fix(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/download-artifact	action	major	v7.0.0 → v8.0.0
actions/download-artifact	action	major	v7 → v8
actions/runner		minor	2.331.0 → 2.332.0
actions/upload-artifact	action	major	v6.0.0 → v7.0.0
actions/upload-artifact	action	major	v6 → v7
cirruslabs/cirrus-cli		minor	v0.164.3 → v0.165.0
github.com/ProtonMail/go-crypto	indirect	minor	v1.3.0 → v1.4.0
github.com/alexkohler/prealloc	indirect	minor	v1.0.2 → v1.1.0
github.com/aws/aws-sdk-go-v2/service/ec2	require	minor	v1.290.0 → v1.293.0
github.com/aws/aws-sdk-go-v2/service/ecs	require	minor	v1.72.0 → v1.73.0
github.com/daixiang0/gci	indirect	minor	v0.13.7 → v0.14.0
github.com/go-git/go-billy/v5	indirect	minor	v5.7.0 → v5.8.0
github.com/go-git/go-git/v5	indirect	minor	v5.16.5 → v5.17.0
github.com/golangci/gofmt	indirect	digest	d62b90e → e7be49a
github.com/kisielk/errcheck	indirect	minor	v1.9.0 → v1.10.0
github.com/prometheus/procfs	indirect	minor	v0.19.2 → v0.20.1
github.com/pulumi/pulumi-aws-native/sdk	require	minor	v1.55.0 → v1.56.0
github.com/pulumi/pulumi-azure-native-sdk/authorization/v3	require	minor	v3.13.0 → v3.14.0
github.com/pulumi/pulumi-azure-native-sdk/compute/v3	require	minor	v3.13.0 → v3.14.0
github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3	require	minor	v3.13.0 → v3.14.0
github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v3	require	minor	v3.13.0 → v3.14.0
github.com/pulumi/pulumi-azure-native-sdk/network/v3	require	minor	v3.13.0 → v3.14.0
github.com/pulumi/pulumi-azure-native-sdk/resources/v3	require	minor	v3.13.0 → v3.14.0
github.com/pulumi/pulumi-azure-native-sdk/storage/v3	require	minor	v3.13.0 → v3.14.0
github.com/pulumi/pulumi-azure-native-sdk/v3	indirect	minor	v3.13.0 → v3.14.0
github.com/pulumi/pulumi-kubernetes/sdk/v4	require	minor	v4.26.0 → v4.27.0
github.com/pulumi/pulumi/sdk/v3	require	minor	v3.223.0 → v3.224.0
github.com/securego/gosec/v2	indirect	minor	v2.23.0 → v2.24.7
github.com/sonatard/noctx	indirect	minor	v0.4.0 → v0.5.0
github.com/zclconf/go-cty	indirect	minor	v1.17.0 → v1.18.0
golang.org/x/net	indirect	minor	v0.50.0 → v0.51.0
google.golang.org/genproto/googleapis/rpc	indirect	digest	42d3e9b → a57be14
pulumi/pulumi		minor	3.223.0 → 3.224.0
pulumi/pulumi-aws-native		minor	v1.55.0 → v1.56.0
pulumi/pulumi-azure-native		minor	v3.13.0 → v3.14.0
registry.access.redhat.com/ubi9/go-toolset	stage	digest	799cc02 → b3b98e0

---

Release Notes

actions/download-artifact (actions/download-artifact)

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

actions/runner (actions/runner)

v2.332.0

Compare Source

What's Changed

• chore: update Node versions by @​github-actions[bot] in #​4200
• Update dotnet sdk to latest version @​8.0.417 by @​github-actions[bot] in #​4201
• Bump System.Formats.Asn1 and System.Security.Cryptography.Pkcs by @​dependabot[bot] in #​4202
• Allow empty container options by @​ericsciple in #​4208
• Update Docker to v29.1.5 and Buildx to v0.31.0 by @​github-actions[bot] in #​4212
• Report job level annotations by @​TingluoHuang in #​4216
• Fix local action display name showing Run /./ instead of Run ./ by @​ericsciple in #​4218
• Update Docker to v29.2.0 and Buildx to v0.31.1 by @​github-actions[bot] in #​4219
• Add support for libssl3 and libssl3t64 for newer Debian/Ubuntu versions by @​nekketsuuu in #​4213
• Validate work dir during runner start up. by @​TingluoHuang in #​4227
• Bump hook to 0.8.1 by @​nikola-jokic in #​4222
• Support return job result as exitcode in hosted runner. by @​TingluoHuang in #​4233
• Add telemetry tracking for deprecated set-output and save-state commands by @​ericsciple in #​4221
• Fix parser comparison mismatches by @​ericsciple in #​4220
• Remove unnecessary connection test during some registration flows by @​zarenner in #​4244
• chore: update Node versions by @​github-actions[bot] in #​4249
• Update dotnet sdk to latest version @​8.0.418 by @​github-actions[bot] in #​4250
• Fix link to SECURITY.md in README by @​TingluoHuang in #​4253
• Try to infer runner is on hosted/ghes when githuburl is empty. by @​TingluoHuang in #​4254
• Add Node.js 20 deprecation warning annotation (Phase 1) by @​salmanmkc in #​4242
• Update Node.js 20 deprecation date to June 2nd, 2026 by @​salmanmkc in #​4258
• Composite Action Step Markers by @​ericsciple in #​4243
• Symlink actions cache by @​paveliak in #​4260
• Bump minimatch in /src/Misc/expressionFunc/hashFiles by @​dependabot[bot] in #​4261
• Bump @​stylistic/eslint-plugin from 3.1.0 to 5.9.0 in /src/Misc/expressionFunc/hashFiles by @​dependabot[bot] in #​4257

