Skip to content

Commit e1cb8eb

Browse files
fix(deps): update weekly-non-major-updates
1 parent 8cb7e35 commit e1cb8eb

15 files changed

Lines changed: 216 additions & 235 deletions

.github/workflows/codeql.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ jobs:
4242
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
4343

4444
- name: Initialize CodeQL
45-
uses: github/codeql-action/init@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
45+
uses: github/codeql-action/init@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
4646
with:
4747
languages: ${{ matrix.language }}
4848
# Use CodeQL config to exclude documented false positives
@@ -58,10 +58,10 @@ jobs:
5858
cache-dependency-path: backend/go.sum
5959

6060
- name: Autobuild
61-
uses: github/codeql-action/autobuild@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
61+
uses: github/codeql-action/autobuild@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
6262

6363
- name: Perform CodeQL Analysis
64-
uses: github/codeql-action/analyze@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
64+
uses: github/codeql-action/analyze@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
6565
with:
6666
category: "/language:${{ matrix.language }}"
6767

.github/workflows/docker-build.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -493,7 +493,7 @@ jobs:
493493
494494
- name: Run Trivy scan (table output)
495495
if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
496-
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
496+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
497497
with:
498498
image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
499499
format: 'table'
@@ -504,7 +504,7 @@ jobs:
504504
- name: Run Trivy vulnerability scanner (SARIF)
505505
if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.skip.outputs.is_feature_push != 'true'
506506
id: trivy
507-
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
507+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
508508
with:
509509
image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
510510
format: 'sarif'
@@ -524,7 +524,7 @@ jobs:
524524
525525
- name: Upload Trivy results
526526
if: github.event_name != 'pull_request' && steps.skip.outputs.skip_build != 'true' && steps.trivy-check.outputs.exists == 'true'
527-
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
527+
uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
528528
with:
529529
sarif_file: 'trivy-results.sarif'
530530
token: ${{ secrets.GITHUB_TOKEN }}
@@ -648,7 +648,7 @@ jobs:
648648
echo "✅ Image freshness validated"
649649
650650
- name: Run Trivy scan on PR image (table output)
651-
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
651+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
652652
with:
653653
image-ref: ${{ steps.pr-image.outputs.image_ref }}
654654
format: 'table'
@@ -657,7 +657,7 @@ jobs:
657657

658658
- name: Run Trivy scan on PR image (SARIF - blocking)
659659
id: trivy-scan
660-
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
660+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
661661
with:
662662
image-ref: ${{ steps.pr-image.outputs.image_ref }}
663663
format: 'sarif'
@@ -667,7 +667,7 @@ jobs:
667667

668668
- name: Upload Trivy scan results
669669
if: always()
670-
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
670+
uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
671671
with:
672672
sarif_file: 'trivy-pr-results.sarif'
673673
category: 'docker-pr-image'

.github/workflows/e2e-tests-split.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -93,7 +93,7 @@ jobs:
9393

9494
- name: Build Docker image
9595
id: build-image
96-
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
96+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
9797
with:
9898
context: .
9999
file: ./Dockerfile

.github/workflows/nightly-build.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -133,7 +133,7 @@ jobs:
133133
134134
- name: Build and push Docker image
135135
id: build
136-
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
136+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
137137
with:
138138
context: .
139139
platforms: linux/amd64,linux/arm64
@@ -278,14 +278,14 @@ jobs:
278278
severity-cutoff: high
279279

280280
- name: Scan with Trivy
281-
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
281+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
282282
with:
283283
image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-nightly.outputs.digest }}
284284
format: 'sarif'
285285
output: 'trivy-nightly.sarif'
286286

287287
- name: Upload Trivy results
288-
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
288+
uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
289289
with:
290290
sarif_file: 'trivy-nightly.sarif'
291291
category: 'trivy-nightly'

.github/workflows/renovate.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,7 +25,7 @@ jobs:
2525
fetch-depth: 1
2626

2727
- name: Run Renovate
28-
uses: renovatebot/github-action@3c68caaa9db5ff24332596591dc7c4fed8de16ce # v46.0.1
28+
uses: renovatebot/github-action@44f24283a60f64273f1294932f16ba61193cccca # v46.1.0
2929
with:
3030
configurationFile: .github/renovate.json
3131
token: ${{ secrets.RENOVATE_TOKEN || secrets.GITHUB_TOKEN }}

