Update go version and dependencies

.editorconfig

@@ -0,0 +1,41 @@
+# http://editorconfig.org
+
+# A special property that should be specified at the top of the file outside of any sections.
+# Set to true to stop .editorconfig file search on the current file.
+root                        = true
+
+[*]
+charset                     = utf-8
+trim_trailing_whitespace    = true
+insert_final_newline        = true
+indent_style                = space
+indent_size                 = 2
+continuation_indent_size    = 2
+max_line_length             = 120
+
+[*.sh]
+end_of_line                 = lf
+
+# shfmt options, equivalent to: -ln=bash -bn -ci -sr
+shell_variant               = bash
+binary_next_line            = true
+switch_case_indent          = true
+space_redirects             = true
+
+[*.{bat,cmd,ps1}]
+end_of_line                 = crlf
+
+[*.go]
+indent_style                = tab
+indent_size                 = 4
+
+[*.py]
+indent_size                 = 4
+continuation_indent_size    = 4
+
+[Makefile]
+indent_style                = tab
+end_of_line                 = lf
+
+[.gitmodules]
+indent_style                = tab

.envrc

@@ -1,5 +1,34 @@
+#!/usr/bin/env bash
+
 watch_file .tool-versions
 
 asdf_has golang || asdf plugin-add golang
+asdf_has editorconfig-checker || asdf plugin-add editorconfig-checker
+asdf_has hadolint || asdf plugin-add hadolint
+asdf_has python || asdf plugin-add python
 asdf install | sed '/is already installed/d'
 use asdf
+
+has pipx || use pipx
+has pre-commit \
+  || pipx install 'pre-commit>=4.3'
+has detect-secrets \
+  || pipx install 'detect-secrets>=1.5'
+
+use pre-commit
+
+# Install Go tools using go install for better Go module integration
+has gomarkdoc \
+  || go install github.com/princjef/gomarkdoc/cmd/[email protected]
+has gosec \
+  || go install github.com/securego/gosec/v2/cmd/[email protected]
+has golangci-lint \
+  || go install github.com/golangci/golangci-lint/cmd/[email protected]
+has govulncheck \
+  || go install golang.org/x/vuln/cmd/[email protected]
+has goimports \
+  || go install golang.org/x/tools/cmd/[email protected]
+has gocyclo \
+  || go install github.com/fzipp/gocyclo/cmd/[email protected]
+
+layout python-venv

.github/workflows/docker-publish.yml

@@ -1,3 +1,4 @@
+---
 name: Docker
 
 # This workflow uses actions that are not certified by GitHub.
@@ -7,11 +8,11 @@ name: Docker
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
     # Publish semver tags as releases.
-    tags: [ 'v*.*.*' ]
+    tags: ['v*.*.*']
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 env:
   # Use docker.io for Docker Hub if empty
@@ -29,13 +30,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v5
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@28218f9b04b4f3f62068d7b6ce6ca5b26e35336c
+        uses: docker/login-action@v3.5.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -45,14 +46,14 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        uses: docker/metadata-action@v5.8.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
-        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        uses: docker/build-push-action@v6.18.0
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}

.gitignore

@@ -5,7 +5,26 @@
 *.iws
 *.iml
 out/
-vendor/ 
+
+### Go template
+# Binaries for programs and plugins
+*.exe
+*.exe~
+*.dll
+*.so
+*.dylib
+
+# Test binary, built with `go test -c`
+*.test
+
+# Output of the go coverage tool, specifically when used with LiteIDE
+*.out
+
+# Dependency directories (comment the line below if you want to checkin your vendor folder)
+vendor/
+
+# Go workspace file
+go.work
 
 ### Node template
 # Logs
@@ -69,5 +88,15 @@ build/
 *#
 #*
 
+### vscode
+.vscode/
+
 ### Direnv
-.direnv/
+.direnv/
+
+### Project specific
+.cache/
+
+# Security scanning reports
+gosec-report.json
+gosec-report.sarif

.pre-commit-config.yaml

@@ -0,0 +1,78 @@
+---
+default_stages:
+  - pre-commit
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks.git
+    rev: v5.0.0
+    hooks:
+      - id: trailing-whitespace
+        files: \.(conf|j2|js|json|rb|md|py|sh|tf|tm?pl|txt|yaml|yml|go)$
+      - id: check-case-conflict
+      - id: check-json
+      - id: check-toml
+      - id: check-yaml
+      - id: end-of-file-fixer
+        exclude: '^\.idea/.*$'
+  - repo: https://github.com/adrienverge/yamllint.git
+    rev: v1.35.1
+    hooks:
+      - id: yamllint
+  - repo: https://github.com/Yelp/detect-secrets.git
+    rev: v1.5.0
+    hooks:
+      - id: detect-secrets
+        args:
+          - '--baseline'
+          - '.secrets.baseline'
+          - '--exclude-secrets'
+          - '.*fake.*'
+        exclude: 'package-lock\.json$|Pipfile\.lock$|poetry\.lock$|go\.sum$|^.secrets.baseline$'
+  - repo: https://github.com/hadolint/hadolint
+    rev: v2.13.1-beta
+    hooks:
+      - id: hadolint
+  - repo: https://github.com/editorconfig-checker/editorconfig-checker.python
+    rev: 3.0.3
+    hooks:
+      - id: editorconfig-checker-system
+        alias: ec
+  # Go-specific hooks
+  - repo: https://github.com/dnephin/pre-commit-golang
+    rev: v0.5.1
+    hooks:
+      - id: go-fmt
+      - id: go-vet
+      - id: go-imports
+      - id: go-cyclo
+        args: [-over=15]
+      - id: go-mod-tidy
+      - id: go-unit-tests
+      - id: golangci-lint
+  - repo: local
+    hooks:
+      - id: gosec
+        name: gosec security scanner
+        entry: gosec
+        language: system
+        files: '\.go$'
+        pass_filenames: false
+        args: ['./...']
+      - id: go-no-replacement
+        name: Avoid committing debug statements
+        entry: 'github\.com/(docker|prometheus)/'
+        language: fail
+        files: go\.(mod|sum)$
+      - id: govulncheck
+        name: govulncheck
+        entry: govulncheck
+        language: system
+        files: '\.go$'
+        pass_filenames: false
+        args: ['./...']
+      - id: gomarkdoc
+        name: Generate Go documentation
+        entry: gomarkdoc
+        language: system
+        files: '\.go$'
+        pass_filenames: false
+        args: ['--embed', '--include-unexported', '--output', 'README.md', './...']

.secrets.baseline

@@ -0,0 +1,127 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {},
+  "generated_at": "2025-08-13T20:35:50Z"
+}

.tool-versions

@@ -1 +1,4 @@
-golang 1.22.5
+golang 1.24.6
+editorconfig-checker 3.4.0
+hadolint 2.12.0
+python 3.13.6

.yamllint

@@ -0,0 +1,10 @@
+---
+extends: default
+
+rules:
+  line-length:
+    max: 120
+  indentation:
+    spaces: 2
+  truthy:
+    allowed-values: ['true', 'false', 'on', 'off']