New Contributors

• @​nekketsuuu made their first contribution in #​4213
• @​zarenner made their first contribution in #​4244

Full Changelog: actions/runner@v2.331.0...v2.332.0

Note: Actions Runner follows a progressive release policy, so the latest release might not be available to your enterprise, organization, or repository yet.
To confirm which version of the Actions Runner you should expect, please view the download instructions for your enterprise, organization, or repository.
See https://docs.github.com/en/enterprise-cloud@latest/actions/hosting-your-own-runners/adding-self-hosted-runners

Windows x64

We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.

The following snipped needs to be run on powershell:

# Create a folder under the drive root
mkdir \actions-runner ; cd \actions-runner

# Download the latest runner package
Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v2.332.0/actions-runner-win-x64-2.332.0.zip -OutFile actions-runner-win-x64-2.332.0.zip

# Extract the installer
Add-Type -AssemblyName System.IO.Compression.FileSystem ;
[System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD\actions-runner-win-x64-2.332.0.zip", "$PWD")

Windows arm64

We recommend configuring the runner in a root folder of the Windows drive (e.g. "C:\actions-runner"). This will help avoid issues related to service identity folder permissions and long file path restrictions on Windows.

The following snipped needs to be run on powershell:

# Create a folder under the drive root
mkdir \actions-runner ; cd \actions-runner

# Download the latest runner package
Invoke-WebRequest -Uri https://github.com/actions/runner/releases/download/v2.332.0/actions-runner-win-arm64-2.332.0.zip -OutFile actions-runner-win-arm64-2.332.0.zip

# Extract the installer
Add-Type -AssemblyName System.IO.Compression.FileSystem ;
[System.IO.Compression.ZipFile]::ExtractToDirectory("$PWD\actions-runner-win-arm64-2.332.0.zip", "$PWD")

OSX x64

# Create a folder
mkdir actions-runner && cd actions-runner

# Download the latest runner package
curl -O -L https://github.com/actions/runner/releases/download/v2.332.0/actions-runner-osx-x64-2.332.0.tar.gz

# Extract the installer
tar xzf ./actions-runner-osx-x64-2.332.0.tar.gz

OSX arm64 (Apple silicon)

# Create a folder
mkdir actions-runner && cd actions-runner

# Download the latest runner package
curl -O -L https://github.com/actions/runner/releases/download/v2.332.0/actions-runner-osx-arm64-2.332.0.tar.gz

# Extract the installer
tar xzf ./actions-runner-osx-arm64-2.332.0.tar.gz

Linux x64

# Create a folder
mkdir actions-runner && cd actions-runner

# Download the latest runner package
curl -O -L https://github.com/actions/runner/releases/download/v2.332.0/actions-runner-linux-x64-2.332.0.tar.gz

# Extract the installer
tar xzf ./actions-runner-linux-x64-2.332.0.tar.gz

Linux arm64

# Create a folder
mkdir actions-runner && cd actions-runner

# Download the latest runner package
curl -O -L https://github.com/actions/runner/releases/download/v2.332.0/actions-runner-linux-arm64-2.332.0.tar.gz

# Extract the installer
tar xzf ./actions-runner-linux-arm64-2.332.0.tar.gz

Linux arm

# Create a folder
mkdir actions-runner && cd actions-runner

# Download the latest runner package
curl -O -L https://github.com/actions/runner/releases/download/v2.332.0/actions-runner-linux-arm-2.332.0.tar.gz

# Extract the installer
tar xzf ./actions-runner-linux-arm-2.332.0.tar.gz

Using your self hosted runner

For additional details about configuring, running, or shutting down the runner please check out our product docs.

