Use nilaway to incrementally check for unsafe nil pointer dereferences (#39030)

**Related issue:** Resolves #32999 

- Enhanced internal code quality tooling by implementing a custom
linting build configuration.
- Updated continuous integration workflow to utilize the new custom
build process for improved code analysis and consistency checks.

### Confirmed that running local custom `golangci-lint` build with
`nilaway` plugin catches lots of issues when run on `fleet/`:
<img width="1555" height="939" alt="Screenshot 2026-01-29 at 2 47 50 PM"
src="https://github.com/user-attachments/assets/c6a18400-fdf0-4104-97d8-e117efc28ed6"
/>
<img width="301" height="109" alt="Screenshot 2026-01-29 at 2 48 36 PM"
src="https://github.com/user-attachments/assets/b459ee7b-b391-457a-9191-17d56a80c783"
/>

### Confirmed that new incremental CI step using custom `golangci-lint`
build with `nilaway` plugin _does not_ check any `.go` files when none
have been modified, and so passes successfully (incremental check works
as expected):
<img width="337" height="197" alt="Screenshot 2026-01-29 at 2 45 24 PM"
src="https://github.com/user-attachments/assets/c7ae585e-2e10-4ebf-a3a3-96c26063f1e4"
/>

### Confirmed that new incremental CI step using custom `golangci-lint`
build with `nilaway` plugin _does_ check modified lines of `.go` files,
and so successfully flags a potentially unsafe dereference and fails the
job (incremental check works as expected):
<img width="825" height="491" alt="Screenshot 2026-01-29 at 5 50 01 PM"
src="https://github.com/user-attachments/assets/82bc5616-6fb9-4357-b8bc-c7eebc42c2d8"
/>

### Honorable mention:
`nilaway` agrees that `listHostSoftware` is a wild beast:
<img width="1277" height="190" alt="Screenshot 2026-01-29 at 5 52 32 PM"
src="https://github.com/user-attachments/assets/dfade2a8-fbcc-4bae-98f9-6bf1089620d2"
/>

- [x] QA'd all new/changed functionality manually

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **Fleet dev cycle reliability improvements**



<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Victor Lyuboslavsky <2685025+getvictor@users.noreply.github.com>
jacobshandling 2026-02-06 06:51:17 -08:00 committed by GitHub
parent e122c06071
commit 79b7d83bf5
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 39 additions and 7 deletions

8
.custom-gcl.yml Normal file
View file

@ -0,0 +1,8 @@
# This configures how golangci-lint builds a custom build, wich is necessary to use nilaway as a plugin per https://github.com/uber-go/nilaway?tab=readme-ov-file#golangci-lint--v1570
# This has to be >= v1.57.0 for module plugin system support.
version: v2.7.1
plugins:
- module: "go.uber.org/nilaway"
import: "go.uber.org/nilaway/cmd/gclplugin"
version: v0.0.0-20260126174828-99d94caaf043 # fixed version for reproducible builds - latest as of 2026-01-29
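Review bot: The `version: v2.7.1` line duplicates the golangci-lint pin that the workflow carries on its `go install ...@a4b55ebc3471c9fbb763fd56eefede8050f99887 # v2.7.1` line, and nothing in this file says the two must move together. Add a comment here pointing at the workflow and at the docs file the workflow names, so a bump in one place is not missed in the other. The header comment also has a typo (`wich`), and its `>= v1.57.0` remark reads oddly next to a v2 pin; consider rewording it.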

View file

@ -11,12 +11,14 @@ on:
- '.github/workflows/golangci-lint.yml'
- '.golangci.yml'
- '.golangci-incremental.yml'
- '.custom-gcl.yml'
pull_request:
paths:
- '**.go'
- '.github/workflows/golangci-lint.yml'
- '.golangci.yml'
- '.golangci-incremental.yml'
- '.custom-gcl.yml'
workflow_dispatch: # Manual
# This allows a subsequently queued workflow run to interrupt previous runs
@ -135,4 +137,6 @@ jobs:
# Don't forget to update
# docs/Contributing/Testing-and-local-development.md when this version changes
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@a4b55ebc3471c9fbb763fd56eefede8050f99887 # v2.7.1
golangci-lint run -c .golangci-incremental.yml --new-from-rev=origin/${{ github.base_ref }} --timeout 15m ./...
# custom build of golangci-lint that incorporates nilaway - see .custom-gcl.yml
golangci-lint custom
./custom-gcl run -c .golangci-incremental.yml --new-from-rev=origin/${{ github.base_ref }} --timeout 15m ./...
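Review bot: `./custom-gcl` is the binary that actually lints the code after this change, yet the commit-hash pin on the `go install` line covers only the bootstrap binary; the custom build takes its golangci-lint version from the `version:` tag in `.custom-gcl.yml`. If the hash pin is there for supply-chain reasons, note in the comment that the tag is now the effective pin, or check the built binary's reported version before running it. `golangci-lint custom` also runs on every job, outside the `--timeout 15m` budget that applies only to `run`, so a step-level timeout and a cache for the built binary are worth considering.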

5
.gitignore vendored
View file

@ -120,4 +120,7 @@ fleet_tables_*.ext
third_party/vuln-check/go.sum
# Required to not make `fleet-desktop` macOS executable built with a `dirty` flag (see #35006).
Fleet\ Desktop.app
Fleet\ Desktop.app
# custom golangci-lint executable
custom-gcl
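Review bot: The bare `custom-gcl` pattern matches a file or directory of that name at any depth, not only the binary that `golangci-lint custom` writes to the repository root. Anchor it as `/custom-gcl` so an unrelated path with the same name elsewhere in the tree is not silently ignored.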

View file

@ -11,6 +11,15 @@ linters:
default: none
enable:
- modernize
exclusions:
generated: strict
- nilaway
settings:
custom:
nilaway:
type: module
description: Static analysis tool to detect potential nil panics in Go code.
settings:
# Settings must be a "map from string to string" to mimic command line flags: the keys are
# flag names and the values are the values to the particular flags.
include-pkgs: "github.com/fleetdm/fleet/v4"
exclusions:
generated: strict
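Review bot: Enabling `nilaway` only in the incremental config means its findings are filtered to changed lines, but a nil flow introduced by a change can be reported at a dereference on a line the change did not touch, and that report would be dropped. Say so in a comment beside the `- nilaway` entry, or pair this with a periodic full run, so a green incremental check is not read as "no new nil dereferences". It is also worth a comment that `include-pkgs: "github.com/fleetdm/fleet/v4"` must be updated if the module path's major version changes, since nilaway would otherwise analyze nothing and pass.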

View file

@ -210,11 +210,19 @@ lint-js:
.help-short--lint-go:
@echo "Run the Go linters"
lint-go:
golangci-lint run --timeout 15m
-golangci-lint run --timeout 15m
ifndef SKIP_INCREMENTAL
golangci-lint run -c .golangci-incremental.yml --new-from-merge-base=origin/main --timeout 15m ./...
$(MAKE) lint-go-incremental
endif
.help-short--lint-go-incremental:
@echo "Run the incremental Go linters"
lint-go-incremental: custom-gcl
./custom-gcl run -c .golangci-incremental.yml --new-from-merge-base=origin/main --timeout 15m ./...
custom-gcl:
golangci-lint custom
.help-short--lint:
@echo "Run linters"
.help-long--lint:
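Review bot: If the leading `-` on `-golangci-lint run --timeout 15m` is Make's ignore-errors prefix, `make lint-go` now exits 0 when the full lint fails, as long as the incremental run passes. If the intent is only to let the incremental step run after a failure, record the first exit status and fail at the end of the recipe instead of discarding it. Separately, `custom-gcl:` has no prerequisites, so once the binary exists it is never rebuilt when the nilaway or golangci-lint pin changes; declaring `custom-gcl: .custom-gcl.yml` would tie the rebuild to the config.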