
fix(security): add object-src 'none' to CSP (#265) #389


Workflow file for this run

---
# Fast lane — gates every PR (ADR 0009 §"CI integration (PR-gate vs scheduled)").
# Runs the bounded, deterministic subset: build, `go test -race`, lint, the
# Tier-1 fuzz seed corpora (executed as ordinary `go test`), and — once they
# land — the deterministic Tier-2 invariants. Unbounded generative fuzz and the
# long sim / Tier-3 interop runs live in the scheduled slow lane
# (.github/workflows/scheduled.yml), never here.
#
# Security posture (review notes):
#   - The GITHUB_TOKEN is read-only for every job: `permissions: contents: read`
#     is declared once at workflow level and no job widens it. Nothing in this
#     lane pushes, publishes or writes to the repository, so nothing needs more.
#   - Only `push` and `pull_request` fire this lane — there is no
#     `pull_request_target` — so a fork PR never runs with write credentials or
#     with repository secrets.
#   - Third-party actions are referenced by major-version tag (`@v5`, `@v6`,
#     `@v3`, `@v9`). Tags are mutable; pinning each to a full commit SHA (keeping
#     the tag in a trailing comment so Dependabot/Renovate can track it) would
#     close the remaining supply-chain gap. No SHAs are given here — resolve them
#     from the upstream repositories when pinning.
#   - No job sets `timeout-minutes`, so a hung step runs to the runner default
#     (6 h). Given this lane's "bounded" promise, a per-job limit is worth adding
#     once typical run times are known.
name: CI

on:  # yamllint disable-line rule:truthy -- GitHub's loader reads `on` as a key
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

# Least-privilege token for the whole workflow; every job below inherits this.
permissions:
  contents: read

jobs:
  test:
    name: build / test / lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-go@v6
        with:
          # Quoted so the version is never re-typed as a float by a YAML parser.
          go-version: "1.26"
          cache: true
      - name: go vet
        run: go vet ./...
      - name: build
        run: go build ./...
      - name: test (race)
        # -count=1 disables Go's test result cache so every PR really runs the suite.
        run: go test -race -count=1 ./...
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v9
        with:
          version: "v2.12"
          args: --timeout=5m
      # Both targets live in the repository Makefile, which is not shown here;
      # presumably they wrap `gosec` and `govulncheck` over the module tree.
      # gosec is run standalone rather than as a golangci-lint linter.
      - name: gosec (standalone)
        run: make gosec
      - name: govulncheck
        run: make govulncheck

  readme-version:
    name: readme version pin
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          # Full history is required: the script compares the pinned VERSION
          # against git tags, which a shallow clone would not have.
          fetch-depth: 0
      - name: check README pin is not behind latest release
        run: bash scripts/check-readme-version.sh

  docker:
    name: docker build
    runs-on: ubuntu-latest
    # Only build the image once the test job is green.
    needs: test
    steps:
      - uses: actions/checkout@v5
      - uses: docker/setup-buildx-action@v3
      - name: build image
        uses: docker/build-push-action@v6
        with:
          context: .
          # Build-only smoke test: nothing is pushed, so no registry credentials
          # are needed or provided to this job.
          push: false
          tags: nebula-mgmt:ci-${{ github.sha }}