ETag-aware conditional poll + Go 1.26 bump

[smartinov]

Hey — small PR to add ETag-aware conditional polling to the loader, plus the Go bump that makes Green Tea GC reachable for downstream services.

What this is for

We've been hitting a sharp edge with --poll=true: the URL-in-body skip works great when the upstream returns a stable URL, but the moment the upstream uses signed URLs (which change every request) every poll downloads and re-applies the whole repo even when nothing has changed. ETag is the standard HTTP fix for exactly this — server tags responses with a stable revision, client sends If-None-Match, server returns 304 Not Modified if unchanged, and we skip the body entirely.

Importantly: this change is purely additive. If your upstream doesn't speak ETag, nothing changes.

How the loader behaves now

• First poll after process start: no If-None-Match (we haven't seen an ETag yet). Same wire as today.
• Server sends ETag on a 200: we remember it. Same response handling otherwise.
• Subsequent poll: we send If-None-Match: <last seen>. If the server replies 304 Not Modified we skip the body read entirely. If it replies 200 with a new ETag, we update our copy and proceed.
• Server doesn't send ETag at all, ever: `lastETag` stays empty, no `If-None-Match` is ever sent on the wire, behaviour is byte-for-byte the same as before.
• The existing URL-in-body skip is still there and still works as a fallback for non-ETag-aware upstreams.

What's in the diff

• `pkg/repo/repo.go` — one new field on `Repo`: `lastETag string`. Zero-value safe so the constructor doesn't change.
• `pkg/repo/loader.go` — the `if r.poll { ... }` block in `update()` now does the conditional-request dance.
• `pkg/repo/loader_test.go` — new test file covering the four cases the change introduces:
  • upstream never sends ETag, loader behaves like today
  • upstream sends ETag, second call gets `304`, body is skipped
  • upstream changes ETag, loader picks up the new one
  • first call must not include `If-None-Match`
• `go.mod` — bumped from `1.25.4` to `1.26.0`. Two latent format-string bugs (`%q` used with `int` arguments in `responses/error.go` and `pkg/repo/loader.go`) that Go 1.26's stricter vet now refuses to compile are fixed in the same commit.
• `.golangci.yml` — `go:` analysis version bumped to match.

Test plan

• `go build ./...` passes
• `go test ./... -race` passes (all existing tests plus the four new ones)
• The new tests run with `t.Parallel()` and use `httptest.Server`, no global state.

A note on the Go bump

Some downstream services (us included) want to enable Green Tea GC via `GOEXPERIMENT=greentea`, which is a build-time experiment that Go 1.25+ understands. Bumping the toolchain here unblocks that without forcing every downstream to also fork. Happy to split the bump into a separate PR if you'd prefer.

Let me know if anything in the design rubs you wrong — happy to iterate.

Rolled-in dependency bumps

To ship a single secure, up-to-date PR rather than three serialized ones, this branch also rolls up the open Dependabot bumps. The same upgrades land here at the highest (newest) version from each:

• alpine 3.22.0 → 3.22.2 in build/buildx.Dockerfile (supersedes chore(deps): bump alpine from 3.22.0 to 3.22.2 in /build in the docker-update group #69)
• gomod-update group: foomo/keel 0.22.0→0.22.1, cobra 1.10.1→1.10.2, gocloud.dev 0.43.0→0.44.0 (supersedes chore(deps): bump the gomod-update group across 1 directory with 5 updates #73)
• gomod-security group: golang.org/x/net 0.47→0.52, golang.org/x/sync 0.18→0.20, go-jose/v4 4.1.3→4.1.4 (GHSA-78h2-9frx-2jm8 — JWE decryption panic), AWS SDK + otel bumps (supersedes chore(deps): bump the gomod-security group across 1 directory with 5 updates #77)

go test ./... -race and golangci-lint run ./... (v2.11.4) both clean against the rolled-up go.mod.

PRs #69, #73, #77 will be closed once this merges.