Fix failing CI checks

- Add gosec G704/G705 to exclusions (CLI inherently makes HTTP
  requests to user-configured API URLs)
- Bump Go 1.23 → 1.24 to resolve stdlib vulnerabilities flagged
  by govulncheck
- Replace gitleaks-action (requires paid license) with direct
  gitleaks CLI invocation
- Add CodeQL autobuild step between init and analyze

Author: jeremy

.github/workflows/security.yml

@@ -21,9 +21,13 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: gitleaks/gitleaks-action@ff98106e4c7b2bc287b24eaf42907196329070c7 # v2
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install gitleaks
+        run: |
+          VERSION=$(curl -sL https://api.github.com/repos/gitleaks/gitleaks/releases/latest | jq -r .tag_name)
+          curl -sSfL "https://github.com/gitleaks/gitleaks/releases/download/${VERSION}/gitleaks_${VERSION#v}_linux_x64.tar.gz" | tar -xz
+          sudo mv gitleaks /usr/local/bin/
+      - name: Run gitleaks
+        run: gitleaks detect --source . --verbose --config .gitleaks.toml
 
   trivy:
     name: Trivy vulnerability scan
@@ -75,4 +79,5 @@ jobs:
         with:
           languages: go
           config-file: .github/codeql/codeql-config.yml
+      - uses: github/codeql-action/autobuild@v3
       - uses: github/codeql-action/analyze@v3

.golangci.yml

@@ -44,6 +44,10 @@ linters:
         - G501
         # File operations on user-provided paths are inherent to a CLI
         - G304
+        # CLI is an HTTP client — requests to user-configured API URLs are expected
+        - G704
+        # CLI renders API responses to terminal, not a browser context
+        - G705
     revive:
       rules:
         - name: blank-imports

.mise.toml

@@ -1,2 +1,2 @@
 [tools]
-go = "1.23"
+go = "1.24"

go.mod

@@ -1,6 +1,6 @@
 module github.com/basecamp/fizzy-cli
 
-go 1.23.0
+go 1.24.0
 
 require (
 	github.com/charmbracelet/huh v0.8.0