Move the govulncheck job from security.yml into ci.yml and add it to
the ci-status gate so it shares the CI concurrency group and is covered
by the single required check. Drop the now-redundant security.yml.
Preserve security hardening and version updates that main applied to the
now-removed lint.yml/test.yml: pin actions by commit SHA, bump Go matrix
to 1.25.10/1.26.x, golangci-lint to v2.12.2, and add read-only
permissions.