chore(docker): wire all workflows to single-source version ARGs

The Dockerfile already centralizes all version pins into top-level ARGs
(GO_VERSION, ALPINE_IMAGE, CROWDSEC_VERSION, EXPR_LANG_VERSION, XNET_VERSION).
This change closes the remaining gaps so those ARGs are the single source of
truth end-to-end:

- nightly-build.yml now resolves the Alpine image digest at build time and
  passes ALPINE_IMAGE as a build-arg, matching the docker-build.yml pattern.
  Previously, nightly images were built with the Dockerfile ARG default and
  without a pinned digest, making runtime Alpine differ from docker-build.yml.

- six CI workflows (quality-checks, codecov-upload, benchmark, e2e-tests-split,
  release-goreleaser, codeql) declared a GO_VERSION env var but their setup-go
  steps ignored it and hardcoded the version string directly. They now reference
  ${{ env.GO_VERSION }}, so Renovate only needs to update one value per file
  and the env var actually serves its purpose.

- codeql.yml had no GO_VERSION env var at all; one is now added alongside the
  existing GOTOOLCHAIN: auto entry.

When Renovate bumps Go, it updates the env var at the top of each workflow and
the Dockerfile ARG — zero manual hunting required.

.github/workflows/benchmark.yml

@@ -37,7 +37,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
-          go-version: "1.26.1"
+          go-version: ${{ env.GO_VERSION }}
 
           cache-dependency-path: backend/go.sum
 

.github/workflows/codecov-upload.yml

@@ -47,7 +47,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
-          go-version: "1.26.1"
+          go-version: ${{ env.GO_VERSION }}
 
           cache-dependency-path: backend/go.sum
 

.github/workflows/codeql.yml

@@ -15,6 +15,7 @@ concurrency:
 
 env:
   GOTOOLCHAIN: auto
+  GO_VERSION: '1.26.1'
 
 permissions:
   contents: read
@@ -64,7 +65,7 @@ jobs:
         if: matrix.language == 'go'
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
-          go-version: 1.26.1
+          go-version: ${{ env.GO_VERSION }}
           cache-dependency-path: backend/go.sum
 
       - name: Verify Go toolchain and build

.github/workflows/docker-build.yml

@@ -121,10 +121,11 @@ jobs:
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
       - name: Resolve Alpine base image digest
         if: steps.skip.outputs.skip_build != 'true'
-        id: caddy
+        id: alpine
         run: |
-          docker pull alpine:3.23.3
-          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' alpine:3.23.3)
+          ALPINE_TAG=$(grep -m1 'ARG ALPINE_IMAGE=' Dockerfile | sed 's/ARG ALPINE_IMAGE=alpine://' | cut -d'@' -f1)
+          docker pull "alpine:${ALPINE_TAG}"
+          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "alpine:${ALPINE_TAG}")
           echo "image=$DIGEST" >> "$GITHUB_OUTPUT"
 
       - name: Log in to GitHub Container Registry
@@ -271,7 +272,7 @@ jobs:
               --build-arg "VERSION=${{ steps.meta.outputs.version }}"
               --build-arg "BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}"
               --build-arg "VCS_REF=${{ env.TRIGGER_HEAD_SHA }}"
-              --build-arg "CADDY_IMAGE=${{ steps.caddy.outputs.image }}"
+              --build-arg "ALPINE_IMAGE=${{ steps.alpine.outputs.image }}"
               --iidfile /tmp/image-digest.txt
               .
             )

.github/workflows/e2e-tests-split.yml

@@ -144,7 +144,7 @@ jobs:
         if: steps.resolve-image.outputs.image_source == 'build'
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
-          go-version: "1.26.1"
+          go-version: ${{ env.GO_VERSION }}
 
           cache: true
           cache-dependency-path: backend/go.sum

.github/workflows/nightly-build.yml

@@ -167,6 +167,14 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
 
+      - name: Resolve Alpine base image digest
+        id: alpine
+        run: |
+          ALPINE_TAG=$(grep -m1 'ARG ALPINE_IMAGE=' Dockerfile | sed 's/ARG ALPINE_IMAGE=alpine://' | cut -d'@' -f1)
+          docker pull "alpine:${ALPINE_TAG}"
+          DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "alpine:${ALPINE_TAG}")
+          echo "image=$DIGEST" >> "$GITHUB_OUTPUT"
+
       - name: Log in to GitHub Container Registry
         uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2  # v4.0.0
         with:
@@ -210,6 +218,7 @@ jobs:
             VERSION=nightly-${{ github.sha }}
             VCS_REF=${{ github.sha }}
             BUILD_DATE=${{ github.event.repository.pushed_at }}
+            ALPINE_IMAGE=${{ steps.alpine.outputs.image }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
           provenance: true

.github/workflows/quality-checks.yml

@@ -33,7 +33,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
-          go-version: "1.26.1"
+          go-version: ${{ env.GO_VERSION }}
 
           cache-dependency-path: backend/go.sum
 
@@ -140,7 +140,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
-          go-version: "1.26.1"
+          go-version: ${{ env.GO_VERSION }}
 
           cache-dependency-path: backend/go.sum
 

.github/workflows/release-goreleaser.yml

@@ -47,7 +47,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6
         with:
-          go-version: "1.26.1"
+          go-version: ${{ env.GO_VERSION }}
 
           cache-dependency-path: backend/go.sum