chore(ci): add workflow to automate Go version updates

Add GitHub Actions workflow using StefMa/Upgrade-Go-Action to
automatically check for new Go releases and create PRs to update
the go directive in go.mod.

This addresses the limitation that Dependabot cannot update the
Go version itself (only module dependencies), which means stdlib
CVEs that are fixed in newer Go patch releases are not automatically
detected.

Workflow runs:
- Weekly on Mondays at 8am UTC
- Manually via workflow_dispatch

When a new Go version is available, the action will:
1. Update the go directive in go.mod
2. Run go mod tidy
3. Create a pull request with the changes

Related: replicated-collab/git-guardian-kots#287
Dependabot limitation: dependabot/dependabot-core#9527

Author: Bishibop

.github/workflows/upgrade-go.yaml

@@ -0,0 +1,23 @@
+name: Upgrade Go Version
+
+on:
+  # Run manually when needed
+  workflow_dispatch:
+  # Run weekly on Mondays at 8am UTC
+  schedule:
+    - cron: "0 8 * * MON"
+
+jobs:
+  upgrade-go:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Check for Go updates
+        uses: StefMa/Upgrade-Go-Action@v1
+        with:
+          base-branch: 'main'