
chore: update Go deps and CI runtime #47

Merged
drywaters merged 1 commit into main from chore/update-go-deps-node24
Apr 24, 2026

Conversation

@clawford-bot (Contributor) commented Apr 24, 2026

Summary

  • update the main Go module dependencies and refresh go.sum
  • bump the Docker builder/runtime base images to current Go 1.25 / Alpine 3.23 tags
  • update GitHub Actions checkout/buildx/login actions to Node 24-compatible majors

Verification

  • go test ./...
  • parsed .github/workflows/ci.yml with Python yaml.safe_load
  • Docker build could not be run locally because docker is not installed on this host

Summary by CodeRabbit

  • Chores
    • Updated application dependencies to newer versions for improved stability and maintenance.
    • Upgraded CI/CD workflow and Docker build infrastructure.

@coderabbitai (Contributor, bot) commented Apr 24, 2026

📝 Walkthrough

The pull request upgrades infrastructure and build dependencies: GitHub Actions versions in the CI workflow are bumped to newer releases, Docker builder stages use pinned Alpine versions for reproducibility, and multiple Go module dependencies across HTTP clients, databases, templating, and observability libraries are updated to their latest versions.

Changes

Cohort / File(s) | Summary
CI Workflow (.github/workflows/ci.yml) | Upgrades GitHub Actions versions: actions/checkout (v4→v5), docker/setup-buildx-action (v3→v4), and docker/login-action (v3→v4). Step logic and inputs remain unchanged.
Docker Configuration (Dockerfile) | Pins Alpine versions in both build stages: builder golang:1.25-alpine → golang:1.25.9-alpine3.23, and runtime alpine:3.20 → alpine:3.23.4, for reproducible builds.
Go Module Dependencies (go.mod) | Updates direct dependencies including templ (0.3.977→0.3.1001), chi/v5 (5.2.3→5.2.5), pgx/v5 (5.8.0→5.9.2), golang.org/x/net (0.48.0→0.53.0), and google.golang.org/api (0.258.0→0.276.0). Advances OpenTelemetry stack, Google auth libraries, and gRPC to newer versions. Adds indirect github.com/cespare/xxhash/v2.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 Hop hop, the versions dance,
Alpine pins meet Docker's prance,
Dependencies fresh, from chi to chi,
GitHub Actions reach the sky!
All in sync, reproducible and bright, 🌟

🚥 Pre-merge checks: ✅ 5 passed

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title 'chore: update Go deps and CI runtime' accurately summarizes the main changes: updating Go dependencies and CI-related runtime components (Docker base images and GitHub Actions).
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@coderabbitai (Contributor, bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Line 19: Replace mutable major-version tags for GitHub Actions with their pinned full commit SHAs: find usages like actions/checkout@v5 (and other actions using @v4/@v5 such as the ones noted) and update them to the corresponding full commit SHA for the specific release you want to lock to; ensure you fetch the canonical SHA from the action's GitHub repo (Releases/Tags) and replace the tag reference (e.g., actions/checkout@v5) with actions/checkout@<full-commit-sha> to pin the workflow to an immutable commit.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d48737ec-f939-4791-9c4e-a87cf096a425

📥 Commits

Reviewing files that changed from the base of the PR and between feb78f2 and feda776.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (3)
  • .github/workflows/ci.yml
  • Dockerfile
  • go.mod

Comment thread .github/workflows/ci.yml
PLATFORMS: linux/arm64/v8
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
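Review bot: the `actions/checkout@v5` reference in the `steps:` block is still a mutable major-version tag, so the bump trades one floating reference for another; the tag (and `@v4` on the docker/setup-buildx-action and docker/login-action bumps the walkthrough lists) can be retargeted by whoever controls the action repository. Pin to the full 40-character commit SHA of the intended release and keep the human-readable version in a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v5`; the comment keeps the line readable and lets Dependabot, which the analysis above mentions, continue to propose SHA updates.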

🛠️ Refactor suggestion | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What do current GitHub Actions security best practices recommend for pinning actions (major tags vs full commit SHA), and does that guidance apply to official actions like actions/checkout and docker/* actions?

💡 Result:

Current GitHub Actions security best practices strongly recommend pinning all actions to a full-length commit SHA rather than major tags (e.g., @v4). This is the only way to ensure an immutable reference, mitigating supply chain attacks where tags can be moved to malicious commits. Major tags are mutable and risky even from trusted sources. This guidance applies universally, including to official GitHub actions like actions/checkout and docker/* (e.g., docker/login, docker/build-push-action). Official docs state the risk exists if a bad actor gains repo access, and examples consistently show SHA pinning for these actions. GitHub provides policies to enforce SHA pinning org-wide, and even pins actions/checkout's own workflows to SHAs. While official actions have lower compromise risk due to GitHub's security, SHA pinning is still recommended for maximum security and reproducibility. Use tools like Dependabot to automate SHA updates.


Pin GitHub Actions to commit SHAs instead of major version tags.

Major version tags (@v5, @v4) are mutable and can be retargeted to malicious commits. GitHub's security guidance strongly recommends pinning to full commit SHAs for supply-chain integrity. This applies to all actions, including official ones like actions/checkout and docker/* actions.

Also applies to: 50-50, 53-53

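The pinning rule the review comment above describes, as an added example that is not part of this pull request or of any bot's output: a stdlib-only Python audit (no PyYAML, so it runs where the reporter's `yaml.safe_load` check would not) that scans every `uses:` reference in a workflow and reports those that resolve to a mutable tag or branch rather than a full 40-hex commit SHA. It goes a little beyond the single `actions/checkout@v5` line by also classifying job-level reusable-workflow references, local `./` actions (nothing to pin) and `docker://` container actions (immutable only by digest). The embedded workflow text is constructed to mirror the bumps in this PR; the 40-hex value in it is a placeholder, not the commit of any real release.

```python
"""Audit GitHub Actions `uses:` references for mutable (tag/branch) pins.

Added example, stdlib only. It works line by line, so it also catches
job-level `uses:` (reusable workflows), local actions and docker:// images.
"""
import re
import sys
from typing import List, NamedTuple, Optional

# A full-length git object id is the only immutable reference for a repo action.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches step-level ("- uses: x") and job-level ("uses: x") references,
# tolerating quotes and a trailing "# v5" comment after the value.
USES_RE = re.compile(r"""^\s*(?:-\s*)?uses:\s*['"]?([^\s'"#]+)""")


class ActionRef(NamedTuple):
    line: int            # 1-based line number in the workflow file
    action: str          # owner/repo[/path], ./local/path or docker://image
    ref: Optional[str]   # text after '@' (None when there is no ref)
    kind: str            # "sha", "digest", "tag", "local" or "missing"


def classify(lineno: int, value: str) -> ActionRef:
    """Decide whether one `uses:` value is an immutable reference."""
    if value.startswith(("./", "../")):
        # Local actions live in the same checkout; there is nothing to pin.
        return ActionRef(lineno, value, None, "local")
    if value.startswith("docker://"):
        # Container actions are immutable only when pinned by image digest.
        image, sep, digest = value.partition("@")
        kind = "digest" if sep and digest.startswith("sha256:") else "tag"
        return ActionRef(lineno, image, digest or None, kind)
    action, sep, ref = value.partition("@")
    if not sep:
        # No ref at all means the action's default branch is used.
        return ActionRef(lineno, action, None, "missing")
    kind = "sha" if SHA_RE.fullmatch(ref) else "tag"
    return ActionRef(lineno, action, ref, kind)


def audit_workflow(text: str) -> List[ActionRef]:
    """Return every `uses:` reference found in a workflow, in file order."""
    refs = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            refs.append(classify(lineno, m.group(1)))
    return refs


def unpinned(text: str) -> List[ActionRef]:
    """Only the references that a tag move or branch push could retarget."""
    return [r for r in audit_workflow(text) if r.kind in ("tag", "missing")]


def report(text: str) -> str:
    """Human-readable findings, one per mutable reference."""
    lines = []
    for r in unpinned(text):
        target = f"{r.action}@{r.ref}" if r.ref else r.action
        lines.append(f"line {r.line}: {target} is a mutable {r.kind} reference")
    return "\n".join(lines) if lines else "all action references are pinned"


# Constructed sample mirroring the bumps in this PR. The 40-hex value is a
# PLACEHOLDER, not the real commit of any actions/setup-go release.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: ./.github/actions/local-setup
      - uses: docker/setup-buildx-action@v4
      - uses: docker/login-action@v4
        with:
          registry: ghcr.io
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5 (placeholder SHA)
      - run: go test ./...
"""

if __name__ == "__main__":
    # Usage: python audit_actions.py [path/to/workflow.yml]; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WORKFLOW
    print(report(source))
    sys.exit(1 if unpinned(source) else 0)
```

Run against the sample it flags the three `@v4`/`@v5` steps and accepts the SHA-pinned one; the non-zero exit code makes it usable as a CI gate on workflow changes. A line-based scan is deliberately chosen over a YAML parser here so the check has no third-party dependency, at the cost of not seeing `uses:` values spread over flow-style or multi-line YAML.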

@gemini-code-assist (bot) left a comment

Code Review

This pull request updates the Dockerfile to use Go 1.25.9 and Alpine 3.23.4 for the build and runtime environments. It also includes a comprehensive update of Go dependencies, notably bumping templ, chi, and pgx to newer versions. I have no feedback to provide.

@drywaters drywaters merged commit d13c399 into main Apr 24, 2026
1 check passed
@drywaters drywaters deleted the chore/update-go-deps-node24 branch April 24, 2026 15:09