Skip to content

Commit b723502

Browse files
fix(deps): update weekly-non-major-updates
1 parent 7907bec commit b723502

13 files changed

Lines changed: 45 additions & 45 deletions

.github/workflows/codeql.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ jobs:
4242
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
4343

4444
- name: Initialize CodeQL
45-
uses: github/codeql-action/init@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4
45+
uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
4646
with:
4747
languages: ${{ matrix.language }}
4848
# Use CodeQL config to exclude documented false positives
@@ -58,10 +58,10 @@ jobs:
5858
cache-dependency-path: backend/go.sum
5959

6060
- name: Autobuild
61-
uses: github/codeql-action/autobuild@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4
61+
uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
6262

6363
- name: Perform CodeQL Analysis
64-
uses: github/codeql-action/analyze@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4
64+
uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
6565
with:
6666
category: "/language:${{ matrix.language }}"
6767

.github/workflows/docker-build.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -524,15 +524,15 @@ jobs:
524524
525525
- name: Upload Trivy results
526526
if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.trivy-check.outputs.exists == 'true'
527-
uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
527+
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
528528
with:
529529
sarif_file: 'trivy-results.sarif'
530530
token: ${{ secrets.GITHUB_TOKEN }}
531531

532532
# Generate SBOM (Software Bill of Materials) for supply chain security
533533
# Only for production builds (main/development) - feature branches use downstream supply-chain-pr.yml
534534
- name: Generate SBOM
535-
uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
535+
uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
536536
if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
537537
with:
538538
image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
@@ -667,7 +667,7 @@ jobs:
667667

668668
- name: Upload Trivy scan results
669669
if: always()
670-
uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
670+
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
671671
with:
672672
sarif_file: 'trivy-pr-results.sarif'
673673
category: 'docker-pr-image'

.github/workflows/nightly-build.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -155,7 +155,7 @@ jobs:
155155
echo "- ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.build.outputs.digest }}" >> $GITHUB_STEP_SUMMARY
156156
157157
- name: Generate SBOM
158-
uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
158+
uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
159159
with:
160160
image: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:nightly@${{ steps.build.outputs.digest }}
161161
format: cyclonedx-json
@@ -271,7 +271,7 @@ jobs:
271271
name: sbom-nightly
272272

273273
- name: Scan with Grype
274-
uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
274+
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
275275
with:
276276
sbom: sbom-nightly.json
277277
fail-build: false
@@ -285,7 +285,7 @@ jobs:
285285
output: 'trivy-nightly.sarif'
286286

287287
- name: Upload Trivy results
288-
uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
288+
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
289289
with:
290290
sarif_file: 'trivy-nightly.sarif'
291291
category: 'trivy-nightly'

.github/workflows/security-pr.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -234,7 +234,7 @@ jobs:
234234
- name: Upload Trivy SARIF to GitHub Security
235235
if: steps.check-artifact.outputs.artifact_exists == 'true'
236236
# github/codeql-action v4
237-
uses: github/codeql-action/upload-sarif@f959778b39f110f7919139e242fa5ac47393c877
237+
uses: github/codeql-action/upload-sarif@b13d724d35ff0a814e21683638ed68ed34cf53d1
238238
with:
239239
sarif_file: 'trivy-binary-results.sarif'
240240
category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}

.github/workflows/security-weekly-rebuild.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -106,7 +106,7 @@ jobs:
106106
severity: 'CRITICAL,HIGH,MEDIUM'
107107

108108
- name: Upload Trivy results to GitHub Security
109-
uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
109+
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
110110
with:
111111
sarif_file: 'trivy-weekly-results.sarif'
112112

