[Sync] Update project files from source repository (44a1cf8) #291

Merged
mrz1836 merged 1 commit into master from chore/sync-files-bitcoin-schema-20260307-092154-44a1cf8 on Mar 7, 2026

Conversation

@mrz1836
Member

@mrz1836 mrz1836 commented Mar 7, 2026

What Changed

  • GitHub Actions security improvements: Moved sensitive tokens from inline usage to environment variables in setup-go-with-cache/action.yml and parse-env/action.yml to prevent token exposure in logs
  • Removed GONOSUMCHECK configuration: Eliminated the conditional setting of GONOSUMCHECK environment variable in the private module authentication step
  • Version updates: Updated MAGE_X_GOLANGCI_LINT_VERSION from v2.10.1 to v2.11.1 in .github/env/10-mage-x.env
  • Added security permissions: Added explicit contents: read permissions to multiple workflow files (codeql-analysis.yml, fortress-security-scans.yml, fortress.yml, scorecard.yml) and pre-commit environment configuration

Why It Was Necessary

  • Prevent accidental token exposure in GitHub Actions logs by storing sensitive values in environment variables rather than inline expressions
  • Follow security best practices by explicitly declaring minimal required permissions for GitHub Actions workflows
  • Keep tooling dependencies up-to-date with the latest golangci-lint version for improved linting capabilities

Testing Performed

  • Verify GitHub Actions workflows successfully authenticate with private Go modules using the refactored token handling
  • Confirm golangci-lint v2.11.1 executes correctly in CI pipelines
  • Validate that explicit permissions do not break existing workflow functionality

Impact / Risk

  • Low Risk: Changes are focused on security hardening and minor version updates without altering core functionality
  • Security Improvement: Reduced risk of token exposure in logs and more restrictive workflow permissions following principle of least privilege
  • Potential Impact: Removal of GONOSUMCHECK configuration may affect projects that previously relied on this environment variable being set automatically
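As an added illustration (not the PR's own diff, which this page does not show), here is the pattern the description refers to: a composite-action step that expands a token inline in its `run:` script, beside the same step receiving the token through `env:`, followed by a workflow-level least-privilege `permissions` block. The input name `go-private-token` and the variable `GO_PRIVATE_TOKEN` are assumed placeholders.

```yaml
# BEFORE (assumed example, not the repository's file): the token is expanded
# directly into the script text. The secret becomes part of the command the
# runner renders and executes, so anything that echoes the command (shell
# tracing, error output, debug logging) carries the value with it.
inputs:
  go-private-token:
    description: Token for private Go modules (placeholder name)
    required: false
runs:
  using: composite
  steps:
    - name: Configure private module auth (inline expansion, avoid)
      shell: bash
      run: |
        git config --global \
          url."https://${{ inputs.go-private-token }}@github.com/".insteadOf "https://github.com/"
---
# AFTER: the token is handed to the step as an environment variable and is
# only read by the shell at runtime. The rendered command text contains the
# literal string "${GO_PRIVATE_TOKEN}", not the secret. The step is also
# skipped cleanly when no token is supplied (public-only builds).
runs:
  using: composite
  steps:
    - name: Configure private module auth (env-based)
      shell: bash
      env:
        GO_PRIVATE_TOKEN: ${{ inputs.go-private-token }}
      run: |
        if [ -n "${GO_PRIVATE_TOKEN}" ]; then
          git config --global \
            url."https://${GO_PRIVATE_TOKEN}@github.com/".insteadOf "https://github.com/"
        fi
---
# Workflow-level least privilege (assumed example): every job starts with
# read-only repository access. A job that must write a PR comment widens
# only its own scope instead of the whole workflow's.
permissions:
  contents: read
jobs:
  security-scan:
    permissions:
      contents: read
      pull-requests: write
    uses: ./.github/workflows/fortress-security-scans.yml
```

Checking a workflow's job log for the rendered `run:` command is the quickest way to confirm the env-based form took effect: the command line should show the variable name, never a token-shaped value.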

Copilot AI review requested due to automatic review settings March 7, 2026 14:22
@mrz1836 mrz1836 self-assigned this Mar 7, 2026
@mrz1836 mrz1836 added automated-sync Automated sync PR, e.g. from a fork or external repo automerge Label to automatically merge pull requests that meet all required conditions chore Simple dependency updates or version bumps labels Mar 7, 2026
@github-actions github-actions Bot added size/S Small change (11–50 lines) update General updates labels Mar 7, 2026

Copilot AI left a comment


Pull request overview

Syncs GitHub Actions and CI configuration from the source repository, focusing on tightening workflow permissions, reducing token exposure in logs, and updating tool versions used by GoFortress CI.

Changes:

  • Refactored composite actions to pass sensitive values via env: (instead of inline expressions) and removed GONOSUMCHECK auto-configuration.
  • Updated CodeQL action SHAs and bumped golangci-lint versions used by pre-commit and MAGE-X.
  • Adjusted workflow permissions (notably for Gitleaks PR commenting) and updated the govulncheck Go toolchain version.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

Summary per file:

  • .github/workflows/scorecard.yml: Bumps CodeQL upload-sarif action pin (but workflow/job permissions need to allow checkout).
  • .github/workflows/fortress.yml: Grants pull-requests: write to the security reusable-workflow call for PR commenting.
  • .github/workflows/fortress-security-scans.yml: Switches Gitleaks to github.token, adjusts permissions; removed passing github-token into Go setup (breaking private module auth).
  • .github/workflows/codeql-analysis.yml: Updates CodeQL init/autobuild/analyze action pins.
  • .github/env/10-pre-commit.env: Bumps pre-commit golangci-lint version.
  • .github/env/10-mage-x.env: Bumps MAGE-X golangci-lint version.
  • .github/env/00-core.env: Bumps GOVULNCHECK Go version.
  • .github/actions/setup-go-with-cache/action.yml: Moves private module token handling into an environment variable; removes GONOSUMCHECK setup.
  • .github/actions/parse-env/action.yml: Moves env-json input into env: to avoid inline expansion.


@mrz1836 mrz1836 merged commit 0f6c607 into master Mar 7, 2026
53 checks passed
@github-actions github-actions Bot deleted the chore/sync-files-bitcoin-schema-20260307-092154-44a1cf8 branch March 7, 2026 14:36