d+\.\d+)\] - `)
-var linkedReleasedSectionRe = regexp.MustCompile(`(?m)^## \[(\d+\.\d+\.\d+)\](?:\([^\n)]*\))? - `)
-var unreleasedHeadingRe = regexp.MustCompile(`(?m)^## \[Unreleased\](?:\([^\n)]*\))?\n`)
-var releaseHeadingRe = regexp.MustCompile(`(?m)^## \[(\d+\.\d+\.\d+)\](?:\([^\n)]*\))? - `)
-var refLinkLineRe = regexp.MustCompile(`^\[[^\]]+\]: \S`)
+// Pre-compiled regex patterns used for changelog parsing.
+// These are read-only after initialization.
+var (
+	releasedSectionRe       = regexp.MustCompile(`(?m)^## \[(\d+\.\d+\.\d+)\] - `)
+	linkedReleasedSectionRe = regexp.MustCompile(`(?m)^## \[(\d+\.\d+\.\d+)\](?:\([^\n)]*\))? - `)
+	unreleasedHeadingRe     = regexp.MustCompile(`(?m)^## \[Unreleased\](?:\([^\n)]*\))?\n`)
+	releaseHeadingRe        = regexp.MustCompile(`(?m)^## \[(\d+\.\d+\.\d+)\](?:\([^\n)]*\))? - `)
+	refLinkLineRe           = regexp.MustCompile(`^\[[^\]]+\]: \S`)
+)
 
 type Options struct {
 	// VersionFile is the path to the file that stores the current version,