.github/workflows/supply-chain-pr.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -216,7 +216,7 @@ jobs:
216216
# Generate SBOM using official Anchore action (auto-updated by Renovate)
217217
- name: Generate SBOM
218218
if: steps.check-artifact.outputs.artifact_found == 'true'
219-
uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
219+
uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
220220
id: sbom
221221
with:
222222
image: ${{ steps.load-image.outputs.image_name }}
@@ -234,7 +234,7 @@ jobs:
234234
# Scan for vulnerabilities using official Anchore action (auto-updated by Renovate)
235235
- name: Scan for vulnerabilities
236236
if: steps.check-artifact.outputs.artifact_found == 'true'
237-
uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
237+
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
238238
id: grype-scan
239239
with:
240240
sbom: sbom.cyclonedx.json
@@ -284,7 +284,7 @@ jobs:
284284
285285
- name: Upload SARIF to GitHub Security
286286
if: steps.check-artifact.outputs.artifact_found == 'true'
287-
uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4
287+
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
288288
continue-on-error: true
289289
with:
290290
sarif_file: grype-results.sarif

.github/workflows/supply-chain-verify.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -114,7 +114,7 @@ jobs:
114114
# Generate SBOM using official Anchore action (auto-updated by Renovate)
115115
- name: Generate and Verify SBOM
116116
if: steps.image-check.outputs.exists == 'true'
117-
uses: anchore/sbom-action@deef08a0db64bfad603422135db61477b16cef56 # v0.22.1
117+
uses: anchore/sbom-action@28d71544de8eaf1b958d335707167c5f783590ad # v0.22.2
118118
with:
119119
image: ghcr.io/${{ github.repository_owner }}/charon:${{ steps.tag.outputs.tag }}
120120
format: cyclonedx-json
@@ -228,7 +228,7 @@ jobs:
228228
# Scan for vulnerabilities using official Anchore action (auto-updated by Renovate)
229229
- name: Scan for Vulnerabilities
230230
if: steps.validate-sbom.outputs.valid == 'true'
231-
uses: anchore/scan-action@8d2fce09422cd6037e577f4130e9b925e9a37175 # v7.3.1
231+
uses: anchore/scan-action@7037fa011853d5a11690026fb85feee79f4c946c # v7.3.2
232232
id: scan
233233
with:
234234
sbom: sbom-verify.cyclonedx.json

Dockerfile

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0@sha256:c64defb9ed5a91eacb37f9
3535
# CVEs fixed: CVE-2023-24531, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404,
3636
# CVE-2023-29405, CVE-2024-24790, CVE-2025-22871, and 15 more
3737
# renovate: datasource=docker depName=golang
38-
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:0032c99f1682c40dca54932e2fe0156dc575ed12c6a4fdec94df9db7a0c17ab0 AS gosu-builder
38+
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:dfdd969010ba978942302cee078235da13aef030d22841e873545001d68a61a7 AS gosu-builder
3939
COPY --from=xx / /
4040

4141
WORKDIR /tmp/gosu
@@ -89,7 +89,7 @@ RUN --mount=type=cache,target=/app/frontend/node_modules/.cache \
8989

9090
# ---- Backend Builder ----
9191
# renovate: datasource=docker depName=golang
92-
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:0032c99f1682c40dca54932e2fe0156dc575ed12c6a4fdec94df9db7a0c17ab0 AS backend-builder
92+
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:dfdd969010ba978942302cee078235da13aef030d22841e873545001d68a61a7 AS backend-builder
9393
# Copy xx helpers for cross-compilation
9494
COPY --from=xx / /
9595

@@ -162,7 +162,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
162162
# Build Caddy from source to ensure we use the latest Go version and dependencies
163163
# This fixes vulnerabilities found in the pre-built Caddy images (e.g. CVE-2025-59530, stdlib issues)
164164
# renovate: datasource=docker depName=golang
165-
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:0032c99f1682c40dca54932e2fe0156dc575ed12c6a4fdec94df9db7a0c17ab0 AS caddy-builder
165+
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:dfdd969010ba978942302cee078235da13aef030d22841e873545001d68a61a7 AS caddy-builder
166166
ARG TARGETOS
167167
ARG TARGETARCH
168168
ARG CADDY_VERSION

backend/go.mod

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
module github.com/Wikid82/charon/backend
22

3-
go 1.25.6
3+
go 1.25.7
44

55
require (
66
github.com/containrrr/shoutrrr v0.8.0

frontend/package-lock.json

Lines changed: 12 additions & 12 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)