feat: migrate to CI catalog, bump Go 1.24, add security scanning

Andrew Dunnrequested to merge
chore/catalog-migration-go-1.24 into main

Summary

  • Replace hand-rolled build/sign/publish (117 lines) with pipeline/binary@v1.1.0 catalog component
  • Bump Go from 1.22 to 1.24
  • Add SAST, Secret Detection, Dependency Scanning templates
  • Replace Alpine with UBI9-minimal in pages job
  • Pin glab CLI to v1.92.1
  • Add Renovate config

What changed

The entire build + publish pipeline (cross-compile, checksums, cosign sign-blob, curl upload to package registry) is now handled by one catalog component include. The release job stays project-specific because it has custom asset links.

Before: 178 lines, all hand-rolled After: 80 lines, catalog-backed with security scanning

Merge request reports