sync(ci): update tool versions and test matrix config (#275)

Author: mrz1836

.github/env/00-core.env

@@ -30,6 +30,7 @@ GO_SECONDARY_VERSION=1.24.x
 
 # Govulncheck-specific Go version for vulnerability scanning
 GOVULNCHECK_GO_VERSION=1.25.7
+#GOVULNCHECK_GO_VERSION=1.26.0 # Coming soon!
 
 # ================================================================================================
 # 📦 GO MODULE CONFIGURATION

.github/env/10-coverage.env

@@ -32,7 +32,7 @@ GO_COVERAGE_PROVIDER=internal
 CODECOV_TOKEN_REQUIRED=false
 
 # Go Coverage Tool Version
-GO_COVERAGE_VERSION=v1.3.1
+GO_COVERAGE_VERSION=v1.3.4
 GO_COVERAGE_USE_LOCAL=false
 
 # ================================================================================================

.github/env/10-mage-x.env

@@ -61,7 +61,7 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea
 
 MAGE_X_GITLEAKS_VERSION=8.30.0
 MAGE_X_GOFUMPT_VERSION=v0.9.2
-MAGE_X_GOLANGCI_LINT_VERSION=v2.8.0
+MAGE_X_GOLANGCI_LINT_VERSION=v2.9.0
 MAGE_X_GORELEASER_VERSION=v2.13.3
 MAGE_X_GOVULNCHECK_VERSION=v1.1.4
 MAGE_X_GO_SECONDARY_VERSION=1.24.x
@@ -71,7 +71,7 @@ MAGE_X_NANCY_VERSION=v1.2.0
 MAGE_X_STATICCHECK_VERSION=2025.1.1
 MAGE_X_SWAG_VERSION=v1.16.6
 MAGE_X_YAMLFMT_VERSION=v0.21.0
-MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260112171951-5abaabe9f1bd
+MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260211190930-8161c38c6cdc
 MAGE_X_MAGE_VERSION=v1.15.0
 
 # ================================================================================================

.github/env/10-pre-commit.env

@@ -52,7 +52,7 @@ GO_PRE_COMMIT_ALL_FILES=true
 # 🛠️ TOOL VERSIONS
 # ================================================================================================
 
-GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.8.0
+GO_PRE_COMMIT_GOLANGCI_LINT_VERSION=v2.9.0
 GO_PRE_COMMIT_FUMPT_VERSION=v0.9.2
 GO_PRE_COMMIT_GOIMPORTS_VERSION=latest
 GO_PRE_COMMIT_GITLEAKS_VERSION=v8.30.0

.github/workflows/fortress-test-matrix.yml

@@ -248,8 +248,8 @@ jobs:
             echo "🏁 Running tests with race detection (timeout: $TEST_TIMEOUT)..."
           else
             TEST_TIMEOUT="${TEST_TIMEOUT_UNIT:-20m}"
-            TEST_TYPE="unit"
-            echo "🏁 Running tests without coverage or race detection (timeout: $TEST_TIMEOUT)..."
+            TEST_TYPE="short"
+            echo "🏁 Running short tests (skipping integration tests) (timeout: $TEST_TIMEOUT)..."
           fi
 
           # magex CI mode auto-detects GitHub Actions and produces structured output

.github/workflows/pull-request-management-fork.yml

@@ -3,7 +3,7 @@
 #
 #  Purpose: Automate labeling, assignment, and welcoming of pull requests for forked PRs.
 #
-#  Configuration: All settings are loaded from modular .github/env/ files for
+#  Configuration: All settings are loaded from .env.base and .env.custom files for
 #  centralized management across all workflows.
 #
 #  Triggers: Pull request events (opened, reopened, ready for review, closed, synchronize)
@@ -108,7 +108,7 @@ concurrency:
 # --------------------------------------------------------------------
 # Environment Variables
 # --------------------------------------------------------------------
-# Note: Configuration variables are loaded from modular .github/env/ files
+# Note: Configuration variables are loaded from .env.base and .env.custom files
 
 jobs:
   # ------------------------------------------------------------
@@ -117,8 +117,6 @@ jobs:
   load-env:
     name: 🌍 Load Environment (Base Repo)
     runs-on: ubuntu-latest
-    # Early exit: Skip entire workflow for same-repo PRs (handled by main workflow)
-    if: github.event.pull_request.head.repo.full_name != github.repository
     # No write perms here
     permissions:
       contents: read
@@ -127,14 +125,14 @@ jobs:
     steps:
       # ┌─────────────────────────────────────────────────────────────────────┐
       # │ SECURITY SCANNERS: This checkout is SAFE despite pull_request_target│
-      # │                                                                     │
-      # │ Justification:                                                      │
+      # │                                                                      │
+      # │ Justification:                                                       │
       # │  - Only checks out TRUSTED base branch (ref: github.base_ref)       │
       # │  - NEVER checks out PR head code from untrusted fork                │
       # │  - Implements recommended two-workflow security pattern             │
       # │  - Uses sparse checkout (minimal attack surface)                    │
       # │  - No executable code from PR is ever run                           │
-      # │                                                                     │
+      # │                                                                      │
       # │ Pattern: Two-workflow security model (see SECURITY.md)              │
       # │ References: githubactions:S7631, semgrep:github-actions-checkout    │
       # └─────────────────────────────────────────────────────────────────────┘