refactor: use pinned golangci-lint Docker image for linting

Refactor Dockerfile to use a separate lint stage with a pinned
golangci-lint v2.11.3 Docker image instead of installing
golangci-lint via curl in the builder stage. This follows the
pattern used by sneak/pixa.

Changes:
- Dockerfile: separate lint stage using golangci/golangci-lint:v2.11.3
  (Debian-based, pinned by sha256) with COPY --from=lint dependency
- Bump Go from 1.24 to 1.26.1 (golang:1.26.1-bookworm, pinned)
- Bump golangci-lint from v1.64.8 to v2.11.3
- Migrate .golangci.yml from v1 to v2 format (same linters, format only)
- All Docker images pinned by sha256 digest
- Fix all lint issues from the v2 linter upgrade:
  - Add package comments to all packages
  - Add doc comments to all exported types, functions, and methods
  - Fix unchecked errors (errcheck)
  - Fix unused parameters (revive)
  - Fix gosec warnings (MaxBytesReader for form parsing)
  - Fix staticcheck suggestions (fmt.Fprintf instead of WriteString)
  - Rename DeliveryTask to Task to avoid stutter (delivery.Task)
  - Rename shadowed builtin 'max' parameter
- Update README.md version requirements

internal/middleware/ratelimit_test.go

@@ -1,90 +1,147 @@
-package middleware
+package middleware_test
 
 import (
+	"context"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
 	"sneak.berlin/go/webhooker/internal/config"
+	"sneak.berlin/go/webhooker/internal/middleware"
 )
 
 func TestLoginRateLimit_AllowsGET(t *testing.T) {
 	t.Parallel()
+
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 
 	var callCount int
-	handler := m.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		callCount++
-		w.WriteHeader(http.StatusOK)
-	}))
+
+	handler := m.LoginRateLimit()(http.HandlerFunc(
+		func(w http.ResponseWriter, _ *http.Request) {
+			callCount++
+
+			w.WriteHeader(http.StatusOK)
+		},
+	))
 
 	// GET requests should never be rate-limited
-	for i := 0; i < 20; i++ {
-		req := httptest.NewRequest(http.MethodGet, "/pages/login", nil)
+	for i := range 20 {
+		req := httptest.NewRequestWithContext(
+			context.Background(),
+			http.MethodGet, "/pages/login", nil,
+		)
 		req.RemoteAddr = "192.168.1.1:12345"
+
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
-		assert.Equal(t, http.StatusOK, w.Code, "GET request %d should pass", i)
+
+		assert.Equal(
+			t, http.StatusOK, w.Code,
+			"GET request %d should pass", i,
+		)
 	}
+
 	assert.Equal(t, 20, callCount)
 }
 
 func TestLoginRateLimit_LimitsPOST(t *testing.T) {
 	t.Parallel()
+
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 
 	var callCount int
-	handler := m.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		callCount++
-		w.WriteHeader(http.StatusOK)
-	}))
+
+	handler := m.LoginRateLimit()(http.HandlerFunc(
+		func(w http.ResponseWriter, _ *http.Request) {
+			callCount++
+
+			w.WriteHeader(http.StatusOK)
+		},
+	))
 
 	// First loginRateLimit POST requests should succeed
-	for i := 0; i < loginRateLimit; i++ {
-		req := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	for i := range middleware.LoginRateLimitConst {
+		req := httptest.NewRequestWithContext(
+			context.Background(),
+			http.MethodPost, "/pages/login", nil,
+		)
 		req.RemoteAddr = "10.0.0.1:12345"
+
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
-		assert.Equal(t, http.StatusOK, w.Code, "POST request %d should pass", i)
+
+		assert.Equal(
+			t, http.StatusOK, w.Code,
+			"POST request %d should pass", i,
+		)
 	}
 
 	// Next POST should be rate-limited
-	req := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost, "/pages/login", nil,
+	)
 	req.RemoteAddr = "10.0.0.1:12345"
+
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
-	assert.Equal(t, http.StatusTooManyRequests, w.Code, "POST after limit should be 429")
-	assert.Equal(t, loginRateLimit, callCount)
+
+	assert.Equal(
+		t, http.StatusTooManyRequests, w.Code,
+		"POST after limit should be 429",
+	)
+	assert.Equal(t, middleware.LoginRateLimitConst, callCount)
 }
 
 func TestLoginRateLimit_IndependentPerIP(t *testing.T) {
 	t.Parallel()
+
 	m, _ := testMiddleware(t, config.EnvironmentDev)
 
-	handler := m.LoginRateLimit()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
-		w.WriteHeader(http.StatusOK)
-	}))
+	handler := m.LoginRateLimit()(http.HandlerFunc(
+		func(w http.ResponseWriter, _ *http.Request) {
+			w.WriteHeader(http.StatusOK)
+		},
+	))
 
 	// Exhaust limit for IP1
-	for i := 0; i < loginRateLimit; i++ {
-		req := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	for range middleware.LoginRateLimitConst {
+		req := httptest.NewRequestWithContext(
+			context.Background(),
+			http.MethodPost, "/pages/login", nil,
+		)
 		req.RemoteAddr = "1.2.3.4:12345"
+
 		w := httptest.NewRecorder()
 		handler.ServeHTTP(w, req)
 	}
 
 	// IP1 should be rate-limited
-	req := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	req := httptest.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost, "/pages/login", nil,
+	)
 	req.RemoteAddr = "1.2.3.4:12345"
+
 	w := httptest.NewRecorder()
 	handler.ServeHTTP(w, req)
+
 	assert.Equal(t, http.StatusTooManyRequests, w.Code)
 
 	// IP2 should still be allowed
-	req2 := httptest.NewRequest(http.MethodPost, "/pages/login", nil)
+	req2 := httptest.NewRequestWithContext(
+		context.Background(),
+		http.MethodPost, "/pages/login", nil,
+	)
 	req2.RemoteAddr = "5.6.7.8:12345"
+
 	w2 := httptest.NewRecorder()
 	handler.ServeHTTP(w2, req2)
-	assert.Equal(t, http.StatusOK, w2.Code, "different IP should not be affected")
+
+	assert.Equal(
+		t, http.StatusOK, w2.Code,
+		"different IP should not be affected",
+	)
 }