.github/workflows/security-pr.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -222,7 +222,7 @@ jobs:
222222
- name: Run Trivy filesystem scan (SARIF output)
223223
if: steps.check-artifact.outputs.artifact_exists == 'true'
224224
# aquasecurity/trivy-action v0.33.1
225-
uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac
225+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
226226
with:
227227
scan-type: 'fs'
228228
scan-ref: ${{ steps.extract.outputs.binary_path }}
@@ -234,7 +234,7 @@ jobs:
234234
- name: Upload Trivy SARIF to GitHub Security
235235
if: steps.check-artifact.outputs.artifact_exists == 'true'
236236
# github/codeql-action v4
237-
uses: github/codeql-action/upload-sarif@b13d724d35ff0a814e21683638ed68ed34cf53d1
237+
uses: github/codeql-action/upload-sarif@ef618feace3c4838ae42b239ab86e8fb46437508
238238
with:
239239
sarif_file: 'trivy-binary-results.sarif'
240240
category: ${{ steps.pr-info.outputs.is_push == 'true' && format('security-scan-{0}', github.event.workflow_run.head_branch) || format('security-scan-pr-{0}', steps.pr-info.outputs.pr_number) }}
@@ -243,7 +243,7 @@ jobs:
243243
- name: Run Trivy filesystem scan (fail on CRITICAL/HIGH)
244244
if: steps.check-artifact.outputs.artifact_exists == 'true'
245245
# aquasecurity/trivy-action v0.33.1
246-
uses: aquasecurity/trivy-action@22438a435773de8c97dc0958cc0b823c45b064ac
246+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284
247247
with:
248248
scan-type: 'fs'
249249
scan-ref: ${{ steps.extract.outputs.binary_path }}

.github/workflows/security-weekly-rebuild.yml

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -72,7 +72,7 @@ jobs:
7272
7373
- name: Build Docker image (NO CACHE)
7474
id: build
75-
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
75+
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
7676
with:
7777
context: .
7878
platforms: linux/amd64
@@ -88,7 +88,7 @@ jobs:
8888
BASE_IMAGE=${{ steps.base-image.outputs.digest }}
8989
9090
- name: Run Trivy vulnerability scanner (CRITICAL+HIGH)
91-
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
91+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
9292
with:
9393
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
9494
format: 'table'
@@ -98,20 +98,20 @@ jobs:
9898

9999
- name: Run Trivy vulnerability scanner (SARIF)
100100
id: trivy-sarif
101-
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
101+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
102102
with:
103103
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
104104
format: 'sarif'
105105
output: 'trivy-weekly-results.sarif'
106106
severity: 'CRITICAL,HIGH,MEDIUM'
107107

108108
- name: Upload Trivy results to GitHub Security
109-
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2
109+
uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
110110
with:
111111
sarif_file: 'trivy-weekly-results.sarif'
112112

113113
- name: Run Trivy vulnerability scanner (JSON for artifact)
114-
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
114+
uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # 0.34.0
115115
with:
116116
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}
117117
format: 'json'

.github/workflows/supply-chain-pr.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -284,7 +284,7 @@ jobs:
284284
285285
- name: Upload SARIF to GitHub Security
286286
if: steps.check-artifact.outputs.artifact_found == 'true'
287-
uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4
287+
uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4
288288
continue-on-error: true
289289
with:
290290
sarif_file: grype-results.sarif

Dockerfile

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ FROM --platform=$BUILDPLATFORM tonistiigi/xx:1.9.0@sha256:c64defb9ed5a91eacb37f9
3535
# CVEs fixed: CVE-2023-24531, CVE-2023-24540, CVE-2023-29402, CVE-2023-29404,
3636
# CVE-2023-29405, CVE-2024-24790, CVE-2025-22871, and 15 more
3737
# renovate: datasource=docker depName=golang
38-
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:dfdd969010ba978942302cee078235da13aef030d22841e873545001d68a61a7 AS gosu-builder
38+
FROM --platform=$BUILDPLATFORM golang:1.26-trixie@sha256:889885d7cc1275935e3f9920aabadc5fadbe873f633d92a746f1bc401dd40f69 AS gosu-builder
3939
COPY --from=xx / /
4040

