refactor: use pinned golangci-lint Docker image for linting

Refactor Dockerfile to use a separate lint stage with a pinned
golangci-lint v2.11.3 Docker image instead of installing
golangci-lint via curl in the builder stage. This follows the
pattern used by sneak/pixa.

Changes:
- Dockerfile: separate lint stage using golangci/golangci-lint:v2.11.3
  (Debian-based, pinned by sha256) with COPY --from=lint dependency
- Bump Go from 1.24 to 1.26.1 (golang:1.26.1-bookworm, pinned)
- Bump golangci-lint from v1.64.8 to v2.11.3
- Migrate .golangci.yml from v1 to v2 format (same linters, format only)
- All Docker images pinned by sha256 digest
- Fix all lint issues from the v2 linter upgrade:
  - Add package comments to all packages
  - Add doc comments to all exported types, functions, and methods
  - Fix unchecked errors (errcheck)
  - Fix unused parameters (revive)
  - Fix gosec warnings (MaxBytesReader for form parsing)
  - Fix staticcheck suggestions (fmt.Fprintf instead of WriteString)
  - Rename DeliveryTask to Task to avoid stutter (delivery.Task)
  - Rename shadowed builtin 'max' parameter
- Update README.md version requirements

internal/database/database.go

@@ -1,3 +1,4 @@
+// Package database provides SQLite persistence for webhooks, events, and users.
 package database
 
 import (
@@ -19,30 +20,42 @@ import (
 	"sneak.berlin/go/webhooker/internal/logger"
 )
 
-// nolint:revive // DatabaseParams is a standard fx naming convention
+const (
+	dataDirPerm       = 0750
+	randomPasswordLen = 16
+	sessionKeyLen     = 32
+)
+
+//nolint:revive // DatabaseParams is a standard fx naming convention.
 type DatabaseParams struct {
 	fx.In
+
 	Config *config.Config
 	Logger *logger.Logger
 }
 
+// Database manages the main SQLite connection and schema migrations.
 type Database struct {
 	db     *gorm.DB
 	log    *slog.Logger
 	params *DatabaseParams
 }
 
-func New(lc fx.Lifecycle, params DatabaseParams) (*Database, error) {
+// New creates a Database that connects on fx start and disconnects on stop.
+func New(
+	lc fx.Lifecycle,
+	params DatabaseParams,
+) (*Database, error) {
 	d := &Database{
 		params: &params,
 		log:    params.Logger.Get(),
 	}
 
 	lc.Append(fx.Hook{
-		OnStart: func(_ context.Context) error { // nolint:revive // ctx unused but required by fx
+		OnStart: func(_ context.Context) error {
 			return d.connect()
 		},
-		OnStop: func(_ context.Context) error { // nolint:revive // ctx unused but required by fx
+		OnStop: func(_ context.Context) error {
 			return d.close()
 		},
 	})
@@ -50,21 +63,92 @@ func New(lc fx.Lifecycle, params DatabaseParams) (*Database, error) {
 	return d, nil
 }
 
+// DB returns the underlying GORM database handle.
+func (d *Database) DB() *gorm.DB {
+	return d.db
+}
+
+// GetOrCreateSessionKey retrieves the session encryption key from the
+// settings table. If no key exists, a cryptographically secure random
+// 32-byte key is generated, base64-encoded, and stored for future use.
+func (d *Database) GetOrCreateSessionKey() (string, error) {
+	var setting Setting
+
+	result := d.db.Where(
+		&Setting{Key: "session_key"},
+	).First(&setting)
+	if result.Error == nil {
+		return setting.Value, nil
+	}
+
+	if !errors.Is(result.Error, gorm.ErrRecordNotFound) {
+		return "", fmt.Errorf(
+			"failed to query session key: %w",
+			result.Error,
+		)
+	}
+
+	// Generate a new cryptographically secure 32-byte key
+	keyBytes := make([]byte, sessionKeyLen)
+
+	_, err := rand.Read(keyBytes)
+	if err != nil {
+		return "", fmt.Errorf(
+			"failed to generate session key: %w",
+			err,
+		)
+	}
+
+	encoded := base64.StdEncoding.EncodeToString(keyBytes)
+
+	setting = Setting{
+		Key:   "session_key",
+		Value: encoded,
+	}
+
+	err = d.db.Create(&setting).Error
+	if err != nil {
+		return "", fmt.Errorf(
+			"failed to store session key: %w",
+			err,
+		)
+	}
+
+	d.log.Info(
+		"generated new session key and stored in database",
+	)
+
+	return encoded, nil
+}
+
 func (d *Database) connect() error {
 	// Ensure the data directory exists before opening the database.
 	dataDir := d.params.Config.DataDir
-	if err := os.MkdirAll(dataDir, 0750); err != nil {
-		return fmt.Errorf("creating data directory %s: %w", dataDir, err)
+
+	err := os.MkdirAll(dataDir, dataDirPerm)
+	if err != nil {
+		return fmt.Errorf(
+			"creating data directory %s: %w",
+			dataDir,
+			err,
+		)
 	}
 
 	// Construct the main application database path inside DATA_DIR.
 	dbPath := filepath.Join(dataDir, "webhooker.db")
-	dbURL := fmt.Sprintf("file:%s?cache=shared&mode=rwc", dbPath)
+	dbURL := fmt.Sprintf(
+		"file:%s?cache=shared&mode=rwc",
+		dbPath,
+	)
 
