
fix: upgrade Go toolchain to 1.22 to address CVE-2025-22871, CVE-2025-68121, CVE-2024-3566 #160

Open

ethan-wispr wants to merge 1 commit into develar:master from ethan-wispr:fix/upgrade-go-1.22-cve-2025-22871

Conversation


@ethan-wispr ethan-wispr commented May 8, 2026

Fixes #159.

Why

All published app-builder-bin binaries are compiled with go1.21.13, which is affected by three high/critical CVEs:

| CVE | CVSS | Description |
| --- | --- | --- |
| CVE-2025-22871 | 9.1 | net/http: request smuggling via malformed chunked encoding |
| CVE-2025-68121 | 10.0 | net/http: arbitrary code execution via HTTP/2 CONTINUATION frames |
| CVE-2024-3566 | 9.1 | cmd/go: argument injection on Windows |

All three are fixed in Go 1.22+. Security scanners (e.g. Syft/Grype) flag every project that depends on app-builder-bin, blocking SBOM audits even though the exposure is build-time rather than runtime.

What Changed

  • .github/actions/setup/action.yml: go-version: '1.21' → '1.22'
  • go.mod: go 1.21 → go 1.22

No source changes required. Go 1.22 is backwards-compatible with this codebase — the only language behaviour change relevant to existing code (range loop variable scoping) doesn't apply here.

Testing

CI runs make test and make build-all, which cross-compiles for all 11 target platforms. That's the right validation gate for this change.
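An added example, not code from this PR or from the app-builder project, of the check a consumer of app-builder-bin can run to confirm a published binary was really rebuilt with Go 1.22 or later: it reads the toolchain version embedded in each binary via the standard `debug/buildinfo` package, which is the same metadata Syft/Grype use to flag the dependency. The binary paths and the `go1.22` minimum are command-line assumptions.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// goVersion is a parsed release toolchain version such as "go1.21.13".
type goVersion struct{ major, minor, patch int }

// parseGoVersion parses "go1.21.13" or "go1.22" into its numeric parts.
// Pre-release strings such as "go1.22rc1" are rejected rather than being
// mistaken for a fixed release.
func parseGoVersion(s string) (goVersion, error) {
	var v goVersion
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	if len(parts) < 2 || len(parts) > 3 {
		return v, fmt.Errorf("unrecognised Go version %q", s)
	}
	fields := []*int{&v.major, &v.minor, &v.patch}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("unrecognised Go version %q", s)
		}
		*fields[i] = n
	}
	return v, nil
}

// atLeast reports whether v is the same as or newer than min.
func (v goVersion) atLeast(min goVersion) bool {
	if v.major != min.major {
		return v.major > min.major
	}
	if v.minor != min.minor {
		return v.minor > min.minor
	}
	return v.patch >= min.patch
}

// compiledWithAtLeast reads the build info embedded in a Go binary and reports
// its toolchain version and whether that version satisfies minVersion.
func compiledWithAtLeast(path, minVersion string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	have, err := parseGoVersion(info.GoVersion)
	if err != nil {
		return info.GoVersion, false, err
	}
	want, err := parseGoVersion(minVersion)
	if err != nil {
		return info.GoVersion, false, err
	}
	return info.GoVersion, have.atLeast(want), nil
}

func main() {
	// Usage (assumed): go run . path/to/app-builder ...
	failed := false
	for _, p := range os.Args[1:] {
		ver, ok, err := compiledWithAtLeast(p, "go1.22")
		if err != nil || !ok {
			failed = true
		}
		fmt.Printf("%s: %s ok=%v err=%v\n", p, ver, ok, err)
	}
	if failed {
		os.Exit(1)
	}
}
```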


changeset-bot Bot commented May 8, 2026

⚠️ No Changeset found

Latest commit: 96c5907

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



Development

Successfully merging this pull request may close these issues.

Rebuild app-builder-bin with Go ≥1.22 (CVE-2025-22871, CVE-2025-68121, CVE-2024-3566)
