ci: fix govulncheck (pin v1.3.0) + bump Go to 1.26.4

[bobakemamian]

Fixes the govulncheck job, which has been failing on main and every open PR since early May. Two distinct problems — the second was hidden behind the first.

1. govulncheck was crashing (pin v1.3.0)

go install ...@latest floated to govulncheck v1.4.0, which bundles x/tools v0.46.0. That version panics during symbol-level call-graph analysis when it hits a generic type parameter under Go 1.26:

panic: ForEachElement called on type containing *types.TypeParam
  golang.org/x/tools@v0.46.0/internal/typesinternal/element.go:130
  → go/ssa.(*Program).RuntimeTypes
  → golang.org/x/vuln@v1.4.0/internal/vulncheck.callGraph

GO_VERSION and the go directive hadn't changed since the initial commit, so the floating tool version was the only moving part. Pinned to v1.3.0 (x/tools v0.44.0), the last release before the regression — verified locally that v1.4.0 panics and v1.3.0 completes with full symbol-level reachability analysis. Matches the repo's existing pin convention (cf. gitleaks); Dependabot can bump it once upstream ships the x/tools fix.

2. Pinned Go was behind on security patches (bump 1.26.2 → 1.26.4)

Once govulncheck actually ran, it reported four reachable stdlib vulnerabilities that 1.26.2 is exposed to — the crash had been masking them:

CVE	Package	Fixed in	Reachable via
GO-2026-4918	net/http (HTTP/2 infinite loop)	1.26.3	engine.executeHTTP, cmd.downloadAsset
GO-2026-4971	net	1.26.3	engine.executeHTTP, webhook.NewServer
GO-2026-5037	crypto/x509	1.26.4	webhook.NewServer (TLS)
GO-2026-5039	net/textproto	1.26.4	webhook.NewServer (header parsing)

1.26.4 is the latest 1.26 patch and clears all four. This is the same bump-to-clear-stdlib-CVEs pattern already documented in the GO_VERSION comment.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated GitHub Actions workflows (CI, auto-release, docs sync, and releases) to use Go 1.26.4 instead of 1.26.2 for continued security and consistency across pipelines.
  • Pinned the vulnerability scanning tool to a specific release (instead of using “latest”) to improve build reproducibility, while avoiding a known issue with that toolchain combination.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 1daa27b5-b8e0-40bf-84c1-953f1392304c

📥 Commits

Reviewing files that changed from the base of the PR and between 9659b04 and 86bacc8.

📒 Files selected for processing (3)

• .github/workflows/auto-release.yml
• .github/workflows/docs-sync.yml
• .github/workflows/release.yml

✅ Files skipped from review due to trivial changes (2)

• .github/workflows/auto-release.yml
• .github/workflows/docs-sync.yml

---

📝 Walkthrough

Walkthrough

The CI workflow updates the base Go toolchain from 1.26.2 to 1.26.4 to address specific CVEs. The govulncheck install step is pinned to v1.3.0 instead of @latest, with comments explaining Dependabot management and documenting why v1.4.0 is avoided due to a generics-related panic under Go 1.26. Three dependent workflows (auto-release.yml, docs-sync.yml, release.yml) are updated to match the new Go version.

Changes

CI Dependency and Tool Version Updates

Layer / File(s)	Summary
Update CI Go version and pin govulncheck with explanations .github/workflows/ci.yml	GO_VERSION upgraded from 1.26.2 to 1.26.4 with updated CVE comments. govulncheck install changed from @latest to pinned v1.3.0, with added comments explaining Dependabot management and a known v1.4.0 generics symbol-analysis panic under Go 1.26.
Synchronize dependent workflows to CI Go version .github/workflows/auto-release.yml, .github/workflows/docs-sync.yml, .github/workflows/release.yml	Three workflows update their actions/setup-go configurations from Go 1.26.2 to 1.26.4 to stay synchronized with the primary CI workflow's GO_VERSION.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 One version to rule them all, four workflows in the hall,
One point two six point four we call, CVEs patched and squared away,
Generics panics we evade, with Dependabot's careful aid,
A synchronized upgrade, bundled patch, hooray! 🎯

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the two main changes: fixing govulncheck by pinning it to v1.3.0 and bumping Go to 1.26.4 to address security vulnerabilities.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/pin-govulncheck

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 19-24: The GO_VERSION has been updated to 1.26.4 in the ci.yml
workflow to address security vulnerabilities, but the release.yml workflow still
pins GO_VERSION to 1.26.2. Update the GO_VERSION variable in the release
workflow to 1.26.4 to ensure consistent and secure Go versions across both the
CI and release build paths.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 0973210e-0716-40a8-8862-4f98fcd486c0

📥 Commits

Reviewing files that changed from the base of the PR and between d3c6a6d and 9659b04.

📒 Files selected for processing (1)

• .github/workflows/ci.yml