SHA-256 Checksums

The SHA-256 checksums for the packages included in this build are shown below:

• actions-runner-win-x64-2.332.0.zip 83e56e05b21eb58c9697f82e52c53b30867335ff039cd5d44d1a1a24d2149f4b
• actions-runner-win-arm64-2.332.0.zip e7dced5dcf8e8492ec24eb16446047ddccecdb55625f9f6738a96fa9da1bd7f6
• actions-runner-osx-x64-2.332.0.tar.gz 99755a4f48d81da8d6a59bad6a3216a49394f41d2c842c39f921a1592d7d0733
• actions-runner-osx-arm64-2.332.0.tar.gz d53bedb30619a64e751bb9f729cc9e9b35eb1df5361651d54daae00db33f2e73
• actions-runner-linux-x64-2.332.0.tar.gz f2094522a6b9afeab07ffb586d1eb3f190b6457074282796c497ce7dce9e0f2a
• actions-runner-linux-arm64-2.332.0.tar.gz b72f0599cdbd99dd9513ab64fcb59e424fc7359c93b849e8f5efdd5a72f743a6
• actions-runner-linux-arm-2.332.0.tar.gz 84ac6dda50f941c7bc4952a20af0c4147caa96bdb2cb2494e7a5eb630d63753b

actions/upload-artifact (actions/upload-artifact)

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

cirruslabs/cirrus-cli (cirruslabs/cirrus-cli)

v0.165.0

Compare Source

What's Changed

• Run Vetu tests on Cirrus Runners instead of AWS by @​edigaryev in #​1029
• Bump omni-cache dependency to v1.3.0 by @​fkorotkov in #​1031

Full Changelog: cirruslabs/cirrus-cli@v0.164.3...v0.165.0

ProtonMail/go-crypto (github.com/ProtonMail/go-crypto)

v1.4.0

Compare Source

What's Changed

• Ignore leading and trailing whitespaces in the armor body in #​288
• Update key_generation.go, rename variables to avoid shadowing in #​290
• Add InsecureGenerateNonCriticalKeyFlags option to generate non-critical key flags signature subpackets in #​291
• Add InsecureGenerateNonCriticalSignatureCreationTime option to generate non-critical signature creation time subpackets in #​292
• Bump dependencies and min go version to 1.23 in #​294
• ECDHv4: Error on low-order x25519 public key curve points in #​299
• Cleartext: Only allow valid hashes in header in #​298

Full Changelog: ProtonMail/go-crypto@v1.3.0...v1.4.0

alexkohler/prealloc (github.com/alexkohler/prealloc)

v1.1.0

Compare Source

v1.0.3

Compare Source

aws/aws-sdk-go-v2 (github.com/aws/aws-sdk-go-v2/service/ec2)

v1.293.0

General Highlights

• Dependency Update: Updated to the latest SDK module versions

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/backupgateway: v1.26.0
  • Feature: This release updates GetGateway API to include deprecationDate and softwareVersion in the response, enabling customers to track gateway software versions and upcoming deprecation dates.
• github.com/aws/aws-sdk-go-v2/service/ec2: v1.293.0
  • Feature: Add c8id, m8id and hpc8a instance types.
• github.com/aws/aws-sdk-go-v2/service/ecs: v1.73.0
  • Feature: Adding support for Capacity Reservations for ECS Managed Instances by introducing a new "capacityOptionType" value of "RESERVED" and new field "capacityReservations" for CreateCapacityProvider and UpdateCapacityProvider APIs.
• github.com/aws/aws-sdk-go-v2/service/internal/checksum: v1.9.10
  • Bug Fix: Allow sending unkown checksum values if the value is precalculated on the input request
• github.com/aws/aws-sdk-go-v2/service/marketplaceentitlementservice: v1.36.0
  • Feature: Added License Arn as a new optional filter for GetEntitlements and LicenseArn field in each entitlement in the response.
• github.com/aws/aws-sdk-go-v2/service/marketplacemetering: v1.36.0
  • Feature: Added LicenseArn to ResolveCustomer response and BatchMeterUsage usage records. BatchMeterUsage now accepts LicenseArn in each UsageRecord to report usage at the license level. Added InvalidLicenseException error response for invalid license parameters.
• github.com/aws/aws-sdk-go-v2/service/securityhub: v1.68.0
  • Feature: Security Hub added EXTENDED PLAN integration type to DescribeProductsV2 and added metadata.product.vendor name GroupBy support to GetFindingStatisticsV2

v1.292.0

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/batch: v1.60.2
  • Documentation: AWS Batch documentation update for service job capacity units.
• github.com/aws/aws-sdk-go-v2/service/ec2: v1.292.0
  • Feature: Add support for EC2 Capacity Blocks in Local Zones.
• github.com/aws/aws-sdk-go-v2/service/neptune: v1.44.0
  • Feature: Neptune global clusters now supports tags
• github.com/aws/aws-sdk-go-v2/service/wafv2: v1.71.0
  • Feature: AWS WAF now supports GetTopPathStatisticsByTraffic that provides aggregated statistics on the top URI paths accessed by bot traffic. Use this operation to see which paths receive the most bot traffic, identify the specific bots accessing them, and filter by category, organization, or bot name.

