Dependabot and Workflow Hardening

[piceri]

This changes adds the following changes to increase security posture towards supply chain style attacks:

• Add three day cooldown to Dependabot updates
• Be consistent in Dependabot grouping
• Add GOFLAG -mod=readonly

[Copilot]

Pull request overview

This PR hardens the repository’s supply-chain posture by enforcing Go module immutability during CI runs and delaying Dependabot update PR creation until new releases have aged for a short cooldown period.

Changes:

• Set GOFLAGS: "-mod=readonly" for Go-based GitHub Actions jobs to prevent implicit go.mod/go.sum edits during CI.
• Add a cooldown period of 3 days to Dependabot updates across configured ecosystems.
• Extend Dependabot grouping consistency by adding a minor-patch group to Docker updates.

Show a summary per file

File	Description
.github/workflows/lint.yml	Adds GOFLAGS=-mod=readonly to the lint job to ensure module files aren’t modified in CI.
.github/workflows/build.yml	Adds GOFLAGS=-mod=readonly to build and test jobs for the same immutability guarantee during compilation/tests.
.github/dependabot.yml	Adds a 3-day cooldown to updates and aligns Docker updates with existing minor/patch grouping.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 3/3 changed files
• Comments generated: 0