refactor: use pinned golangci-lint Docker image for linting (#55)

Closes [issue #50](#50)

## Summary

Refactors the Dockerfile to use a separate lint stage with a pinned golangci-lint Docker image, following the pattern used by [sneak/pixa](https://git.eeqj.de/sneak/pixa). This replaces the previous approach of installing golangci-lint via curl in the builder stage.

## Changes

### Dockerfile
- **New `lint` stage** using `golangci/golangci-lint:v2.11.3` (Debian-based, pinned by sha256 digest) as a separate build stage
- **Builder stage** depends on lint via `COPY --from=lint /src/go.sum /dev/null` — build won't proceed unless linting passes
- **Go bumped** from 1.24 to 1.26.1 (`golang:1.26.1-bookworm`, pinned by sha256)
- **golangci-lint bumped** from v1.64.8 to v2.11.3
- All three Docker images (golangci-lint, golang, alpine) pinned by sha256 digest
- Debian-based golangci-lint image used (not Alpine) because mattn/go-sqlite3 CGO does not compile on musl (off64_t)

### Linter Config (.golangci.yml)
- Migrated from v1 to v2 format (`version: "2"` added)
- Removed linters no longer available in v2: `gofmt` (handled by `make fmt-check`), `gosimple` (merged into `staticcheck`), `typecheck` (always-on in v2)
- Same set of linters enabled — no rules weakened

### Code Fixes (all lint issues from v2 upgrade)
- Added package comments to all packages
- Added doc comments to all exported types, functions, and methods
- Fixed unchecked errors flagged by `errcheck` (sqlDB.Close, os.Setenv in tests, resp.Body.Close, fmt.Fprint)
- Fixed unused parameters flagged by `revive` (renamed to `_`)
- Fixed `gosec` G120 warnings: added `http.MaxBytesReader` before `r.ParseForm()` calls
- Fixed `staticcheck` QF1012: replaced `WriteString(fmt.Sprintf(...))` with `fmt.Fprintf`
- Fixed `staticcheck` QF1003: converted if/else chain to tagged switch
- Renamed `DeliveryTask` → `Task` to avoid package stutter (`delivery.Task` instead of `delivery.DeliveryTask`)
- Renamed shadowed builtin `max` parameter to `upperBound` in `cryptoRandInt`
- Used `t.Setenv` instead of `os.Setenv` in tests (auto-restores)

### README.md
- Updated version requirements: Go 1.26+, golangci-lint v2.11+
- Updated Dockerfile description in project structure

## Verification

`docker build .` passes cleanly — formatting check, linting, all tests, and build all succeed.

Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de>
Reviewed-on: #55
Co-authored-by: clawbot <clawbot@noreply.example.org>
Co-committed-by: clawbot <clawbot@noreply.example.org>

internal/database/password_test.go

@@ -1,11 +1,15 @@
-package database
+package database_test
 
 import (
 	"strings"
 	"testing"
+
+	"sneak.berlin/go/webhooker/internal/database"
 )
 
 func TestGenerateRandomPassword(t *testing.T) {
+	t.Parallel()
+
 	tests := []struct {
 		name   string
 		length int
@@ -18,109 +22,172 @@ func TestGenerateRandomPassword(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			password, err := GenerateRandomPassword(tt.length)
+			t.Parallel()
+
+			password, err := database.GenerateRandomPassword(
+				tt.length,
+			)
 			if err != nil {
-				t.Fatalf("GenerateRandomPassword() error = %v", err)
+				t.Fatalf(
+					"GenerateRandomPassword() error = %v",
+					err,
+				)
 			}
 
 			if len(password) != tt.length {
-				t.Errorf("Password length = %v, want %v", len(password), tt.length)
+				t.Errorf(
+					"Password length = %v, want %v",
+					len(password), tt.length,
+				)
 			}
 
-			// For passwords >= 4 chars, check complexity
-			if tt.length >= 4 {
-				hasUpper := false
-				hasLower := false
-				hasDigit := false
-				hasSpecial := false
-
-				for _, char := range password {
-					switch {
-					case char >= 'A' && char <= 'Z':
-						hasUpper = true
-					case char >= 'a' && char <= 'z':
-						hasLower = true
-					case char >= '0' && char <= '9':
-						hasDigit = true
-					case strings.ContainsRune("!@#$%^&*()_+-=[]{}|;:,.<>?", char):
-						hasSpecial = true
-					}
-				}
-
-				if !hasUpper || !hasLower || !hasDigit || !hasSpecial {
-					t.Errorf("Password lacks required complexity: upper=%v, lower=%v, digit=%v, special=%v",
-						hasUpper, hasLower, hasDigit, hasSpecial)
-				}
-			}
+			checkPasswordComplexity(
+				t, password, tt.length,
+			)
 		})
 	}
 }
 