4141
WORKDIR /tmp/gosu
@@ -65,7 +65,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
6565
# ---- Frontend Builder ----
6666
# Build the frontend using the BUILDPLATFORM to avoid arm64 musl Rollup native issues
6767
# renovate: datasource=docker depName=node
68-
FROM --platform=$BUILDPLATFORM node:24.13.0-slim@sha256:4660b1ca8b28d6d1906fd644abe34b2ed81d15434d26d845ef0aced307cf4b6f AS frontend-builder
68+
FROM --platform=$BUILDPLATFORM node:24.13.1-slim@sha256:a81a03dd965b4052269a57fac857004022b522a4bf06e7a739e25e18bce45af2 AS frontend-builder
6969
WORKDIR /app/frontend
7070

7171
# Copy frontend package files
@@ -89,7 +89,7 @@ RUN --mount=type=cache,target=/app/frontend/node_modules/.cache \
8989

9090
# ---- Backend Builder ----
9191
# renovate: datasource=docker depName=golang
92-
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:dfdd969010ba978942302cee078235da13aef030d22841e873545001d68a61a7 AS backend-builder
92+
FROM --platform=$BUILDPLATFORM golang:1.26-trixie@sha256:889885d7cc1275935e3f9920aabadc5fadbe873f633d92a746f1bc401dd40f69 AS backend-builder
9393
# Copy xx helpers for cross-compilation
9494
COPY --from=xx / /
9595

@@ -162,7 +162,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
162162
# Build Caddy from source to ensure we use the latest Go version and dependencies
163163
# This fixes vulnerabilities found in the pre-built Caddy images (e.g. CVE-2025-59530, stdlib issues)
164164
# renovate: datasource=docker depName=golang
165-
FROM --platform=$BUILDPLATFORM golang:1.25-trixie@sha256:dfdd969010ba978942302cee078235da13aef030d22841e873545001d68a61a7 AS caddy-builder
165+
FROM --platform=$BUILDPLATFORM golang:1.26-trixie@sha256:889885d7cc1275935e3f9920aabadc5fadbe873f633d92a746f1bc401dd40f69 AS caddy-builder
166166
ARG TARGETOS
167167
ARG TARGETARCH
168168
ARG CADDY_VERSION
@@ -227,7 +227,7 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
227227
# Build CrowdSec from source to ensure we use Go 1.25.5+ and avoid stdlib vulnerabilities
228228
# (CVE-2025-58183, CVE-2025-58186, CVE-2025-58187, CVE-2025-61729)
229229
# renovate: datasource=docker depName=golang versioning=docker
230-
FROM --platform=$BUILDPLATFORM golang:1.25.6-trixie@sha256:0032c99f1682c40dca54932e2fe0156dc575ed12c6a4fdec94df9db7a0c17ab0 AS crowdsec-builder
230+
FROM --platform=$BUILDPLATFORM golang:1.26.0-trixie@sha256:889885d7cc1275935e3f9920aabadc5fadbe873f633d92a746f1bc401dd40f69 AS crowdsec-builder
231231
COPY --from=xx / /
232232

233233
WORKDIR /tmp/crowdsec

backend/go.mod

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,6 @@
11
module github.com/Wikid82/charon/backend
22

3-
go 1.25.7
3+
go 1.26.0
44

55
require (
66
github.com/containrrr/shoutrrr v0.8.0
@@ -16,9 +16,9 @@ require (
1616
github.com/robfig/cron/v3 v3.0.1
1717
github.com/sirupsen/logrus v1.9.4
1818
github.com/stretchr/testify v1.11.1
19-
golang.org/x/crypto v0.47.0
20-
golang.org/x/net v0.49.0
21-
golang.org/x/text v0.33.0
19+
golang.org/x/crypto v0.48.0
20+
golang.org/x/net v0.50.0
21+
golang.org/x/text v0.34.0
2222
gopkg.in/natefinch/lumberjack.v2 v2.2.1
2323
gorm.io/driver/sqlite v1.6.0
2424
gorm.io/gorm v1.31.1

0 commit comments

Comments
 (0)