Propagate Development into Beta-Release

.github/renovate.json

@@ -64,6 +64,19 @@
       "datasourceTemplate": "go",
       "versioningTemplate": "semver"
     },
+    {
+      "customType": "regex",
+      "description": "Track Go major-version module patches in Dockerfile via github-tags (workaround: Renovate go datasource cannot resolve /vN paths from custom managers)",
+      "managerFilePatterns": [
+        "/^Dockerfile$/"
+      ],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=github-tags\\s+depName=(?<depName>[^\\s]+)\\s*\\n\\s*go get [^@]+@v(?<currentValue>[^\\s|]+)"
+      ],
+      "datasourceTemplate": "github-tags",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v(?<version>.+)$"
+    },
     {
       "customType": "regex",
       "description": "Track Alpine base image digest in Dockerfile for security updates",
@@ -242,6 +255,20 @@
       "depNameTemplate": "golang/go",
       "datasourceTemplate": "golang-version",
       "versioningTemplate": "semver"
+    },
+    {
+      "customType": "regex",
+      "description": "Track golangci-lint version in quality checks workflow",
+      "managerFilePatterns": [
+        "/^\\.github/workflows/quality-checks\\.yml$/"
+      ],
+      "matchStrings": [
+        "# renovate: datasource=github-releases depName=golangci/golangci-lint\\n\\s+version: v(?<currentValue>[^\\s]+)"
+      ],
+      "depNameTemplate": "golangci/golangci-lint",
+      "datasourceTemplate": "github-releases",
+      "versioningTemplate": "semver",
+      "extractVersionTemplate": "^v(?<version>.*)"
     }
   ],
 
@@ -289,22 +316,31 @@
       "allowedVersions": "<3.0.0"
     },
     {
-      "description": "Go: keep pgx within v4 (CrowdSec requires pgx/v4 module path)",
+      "description": "Go: keep pgx within v4 (CrowdSec requires pgx/v4 module path) - applies to go.mod lookups",
       "matchDatasources": ["go"],
       "matchPackageNames": ["github.com/jackc/pgx/v4"],
-      "allowedVersions": "<5.0.0"
+      "allowedVersions": "<5.0.0",
+      "sourceUrl": "https://github.com/jackc/pgx"
+    },
+    {
+      "description": "jackc/pgx via github-tags: constrain to v4.x.x patch releases (Dockerfile CVE pin)",
+      "matchDatasources": ["github-tags"],
+      "matchPackageNames": ["jackc/pgx"],
+      "allowedVersions": ">=4.0.0 <5.0.0"
     },
     {
       "description": "Go: keep go-jose/v3 within v3 (v4 is a different Go module path)",
       "matchDatasources": ["go"],
       "matchPackageNames": ["github.com/go-jose/go-jose/v3"],
-      "allowedVersions": "<4.0.0"
+      "allowedVersions": "<4.0.0",
+      "sourceUrl": "https://github.com/go-jose/go-jose"
     },
     {
       "description": "Go: keep go-jose/v4 within v4 (v5 would be a different Go module path)",
       "matchDatasources": ["go"],
       "matchPackageNames": ["github.com/go-jose/go-jose/v4"],
-      "allowedVersions": "<5.0.0"
+      "allowedVersions": "<5.0.0",
+      "sourceUrl": "https://github.com/go-jose/go-jose"
     },
     {
       "description": "Safety: Keep MAJOR updates separate and require manual review",
@@ -323,6 +359,60 @@
       "matchDatasources": ["go"],
       "matchPackageNames": ["github.com/google/uuid"],
       "sourceUrl": "https://github.com/google/uuid"
+    },
+    {
+      "description": "Fix Renovate lookup for golang-jwt/jwt v5 module path",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/golang-jwt/jwt/v5"],
+      "sourceUrl": "https://github.com/golang-jwt/jwt"
+    },
+    {
+      "description": "Fix Renovate lookup for robfig/cron v3 module path",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/robfig/cron/v3"],
+      "sourceUrl": "https://github.com/robfig/cron"
+    },
+    {
+      "description": "Fix Renovate lookup for oschwald/maxminddb-golang v2 module path",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/oschwald/maxminddb-golang/v2"],
+      "sourceUrl": "https://github.com/oschwald/maxminddb-golang"
+    },
+    {
+      "description": "Fix Renovate lookup for cespare/xxhash v2 module path",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/cespare/xxhash/v2"],
+      "sourceUrl": "https://github.com/cespare/xxhash"
+    },
+    {
+      "description": "Fix Renovate lookup for klauspost/cpuid v2 module path",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/klauspost/cpuid/v2"],
+      "sourceUrl": "https://github.com/klauspost/cpuid"
+    },
+    {
+      "description": "Fix Renovate lookup for pelletier/go-toml v2 module path",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/pelletier/go-toml/v2"],
+      "sourceUrl": "https://github.com/pelletier/go-toml"
+    },
+    {
+      "description": "Fix Renovate lookup for go-playground/validator v10 module path",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["github.com/go-playground/validator/v10"],
+      "sourceUrl": "https://github.com/go-playground/validator"
+    },
+    {
+      "description": "Fix Renovate lookup for gorm.io/gorm (vanity domain maps to go-gorm/gorm)",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["gorm.io/gorm"],
+      "sourceUrl": "https://github.com/go-gorm/gorm"
+    },
+    {
+      "description": "Fix Renovate lookup for gorm.io/driver/sqlite (vanity domain maps to go-gorm/sqlite)",
+      "matchDatasources": ["go"],
+      "matchPackageNames": ["gorm.io/driver/sqlite"],
+      "sourceUrl": "https://github.com/go-gorm/sqlite"
     }
   ]
 }

