
ci: refresh validation tooling #13

Merged
steipete merged 1 commit into main from ci/refresh-validation-tooling on Jun 19, 2026

Conversation

@steipete (Contributor)

Summary

  • update golangci-lint action v9.2.1 and linter v2.12.2
  • update gofumpt v0.10.0, gosec v2.27.1, deadcode v0.46.0, and govulncheck v1.4.0
  • update GoReleaser action v7.2.2 in CI and release workflows
  • apply the single formatting-only line wrap required by gofumpt v0.10.0

Staticcheck, setup-go, and gitleaks were already current.

Verification

  • actionlint
  • updated gofumpt and deadcode: clean
  • govulncheck v1.4.0: no vulnerabilities found
  • gosec v2.27.1: zero issues
  • GOWORK=off go test -count=1 ./...
  • Codex autoreview: clean, no accepted/actionable findings

No release or version change.

@clawsweeper (bot) commented Jun 19, 2026

Codex review: needs maintainer review before merge. Reviewed June 19, 2026, 7:16 AM ET / 11:16 UTC.

Summary
The PR bumps CI and release validation tool versions in GitHub Actions and applies one gofumpt line wrap in a backup test helper.

Reproducibility: not applicable. This PR is a tooling refresh, not a bug report with runtime reproduction steps. The relevant checks are diff inspection plus CI/actionlint/tool execution evidence.

Review metrics: 2 noteworthy metrics.

  • Automation refs: 8 version refs changed in 2 workflows. The PR primarily changes CI and release execution paths rather than product code.
  • Go code changes: 1 formatting-only test helper wrap. The only non-workflow change is gofumpt formatting required by the updated toolchain.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🐚 platinum hermit
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

  • [P2] Let the changed lint, test, release-check, and CodeQL jobs complete before merge.

Risk before merge

  • [P1] The release workflow runs GoReleaser with contents: write and the bumped action version; PR CI exercises a snapshot release-check, but the tagged/workflow_dispatch publish path and Homebrew tap dispatch are not fully exercised until a real release.

Maintainer options:

  1. Merge after workflow checks (recommended)
    After lint, test, release-check, and CodeQL complete successfully, maintainers can accept that the actual tagged release path is covered by snapshot validation plus the small action bump.
  2. Hold for release-path proof
    If maintainers want stricter release assurance, hold the PR until v7.2.2 is exercised on a dry-run or non-production release path that covers workflow_dispatch/tag behavior.

Next step before merge

  • No automated repair is needed; the remaining action is normal maintainer review, CI completion, and acceptance of the release automation bump.

Security
Cleared: The diff bumps existing GitHub Action and Go tool refs without adding new permissions, secrets, dependency sources, lifecycle hooks, or downloaded executables beyond the existing workflow pattern.

Review details

Best possible solution:

Land the focused version bumps after the changed workflow checks pass and maintainers accept the release workflow coverage, without adding release-note or version churn.

Do we have a high-confidence way to reproduce the issue?

Not applicable: this PR is a tooling refresh, not a bug report with runtime reproduction steps. The relevant checks are diff inspection plus CI/actionlint/tool execution evidence.

Is this the best way to solve the issue?

Yes: the PR keeps the change narrow by bumping existing tool/action refs and applying only the formatting change required by gofumpt. The only remaining maintainer choice is release-workflow confidence, not a different implementation path.

AGENTS.md: not found in the target repository.

Codex review notes: model internal, reasoning high; reviewed against 3f92390ffb32.

Label changes:

  • add P3: This is low-risk CI/release tooling maintenance with no product runtime behavior change.
  • add merge-risk: 🚨 automation: The diff changes GitHub Actions tooling, including the privileged release workflow, so green normal tests do not fully prove the release path.
  • add proof: sufficient: Contributor real behavior proof is sufficient. The PR body reports after-change terminal validation for actionlint, updated analyzers, govulncheck, gosec, and Go tests; GitHub also shows several live PR checks already passing.
  • add rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • add status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body reports after-change terminal validation for actionlint, updated analyzers, govulncheck, gosec, and Go tests; GitHub also shows several live PR checks already passing.

Label justifications:

  • P3: This is low-risk CI/release tooling maintenance with no product runtime behavior change.
  • merge-risk: 🚨 automation: The diff changes GitHub Actions tooling, including the privileged release workflow, so green normal tests do not fully prove the release path.
  • rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🐚 platinum hermit and patch quality is 🐚 platinum hermit.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body reports after-change terminal validation for actionlint, updated analyzers, govulncheck, gosec, and Go tests; GitHub also shows several live PR checks already passing.
  • proof: sufficient: Contributor real behavior proof is sufficient. The PR body reports after-change terminal validation for actionlint, updated analyzers, govulncheck, gosec, and Go tests; GitHub also shows several live PR checks already passing.

Evidence reviewed

What I checked:

  • PR diff updates validation tooling: The diff updates golangci-lint-action, the golangci-lint binary, gofumpt, gosec, deadcode, govulncheck, and the CI GoReleaser action. (.github/workflows/ci.yml:31, 14fd9d013162)
  • PR diff updates release tooling: The release workflow GoReleaser action is bumped from v7.1.0 to v7.2.2. (.github/workflows/release.yml:40, 14fd9d013162)
  • Only Go code change is formatting: The non-workflow change is a gofumpt-required wrap around append(os.Environ(), ...) in a test helper. (internal/backup/backup_test.go:611, 14fd9d013162)
  • Current main still has old refs: Current main still uses golangci-lint-action v9.2.0, golangci-lint v2.11.1, older analyzer versions, govulncheck v1.3.0, and GoReleaser action v7.1.0, so the PR is not already implemented there. (.github/workflows/ci.yml:31, 3f92390ffb32)
  • New action tags exist: The proposed golangci-lint-action v9.2.1 and GoReleaser action v7.2.2 tags resolve upstream.
  • New Go tool tags exist: The proposed gofumpt v0.10.0, gosec v2.27.1, deadcode v0.46.0, and govulncheck v1.4.0 tags resolve upstream.

Likely related people:

  • steipete: Git blame and log show Peter Steinberger authored the current workflow baselines, the recent checkout-action workflow update, and the backup test helper being reformatted. (role: recent area contributor; confidence: high; commits: 49930fd7e801, 3f92390ffb32, e07a15d9b42f; files: .github/workflows/ci.yml, .github/workflows/release.yml, internal/backup/backup_test.go)
  • joshp123: The merged native-Go rewrite touched the CI workflow and owns the current deadcode install line that this PR updates. (role: adjacent workflow contributor; confidence: medium; commits: 9ef3b111c008; files: .github/workflows/ci.yml, .github/workflows/release.yml)

What the crustacean ranks mean
  • 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
  • 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
  • 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
  • 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
  • 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
  • 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
  • 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works
  • ClawSweeper keeps one durable marker-backed review comment per issue or PR.
  • Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
  • A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
  • PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
  • Maintainers can also comment @clawsweeper review to request a fresh review only.
  • Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
  • Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
  • Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.
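The PR summary above pins each tool to an exact release tag (golangci-lint-action v9.2.1, gofumpt v0.10.0, govulncheck v1.4.0, and so on), and the bot's Security note clears the diff because it changes existing refs rather than adding new dependency sources. The check a reviewer would want to automate on top of that is whether any `uses:` action or `go run`/`go install` tool line in the touched workflows is still floating (`@latest`, a branch, or a major-only tag) rather than pinned to an exact tag or a commit SHA. The scanner below is an added example written for this page, not code from the project or from ClawSweeper; the workflow fragment it scans is constructed in the shape of the CI workflow this PR edits, the `gosec@latest` line is deliberately floating for the demo (the PR itself pins v2.27.1), and the 40-hex SHA is a placeholder, not a real commit.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PinKind classifies how a workflow dependency is referenced.
type PinKind int

const (
	PinSHA      PinKind = iota // 40-hex commit: immutable
	PinExactTag                // vMAJOR.MINOR.PATCH: specific, but a tag can be moved upstream
	PinFloating                // @latest, a branch, or a major-only tag: resolves differently over time
)

func (k PinKind) String() string {
	return [...]string{"sha", "exact-tag", "floating"}[k]
}

// Ref is one action or Go tool reference found in a workflow file.
type Ref struct {
	Line int
	Name string // owner/repo for actions, module path for go run/go install
	Ref  string // the part after '@'
	Kind PinKind
}

var (
	usesRe   = regexp.MustCompile(`^\s*-?\s*uses:\s*([^@\s]+)@(\S+)`)
	goToolRe = regexp.MustCompile(`\bgo\s+(?:run|install)\s+([^\s@]+)@(\S+)`)
	shaRe    = regexp.MustCompile(`^[0-9a-f]{40}$`)
	tagRe    = regexp.MustCompile(`^v\d+\.\d+\.\d+$`)
)

// Classify maps the text after '@' to a PinKind.
func Classify(ref string) PinKind {
	switch {
	case shaRe.MatchString(ref):
		return PinSHA
	case tagRe.MatchString(ref):
		return PinExactTag
	default:
		return PinFloating
	}
}

// ScanWorkflow extracts every `uses:` action ref and every `go run`/`go install`
// tool ref from workflow YAML text. Local ./path actions carry no '@' and are skipped.
func ScanWorkflow(yaml string) []Ref {
	var refs []Ref
	for i, line := range strings.Split(yaml, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil {
			m = goToolRe.FindStringSubmatch(line)
		}
		if m != nil {
			refs = append(refs, Ref{Line: i + 1, Name: m[1], Ref: m[2], Kind: Classify(m[2])})
		}
	}
	return refs
}

// Floating returns the refs that can resolve to different code on a later run.
func Floating(refs []Ref) []Ref {
	var out []Ref
	for _, r := range refs {
		if r.Kind == PinFloating {
			out = append(out, r)
		}
	}
	return out
}

// constructedWorkflow is a made-up CI fragment (not the project's ci.yml) in the shape
// of the workflow this PR edits. gosec@latest is deliberately floating for the demo and
// the 40-hex value is a placeholder, not a real commit.
const constructedWorkflow = `name: ci
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: golangci/golangci-lint-action@v9.2.1
        with:
          version: v2.12.2
      - run: go install mvdan.cc/gofumpt@v0.10.0
      - run: go run golang.org/x/vuln/cmd/govulncheck@v1.4.0 ./...
      - run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      - uses: goreleaser/goreleaser-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA, not a real commit
`

func main() {
	refs := ScanWorkflow(constructedWorkflow)
	for _, r := range refs {
		fmt.Printf("line %2d  %-10s %s@%s\n", r.Line, r.Kind, r.Name, r.Ref)
	}
	if fl := Floating(refs); len(fl) > 0 {
		fmt.Printf("FAIL: %d floating ref(s); pin to an exact tag or a commit SHA\n", len(fl))
	}
}
```

Run against the constructed fragment it reports two floating refs (`actions/checkout@v4` and `gosec@latest`) and passes the exact-tag lines that mirror this PR's bumps. Exact tags are a clear step up from `@latest`, but a tag is still a mutable pointer in the upstream repository; the reviewer's "Risk before merge" item is the place a SHA pin buys the most, since that release workflow runs GoReleaser with `contents: write`. The example flags tags as a distinct class rather than failing them so a team can decide per workflow which level it requires.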

clawsweeper (bot) added labels on Jun 19, 2026:

  • proof: sufficient: Contributor real behavior proof is sufficient.
  • rating: 🐚 platinum hermit: Good normal PR readiness with ordinary maintainer review expected.
  • status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR.
  • P3: Low-risk cleanup, docs, polish, ergonomics, or speculative feature.
  • merge-risk: 🚨 automation: 🚨 Merging this PR could break CI, automerge, proof capture, label sync, or automation.
@steipete steipete merged commit 3e856ba into main Jun 19, 2026
9 checks passed
@steipete steipete deleted the ci/refresh-validation-tooling branch June 19, 2026 11:18
@steipete (Contributor, Author)

Landed as 3e856ba.

Verification:

  • local actionlint, updated gofumpt, and updated deadcode: passed
  • govulncheck v1.4.0: no vulnerabilities found
  • gosec v2.27.1: zero issues
  • local full Go tests: passed
  • Codex autoreview: clean, no accepted/actionable findings
  • exact-head checks: CI lint/test/deps/secrets, Docker smoke, Go and Actions CodeQL, and GoReleaser snapshot passed

The only source change is the formatting-only line wrap required by gofumpt v0.10.0.