 	// Open the database with the pure Go SQLite driver
 	sqlDB, err := sql.Open("sqlite", dbURL)
 	if err != nil {
-		d.log.Error("failed to open database", "error", err)
+		d.log.Error(
+			"failed to open database",
+			"error", err,
+		)
+
 		return err
 	}
 
@@ -73,7 +157,11 @@ func (d *Database) connect() error {
 		Conn: sqlDB,
 	}, &gorm.Config{})
 	if err != nil {
-		d.log.Error("failed to connect to database", "error", err)
+		d.log.Error(
+			"failed to connect to database",
+			"error", err,
+		)
+
 		return err
 	}
 
@@ -86,101 +174,100 @@ func (d *Database) connect() error {
 
 func (d *Database) migrate() error {
 	// Run GORM auto-migrations
-	if err := d.Migrate(); err != nil {
-		d.log.Error("failed to run database migrations", "error", err)
+	err := d.Migrate()
+	if err != nil {
+		d.log.Error(
+			"failed to run database migrations",
+			"error", err,
+		)
+
 		return err
 	}
+
 	d.log.Info("database migrations completed")
 
 	// Check if admin user exists
 	var userCount int64
-	if err := d.db.Model(&User{}).Count(&userCount).Error; err != nil {
-		d.log.Error("failed to count users", "error", err)
+
+	err = d.db.Model(&User{}).Count(&userCount).Error
+	if err != nil {
+		d.log.Error(
+			"failed to count users",
+			"error", err,
+		)
+
 		return err
 	}
 
 	if userCount == 0 {
-		// Create admin user
-		d.log.Info("no users found, creating admin user")
-
-		// Generate random password
-		password, err := GenerateRandomPassword(16)
-		if err != nil {
-			d.log.Error("failed to generate random password", "error", err)
-			return err
-		}
-
-		// Hash the password
-		hashedPassword, err := HashPassword(password)
-		if err != nil {
-			d.log.Error("failed to hash password", "error", err)
-			return err
-		}
-
-		// Create admin user
-		adminUser := &User{
-			Username: "admin",
-			Password: hashedPassword,
-		}
-
-		if err := d.db.Create(adminUser).Error; err != nil {
-			d.log.Error("failed to create admin user", "error", err)
-			return err
-		}
-
-		d.log.Info("admin user created",
-			"username", "admin",
-			"password", password,
-			"message", "SAVE THIS PASSWORD - it will not be shown again!",
-		)
+		return d.createAdminUser()
 	}
 
 	return nil
 }
 
+func (d *Database) createAdminUser() error {
+	d.log.Info("no users found, creating admin user")
+
+	// Generate random password
+	password, err := GenerateRandomPassword(
+		randomPasswordLen,
+	)
+	if err != nil {
+		d.log.Error(
+			"failed to generate random password",
+			"error", err,
+		)
+
+		return err
+	}
+
+	// Hash the password
+	hashedPassword, err := HashPassword(password)
+	if err != nil {
+		d.log.Error(
+			"failed to hash password",
+			"error", err,
+		)
+
+		return err
+	}
+
+	// Create admin user
+	adminUser := &User{
+		Username: "admin",
+		Password: hashedPassword,
+	}
+
+	err = d.db.Create(adminUser).Error
+	if err != nil {
+		d.log.Error(
+			"failed to create admin user",
+			"error", err,
+		)
+
+		return err
+	}
+
+	d.log.Info("admin user created",
+		"username", "admin",
+		"password", password,
+		"message",
+		"SAVE THIS PASSWORD - it will not be shown again!",
+	)
+
+	return nil
+}
+
 func (d *Database) close() error {
 	if d.db != nil {
 		sqlDB, err := d.db.DB()
 		if err != nil {
 			return err
 		}
+
 		return sqlDB.Close()
 	}
+
 	return nil
 }
-
-func (d *Database) DB() *gorm.DB {
-	return d.db
-}
-
-// GetOrCreateSessionKey retrieves the session encryption key from the
-// settings table. If no key exists, a cryptographically secure random
-// 32-byte key is generated, base64-encoded, and stored for future use.
-func (d *Database) GetOrCreateSessionKey() (string, error) {
-	var setting Setting
-	result := d.db.Where(&Setting{Key: "session_key"}).First(&setting)
-	if result.Error == nil {
-		return setting.Value, nil
-	}
-	if !errors.Is(result.Error, gorm.ErrRecordNotFound) {
-		return "", fmt.Errorf("failed to query session key: %w", result.Error)
-	}
-
-	// Generate a new cryptographically secure 32-byte key
-	keyBytes := make([]byte, 32)
-	if _, err := rand.Read(keyBytes); err != nil {
-		return "", fmt.Errorf("failed to generate session key: %w", err)
-	}
-	encoded := base64.StdEncoding.EncodeToString(keyBytes)
-
-	setting = Setting{
-		Key:   "session_key",
-		Value: encoded,
-	}
-	if err := d.db.Create(&setting).Error; err != nil {
-		return "", fmt.Errorf("failed to store session key: %w", err)
-	}
-
-	d.log.Info("generated new session key and stored in database")
-	return encoded, nil
-}