v1.291.0

Module Highlights

• github.com/aws/aws-sdk-go-v2/service/cloudwatch: v1.55.0
  • Feature: This release adds the APIs (PutAlarmMuteRule, ListAlarmMuteRules, GetAlarmMuteRule and DeleteAlarmMuteRule) to manage a new Cloudwatch resource, AlarmMuteRules. AlarmMuteRules allow customers to temporarily mute alarm notifications during expected downtime periods.
• github.com/aws/aws-sdk-go-v2/service/ec2: v1.291.0
  • Feature: Adds httpTokensEnforced property to ModifyInstanceMetadataDefaults API. Set per account or manage organization-wide using declarative policies to prevent IMDSv1-enabled instance launch and block attempts to enable IMDSv1 on existing IMDSv2-only instances.
• github.com/aws/aws-sdk-go-v2/service/elasticsearchservice: v1.38.0
  • Feature: Fixed HTTP binding for DescribeDomainAutoTunes API to correctly pass request parameters as query parameters in the HTTP request.
• github.com/aws/aws-sdk-go-v2/service/elementalinference: v1.0.0
  • Release: New AWS service client module
  • Feature: Initial GA launch for AWS Elemental Inference including capabilities of Smart Crop and Live Event Clipping
• github.com/aws/aws-sdk-go-v2/service/medialive: v1.93.0
  • Feature: AWS Elemental MediaLive - Added support for Elemental Inference for Smart Cropping and Clipping features for MediaLive.
• github.com/aws/aws-sdk-go-v2/service/observabilityadmin: v1.10.0
  • Feature: Adding a new field in the CreateCentralizationRuleForOrganization, UpdateCentralizationRuleForOrganization API and updating the GetCentralizationRuleForOrganization API response to include the new field
• github.com/aws/aws-sdk-go-v2/service/opensearch: v1.58.0
  • Feature: Fixed HTTP binding for DescribeDomainAutoTunes API to correctly pass request parameters as query parameters in the HTTP request.
• github.com/aws/aws-sdk-go-v2/service/partnercentralselling: v1.15.0
  • Feature: Added support for filtering opportunities by target close date in the ListOpportunities API. You can now filter results to return opportunities with a target close date before or after a specified date, enabling more precise opportunity searches based on expected closure timelines.

daixiang0/gci (github.com/daixiang0/gci)

v0.14.0

Compare Source

AST Support is Coming!

See details in #​241

Other Changes

• chore(deps): migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 by @​scop in #​240
• Add Go workspace support to LocalModule section by @​krostar in #​236
• feat(*): bump to 0.14 by @​daixiang0 in #​243

New Contributors

• @​scop made their first contribution in #​240
• @​krostar made their first contribution in #​236

Full Changelog: daixiang0/gci@v0.13.7...v0.14.0

go-git/go-billy (github.com/go-git/go-billy/v5)

v5.8.0

Compare Source

What's Changed

• build: Update module golang.org/x/net to v0.45.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​183
• v5: Ensure Chmod behaviour across BoundOS and ChrootOS by @​pjbgf in #​187

Full Changelog: go-git/go-billy@v5.7.0...v5.8.0

go-git/go-git (github.com/go-git/go-git/v5)

v5.17.0

Compare Source

What's Changed

• build: Update module github.com/go-git/go-git/v5 to v5.16.5 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in #​1839
• git: worktree, optimize infiles function for very large repos by @​k-anshul in #​1853
• git: Add strict checks for supported extensions by @​pjbgf in #​1861
• backport, git: Improve Status() speed with new index.ModTime check by @​cedric-appdirect in #​1862
• storage: filesystem, Avoid overwriting loose obj files by @​pjbgf in #​1864

Full Changelog: go-git/go-git@v5.16.5...v5.17.0

kisielk/errcheck (github.com/kisielk/errcheck)

v1.10.0

Compare Source

What's Changed

• exclude crypto/rand.Read by default by @​pitku in #​269
• README: Clarify the purpose and limitations of the program. by @​dtcaciuc in #​273

New Contributors

• @​pitku made their first contribution in #​269

Full Changelog: kisielk/errcheck@v1.9.0...v1.10.0

prometheus/procfs (github.com/prometheus/procfs)

v0.20.1

Compare Source

What's Changed

• nvme: Parse NVMe namespace details by @​ShashwatHiregoudar in #​765
• Fix bcachefs parsing by @​ananthb in #​789
• Synchronize common files from prometheus/prometheus by @​prombot in #​788
• Update sysfs/class_thermal: continue on EINVAL in parseClassThermalZone to ignore only invalid thermal zones which raise "invalid argument" by @​ccastiglione-reply in #​763

New Contributors

• @​ccastiglione-reply made their first contribution in #​763

Full Changelog: prometheus/procfs@v0.20.0...v0.20.1

v0.20.0

Compare Source

What's Changed

• Synchronize common files from prometheus/prometheus by @​prombot in #​747
• Synchronize common files from prometheus/prometheus by @​prombot in #​766
• build(deps): bump golang.org/x/sync from 0.17.0 to 0.19.0 by @​dependabot[bot] in #​773
• build(deps): bump golang.org/x/sys from 0.37.0 to 0.39.0 by @​dependabot[bot] in #​772
• Synchronize common files from prometheus/prometheus by @​prombot in #​774
• Fix /proc/interrupts by @​ffyuanda in #​775
• Synchronize common files from prometheus/prometheus by @​prombot in #​778
• Synchronize common files from prometheus/prometheus by @​prombot in #​779
• Migrate to GitHub actions by @​SuperQ in #​780
• build(deps): bump golang.org/x/sys from 0.40.0 to 0.41.0 by @​dependabot[bot] in #​782
• Synchronize common files from prometheus/prometheus by @​prombot in #​785
• bcachefs support by @​ananthb in #​750
• build(deps): bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in #​781
• feat: parse capabilities in /proc/pid/status by @​biscout42 in #​784
• class_cooling_device: ignore EINVAL (etc) when reading files. by @​malcolmr in #​783
• Add type and name to the DRM parser class by @​Deezzir in #​672

