📦 deps: bump actions/setup-go from 5.5.0 to 6.4.0 #8
Merged
s-b-e-n-s-o-n merged 1 commit into Apr 11, 2026
Labels
The following labels could not be found: Please fix the above issues or remove invalid values from
871d6b4 to 89e93ca
@dependabot rebase
89e93ca to 5f379d0
@dependabot rebase
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.4.0.
- [Release notes](https://github.com/actions/setup-go/releases)
- [Commits](actions/setup-go@d35c59a...4a36011)

---
updated-dependencies:
- dependency-name: actions/setup-go
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
5f379d0 to de3e4b7
This was referenced May 11, 2026
s-b-e-n-s-o-n added a commit that referenced this pull request May 12, 2026
#46)

* 🔒 security(deps): regenerate lockfile to apply postcss ^8.5.14 override

  The `overrides.next.postcss` rule was correct, but the old lockfile retained a nested `node_modules/next/node_modules/postcss@8.4.31` because `npm install --package-lock-only` would not drop the cached entry. A clean install hoists postcss to a single `8.5.14` and removes the nested copy.

  Fixes Scorecard alert #8 / GHSA-qx2v-qp2m-jg93 (PostCSS XSS via unescaped </style> in CSS Stringify Output, <8.5.10).

  Verified:
  - npm audit: 0 vulnerabilities
  - npm ls postcss: no nested copy under node_modules/next/

* 📝 docs: drop GO-LIVE-CHECKLIST.md and scrub planning-doc references

  Audit prep for the public-repo flip:
  - Remove `GO-LIVE-CHECKLIST.md` from the tree. The file is internal pre-launch working notes (phase plans, decision logs, audit findings with commit SHAs). The local copy is preserved under `.planning/`, which is already gitignored.
  - Scrub two `CHANGELOG.md` lines that named "internal planning docs" and "internal vision doc" — those phrases advertise the existence of private artifacts the public repo doesn't contain.
  - Tighten `CLAUDE.md` and `AGENTS.md` so the `.planning/` callout no longer enumerates its contents (was: "vision, roadmap, competitive analysis, threat model"). The directory is still flagged as gitignored-local-only so AI agents know not to commit anything there.

  No behavior change; documentation hygiene only.

* 📝 docs: switch docs-site branding refs from Nextra to Fumadocs

  The `docs/` workspace migrated to Fumadocs (`fumadocs-core` / `fumadocs-mdx` / `fumadocs-ui`) some time ago, but four committed files still advertised the old framework:
  - `README.md` "Built With" badge
  - `CLAUDE.md` and `AGENTS.md` workspace blurb
  - `.gitignore` comment explaining the static-export copy step
  - `docs/globals.d.ts` ambient-CSS comment referencing `nextra-theme-docs`

  CHANGELOG entries for past releases keep the "Nextra" wording because that was true at the time and the changelog is a historical record.

  No behavior change.

* 🔧 chore(demo): drop asciinema artifacts in favor of CliDemo React component

  The asciinema-based hero demo was superseded by `website/src/components/cli-demo.tsx`, an animated React component that simulates the same CLI output. Removing the now-orphaned script + cast + preview page so nothing in the build references them.
  - delete `scripts/asciinema-demo.sh` (recording helper for the cast)
  - delete `website/public/sockguard-demo.cast` (the recorded asciinema cast)
  - delete `website/public/asciinema-preview.html` (preview surface for the cast)
  - rephrase the lingering asciinema comment in `cli-demo.tsx`
s-b-e-n-s-o-n added a commit that referenced this pull request May 12, 2026
* 🔒 security(deps): regenerate lockfile to apply postcss ^8.5.14 override

  The `overrides.next.postcss` rule was correct, but the old lockfile retained a nested `node_modules/next/node_modules/postcss@8.4.31` because `npm install --package-lock-only` would not drop the cached entry. A clean install hoists postcss to a single `8.5.14` and removes the nested copy.

  Fixes Scorecard alert #8 / GHSA-qx2v-qp2m-jg93 (PostCSS XSS via unescaped </style> in CSS Stringify Output, <8.5.10).

  Verified:
  - npm audit: 0 vulnerabilities
  - npm ls postcss: no nested copy under node_modules/next/

* 📝 docs: drop GO-LIVE-CHECKLIST.md and scrub planning-doc references

  Audit prep for the public-repo flip:
  - Remove `GO-LIVE-CHECKLIST.md` from the tree. The file is internal pre-launch working notes (phase plans, decision logs, audit findings with commit SHAs). The local copy is preserved under `.planning/`, which is already gitignored.
  - Scrub two `CHANGELOG.md` lines that named "internal planning docs" and "internal vision doc" — those phrases advertise the existence of private artifacts the public repo doesn't contain.
  - Tighten `CLAUDE.md` and `AGENTS.md` so the `.planning/` callout no longer enumerates its contents (was: "vision, roadmap, competitive analysis, threat model"). The directory is still flagged as gitignored-local-only so AI agents know not to commit anything there.

  No behavior change; documentation hygiene only.

* 📝 docs: switch docs-site branding refs from Nextra to Fumadocs

  The `docs/` workspace migrated to Fumadocs (`fumadocs-core` / `fumadocs-mdx` / `fumadocs-ui`) some time ago, but four committed files still advertised the old framework:
  - `README.md` "Built With" badge
  - `CLAUDE.md` and `AGENTS.md` workspace blurb
  - `.gitignore` comment explaining the static-export copy step
  - `docs/globals.d.ts` ambient-CSS comment referencing `nextra-theme-docs`

  CHANGELOG entries for past releases keep the "Nextra" wording because that was true at the time and the changelog is a historical record.

  No behavior change.

* 🔧 chore(demo): drop asciinema artifacts in favor of CliDemo React component

  The asciinema-based hero demo was superseded by `website/src/components/cli-demo.tsx`, an animated React component that simulates the same CLI output. Removing the now-orphaned script + cast + preview page so nothing in the build references them.
  - delete `scripts/asciinema-demo.sh` (recording helper for the cast)
  - delete `website/public/sockguard-demo.cast` (the recorded asciinema cast)
  - delete `website/public/asciinema-preview.html` (preview surface for the cast)
  - rephrase the lingering asciinema comment in `cli-demo.tsx`

* 🔄 refactor(app): collapse *WithDeps injection pattern across five packages

  Replace four injection-struct families with package-level var hooks (filter, testcert, proxy) or direct function parameters (clientacl, ownership):
  - filter: var regexpCompileHook = regexp.Compile; tests swap via t.Cleanup
  - testcert: 12 var *Hook vars replacing bundleDeps/certDeps/bundleWriteDeps/writePEMDeps; restoreTestcertHooks(t) helper
  - proxy/hijack: 5 var *Hook vars + restoreHijackHooks(t) helper
  - clientacl: middlewareWithDeps takes resolveClient func directly (no struct)
  - ownership: middlewareWithDeps/allowOwnershipRequest/checkOwnedResource take inspectResource+inspectExec funcs directly
  - visibility: inline dockerclient call replaces newVisibilityDeps() struct

  No public API change. All 20 packages pass.

* 🔄 refactor(app): add shared dockerclient package for socket side-channels

  Extract the unix-socket http.Client construction (previously duplicated in ownership, clientacl, and visibility) into internal/dockerclient. Used by the preceding refactor commit that collapsed the *WithDeps pattern.

* 🐛 fix(test): clear GIT_DIR/GIT_WORK_TREE in release-next-version temp git repos

  When the pre-push hook runs npm test, git commands in the release-next-version integration tests inherit the hook's GIT_DIR env var, causing them to operate on the main repository instead of the isolated temp git repos. This corrupts repository-local config (user.name, user.email) and appends test commits to the current branch. Fix by clearing GIT_DIR and GIT_WORK_TREE from the environment before each git call in the test helper.

* 🐛 fix(test): strip GIT_DIR/GIT_WORK_TREE from all child processes in release test

  Extend the isolation fix to cover spawnSync calls (the script-under-test) in addition to the git() helper. Also switch from delete-after-copy to a filter approach so the env object never contains the stripped keys.
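The two test fixes at the end of the commit message above describe stripping `GIT_DIR` and `GIT_WORK_TREE` from every child process by filtering the environment. The sketch below is an added example, not code from this repository: `isolatedGitEnv`, `childSees` and the sample values are hypothetical, and a Node child stands in for `git` so the effect can be checked without a repository.

```javascript
const { spawnSync } = require('node:child_process');

// Variables a git hook exports; either one points git at the hook's repository
// instead of the repository in the current working directory.
const STRIPPED_KEYS = new Set(['GIT_DIR', 'GIT_WORK_TREE']);

// Filter approach: build the child environment without the keys, so the
// returned object never contains them (no copy-then-delete step).
function isolatedGitEnv(parentEnv = process.env) {
  return Object.fromEntries(
    Object.entries(parentEnv).filter(([key]) => !STRIPPED_KEYS.has(key))
  );
}

// Hypothetical helper: spawn a child Node process with `env` and return the
// subset of `names` that the child can actually see.
function childSees(env, names) {
  const probe =
    `process.stdout.write(JSON.stringify(${JSON.stringify(names)}` +
    `.filter((n) => process.env[n] !== undefined)))`;
  const result = spawnSync(process.execPath, ['-e', probe], { env, encoding: 'utf8' });
  if (result.status !== 0) throw new Error(result.stderr || 'probe failed');
  return JSON.parse(result.stdout);
}

// Constructed input: the environment a pre-push hook would pass to `npm test`.
const hookEnv = {
  ...process.env,
  GIT_DIR: '/constructed/main-repo/.git',
  GIT_WORK_TREE: '/constructed/main-repo',
  KEEP_ME: '1',
};
const WATCHED = ['GIT_DIR', 'GIT_WORK_TREE', 'KEEP_ME'];

console.log('inherited:', childSees(hookEnv, WATCHED));
console.log('isolated: ', childSees(isolatedGitEnv(hookEnv), WATCHED));
```

Passing the filtered object as `env` to every `spawnSync` call, including the one that launches the script under test, is what keeps grandchildren from inheriting the hook's repository pointers.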
Bumps actions/setup-go from 5.5.0 to 6.4.0.
Release notes
Sourced from actions/setup-go's releases.
... (truncated)
Commits
- 4a36011 docs: fix Microsoft build of Go link (#734)
- 8f19afc feat: add go-download-base-url input for custom Go distributions (#721)
- 27fdb26 Bump minimatch from 3.1.2 to 3.1.5 (#727)
- def8c39 Rearrange README.md, add advanced-usage.md (#724)
- 4b73464 Fix golang download url to go.dev (#469)
- a5f9b05 Update default Go module caching to use go.mod (#705)
- 7a3fe6c Bump qs from 6.14.0 to 6.14.1 (#703)
- b9adafd Bump actions/checkout from 5 to 6 (#686)
- d73f6bc README.md: correct to actions/checkout@v6 (#683)
- ae252ee Bump @actions/cache to v5 (#695)