[Sync] Update project files from source repository (ec82cd5) (#92)

* sync: bump tool versions in env configs and actions

* chore(deps): update dependabot configuration for GitHub Actions

Author: mrz1836

.github/actions/setup-goreleaser/action.yml

@@ -105,7 +105,7 @@ runs:
     # --------------------------------------------------------------------
     - name: ✅ Install GoReleaser (cache miss)
       if: steps.check-existing.outputs.exists != 'true' && steps.goreleaser-cache.outputs.cache-hit != 'true'
-      uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0
+      uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
       with:
         distribution: goreleaser
         version: ${{ inputs.goreleaser-version }}

.github/dependabot.yml

@@ -2,9 +2,7 @@
 # Dependabot Configuration
 #
 # Purpose:
-#   • Keep Go modules, GitHub Actions and DevContainer images/features
-#     base images up‑to‑date with zero‑day security patches and semantic‑version
-#     upgrades.
+#   • Keep GitHub Actions updated with the latest security patches and features.
 #   • Reduce attack surface by limiting outdated dependencies.
 #   • Minimise PR noise via smart grouping and sane pull‑request limits.
 #
@@ -13,13 +11,13 @@
 #   https://docs.github.com/en/code-security/dependabot/configuration-options-for-dependency-updates
 #
 # Security Hardened Defaults:
-#   • Weekly cadence (Monday 09:00 America/New_York) – align with CVE dump cycle.
+#   • Weekly cadence (Tuesday 11:00 America/New_York) – align with typical maintenance windows.
 #   • Direct dependencies only – prevents unsolicited transitive churn.
-#   • PRs labeled, assigned, and target the protected "master" branch.
+#   • PRs labeled, assigned, and target the protected master branch.
 #   • PR titles prefixed with chore(scope): – conventional commits.
 #   • Force‑push and delete‑branch disabled via branch‑protection rules.
 #   • PR limit = 10 to avoid queue flooding.
-#   • All dependency PRs require passing CI + CODEOWNERS review.
+#   • All dependency PRs require passing CI checks before merging.
 # ────────────────────────────────────────────────────────────────
 
 version: 2
@@ -33,19 +31,15 @@ updates:
     target-branch: "master"
     schedule:
       interval: "weekly"
-      day: "monday"
-      time: "09:00"
+      day: "tuesday"
+      time: "11:00"
       timezone: "America/New_York"
     allow:
       - dependency-type: "direct"
     groups:
-      security-deps:
-        patterns:
-          - "*crypto*"
-          - "*security*"
-          - "*auth*"
-          - "*jwt*"
-          - "*oauth*"
+      gomod-all:
+        applies-to: version-updates
+        patterns: ["*"]
         update-types: ["minor", "patch"]
     open-pull-requests-limit: 10
     assignees: ["mrz1836"]
@@ -62,8 +56,8 @@ updates:
     target-branch: "master"
     schedule:
       interval: "weekly"
-      day: "monday"
-      time: "09:15"
+      day: "tuesday"
+      time: "11:15"
       timezone: "America/New_York"
     allow:
       - dependency-type: "direct"
@@ -85,8 +79,8 @@ updates:
     target-branch: "master"
     schedule:
       interval: "weekly"
-      day: "monday"
-      time: "09:30"
+      day: "tuesday"
+      time: "11:30"
       timezone: "America/New_York"
     allow:
       - dependency-type: "direct"

.github/env/10-coverage.env

@@ -32,7 +32,7 @@ GO_COVERAGE_PROVIDER=internal
 CODECOV_TOKEN_REQUIRED=false
 
 # Go Coverage Tool Version
-GO_COVERAGE_VERSION=v1.3.8
+GO_COVERAGE_VERSION=v1.3.9
 GO_COVERAGE_USE_LOCAL=false
 
 # ================================================================================================

.github/env/10-mage-x.env

@@ -36,7 +36,7 @@
 # ================================================================================================
 
 # MAGE-X version
-MAGE_X_VERSION=v1.20.15
+MAGE_X_VERSION=v1.20.16
 
 # For mage-x development, set to 'true' to use local version instead of downloading from releases
 MAGE_X_USE_LOCAL=false
@@ -62,7 +62,7 @@ MAGE_X_FORMAT_EXCLUDE_PATHS=vendor,node_modules,.git,.idea
 MAGE_X_GITLEAKS_VERSION=8.30.1
 MAGE_X_GOFUMPT_VERSION=v0.9.2
 MAGE_X_GOLANGCI_LINT_VERSION=v2.11.4
-MAGE_X_GORELEASER_VERSION=v2.15.3
+MAGE_X_GORELEASER_VERSION=v2.15.4
 MAGE_X_GOVULNCHECK_VERSION=v1.1.4
 MAGE_X_GO_SECONDARY_VERSION=1.24.x
 MAGE_X_GO_VERSION=1.24.x
@@ -72,7 +72,7 @@ MAGE_X_STATICCHECK_VERSION=2026.1
 MAGE_X_SWAG_VERSION=v1.16.6
 MAGE_X_YAMLFMT_VERSION=v0.21.0
 MAGE_X_BENCHSTAT_VERSION=v0.0.0-20260409210113-8e83ce0f7b1c
-MAGE_X_MAGE_VERSION=v1.17.1
+MAGE_X_MAGE_VERSION=v1.17.2
 
