CodeQL and golangci-lint workflows use retired/EOL action versions #27

@dolph

Summary

Two CI workflows pin to action versions that GitHub has retired or that are years out of date:

.github/workflows/codeql-analysis.yml:

- uses: actions/checkout@v2                  # v2 retired
- uses: github/codeql-action/init@v1         # v1 retired by GitHub
- uses: github/codeql-action/autobuild@v1    # v1 retired
- uses: github/codeql-action/analyze@v1      # v1 retired

.github/workflows/golangci-lint.yml:

- uses: actions/checkout@v2                  # v2 retired
- uses: golangci/golangci-lint-action@v2     # v2 from 2021; current is v6+

GitHub has deprecated v1 of the CodeQL action and Node 12-based actions; these jobs are either silently failing, emitting deprecation warnings, or running in degraded mode. The ci.yml workflow correctly uses actions/checkout@v6 and actions/setup-go@v6, so the inconsistency is purely in these two older files.

Impact (Maintainer: High)

  • Static-analysis coverage (CodeQL, golangci-lint) may not actually be running; the security signal is therefore false.
  • New contributors checking the green check-marks will trust analyses that did not execute.

Suggested Fix

  • Bump actions/checkout to @v6 in both workflows.
  • Bump github/codeql-action/* to @v3 (current stable major).
  • Bump golangci/golangci-lint-action to @v6 and pin a specific golangci-lint version (version: v1.59 or current) — version: latest is brittle because it picks up new linters on every run.
  • Add actions/setup-go@v6 step to the golangci-lint workflow (the action needs Go installed; relying on the action's default Go version is fragile).
  • Verify each workflow runs green after the bump.

Files

  • .github/workflows/codeql-analysis.yml
  • .github/workflows/golangci-lint.yml
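
The check the issue asks for can be automated. The following is an added example, not code from this repository: it scans workflow text for `uses:` pins and flags any below the majors named in the suggested fix. The names `MIN_MAJOR`, `audit_workflow` and `audit_all` are hypothetical, the sample workflow text is constructed from the lines quoted above, and the line-based regex is an assumption that stands in for a full YAML parser.

```python
import re

# Minimum major per action, taken from the issue's suggested fix (assumed policy).
MIN_MAJOR = {
    "actions/checkout": 6,
    "actions/setup-go": 6,
    "github/codeql-action": 3,
    "golangci/golangci-lint-action": 6,
}
# Matches `uses: owner/repo[/subpath]@ref`, allowing a list dash and quotes.
USES_RE = re.compile(
    r"""^\s*(?:-\s*)?uses:\s*['"]?([\w.-]+/[\w.-]+)((?:/[\w.-]+)*)@([^\s'"#]+)""")

def audit_workflow(path, text):
    """Return (path, line_no, action, ref, reason) for each stale pin in one file."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m or m.group(1) not in MIN_MAJOR:
            continue
        repo, subpath, ref = m.groups()
        major = re.fullmatch(r"v(\d+)(?:\.\d+)*", ref)
        if major is None:
            # Branch names and commit SHAs carry no major version to compare.
            reason = "no version tag, review manually"
        elif int(major.group(1)) < MIN_MAJOR[repo]:
            reason = f"below v{MIN_MAJOR[repo]}"
        else:
            continue
        findings.append((path, line_no, repo + subpath, ref, reason))
    return findings

# Constructed sample input built from the `uses:` lines quoted in the issue.
SAMPLES = {
    ".github/workflows/codeql-analysis.yml":
        "steps:\n  - uses: actions/checkout@v2\n"
        "  - uses: github/codeql-action/init@v1   # retired\n"
        "  - uses: github/codeql-action/analyze@v1\n",
    ".github/workflows/golangci-lint.yml":
        "steps:\n  - uses: actions/checkout@v2\n"
        "  - uses: golangci/golangci-lint-action@v2\n",
    ".github/workflows/ci.yml":
        "steps:\n  - uses: actions/checkout@v6\n  - uses: actions/setup-go@v6\n",
}

def audit_all(workflows):
    return [f for path, text in workflows.items() for f in audit_workflow(path, text)]

if __name__ == "__main__":
    for path, line_no, action, ref, reason in audit_all(SAMPLES):
        print(f"{path}:{line_no}: {action}@{ref} ({reason})")
```

Run as a required CI step, a non-empty result can fail the build, so a stale pin is reported instead of hiding behind a green check.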
