refactor: use pinned golangci-lint Docker image for linting

Refactor Dockerfile to use a separate lint stage with a pinned
golangci-lint v2.11.3 Docker image instead of installing
golangci-lint via curl in the builder stage. This follows the
pattern used by sneak/pixa.

Changes:
- Dockerfile: separate lint stage using golangci/golangci-lint:v2.11.3
  (Debian-based, pinned by sha256) with COPY --from=lint dependency
- Bump Go from 1.24 to 1.26.1 (golang:1.26.1-bookworm, pinned)
- Bump golangci-lint from v1.64.8 to v2.11.3
- Migrate .golangci.yml from v1 to v2 format (same linters, format only)
- All Docker images pinned by sha256 digest
- Fix all lint issues from the v2 linter upgrade:
  - Add package comments to all packages
  - Add doc comments to all exported types, functions, and methods
  - Fix unchecked errors (errcheck)
  - Fix unused parameters (revive)
  - Fix gosec warnings (MaxBytesReader for form parsing)
  - Fix staticcheck suggestions (fmt.Fprintf instead of WriteString)
  - Rename DeliveryTask to Task to avoid stutter (delivery.Task)
  - Rename shadowed builtin 'max' parameter
- Update README.md version requirements

internal/middleware/middleware.go

@@ -1,3 +1,4 @@
+// Package middleware provides HTTP middleware for logging, auth, CORS, and metrics.
 package middleware
 
 import (
@@ -19,7 +20,7 @@ import (
 	"sneak.berlin/go/webhooker/internal/session"
 )
 
-// nolint:revive // MiddlewareParams is a standard fx naming convention
+//nolint:revive // MiddlewareParams is a standard fx naming convention.
 type MiddlewareParams struct {
 	fx.In
 	Logger  *logger.Logger
@@ -28,12 +29,16 @@ type MiddlewareParams struct {
 	Session *session.Session
 }
 
+// Middleware provides HTTP middleware for logging, CORS, auth, and metrics.
 type Middleware struct {
 	log     *slog.Logger
 	params  *MiddlewareParams
 	session *session.Session
 }
 
+// New creates a Middleware from the provided fx parameters.
+//
+//nolint:revive // lc parameter is required by fx even if unused.
 func New(lc fx.Lifecycle, params MiddlewareParams) (*Middleware, error) {
 	s := new(Middleware)
 	s.params = &params
@@ -71,9 +76,7 @@ func (lrw *loggingResponseWriter) WriteHeader(code int) {
 	lrw.ResponseWriter.WriteHeader(code)
 }
 
-// type Middleware func(http.Handler) http.Handler
-// this returns a Middleware that is designed to do every request through the
-// mux, note the signature:
+// Logging returns middleware that logs each HTTP request with timing and metadata.
 func (s *Middleware) Logging() func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -107,6 +110,7 @@ func (s *Middleware) Logging() func(http.Handler) http.Handler {
 	}
 }
 
+// CORS returns middleware that sets CORS headers (permissive in dev, no-op in prod).
 func (s *Middleware) CORS() func(http.Handler) http.Handler {
 	if s.params.Config.IsDev() {
 		// In development, allow any origin for local testing.
@@ -152,6 +156,7 @@ func (s *Middleware) RequireAuth() func(http.Handler) http.Handler {
 	}
 }
 
+// Metrics returns middleware that records Prometheus HTTP metrics.
 func (s *Middleware) Metrics() func(http.Handler) http.Handler {
 	mdlw := ghmm.New(ghmm.Config{
 		Recorder: metrics.NewRecorder(metrics.Config{}),
@@ -161,6 +166,7 @@ func (s *Middleware) Metrics() func(http.Handler) http.Handler {
 	}
 }
 
+// MetricsAuth returns middleware that protects metrics endpoints with basic auth.
 func (s *Middleware) MetricsAuth() func(http.Handler) http.Handler {
 	return basicauth.New(
 		"metrics",

internal/middleware/middleware_test.go

@@ -417,7 +417,7 @@ func TestMetricsAuth_NoCredentials(t *testing.T) {
 	}
 
 	var called bool
-	handler := m.MetricsAuth()(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+	handler := m.MetricsAuth()(http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {
 		called = true
 	}))