New Contributors

• @​ffyuanda made their first contribution in #​775
• @​ananthb made their first contribution in #​750
• @​biscout42 made their first contribution in #​784
• @​malcolmr made their first contribution in #​783
• @​Deezzir made their first contribution in #​672

Full Changelog: prometheus/procfs@v0.19.2...v0.20.0

pulumi/pulumi-aws-native (github.com/pulumi/pulumi-aws-native/sdk)

v1.56.0

Compare Source

Changelog

• 9a35b1e Automated SDK generation @​ aws-cloudformation-user-guide 19dc52c (#​2853)

pulumi/pulumi-azure-native-sdk (github.com/pulumi/pulumi-azure-native-sdk/authorization/v3)

v3.14.0

Compare Source

pulumi/pulumi-kubernetes (github.com/pulumi/pulumi-kubernetes/sdk/v4)

v4.27.0

Compare Source

pulumi/pulumi (github.com/pulumi/pulumi/sdk/v3)

v3.224.0

Compare Source

3.224.0 (2026-02-26)

Features

• [backend/diy] Add zstd compression option for DIY backend state files
  #​21877

• [engine] Automatically make invoke outputs secret when there is a secret input, and the invoke provider does not support secrets

• [cli/package] Support source-based packages in pulumi schema check, not just schema files
  #​21897

Bug Fixes

• [pkg] Correct the schema for "pulumi:pulumi:StackReference"
  #​21895

• [programgen/nodejs] Correct the semantics of singleOrNone in generated files
  #​21947

• [sdk/python] Fix StepEventMetadata.from_json reading detailed_diff (snake_case) instead of detailedDiff (camelCase), and PolicyEvent.from_json reading resource_urn instead of resourceUrn, causing both fields to always be None
  #​21714

• [sdk/python] Convert integer component inputs to int
  #​21944

• [sdk/python] Fix crash in forked processes using automation API
  #​21937

• [engine] Fix panic when a new component resource in the program is not targeted
  #​21957

Miscellaneous

• [sdk] Update java, dotnet & yaml
  #​21961

• [sdk/python] Improve the performance of contains_unknowns for large objects
  #​21893

securego/gosec (github.com/securego/gosec/v2)

v2.24.7

Compare Source

Changelog

• bb17e42 Ignore nosec comments in action integration workflow to generate some warnings (#​1573)
• e1502ad Add a workflow for action integration test (#​1571)
• f8691bd fix(sarif): avoid invalid null relationships in SARIF output (#​1569)
• ade1d0e chore: migrate gosec container image references to GHCR (#​1567)

v2.24.6

Compare Source

Changelog

• 88835e8 Update gorelease to use the latest cosign bundle argument (#​1565)

v2.24.5

Compare Source

v2.24.4

Compare Source

v2.24.3

Compare Source

v2.24.2

Compare Source

v2.24.1

Compare Source

v2.24.0

Compare Source

Changelog

• 271492b fix: G704 false positive on const URL (#​1551)
• 1341aea fix(G705): eliminate false positive for non-HTTP io.Writer (#​1550)
• f2262c8 G120: avoid false positive when MaxBytesReader is applied in middleware (#​1547)
• 5b580c7 Fix G602 regression coverage for issue #​1545 and stabilize G117 TOML test dependency (#​1546)
• eba2d15 taint: skip context.Context arguments during taint propagation to fix false positives (#​1543)
• a6381c1 test: add missing rules to formatter report tests (#​1540)
• fea9725 chore(deps): update all dependencies (#​1541)
• f3e2fac Regenrate the TLS config rule (#​1539)
• 200461f Improve documentation (#​1538)
• 078a62a Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#​1537)
• ffdc620 Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#​1536)
• c13a486 Add G707 taint analyzer for SMTP command/header injection (#​1535)
• f61ed31 Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#​1534)
• b568aa1 Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#​1532)
• 1735e5a fix(G602): avoid false positives for range-over-array indexing (#​1531)
• caf93d0 Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#​1530)
• [bd11fbe](https://redirect.github.com/securego/gosec/commit/bd11fbe2bacb0abf1e541df8b

