fix: improve golangci-lint install security

Download pre-built binary directly from GitHub releases instead of
piping install script to sh. This addresses supply chain security
concerns about executing remote scripts.

The image tag 1-1.24-bookworm is valid - the first '1' is the
devcontainer definition version, second '1.24' is the Go version.
The markdown tables render correctly (Copilot false positive).

Author: dlevy-msft-sql

.devcontainer/Dockerfile

@@ -15,9 +15,13 @@ RUN curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor
 ENV PATH="/opt/mssql-tools18/bin:${PATH}"
 
 # Install golangci-lint for code quality
-# Download from specific release tag instead of master branch for supply chain security
-ARG GOLANGCI_LINT_VERSION=v1.64.8
-RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/${GOLANGCI_LINT_VERSION}/install.sh | sh -s -- -b /usr/local/bin ${GOLANGCI_LINT_VERSION}
+# Download pre-built binary directly instead of running install script (supply chain security)
+ARG GOLANGCI_LINT_VERSION=1.64.8
+RUN curl -fsSLO "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" \
+    && tar -xzf "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" \
+    && mv "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" /usr/local/bin/ \
+    && rm -rf "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64" "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" \
+    && golangci-lint --version
 
 # Install additional Go tools (pinned versions for reproducibility)
 RUN go install golang.org/x/tools/gopls@v0.18.1 \