ci: harden workflows, upgrade actions, fix caching

[paskal]

Summary

• add explicit permissions for least-privilege (contents: read/write, packages: write)
• upgrade all actions to latest major versions (checkout@v6, setup-go@v6, setup-buildx@v4, login-action@v4, build-push-action@v7, upload-artifact@v7, download-artifact@v8, goreleaser-action@v7, setup-qemu-action@v4)
• add persist-credentials: false to all checkout steps
• combine goveralls install and coverage submission into single step
• quote golangci-lint version string for YAML consistency

[umputun]

couple issues:

1. bug in app/main.go:304 — the error variable was changed from perr to err, but the assignment on line 301 still uses perr. this wraps the wrong error:

maxBodySize, perr := sizeParse(opts.MaxSize)
if perr != nil {
    return fmt.Errorf("failed to convert MaxSize: %w", err) // should be perr
}

2. app/mgmt/metrics.go removes the Flush() method and server_test.go removes its tests — this reverts #247 (SSE streaming fix) merged a few days ago. was this intentional?

3. docker.yml replaces the env: var approach from #245 with direct ${{ }} in run: blocks. the env approach was specifically chosen to prevent shell injection — putting expressions back inline in run blocks reverses that hardening.

4. the Go source changes (main.go alignment, defer cancel, server.go shutdown timeout, metrics.go Flusher removal) are unrelated to CI hardening. would be cleaner to split them into a separate PR, or at least mention them in the description.

CI workflow upgrades and permissions changes look good overall.

[paskal]

Reverted all the go changes, fixed the env usage. Should be solid now.