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: mod upgrade --mod-name=github.com/go-git/go-billy/v5 -t=5
could not load package: err: exit status 1: stderr: go: inconsistent vendoring in /tmp/renovate/repos/github/redhat-developer/mapt:
	github.com/pulumi/pulumi/sdk/v3@v3.224.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/aws/aws-sdk-go-v2/service/ec2@v1.293.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-aws-native/sdk@v1.56.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-azure-native-sdk/authorization/v3@v3.14.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-azure-native-sdk/compute/v3@v3.14.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3@v3.14.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v3@v3.14.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-azure-native-sdk/network/v3@v3.14.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-azure-native-sdk/resources/v3@v3.14.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-azure-native-sdk/storage/v3@v3.14.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-azure-native-sdk/v3@v3.14.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/cenkalti/backoff/v5@v5.0.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/charmbracelet/bubbles@v1.0.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/go-logr/logr@v1.4.3: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/go-logr/stdr@v1.2.2: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/grpc-ecosystem/grpc-gateway/v2@v2.27.7: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/hashicorp/go-version@v1.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/json-iterator/go@v1.1.12: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/klauspost/compress@v1.18.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/modern-go/concurrent@v0.0.0-20180306012644-bacd9c7ef1dd: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/modern-go/reflect2@v1.0.3-0.20250322232337-35a7c28c31ee: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/zclconf/go-cty@v1.18.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/auto/sdk@v1.2.1: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/collector/featuregate@v1.51.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/collector/pdata@v1.51.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/otel@v1.40.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/otel/exporters/otlp/otlptrace@v1.40.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc@v1.40.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/otel/metric@v1.40.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/otel/sdk@v1.40.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/otel/trace@v1.40.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	go.opentelemetry.io/proto/otlp@v1.9.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	google.golang.org/genproto/googleapis/api@v0.0.0-20260128011058-8636f8732409: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	google.golang.org/genproto/googleapis/rpc@v0.0.0-20260226221140-a57be14db171: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/ProtonMail/go-crypto@v1.4.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/aws/aws-sdk-go-v2/service/ecs@v1.73.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/go-git/go-billy/v5@v5.8.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/go-git/go-git/v5@v5.17.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/pulumi/pulumi-kubernetes/sdk/v4@v4.27.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	golang.org/x/net@v0.51.0: is explicitly required in go.mod, but not marked as explicit in vendor/modules.txt
	github.com/ProtonMail/go-crypto@v1.3.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/aws/aws-sdk-go-v2/service/ec2@v1.290.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/aws/aws-sdk-go-v2/service/ecs@v1.72.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/charmbracelet/bubbles@v0.21.1: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/go-git/go-billy/v5@v5.7.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/go-git/go-git/v5@v5.16.5: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-aws-native/sdk@v1.55.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-azure-native-sdk/authorization/v3@v3.13.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-azure-native-sdk/compute/v3@v3.13.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-azure-native-sdk/containerservice/v3@v3.13.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-azure-native-sdk/managedidentity/v3@v3.13.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-azure-native-sdk/network/v3@v3.13.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-azure-native-sdk/resources/v3@v3.13.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-azure-native-sdk/storage/v3@v3.13.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-azure-native-sdk/v3@v3.13.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi-kubernetes/sdk/v4@v4.26.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/pulumi/pulumi/sdk/v3@v3.223.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	github.com/zclconf/go-cty@v1.17.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	golang.org/x/net@v0.50.0: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod
	google.golang.org/genproto/googleapis/rpc@v0.0.0-20260217215200-42d3e9bedb6d: is marked as explicit in vendor/modules.txt, but not explicitly required in go.mod

	To ignore the vendor directory, use -mod=readonly or -mod=mod.
	To sync the vendor directory, run:
		go mod vendor