+func checkPasswordComplexity(
+	t *testing.T,
+	password string,
+	length int,
+) {
+	t.Helper()
+
+	// For passwords >= 4 chars, check complexity
+	if length < 4 {
+		return
+	}
+
+	flags := classifyChars(password)
+
+	if !flags[0] || !flags[1] || !flags[2] || !flags[3] {
+		t.Errorf(
+			"Password lacks required complexity: "+
+				"upper=%v, lower=%v, digit=%v, special=%v",
+			flags[0], flags[1], flags[2], flags[3],
+		)
+	}
+}
+
+func classifyChars(s string) [4]bool {
+	var flags [4]bool // upper, lower, digit, special
+
+	for _, char := range s {
+		switch {
+		case char >= 'A' && char <= 'Z':
+			flags[0] = true
+		case char >= 'a' && char <= 'z':
+			flags[1] = true
+		case char >= '0' && char <= '9':
+			flags[2] = true
+		case strings.ContainsRune(
+			"!@#$%^&*()_+-=[]{}|;:,.<>?",
+			char,
+		):
+			flags[3] = true
+		}
+	}
+
+	return flags
+}
+
 func TestGenerateRandomPasswordUniqueness(t *testing.T) {
+	t.Parallel()
+
 	// Generate multiple passwords and ensure they're different
 	passwords := make(map[string]bool)
+
 	const numPasswords = 100
 
-	for i := 0; i < numPasswords; i++ {
-		password, err := GenerateRandomPassword(16)
+	for range numPasswords {
+		password, err := database.GenerateRandomPassword(16)
 		if err != nil {
-			t.Fatalf("GenerateRandomPassword() error = %v", err)
+			t.Fatalf(
+				"GenerateRandomPassword() error = %v",
+				err,
+			)
 		}
 
 		if passwords[password] {
-			t.Errorf("Duplicate password generated: %s", password)
+			t.Errorf(
+				"Duplicate password generated: %s",
+				password,
+			)
 		}
+
 		passwords[password] = true
 	}
 }
 
 func TestHashPassword(t *testing.T) {
+	t.Parallel()
+
 	password := "testPassword123!"
 
-	hash, err := HashPassword(password)
+	hash, err := database.HashPassword(password)
 	if err != nil {
 		t.Fatalf("HashPassword() error = %v", err)
 	}
 
 	// Check that hash has correct format
 	if !strings.HasPrefix(hash, "$argon2id$") {
-		t.Errorf("Hash doesn't have correct prefix: %s", hash)
+		t.Errorf(
+			"Hash doesn't have correct prefix: %s",
+			hash,
+		)
 	}
 
 	// Verify password
-	valid, err := VerifyPassword(password, hash)
+	valid, err := database.VerifyPassword(password, hash)
 	if err != nil {
 		t.Fatalf("VerifyPassword() error = %v", err)
 	}
+
 	if !valid {
-		t.Error("VerifyPassword() returned false for correct password")
+		t.Error(
+			"VerifyPassword() returned false " +
+				"for correct password",
+		)
 	}
 
 	// Verify wrong password fails
-	valid, err = VerifyPassword("wrongPassword", hash)
+	valid, err = database.VerifyPassword(
+		"wrongPassword", hash,
+	)
 	if err != nil {
 		t.Fatalf("VerifyPassword() error = %v", err)
 	}
+
 	if valid {
-		t.Error("VerifyPassword() returned true for wrong password")
+		t.Error(
+			"VerifyPassword() returned true " +
+				"for wrong password",
+		)
 	}
 }
 
 func TestHashPasswordUniqueness(t *testing.T) {
+	t.Parallel()
+
 	password := "testPassword123!"
 
-	// Same password should produce different hashes due to salt
-	hash1, err := HashPassword(password)
+	// Same password should produce different hashes
+	hash1, err := database.HashPassword(password)
 	if err != nil {
 		t.Fatalf("HashPassword() error = %v", err)
 	}
 
-	hash2, err := HashPassword(password)
+	hash2, err := database.HashPassword(password)
 	if err != nil {
 		t.Fatalf("HashPassword() error = %v", err)
 	}
 
 	if hash1 == hash2 {
-		t.Error("Same password produced identical hashes (salt not working)")
+		t.Error(
+			"Same password produced identical hashes " +
+				"(salt not working)",
+		)
 	}
 }