ci: stabilize keep tool bootstrap #49

Merged
haasonsaas merged 2 commits into main from codex/keep-ci-tool-install
Apr 11, 2026

@haasonsaas
Contributor

Summary

  • pin golangci-lint installation instead of using latest in CI
  • resolve Go tool binaries from GOPATH/bin explicitly in Make targets
  • update setup-uv to v7 in the shared CI workflow

Why

The open keep Dependabot PRs are failing in the shared tool bootstrap because Installing Go tools...
mkdir -p /Users/jonathanhaas/go/bin
GOPROXY=https://proxy.golang.org,direct go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.8
go install golang.org/x/tools/cmd/goimports@v0.36.0
go install golang.org/x/vuln/cmd/govulncheck@latest
go install github.com/securego/gosec/v2/cmd/gosec@v2.22.6
Ensuring OPA CLI is available...
OPA already installed
Installing Python tools...
uv tool install black
uv tool install flake8
uv tool install isort
uv tool install mypy pulls the newest golangci-lint, which currently trips over a transitive fetch path during CI bootstrap. This change makes the bootstrap deterministic again on main so the stale Dependabot PRs can inherit a healthy workflow.

Validation

  • go version go1.26.2 linux/arm64
    golangci-lint has version v1.64.8 built with go1.26.2 from (unknown, modified: ?, mod sum: "h1:y5TdeVidMtBGG32zgSC7ZXTFNHrsJkDnpO4ItB3Am+I=") on (unknown)

@cursor

cursor bot commented Apr 11, 2026

PR Summary

Low Risk
Low risk: changes are limited to CI/workflow and developer tooling resolution, primarily improving determinism; main risk is CI failures if tool paths/versions don’t match runner expectations.

Overview
Makes CI tool bootstrap deterministic by upgrading astral-sh/setup-uv to v7 and pinning golangci-lint installs to v1.64.8 instead of @latest.

Updates the Makefile to resolve Go tool binaries explicitly from $(GOBIN) (e.g., $(GOLANGCI_LINT), $(GOIMPORTS), $(GOVULNCHECK), $(GOSEC)) and adjusts check-tools, format-go, opa-test, and security targets to use these paths.

Reviewed by Cursor Bugbot for commit 732e324. Bugbot is set up for automated code reviews on this repo. Configure here.

@haasonsaas haasonsaas merged commit 726241b into main Apr 11, 2026
9 checks passed
@haasonsaas haasonsaas deleted the codex/keep-ci-tool-install branch April 11, 2026 06:43
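
An added example (not code from this repository or PR): a small Python check that flags tool installs a bootstrap still resolves at run time, run here over the install commands quoted in the PR description. The function names, and the rule that a Python tool counts as pinned only when written as `name==X.Y.Z`, are assumptions of this example.

```python
import re
import shlex

# Constructed sample: the install commands quoted in the PR description above.
SAMPLE = """\
GOPROXY=https://proxy.golang.org,direct go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.64.8
go install golang.org/x/tools/cmd/goimports@v0.36.0
go install golang.org/x/vuln/cmd/govulncheck@latest
go install github.com/securego/gosec/v2/cmd/gosec@v2.22.6
uv tool install black
uv tool install flake8
uv tool install isort
uv tool install mypy
"""

# Exact tags (v1.64.8) pass; "latest", branch names and prefixes like "v1" float.
GO_EXACT = re.compile(r"^v\d+\.\d+\.\d+([-+][0-9A-Za-z.+-]+)?$")
# Assumption of this example: a Python tool is pinned only as name==X.Y[.Z].
PY_EXACT = re.compile(r"^[A-Za-z0-9._\[\],-]+==\d+(\.\d+)*$")


def first_arg(tokens, start):  # first non-flag token at or after start
    return next((t for t in tokens[start:] if not t.startswith("-")), None)


def unpinned_installs(text):
    """Return (line_number, tool, reason) for every floating install in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes, e.g. in a Makefile recipe
            tokens = line.split()
        for i, tok in enumerate(tokens):
            if tok == "go" and tokens[i + 1:i + 2] == ["install"]:
                target = first_arg(tokens, i + 2) or "."
                pkg, _, ver = target.partition("@")
                if not pkg.startswith(".") and not GO_EXACT.match(ver):
                    findings.append((lineno, pkg, f"go version {ver or 'missing'!r}"))
            elif tokens[i:i + 3] == ["uv", "tool", "install"]:
                spec = first_arg(tokens, i + 3)
                if spec and not PY_EXACT.match(spec):
                    findings.append((lineno, spec, "no == pin"))
    return findings


if __name__ == "__main__":
    for lineno, tool, reason in unpinned_installs(SAMPLE):
        print(f"line {lineno}: {tool}: {reason}")
```

On the sample it reports the `govulncheck@latest` line and the four unversioned `uv tool install` lines, and passes the three Go tools installed at exact tags.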