File name: tools/go.sum

Command failed: go get -t ./...
go: downloading github.com/golangci/golangci-lint/v2 v2.10.1
go: downloading github.com/fatih/color v1.18.0
go: downloading github.com/gofrs/flock v0.13.0
go: downloading github.com/ldez/grignotin v0.10.1
go: downloading github.com/santhosh-tekuri/jsonschema/v6 v6.0.2
go: downloading github.com/mattn/go-colorable v0.1.14
go: downloading github.com/alecthomas/chroma/v2 v2.23.1
go: downloading github.com/golangci/plugin-module-register v0.1.2
go: downloading github.com/stretchr/testify v1.11.1
go: downloading github.com/go-xmlfmt/xmlfmt v1.1.3
go: downloading github.com/golangci/revgrep v0.8.0
go: downloading github.com/daixiang0/gci v0.14.0
go: downloading github.com/golangci/gofmt v0.0.0-20251215234548-e7be49a5ab4d
go: downloading mvdan.cc/gofumpt v0.9.2
go: downloading github.com/golangci/golines v0.15.0
go: downloading github.com/sourcegraph/go-diff v0.7.0
go: downloading github.com/golangci/swaggoswag v0.0.0-20250504205917-77f2aca3143e
go: downloading go.augendre.info/arangolint v0.4.0
go: downloading github.com/alingse/asasalint v0.0.11
go: downloading github.com/golangci/asciicheck v0.5.0
go: downloading github.com/breml/bidichk v0.3.3
go: downloading github.com/timakin/bodyclose v0.0.0-20260129054331-73d1f95b84b4
go: downloading github.com/lasiar/canonicalheader v1.1.2
go: downloading github.com/sivchari/containedctx v1.0.3
go: downloading github.com/kkHAIKE/contextcheck v1.1.6
go: downloading github.com/karamaru-alpha/copyloopvar v1.2.2
go: downloading github.com/bkielbasa/cyclop v1.2.3
go: downloading gitlab.com/bosi/decorder v0.4.2
go: downloading github.com/OpenPeeDeeP/depguard/v2 v2.2.1
go: downloading github.com/golangci/dupl v0.0.0-20250308024227-f665c8d69b32
go: downloading github.com/Abirdcfly/dupword v0.1.7
go: downloading github.com/charithe/durationcheck v0.0.11
go: downloading github.com/manuelarte/embeddedstructfieldcheck v0.4.0
go: downloading github.com/Djarvur/go-err113 v0.1.1
go: downloading github.com/kisielk/errcheck v1.10.0
go: downloading github.com/breml/errchkjson v0.4.1
go: downloading github.com/Antonboom/errname v1.1.1
go: downloading codeberg.org/polyfloyd/go-errorlint v1.9.0
go: downloading github.com/nishanths/exhaustive v0.12.0
go: downloading dev.gaijin.team/go/exhaustruct/v4 v4.0.0
go: downloading github.com/ldez/exptostd v0.4.5
go: downloading go.augendre.info/fatcontext v0.9.0
go: downloading github.com/ashanbrown/forbidigo/v2 v2.3.0
go: downloading github.com/gostaticanalysis/forcetypeassert v0.2.0
go: downloading github.com/manuelarte/funcorder v0.5.0
go: downloading github.com/ultraware/funlen v0.2.0
go: downloading github.com/nunnatsa/ginkgolinter v0.23.0
go: downloading 4d63.com/gocheckcompilerdirectives v1.3.0
go: downloading 4d63.com/gochecknoglobals v0.2.2
go: downloading github.com/alecthomas/go-check-sumtype v0.3.1
go: downloading github.com/uudashr/gocognit v1.2.1
go: downloading github.com/jgautheron/goconst v1.8.2
go: downloading github.com/go-critic/go-critic v0.14.3
go: downloading github.com/quasilyte/go-ruleguard/dsl v0.3.23
go: downloading github.com/quasilyte/go-ruleguard v0.4.5
go: downloading github.com/fzipp/gocyclo v0.6.0
go: downloading github.com/godoc-lint/godoc-lint v0.11.2
go: downloading github.com/tetafro/godot v1.5.4
go: downloading github.com/matoous/godox v1.1.0
go: downloading github.com/denis-tingaikin/go-header v0.5.0
go: downloading github.com/ldez/gomoddirectives v0.8.0
go: downloading github.com/ryancurrah/gomodguard v1.4.1
go: downloading github.com/golangci/go-printf-func-name v0.1.1
go: downloading github.com/securego/gosec/v2 v2.24.7
go: downloading github.com/xen0n/gosmopolitan v1.3.0
go: downloading github.com/leonklingele/grouper v1.1.2
go: downloading github.com/uudashr/iface v1.4.1
go: downloading github.com/julz/importas v0.2.0
go: downloading github.com/macabu/inamedparam v0.2.0
go: downloading github.com/gordonklaus/ineffassign v0.2.0
go: downloading github.com/sashamelentyev/interfacebloat v1.1.0
go: downloading github.com/ckaznocha/intrange v0.3.1
go: downloading github.com/AdminBenni/iota-mixing v1.0.0
go: downloading github.com/butuzov/ireturn v0.4.0
go: downloading github.com/timonwong/loggercheck v0.11.0
go: downloading github.com/yagipy/maintidx v1.0.0
go: downloading github.com/ashanbrown/makezero/v2 v2.1.0
go: downloading github.com/butuzov/mirror v1.3.0
go: downloading github.com/golangci/misspell v0.8.0
go: downloading github.com/tommy-muehle/go-mnd/v2 v2.5.1
go: downloading go-simpler.org/musttag v0.14.0
go: downloading github.com/alexkohler/nakedret/v2 v2.0.6
go: downloading github.com/nakabonne/nestif v0.3.1
go: downloading github.com/gostaticanalysis/nilerr v0.1.2
go: downloading github.com/alingse/nilnesserr v0.2.0
go: downloading github.com/Antonboom/nilnil v1.1.1