.github/skills/examples/gorm-scanner-ci-workflow.yml

@@ -25,7 +25,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
-          go-version: "1.26.2"
+          go-version: "1.26.3"
 
       - name: Run GORM Security Scanner
         id: gorm-scan

.github/skills/security-scan-docker-image-scripts/run.sh

@@ -35,7 +35,7 @@ fi
 # Check Grype
 if ! command -v grype >/dev/null 2>&1; then
     log_error "Grype not found - install from: https://github.com/anchore/grype"
-    log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.111.1"
+    log_error "Installation: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.112.0"
     error_exit "Grype is required for vulnerability scanning" 2
 fi
 
@@ -50,8 +50,8 @@ SYFT_INSTALLED_VERSION=$(syft version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\
 GRYPE_INSTALLED_VERSION=$(grype version | grep -oP 'Version:\s*\Kv?[0-9]+\.[0-9]+\.[0-9]+' | head -1 || echo "unknown")
 
 # Set defaults matching CI workflow
-set_default_env "SYFT_VERSION" "v1.43.0"
-set_default_env "GRYPE_VERSION" "v0.111.1"
+set_default_env "SYFT_VERSION" "v1.44.0"
+set_default_env "GRYPE_VERSION" "v0.112.0"
 set_default_env "IMAGE_TAG" "charon:local"
 set_default_env "FAIL_ON_SEVERITY" "Critical,High"
 

.github/workflows/auto-add-to-project.yml

@@ -26,7 +26,7 @@ jobs:
 
       - name: Add issue or PR to project
         if: steps.project_check.outputs.has_project == 'true'
-        uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
+        uses: actions/add-to-project@5afcf98fcd03f1c2f92c3c83f58ae24323cc57fd # v2.0.0
         continue-on-error: true
         with:
           project-url: ${{ secrets.PROJECT_URL }}

.github/workflows/auto-changelog.yml

@@ -24,6 +24,6 @@ jobs:
         with:
           ref: ${{ github.event.workflow_run.head_sha || github.sha }}
       - name: Draft Release
-        uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7
+        uses: release-drafter/release-drafter@c2e2804cc59f45f57076a99af580d0fedb697927 # v7
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/benchmark.yml

@@ -12,7 +12,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: '1.26.2'
+  GO_VERSION: '1.26.3'
   GOTOOLCHAIN: auto
 
 # Minimal permissions at workflow level; write permissions granted at job level for push only
@@ -52,7 +52,7 @@ jobs:
         # This avoids gh-pages branch errors and permission issues on fork PRs
         if: github.event.workflow_run.event == 'push' && github.event.workflow_run.head_branch == 'main'
         # Security: Pinned to full SHA for supply chain security
-        uses: benchmark-action/github-action-benchmark@a60cea5bc7b49e15c1f58f411161f99e0df48372 # v1.22.0
+        uses: benchmark-action/github-action-benchmark@52576c92bccf6ac60c8223ec7eb2565637cae9ba # v1.22.1
         with:
           name: Go Benchmark
           tool: 'go'

.github/workflows/codecov-upload.yml

@@ -23,7 +23,7 @@ concurrency:
   cancel-in-progress: true
 
 env:
-  GO_VERSION: '1.26.2'
+  GO_VERSION: '1.26.3'
   NODE_VERSION: '24.12.0'
   GOTOOLCHAIN: auto
 

.github/workflows/codeql.yml

@@ -4,7 +4,7 @@ on:
   pull_request:
     branches: [main, nightly, development]
   push:
-    branches: [main]
+    branches: [main, nightly, development]
   workflow_dispatch:
   schedule:
     - cron: '0 3 * * 1' # Mondays 03:00 UTC
@@ -15,7 +15,7 @@ concurrency:
 
 env:
   GOTOOLCHAIN: auto
-  GO_VERSION: '1.26.2'
+  GO_VERSION: '1.26.3'
 
 permissions:
   contents: read
@@ -52,7 +52,7 @@ jobs:
         run: bash scripts/ci/check-codeql-parity.sh
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           languages: ${{ matrix.language }}
           queries: security-and-quality
@@ -92,16 +92,17 @@ jobs:
         run: mkdir -p sarif-results
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        id: codeql_analyze
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           category: "/language:${{ matrix.language }}"
           output: sarif-results/${{ matrix.language }}
 
       - name: Check CodeQL Results
-        if: always()
+        if: always() && steps.codeql_analyze.conclusion != 'skipped'
         run: |
           set -euo pipefail
           SARIF_DIR="sarif-results/${{ matrix.language }}"
@@ -194,7 +195,7 @@ jobs:
           } >> "$GITHUB_STEP_SUMMARY"
 
       - name: Fail on High-Severity Findings
-        if: always()
+        if: always() && steps.codeql_analyze.conclusion != 'skipped'
         run: |
           set -euo pipefail
           SARIF_DIR="sarif-results/${{ matrix.language }}"