docs: record gosec and govulncheck-action version pin

.gitea/workflows/prepare-release.yml

@@ -49,12 +49,12 @@ jobs:
           go mod verify
 
       - name: Run gosec security analysis
-        uses: securego/gosec@v2
+        uses: securego/gosec@v2.22.4
         with:
           args: ./...
 
       - name: Run govulncheck
-        uses: golang/govulncheck-action@v1
+        uses: golang/govulncheck-action@v1.1.4
         with:
           go-package: ./...
           cache: true

.gitea/workflows/push-validation.yml

@@ -45,12 +45,12 @@ jobs:
           go mod verify
 
       - name: Run gosec security analysis
-        uses: securego/gosec@v2
+        uses: securego/gosec@v2.22.4
         with:
           args: ./...
 
       - name: Run govulncheck
-        uses: golang/govulncheck-action@v1
+        uses: golang/govulncheck-action@v1.1.4
         with:
           go-package: ./...
           cache: true

CHANGELOG.md

@@ -37,6 +37,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
 
 - Fixed `decorate-pr/action.yml` YAML validation by extracting PR comment rendering into `decorate-pr/build-comment.sh`, removing the duplicated changelog extraction step, and correcting the gate failure output reference.
 - Fixed docs-only detection in `decorate-pr` changelog gate: file list was iterated in a piped subshell so `docs_only` never propagated to the parent scope; replaced pipe with process substitution.
+- Pinned `securego/gosec` and `golang/govulncheck-action` to concrete version tags (`v2.22.4` and `v1.1.4`) so self-hosted Gitea runners can resolve them via direct git clone without relying on the GitHub Actions floating-tag API.
 
 ## [1.0.2] - 2026-03-21