fix: resolve 9 vulnerabilities, upgrade to Go 1.26.0, and update dev tools

[pranav-new-relic]

Problem

Trivy security scan identified 9 vulnerabilities (1 LOW, 8 MEDIUM) in tools/go.mod:

• CVE-2025-54410 (LOW): docker/docker 27.3.1 (firewalld bridge isolation)
• CVE-2026-25934 (MEDIUM): go-git/go-git/v5 5.13.0 (data integrity issue)
• CVE-2025-11065, GHSA-fv92-fjc5-jj9h (MEDIUM): go-viper/mapstructure/v2 2.2.1 (sensitive info leak)
• CVE-2026-22703 (MEDIUM): sigstore/cosign/v2 2.2.4 (verification accepts any valid Rekor entry)
• CVE-2026-23831, CVE-2026-24117 (MEDIUM): sigstore/rekor 1.3.6 (DoS and SSRF)
• CVE-2026-24137 (MEDIUM): sigstore/sigstore 1.8.3 (arbitrary file writes)
• CVE-2025-58058 (MEDIUM): ulikunitz/xz 0.5.14 (memory leak)

Solution

1. Go Toolchain Upgrade

• Upgraded from Go 1.24.0/toolchain 1.24.11 to Go 1.26.0
• Updated go.mod and tools/go.mod to use Go 1.26.0
• Ensures compatibility with latest security patches and language improvements

2. Development Tools Upgrade

• goreleaser: v2.2.0 → v2.13.3 (security fixes and v2 improvements)
• golangci-lint: v2.1.2 → v2.9.0 (latest linting rules and fixes)
• .goreleaser.yml already compatible with v2 (no changes needed)

3. Vulnerability Fixes via Replace Directives

Added strategic replace directives to force secure versions of transitive dependencies:

• github.com/go-git/go-git/v5 → v5.16.5 (CVE-2026-25934 fix)
• github.com/go-viper/mapstructure/v2 → v2.4.0 (CVE-2025-11065, GHSA-fv92-fjc5-jj9h fixes)
• github.com/sigstore/cosign/v2 → v2.6.2 (CVE-2026-22703 fix)
• github.com/sigstore/rekor → v1.5.0 (CVE-2026-23831, CVE-2026-24117 fixes)
• github.com/sigstore/sigstore → v1.10.4 (CVE-2026-24137 fix)
• github.com/ulikunitz/xz → v0.5.15 (CVE-2025-58058 fix)
• github.com/theupdateframework/go-tuf/v2 → v2.4.1 (additional security fixes)
• github.com/anchore/quill → v0.5.1 (goreleaser v2 compatibility)
• github.com/charmbracelet/x/cellbuf → v0.0.15 (goreleaser v2 compatibility)

4. CI/CD Updates

Updated all GitHub Actions workflows to use Go 1.26.x:

• compile.yml: 1.24.x → 1.26.x
• generate.yml: 1.24.x → 1.26.x
• graphql-schema.yml: 1.24.x → 1.26.x
• release.yml: 1.24.x → 1.26.x
• test.yml: 1.24.x → 1.26.x

5. Code Quality Fixes

• Fixed misspelling in pkg/testhelpers/config.go: "configration" → "configuration"
• Import formatting updates from golangci-lint/goimports in test files

Validation

All checks pass:

• ✅ make compile - builds successfully with Go 1.26.0
• ✅ make lint - 0 linting issues
• ✅ trivy fs . - 0 vulnerabilities (was 9)
• ✅ No breaking changes to library functionality

Result

• All 9 vulnerabilities resolved (9 → 0)
• Go toolchain upgraded to latest stable version (1.26.0)
• Development tools upgraded with security fixes
• CI/CD pipelines updated for Go 1.26.x
• Code quality improved with typo fixes

[codecov-commenter]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 33.08%. Comparing base (0f58ddd) to head (8a49913).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1372   +/-   ##
=======================================
  Coverage   33.08%   33.08%           
=======================================
  Files         136      136           
  Lines        6256     6256           
=======================================
  Hits         2070     2070           
  Misses       3989     3989           
  Partials      197      197           

Flag	Coverage Δ
unit	33.08% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.