fix: Implement dependency digest tracking for nightly builds

- Updated Docker Compose files to use digest-pinned images for CI contexts.
- Enhanced Dockerfile to pin Go tool installations and verify external downloads with SHA256 checksums.
- Added Renovate configuration for tracking Go tool versions and digest updates.
- Introduced a new design document outlining the architecture and data flow for dependency tracking.
- Created tasks and requirements documentation to ensure compliance with the new digest pinning policy.
- Updated security documentation to reflect the new digest pinning policy and exceptions.
This commit is contained in:
GitHub Actions
2026-01-30 06:38:56 +00:00
parent dcb3e704a3
commit 6675f2a169
19 changed files with 545 additions and 70 deletions
+2 -1
@@ -43,7 +43,8 @@ echo "Installed go: $(go version)"
# Optionally install gopls
echo "Installing gopls..."
go install golang.org/x/tools/gopls@latest
# renovate: datasource=go depName=golang.org/x/tools
go install golang.org/x/tools/gopls@v0.41.0
GOPLS_PATH="$GOPATH/bin/gopls"
if [ -f "$GOPLS_PATH" ]; then
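Review bot: The Renovate marker on the new `go install` line may not track the version it pins. `go install golang.org/x/tools/gopls@v0.41.0` resolves `v0.41.0` against the nested `golang.org/x/tools/gopls` module (tagged `gopls/vX.Y.Z` in that repository), whereas `# renovate: datasource=go depName=golang.org/x/tools` asks Renovate to follow the parent `golang.org/x/tools` module, whose tags are a separate `v0.x` series. If Renovate ever proposed a `golang.org/x/tools` version here, the install would fail or pull an unrelated tag; consider `depName=golang.org/x/tools/gopls` and confirm with a Renovate dry run that the datasource resolves that module's releases.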
+2 -1
@@ -19,7 +19,8 @@ echo "🔒 Running local security scan..."
# Check if govulncheck is installed
if ! command -v govulncheck &> /dev/null; then
echo -e "${YELLOW}Installing govulncheck...${NC}"
go install golang.org/x/vuln/cmd/govulncheck@latest
# renovate: datasource=go depName=golang.org/x/vuln
go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
fi
# Run govulncheck on backend Go code
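Review bot: The pin only takes effect on a machine that has no `govulncheck` on its PATH. Because the install sits inside `if ! command -v govulncheck &> /dev/null; then`, a developer or runner that already has an older or `@latest` build keeps using it, so scan results are not reproducible against `v1.1.4` as the commit intends. Either drop the guard and always run `go install golang.org/x/vuln/cmd/govulncheck@v1.1.4` (the Go module cache makes repeat installs cheap), or compare `govulncheck -version` output against the pinned version and reinstall on mismatch. The `depName=golang.org/x/vuln` marker itself matches the module that contains `cmd/govulncheck`, so that part is fine.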