[Sync] Update project files from source repository (9def984) #105

Merged: mrz1836 merged 4 commits into master from chore/sync-files-bsv-blockchain-sdks-20260309-115616-9def984 on Mar 9, 2026
mrz1836 (Collaborator) commented Mar 9, 2026

What Changed

  • Refactored parse-env action to use environment variable for ENV_JSON input instead of inline shell variable assignment
  • Added new github-token input parameter to setup-go-with-cache action with description "GitHub token for private module authentication (only used when GOPRIVATE is set in environment)"
  • Added conditional step "Configure private module authentication" in setup-go-with-cache action that configures git authentication using the token and sets GONOSUMDB environment variable when both GOPRIVATE and github-token are present
  • Added github-token input parameter to warm-cache action matching the same description and requirement pattern as in setup-go-with-cache
  • Updated setup-go-with-cache step in warm-cache action to pass through the github-token input
  • Added contents: read permission to multiple workflow files including fortress-benchmarks, fortress-code-quality, fortress-coverage, fortress-pre-commit, fortress-release, fortress-setup-config, fortress-test-fuzz, fortress-test-matrix, fortress-security-scans, fortress-test-suite, fortress-warm-cache, fortress.yml, and scorecard workflows

Why It Was Necessary

  • Moving ENV_JSON to an environment variable prevents potential injection vulnerabilities and follows GitHub Actions security best practices
  • Private Go module authentication support is needed to allow workflows to access dependencies hosted in private repositories when GOPRIVATE is configured
  • Explicit contents: read permissions follow the principle of least privilege and make workflow permission requirements transparent

Testing Performed

  • Verify parse-env action continues to parse environment JSON correctly with the refactored variable handling
  • Test setup-go-with-cache action with and without private modules to ensure conditional authentication logic works as expected
  • Confirm workflows execute successfully with the new explicit permission declarations

Impact / Risk

  • Breaking Change: None - new github-token input is optional with empty string default, existing workflows continue to function unchanged
  • Security: Low risk - improves security posture by using environment variables and explicit permissions, private token is only used when explicitly provided
  • Compatibility: No impact on existing workflows that don't use private Go modules; workflows requiring private module access will need to pass the token explicitly
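
Why moving ENV_JSON out of the script text matters, as an added example that is not part of the PR or the project's actions. It assumes the earlier step pasted the input into the script before the shell parsed it (the page does not show that code); `run_inline`, `run_env`, `survives` and the sample value are constructed here.

```shell
#!/bin/sh
# Added illustration: a stand-in for how a workflow runner executes a `run:` step.
# Function names and the sample value are constructed for this example.

# Constructed input: JSON carrying a harmless command-substitution marker.
SAMPLE_ENV_JSON='{"GO_VERSION":"1.24","NOTE":"$(echo INJECTED)"}'

# Before: the expression result is pasted into the script text, so the shell
# parses the value as code (quotes are consumed, $(...) is executed).
run_inline() (
  script=$(printf 'ENV_JSON="%s"\nprintf "%%s" "$ENV_JSON"' "$1")
  sh -c "$script"
)

# After: the script text is constant and the value arrives in the process
# environment, so the shell only ever treats it as data.
run_env() (
  ENV_JSON=$1 sh -c 'printf "%s" "$ENV_JSON"'
)

# Check a caller can apply: did the value survive the step byte for byte?
survives() {
  [ "$("$1" "$2")" = "$2" ]
}

for mode in run_inline run_env; do
  if survives "$mode" "$SAMPLE_ENV_JSON"; then verdict=intact; else verdict=ALTERED; fi
  printf '%-10s %s -> %s\n' "$mode" "$verdict" "$("$mode" "$SAMPLE_ENV_JSON")"
done
```

In the inline case the JSON reaches the parser with its quotes stripped and the marker evaluated, which is also why a downstream JSON parse would fail or read attacker-shaped content.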

mrz1836 self-assigned this Mar 9, 2026
mrz1836 added labels Mar 9, 2026: automated-sync (Automated sync PR, e.g. from a fork or external repo), automerge (Label to automatically merge pull requests that meet all required conditions), chore (Simple dependency updates or version bumps)
github-actions Bot added labels Mar 9, 2026: update (General updates), size/M (Medium change, 51–200 lines)
mrz1836 added 2 commits March 9, 2026 12:07
Updated 90-project.env with MAGE_X_AUTO_DISCOVER_BUILD_TAGS_EXCLUDE to prevent GOOS name conflicts when cross-compiling.
Add Windows-specific stub implementations for mmap functions and remove unnecessary gosec lint suppressions.
mrz1836 enabled auto-merge (squash) March 9, 2026 16:12
mrz1836 disabled auto-merge March 9, 2026 16:12
mrz1836 merged commit 1d339dd into master Mar 9, 2026
12 checks passed
github-actions Bot deleted the chore/sync-files-bsv-blockchain-sdks-20260309-115616-9def984 branch March 9, 2026 16:13
sonarqubecloud Bot commented Mar 9, 2026
