docs: add design document for gitleaks integration

Update Go module dependencies to latest versions.
Fix checkmake install path and remove yamllint go install
(yamllint is a Python tool, not installable via go install).

.github/CODEOWNERS

@@ -1 +0,0 @@
-* ivuorinen

.github/actions/setup/action.yml

@@ -10,7 +10,7 @@ runs:
   using: "composite"
   steps:
     - name: Set up Go
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
       with:
         go-version-file: ".go-version"
         cache: true

.github/workflows/build-test-publish.yml

@@ -57,7 +57,7 @@ jobs:
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: test-results
           path: test-results.json
@@ -122,7 +122,7 @@ jobs:
           done
 
       - name: Upload artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: gibidify-${{ matrix.goos }}-${{ matrix.goarch }}
           path: dist/*
@@ -147,7 +147,7 @@ jobs:
           token: ${{ github.token }}
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Log in to GitHub Container Registry
         run: |

.github/workflows/codeql.yml

@@ -1,34 +1,40 @@
 ---
-# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-name: "CodeQL"
+name: CodeQL Analysis
 
 on:
   push:
-    branches: ["main"]
+    branches: [main, develop]
   pull_request:
-    branches: ["main"]
-  schedule:
-    - cron: "30 1 * * 0"
-  merge_group:
+    branches: [main, develop]
 
 permissions: {}
 
 jobs:
   analyze:
-    name: Analyze
+    name: Analyze Code
     runs-on: ubuntu-latest
+
     permissions:
-      actions: read
-      contents: read
-      packages: read
       security-events: write
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ["actions", "go"]
+      contents: read
+      actions: read
+
     steps:
-      - name: CodeQL Analysis
-        uses: ivuorinen/actions/codeql-analysis@1da3a0e79fcd7da6bed9ee1979f1449ba11f58f9 # v2026.03.14
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Setup Go
+        uses: ./.github/actions/setup
         with:
-          language: ${{ matrix.language }}
-          queries: security-and-quality
+          token: ${{ github.token }}
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
+        with:
+          languages: go
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0

.github/workflows/pr-lint.yml

@@ -29,4 +29,4 @@ jobs:
         with:
           token: ${{ github.token }}
 
-      - uses: ivuorinen/actions/pr-lint@1da3a0e79fcd7da6bed9ee1979f1449ba11f58f9 # v2026.03.14
+      - uses: ivuorinen/actions/pr-lint@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73 # v2026.01.21

.github/workflows/security.yml

@@ -33,12 +33,12 @@ jobs:
 
       # Security Scanning with gosec
       - name: Run gosec Security Scanner
-        uses: securego/gosec@bb17e422fc34bf4c0a2e5cab9d07dc45a68c040c # v2.24.7
+        uses: securego/gosec@424fc4cd9c82ea0fd6bee9cd49c2db2c3cc0c93f # v2.22.11
         with:
           args: "-fmt sarif -out gosec-results.sarif ./..."
 
       - name: Upload gosec results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
+        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
         if: always()
         with:
           sarif_file: gosec-results.sarif
@@ -87,7 +87,7 @@ jobs:
 
       # Upload artifacts for review
       - name: Upload security scan results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         if: always()
         with:
           name: security-scan-results

.github/workflows/sync-labels.yml

@@ -22,4 +22,4 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
-      - uses: ivuorinen/actions/sync-labels@1da3a0e79fcd7da6bed9ee1979f1449ba11f58f9 # v2026.03.14
+      - uses: ivuorinen/actions/sync-labels@f98ae7cd7d0feb1f9d6b01de0addbb11414cfc73 # v2026.01.21

.go-version

@@ -1 +1 @@
-1.26.1
+1.25.5

.pre-commit-config.yaml

@@ -3,7 +3,7 @@
 # For more hooks, see https://pre-commit.com/hooks.html
 repos:
   - repo: https://github.com/editorconfig-checker/editorconfig-checker.python
-    rev: 3.6.1
+    rev: 3.6.0
     hooks:
       - id: editorconfig-checker
         alias: ec

Dockerfile

@@ -1,5 +1,5 @@
 # Use a minimal base image
-FROM alpine:3.23.3
+FROM alpine:3.23.2
 
 # Add user
 RUN useradd -ms /bin/bash gibidify

fileproc/resource_monitor_concurrency.go

@@ -51,7 +51,7 @@ func (rm *ResourceMonitor) CreateFileProcessingContext(parent context.Context) (
 		return parent, func() {}
 	}
 
-	return context.WithTimeout(parent, rm.fileProcessingTimeout) // #nosec G118 - cancel returned to caller
+	return context.WithTimeout(parent, rm.fileProcessingTimeout)
 }
 
 // CreateOverallProcessingContext creates a context with overall processing timeout.
@@ -64,5 +64,5 @@ func (rm *ResourceMonitor) CreateOverallProcessingContext(parent context.Context
 		return parent, func() {}
 	}
 
-	return context.WithTimeout(parent, rm.overallTimeout) // #nosec G118 - cancel returned to caller
+	return context.WithTimeout(parent, rm.overallTimeout)
 }

go.mod

@@ -1,8 +1,6 @@
 module github.com/ivuorinen/gibidify
 
-go 1.25.0
-
-toolchain go1.26.1
+go 1.25
 
 require (
 	github.com/fatih/color v1.18.0
@@ -10,7 +8,7 @@ require (
 	github.com/schollz/progressbar/v3 v3.19.0
 	github.com/sirupsen/logrus v1.9.4
 	github.com/spf13/viper v1.21.0
-	golang.org/x/text v0.35.0
+	golang.org/x/text v0.33.0
 	gopkg.in/yaml.v3 v3.0.1
 )
 

go.sum

@@ -62,8 +62,8 @@ golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
 golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
 golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
-golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=