fix(ci): 将 gosec 集成到 golangci-lint 解决安全扫描超时

standalone gosec 扫描 24 万行 Go 代码在 CI 中持续超时，
将其作为 golangci-lint 的内置 linter 运行，复用 AST 解析和缓存大幅提速。

- 在 .golangci.yml 中启用 gosec 并迁移原有排除规则
- golangci-lint timeout 从 5m 提升到 30m
- 从 security-scan.yml 移除 standalone gosec 步骤
- 删除不再需要的 .gosec.json 配置文件

.github/workflows/backend-ci.yml

@@ -43,5 +43,5 @@ jobs:
         uses: golangci/golangci-lint-action@v9
         with:
           version: v2.7
-          args: --timeout=5m
+          args: --timeout=30m
           working-directory: backend

.github/workflows/security-scan.yml

@@ -29,12 +29,6 @@ jobs:
         run: |
           go install golang.org/x/vuln/cmd/govulncheck@latest
           govulncheck ./...
-      - name: Run gosec
-        working-directory: backend
-        run: |
-          go install github.com/securego/gosec/v2/cmd/gosec@latest
-          # exclude ent/ — auto-generated ORM code, not subject to manual security review
-          gosec -conf .gosec.json -severity high -confidence high -exclude-generated -exclude-dir=ent ./...
 
   frontend-security:
     runs-on: ubuntu-latest

backend/.golangci.yml

@@ -5,6 +5,7 @@ linters:
   enable:
     - depguard
     - errcheck
+    - gosec
     - govet
     - ineffassign
     - staticcheck
@@ -42,6 +43,22 @@ linters:
               desc: "handler must not import gorm"
             - pkg: github.com/redis/go-redis/v9
               desc: "handler must not import redis"
+    gosec:
+      excludes:
+        - G101
+        - G103
+        - G104
+        - G109
+        - G115
+        - G201
+        - G202
+        - G301
+        - G302
+        - G304
+        - G306
+        - G404
+      severity: high
+      confidence: high
     errcheck:
       # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
       # Such cases aren't reported by default.

backend/.gosec.json

@@ -1,5 +0,0 @@
-{
-  "global": {
-    "exclude": "G704,G101,G103,G104,G109,G115,G201,G202,G301,G302,G304,G306,G404"
-  }
-}