feat: Add github release update check

[johnharris85]

Add a startup check that compares the local decK release version with the latest public GitHub release and prints a short stderr notice when an update is available. The notice is suppressible with --suppress-update-check or DECK_SUPPRESS_UPDATE_CHECK, includes a link to the version-specific release page, and is covered by tests for version comparison, help output, and flag/env precedence.

[Copilot]

Pull request overview

Adds a startup update check to decK that queries the latest GitHub release, compares it to the local build version, and emits a suppressible stderr notice (including a version-specific release notes URL) when an update is available.

Changes:

• Introduces GitHub release fetching + semver comparison and formats an “update available” notice.
• Wires the update notice into root command startup and help output, with --suppress-update-check / DECK_SUPPRESS_UPDATE_CHECK support.
• Adds tests covering version comparison, one-time printing behavior, help output, and flag/env precedence.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File	Description
cmd/update_check.go	Implements the GitHub “latest release” fetch, semver comparison, and stderr notice formatting/printing.
cmd/update_check_test.go	Adds unit/integration-style tests for notice building, suppression behavior, and help output.
cmd/root.go	Hooks the update check into command execution and adds the suppression flag/help wrapper.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[codecov-commenter]

Codecov Report

❌ Patch coverage is 89.33333% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 51.07%. Comparing base (3221c8b) to head (695ae78).

Files with missing lines	Patch %	Lines
cmd/update_check.go	87.50%	4 Missing and 4 partials ⚠️

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #1988       +/-   ##
===========================================
+ Coverage   32.87%   51.07%   +18.20%     
===========================================
  Files          77       78        +1     
  Lines        7064     7138       +74     
===========================================
+ Hits         2322     3646     +1324     
+ Misses       4546     3234     -1312     
- Partials      196      258       +62     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[gitguardian]

⚠️ GitGuardian has uncovered 12 secrets following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secrets in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
27577938	Triggered	Generic High Entropy Secret	395a419	tests/integration/testdata/dump/009-skip-defaults/enterprise/3.14+/credentials.yaml	View secret
27577943	Triggered	Generic High Entropy Secret	395a419	tests/integration/testdata/dump/009-skip-defaults/enterprise/3.14+/credentials.yaml	View secret
27577949	Triggered	Generic High Entropy Secret	395a419	tests/integration/testdata/dump/009-skip-defaults/enterprise/3.14+/plugin-partial-2.expected.yaml	View secret
29995049	Triggered	Generic Password	395a419	tests/integration/testdata/dump/009-skip-defaults/enterprise/3.14+/credentials.expected.yaml	View secret
27577959	Triggered	Generic Password	395a419	tests/integration/testdata/dump/008-sanitizer/consumergroup-plugins313.expected.yaml	View secret
27577938	Triggered	Generic High Entropy Secret	395a419	tests/integration/testdata/dump/009-skip-defaults/enterprise/3.14+/credentials.expected.yaml	View secret
27577959	Triggered	Generic Password	395a419	tests/integration/testdata/dump/008-sanitizer/consumergroup-plugins314.expected.yaml	View secret
27577959	Triggered	Generic Password	395a419	tests/integration/testdata/dump/008-sanitizer/consumergroup-plugins314.expected.yaml	View secret
27577951	Triggered	Generic Password	395a419	tests/integration/testdata/dump/009-skip-defaults/enterprise/3.14+/credentials.yaml	View secret
27577959	Triggered	Generic Password	395a419	tests/integration/testdata/dump/008-sanitizer/consumergroup-plugins313.expected.yaml	View secret
27577949	Triggered	Generic High Entropy Secret	395a419	tests/integration/testdata/dump/009-skip-defaults/enterprise/3.14+/plugin-partial-2.yaml	View secret
27577943	Triggered	Generic High Entropy Secret	395a419	tests/integration/testdata/dump/009-skip-defaults/enterprise/3.14+/credentials.expected.yaml	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secrets safely. Learn here the best practices.
3. Revoke and rotate these secrets.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}