chore: bump Go toolchain to 1.26.3

[abtreece]

Summary

Bumps the Go toolchain from 1.26.2 → 1.26.3 to patch 5 HIGH stdlib CVEs that Trivy is currently flagging on every dependabot PR's security-scan job:

• CVE-2026-33811 — LookupCNAME (cgo resolver) on long CNAME
• CVE-2026-33814 — HTTP/2 SETTINGS frame infinite loop
• CVE-2026-39820 — mail.ParseAddress / ParseAddressList
• CVE-2026-39836 — Windows Dial/LookupPort NUL byte panic
• CVE-2026-42499 — consumePhrase DoS

All dependabot PRs (#613, #614, #616) have been failing security-scan against the v1.26.2 stdlib even though their dep bumps are otherwise clean. This bump unblocks them.

Files updated

• go.mod (toolchain go1.26.3)
• .tool-versions
• docker/Dockerfile.build
• 5 GitHub Actions workflows (codecov, release, cross-platform, e2e-tests, integration-tests)
• Docs: README.md, docs/development.md, docs/docker.md, docs/installation.md
• CHANGELOG

Test plan

• CI green across all workflows (build, tests, integration, docker security-scan)
• confd --version from built binary reports go1.26.3

[Copilot]

Pull request overview

Bumps the pinned Go toolchain patch version from go1.26.2 to go1.26.3 across the module, CI, Docker build image, and documentation to address stdlib CVEs currently flagged by security scanning.

Changes:

• Update go.mod toolchain directive and .tool-versions to Go 1.26.3.
• Update CI workflows and Docker build base image to use Go 1.26.3.
• Update docs/README and changelog to reflect the new toolchain version.

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
README.md	Updates documented required Go toolchain version to 1.26.3.
go.mod	Pins toolchain to go1.26.3.
docs/installation.md	Updates build-from-source guidance and Docker snippet to 1.26.3.
docs/docker.md	Updates multi-stage Docker example base image to 1.26.3.
docs/development.md	Updates dev prerequisites and install snippet to 1.26.3.
docker/Dockerfile.build	Updates CI build image to golang:1.26.3-alpine.
CHANGELOG	Records the Go toolchain bump and referenced CVEs.
.tool-versions	Updates asdf golang version to 1.26.3.
.github/workflows/release.yml	Updates setup-go version to 1.26.3.
.github/workflows/integration-tests.yml	Updates setup-go version to 1.26.3 in all jobs.
.github/workflows/e2e-tests.yml	Updates setup-go version to 1.26.3.
.github/workflows/cross-platform.yml	Updates setup-go version to 1.26.3.
.github/workflows/codecov.yml	Updates setup-go version to 1.26.3.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[abtreece]

Good catch — fixed in bc27053. Each CVE now uses the full CVE-2026-NNNNN form for searchability.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 71.01%. Comparing base (9837764) to head (bc27053).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #617      +/-   ##
==========================================
+ Coverage   70.96%   71.01%   +0.05%     
==========================================
  Files          53       53              
  Lines        5682     5682              
==========================================
+ Hits         4032     4035       +3     
+ Misses       1422     1419       -3     
  Partials      228      228              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.