go: downloading github.com/ssgreg/nlreturn/v2 v2.2.1
go: downloading github.com/sonatard/noctx v0.5.0
go: downloading github.com/AlwxSin/noinlineerr v1.0.5
go: downloading github.com/firefart/nonamedreturns v1.0.6
go: downloading github.com/stbenjam/no-sprintf-host-port v0.3.1
go: downloading github.com/kunwardeep/paralleltest v1.0.15
go: downloading github.com/catenacyber/perfsprint v0.10.1
go: downloading github.com/alexkohler/prealloc v1.1.0
go: downloading github.com/nishanths/predeclared v0.2.2
go: downloading github.com/yeya24/promlinter v0.3.0
go: downloading github.com/ghostiam/protogetter v0.3.20
go: downloading github.com/curioswitch/go-reassign v0.3.0
go: downloading github.com/raeperd/recvcheck v0.2.0
go: downloading github.com/BurntSushi/toml v1.6.0
go: downloading github.com/mgechev/revive v1.14.0
go: downloading github.com/jingyugao/rowserrcheck v1.1.1
go: downloading go-simpler.org/sloglint v0.11.1
go: downloading github.com/jjti/go-spancheck v0.6.5
go: downloading github.com/ryanrolds/sqlclosecheck v0.5.1
go: downloading honnef.co/go/tools v0.7.0
go: downloading github.com/4meepo/tagalign v1.4.3
go: downloading github.com/ldez/tagliatelle v0.7.2
go: downloading github.com/maratori/testableexamples v1.0.1
go: downloading github.com/Antonboom/testifylint v1.6.4
go: downloading github.com/maratori/testpackage v1.1.2
go: downloading github.com/kulti/thelper v0.7.1
go: downloading github.com/moricho/tparallel v0.3.2
go: downloading github.com/golangci/unconvert v0.0.0-20250410112200-a129a6e6413e
go: downloading mvdan.cc/unparam v0.0.0-20251027182757-5beb8c8f8f15
go: downloading github.com/MirrexOne/unqueryvet v1.5.4
go: downloading github.com/sashamelentyev/usestdlibvars v1.29.0
go: downloading github.com/ldez/usetesting v0.5.0
go: downloading github.com/blizzy78/varnamelen v0.8.0
go: downloading github.com/sanposhiho/wastedassign/v2 v2.1.0
go: downloading github.com/ultraware/whitespace v0.2.0
go: downloading github.com/tomarrell/wrapcheck/v2 v2.12.0
go: downloading github.com/bombsimon/wsl/v4 v4.7.0
go: downloading github.com/bombsimon/wsl/v5 v5.6.0
go: downloading github.com/ykadowak/zerologlint v0.1.5
go: downloading github.com/davecgh/go-spew v1.1.1
go: downloading github.com/pmezard/go-difflib v1.0.0
go: downloading github.com/stretchr/objx v0.5.3
go: downloading github.com/dlclark/regexp2 v1.11.5
go: downloading github.com/hexops/gotextdiff v1.0.3
go: downloading go.uber.org/zap v1.27.1
go: downloading github.com/google/go-cmp v0.7.0
go: downloading github.com/dave/dst v0.27.3
go: downloading github.com/gostaticanalysis/analysisutil v0.7.1
go: downloading github.com/go-toolsmith/astcast v1.1.0
go: downloading github.com/gobwas/glob v0.2.3
go: downloading dev.gaijin.team/go/golib v0.8.1
go: downloading github.com/go-toolsmith/astcopy v1.1.0
go: downloading github.com/go-toolsmith/astequal v1.2.0
go: downloading github.com/go-toolsmith/astfmt v1.1.0
go: downloading github.com/go-toolsmith/astp v1.1.0
go: downloading github.com/go-toolsmith/strparse v1.1.0
go: downloading github.com/go-toolsmith/typep v1.1.0
go: downloading github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727
go: downloading github.com/Masterminds/semver/v3 v3.4.0
go: downloading github.com/ccojocar/zxcvbn-go v1.0.4
go: downloading github.com/gostaticanalysis/comment v1.5.0
go: downloading github.com/prometheus/client_golang v1.23.2
go: downloading github.com/prometheus/client_model v0.6.2
go: downloading github.com/fatih/structtag v1.2.0
go: downloading github.com/ettle/strcase v0.2.0
go: downloading github.com/alfatraining/structtag v1.0.0
go: downloading github.com/hashicorp/go-immutable-radix/v2 v2.1.0
go: downloading github.com/ldez/structtags v0.6.1
go: downloading golang.org/x/exp/typeparams v0.0.0-20260218203240-3dfff04db8fa
go: downloading github.com/quasilyte/gogrep v0.5.0
go: downloading github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567
go: downloading github.com/beorn7/perks v1.0.1
go: downloading github.com/prometheus/common v0.67.5
go: downloading github.com/prometheus/procfs v0.20.1
go: downloading codeberg.org/chavacava/garif v0.2.0
go: downloading github.com/hashicorp/golang-lru/v2 v2.0.7
go: downloading github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822
go: downloading go.yaml.in/yaml/v2 v2.4.3
go: github.com/redhat-developer/mapt/tools imports
	github.com/golangci/golangci-lint/v2/cmd/golangci-lint imports
	github.com/golangci/golangci-lint/v2/pkg/commands imports
	github.com/golangci/golangci-lint/v2/pkg/goformatters imports
	github.com/golangci/golangci-lint/v2/pkg/goformatters/gofmt imports
	github.com/golangci/gofmt/gofmt: cannot find module providing package github.com/golangci/gofmt/gofmt

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[adrianriobo]

LGTM

[adrianriobo]

LGTM