Merge branch 'development' into renovate/go-1.x

.github/workflows/auto-changelog.yml

@@ -10,8 +10,8 @@ jobs:
   update-draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
       - name: Draft Release
         uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}

.github/workflows/auto-versioning.yml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
 
@@ -60,28 +60,42 @@ jobs:
           # Export the tag for downstream steps
           echo "tag=${TAG}" >> $GITHUB_OUTPUT
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
+
+      - name: Determine tag
+        id: determine_tag
+        run: |
+          # Prefer created tag output; if empty fallback to semver version
+          TAG="${{ steps.create_tag.outputs.tag }}"
+          if [ -z "$TAG" ]; then
+            # semver.version contains a tag value like 'vX.Y.Z' or fallback 'v0.0.0'
+            VERSION_RAW="${{ steps.semver.outputs.version }}"
+            VERSION_NO_V="${VERSION_RAW#v}"
+            TAG="v${VERSION_NO_V}"
+          fi
+          echo "Determined tag: $TAG"
+          echo "tag=$TAG" >> $GITHUB_OUTPUT
 
       - name: Check for existing GitHub Release
         id: check_release
         run: |
-          TAG=${{ steps.create_tag.outputs.tag }}
+          TAG=${{ steps.determine_tag.outputs.tag }}
           echo "Checking for release for tag: ${TAG}"
-          STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
+          STATUS=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${CHARON_TOKEN}" -H "Accept: application/vnd.github+json" "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/tags/${TAG}") || true
           if [ "${STATUS}" = "200" ]; then
             echo "exists=true" >> $GITHUB_OUTPUT
           else
             echo "exists=false" >> $GITHUB_OUTPUT
           fi
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
 
       - name: Create GitHub Release (tag-only, no workspace changes)
         if: ${{ steps.semver.outputs.changed && steps.check_release.outputs.exists == 'false' }}
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with:
-          tag_name: ${{ steps.create_tag.outputs.tag }}
-          name: Release ${{ steps.create_tag.outputs.tag }}
+          tag_name: ${{ steps.determine_tag.outputs.tag }}
+          name: Release ${{ steps.determine_tag.outputs.tag }}
           body: ${{ steps.semver.outputs.release_notes }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}

.github/workflows/benchmark.yml

@@ -24,7 +24,7 @@ jobs:
     name: Performance Regression Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Set up Go
         uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
@@ -42,7 +42,7 @@ jobs:
           name: Go Benchmark
           tool: 'go'
           output-file-path: backend/output.txt
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.CHARON_TOKEN }}
           auto-push: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }}
           # Show alert with commit comment on detection of performance regression
           alert-threshold: '150%'

.github/workflows/codecov-upload.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
 
@@ -47,7 +47,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
 

.github/workflows/codeql.yml

@@ -31,7 +31,7 @@ jobs:
         language: [ 'go', 'javascript-typescript' ]
     steps:
       - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@fe4161a26a8629af62121b670040955b330f9af2 # v4

.github/workflows/docker-lint.yml

@@ -14,7 +14,7 @@ jobs:
   hadolint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Run Hadolint
         uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0

.github/workflows/docker-publish.yml

@@ -169,7 +169,7 @@ jobs:
         uses: github/codeql-action/upload-sarif@fe4161a26a8629af62121b670040955b330f9af2 # v4.31.6
         with:
           sarif_file: 'trivy-results.sarif'
-          token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.CHARON_TOKEN }}
 
       - name: Create summary
         if: steps.skip.outputs.skip_build != 'true'
@@ -279,7 +279,7 @@ jobs:
     if: github.event_name == 'pull_request'
     steps:
       - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       - name: Build image locally for PR
         run: |

.github/workflows/docs.yml

@@ -29,7 +29,7 @@ jobs:
     steps:
       # Step 1: Get the code
       - name: 📥 Checkout code
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
 
       # Step 2: Set up Node.js (for building any JS-based doc tools)
       - name: 🔧 Set up Node.js

.github/workflows/quality-checks.yml

@@ -55,7 +55,7 @@ jobs:
         continue-on-error: false
 
       - name: Run golangci-lint
-        uses: golangci/golangci-lint-action@e7fa5ac41e1cf5b7d48e45e42232ce7ada589601 # v9.1.0
+        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
         with:
           version: latest
           working-directory: backend
@@ -69,7 +69,7 @@ jobs:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Set up Node.js
-        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: '24.11.1'
           cache: 'npm'

.github/workflows/release-goreleaser.yml

@@ -13,13 +13,13 @@ jobs:
   goreleaser:
     runs-on: ubuntu-latest
     env:
-      # Use the built-in GITHUB_TOKEN by default for GitHub API operations.
+      # Use the built-in CHARON_TOKEN by default for GitHub API operations.
       # If you need to provide a PAT with elevated permissions, add a CHARON_TOKEN secret
       # at the repo or organization level and update the env here accordingly.
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      CHARON_TOKEN: ${{ secrets.CHARON_TOKEN }}
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 0
 
@@ -47,7 +47,8 @@ jobs:
         with:
           version: 0.13.0
 
-      # GITHUB_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
+      # CHARON_TOKEN is set from CHARON_TOKEN or CPMP_TOKEN (fallback), defaulting to GITHUB_TOKEN
+
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6

.github/workflows/renovate.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repository
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
         with:
           fetch-depth: 1
       - name: Choose Renovate Token

.github/workflows/renovate_prune.yml

@@ -26,15 +26,15 @@ jobs:
         run: |
           if [ -n "${{ secrets.CHARON_TOKEN }}" ]; then
             echo "Using CHARON_TOKEN" >&2
-            echo "GITHUB_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
+            echo "CHARON_TOKEN=${{ secrets.CHARON_TOKEN }}" >> $GITHUB_ENV
           else
             echo "Using CPMP_TOKEN fallback" >&2
-            echo "GITHUB_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
+            echo "CHARON_TOKEN=${{ secrets.CPMP_TOKEN }}" >> $GITHUB_ENV
           fi
       - name: Prune renovate branches
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
-          github-token: ${{ env.GITHUB_TOKEN }}
+          github-token: ${{ env.CHARON_TOKEN }}
           script: |
             const owner = context.repo.owner;
             const repo = context.repo.repo;