
ci: pin govulncheck install to v1.1.4 (#41) #71

Merged: ilmoniemi merged 3 commits into main from feature/41 on May 12, 2026

Conversation

@ilmoniemi (Contributor)

What

Replaces `go install golang.org/x/vuln/cmd/govulncheck@latest` in the `security` job of `.github/workflows/ci.yml` with an explicit `@v1.1.4` pin, plus a `# Tracks:` comment matching the pinning convention already used by the Trivy action in `image-scan` (#68) and the Dockerfile base-image digests (#32).

Single-line change (with surrounding comment block); no Go source touched.

Issue

Closes #41.

Version chosen

v1.1.4 — re-verified at implementation time against https://api.github.com/repos/golang/vuln/releases as the current latest non-prerelease tag (matches the spec-time selection). No newer stable tag is available, so no bump from the spec's value was needed.

Testing

  • `go vet ./...` — clean.
  • `go test -race ./...` — pass.
  • The PR check itself is the acceptance test for AC#2: the `security` job will resolve `@v1.1.4` through proxy.golang.org, install the pinned binary, and run `govulncheck ./...` against the current `go.mod`. If the pin exists and is functionally compatible, the job goes green.

Architecture compliance

Follows docs/specs/architecture/41-pin-govulncheck-version.md verbatim:

  • Edits only line 36 of ci.yml (with a # Tracks: comment block above the step, mirroring the image-scan job's structure).
  • Uses a semver tag rather than a commit SHA — the spec's § Why a semver tag, not a commit SHA or pseudo-version rationale applies (Go's sum.golang.org checksum DB provides immutability for go install that uses: references in GitHub Actions lack).
  • Leaves gosec@latest on the line above untouched (explicitly out of scope per ticket and spec).
  • No .renovaterc change required — Renovate already tracks explicit-version go install lines via its gomodTags manager.

Security-sensitive

This ticket carries the security-sensitive label and the spec includes a ## Security review section (verdict: PASS). The change tightens a trust boundary by replacing a moving reference with a checksum-verified immutable one; no new trust surface introduced.

ilmoniemi added 2 commits on May 12, 2026 20:19:
Replaces `go install …/govulncheck@latest` in the `security` job with
the explicit `@v1.1.4` tag, plus a `# Tracks:` comment matching the
convention used by the Trivy action pin in `image-scan` (#68) and the
Dockerfile base-image digest pins (#32).

`@latest` resolves at workflow-run time against proxy.golang.org, so a
compromised or buggy upstream release would silently land in CI on the
next trigger with no code change. For a tool whose job is to flag
supply-chain risk on an internet-exposed service, that is the exact
anti-pattern the tool is meant to guard against. A semver tag is
materially equivalent to a SHA here because go.sum / sum.golang.org
verify module contents and `GOSUMDB` is not disabled; Renovate tracks
explicit-version `go install` lines and will surface future bumps as
ordinary PRs.

`v1.1.4` confirmed at implementation time as the current latest
non-prerelease tag on github.com/golang/vuln. `gosec@latest` on the
line above is explicitly out of scope per the ticket (one concern per
ticket).

Refs: #41
@ilmoniemi (Contributor, Author)

Code Review: #41

Decision: PASS

Findings

None.

Summary

Single-line pin of `golang.org/x/vuln/cmd/govulncheck` from `@latest` to `@v1.1.4` in `.github/workflows/ci.yml:43`, with a multi-line `# Tracks:` comment block (lines 35-41) that mirrors the convention established by the Trivy pin in the adjacent `image-scan` job. Implementation matches the spec verbatim.

Security-sensitive checks:

  • Spec carries a ## Security review section with PASS verdict and findings list — required precondition met.
  • Diff applies security goggles: no tokens/secrets in logs, no file ops, no subprocess interpolation (the run: line is a fixed shell command with no ${{ … }}), no crypto, no new network destinations. The change strictly tightens the trust boundary — it reduces the set of artefacts that can land in CI from "whatever upstream tags as latest" to a single checksummed module version verified against sum.golang.org.
  • gosec @latest on line 34 remains untouched — explicitly out of scope per the ticket's Technical Notes and the spec's Out of scope section. Correct call.

AC verification:

  • AC#1 — `.github/workflows/ci.yml:43` references `@v1.1.4`, an explicit immutable version. ✓
  • AC#2 — CI passes on this PR: security job green at 55s after installing govulncheck@v1.1.4 and running govulncheck ./... against the current go.mod. ✓

Optional follow-ups noted in the spec (already deferred, not blockers): (a) pin gosec analogously; (b) consider a tools.go pattern if a third tool needs pinning; (c) a CI lint that rejects @latest in .github/workflows/*.yml.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
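As an added example that is not code from this PR or its repository: a small POSIX shell lint in the spirit of the deferred follow-up (c) above, run over constructed before/after versions of the `security` step. The gosec module path and the wording of the `# Tracks:` comment in the samples are assumptions.

```shell
#!/bin/sh
# Added example, not from the PR or its repository: a lint for the deferred
# follow-up (c), run over constructed before/after versions of the step.
# The gosec module path and the `# Tracks:` wording below are assumptions.

# "go install <module>@latest" anywhere on a line. The suffix must be followed
# by whitespace or end of line so a tag such as "@latest-rc" would not match.
LATEST_PATTERN='go[[:space:]]+install[[:space:]]+[^[:space:]]+@latest([[:space:]]|$)'

# Write two constructed sample workflow fragments into DIR: the unpinned
# state before the PR and the pinned state after it (gosec stays @latest,
# as the PR leaves it out of scope).
write_sample_workflows() {
  cat > "$1/ci-before.yml" <<'EOF'
      - name: Static analysis
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          go install golang.org/x/vuln/cmd/govulncheck@latest
          govulncheck ./...
EOF
  cat > "$1/ci-after.yml" <<'EOF'
      # Tracks: golang.org/x/vuln releases; Renovate (gomodTags) bumps the pin
      - name: Static analysis
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
          go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
          govulncheck ./...
EOF
}

# Print how many offending lines FILE contains (0 when clean).
count_latest_installs() {
  grep -cE "$LATEST_PATTERN" "$1" || true
}

# Print every offender as file:line:text and return 1 if any was found,
# so the function can gate a CI job.
lint_workflows() {
  rc=0
  for f in "$@"; do
    # Passing /dev/null as a second file makes grep prefix the file name.
    if grep -nE "$LATEST_PATTERN" "$f" /dev/null; then rc=1; fi
  done
  return "$rc"
}

# Usage (run in a scratch directory):
#   d=$(mktemp -d); write_sample_workflows "$d"; lint_workflows "$d"/*.yml
# The before file reports two offenders; the after file still reports gosec.
```

The pinned file still fails the lint because of the untouched `gosec@latest` line, which is exactly follow-up (a) from the review.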
ilmoniemi merged commit d6dfb02 into main on May 12, 2026 (3 checks passed).
ilmoniemi deleted the feature/41 branch on May 12, 2026 17:27.
Development

Successfully merging this pull request may close these issues.

relay: govulncheck in CI — flag reachable Go vulns at PR time