 # ================================================================================================
 # 📝 RUNTIME VARIABLES (set by setup-goreleaser action)

.github/env/10-pre-commit.env

@@ -26,7 +26,7 @@
 # 🪝 PRE-COMMIT TOOL VERSION
 # ================================================================================================
 
-GO_PRE_COMMIT_VERSION=v1.8.1
+GO_PRE_COMMIT_VERSION=v1.8.2
 GO_PRE_COMMIT_USE_LOCAL=false
 
 # ================================================================================================

.github/workflows/fortress-security-scans.yml

@@ -160,6 +160,20 @@ jobs:
           if [[ $NANCY_EXIT_CODE -eq 0 ]]; then
             echo "nancy-status=success" >> $GITHUB_OUTPUT
             echo "✅ Nancy scan completed - no vulnerabilities found"
+          elif grep -qi "rate limited by OSS Index" nancy-output.log; then
+            # OSS Index rate-limited the scan; treat as inconclusive, NOT as a CI failure.
+            # Add OSSI_USERNAME and OSSI_TOKEN secrets to authenticate and lift the limit.
+            echo "nancy-status=rate-limited" >> $GITHUB_OUTPUT
+            echo "⚠️  Nancy scan inconclusive - OSS Index rate-limited the request (not failing CI)."
+            echo "    Configure OSSI_USERNAME and OSSI_TOKEN secrets to authenticate and lift the limit."
+            echo "    Register at https://ossindex.sonatype.org/user/register"
+          elif grep -qi "402 Payment Required" nancy-output.log; then
+            # OSS Index returned 402 (free-tier quota exhausted / paid plan required);
+            # treat as inconclusive, NOT as a CI failure.
+            echo "nancy-status=payment-required" >> $GITHUB_OUTPUT
+            echo "⚠️  Nancy scan inconclusive - OSS Index returned 402 Payment Required (not failing CI)."
+            echo "    Configure OSSI_USERNAME and OSSI_TOKEN secrets to authenticate against your OSS Index account."
+            echo "    Register at https://ossindex.sonatype.org/user/register"
           else
             echo "nancy-status=failure" >> $GITHUB_OUTPUT
             echo "❌ Nancy scan completed - vulnerabilities detected (exit code: $NANCY_EXIT_CODE)"
@@ -168,11 +182,27 @@ jobs:
       # --------------------------------------------------------------------
       # Create GitHub Annotations for failures
       # --------------------------------------------------------------------
-      - name: 📋 Create GitHub Annotations
+      - name: 📋 Create GitHub Annotations (vulnerabilities)
         if: always() && steps.run-nancy.outputs.nancy-status == 'failure'
         run: |
           echo "::error title=Nancy Security Scan Failed::Vulnerabilities detected in Go dependencies - see job summary for details"
 
+      # --------------------------------------------------------------------
+      # Create GitHub Annotations for rate-limited scans (warning, not error)
+      # --------------------------------------------------------------------
+      - name: 📋 Create GitHub Annotations (rate-limited)
+        if: always() && steps.run-nancy.outputs.nancy-status == 'rate-limited'
+        run: |
+          echo "::warning title=Nancy Rate Limited::OSS Index rate-limited the scan; results inconclusive. Add OSSI_USERNAME and OSSI_TOKEN secrets to authenticate and lift the limit."
+
+      # --------------------------------------------------------------------
+      # Create GitHub Annotations for 402 Payment Required (warning, not error)
+      # --------------------------------------------------------------------
+      - name: 📋 Create GitHub Annotations (payment-required)
+        if: always() && steps.run-nancy.outputs.nancy-status == 'payment-required'
+        run: |
+          echo "::warning title=Nancy Payment Required::OSS Index returned 402 Payment Required; results inconclusive. Add OSSI_USERNAME and OSSI_TOKEN secrets to authenticate against your OSS Index account."
+
       # --------------------------------------------------------------------
       # Summary of Nancy results
       # --------------------------------------------------------------------
@@ -192,6 +222,10 @@ jobs:
 
           if [[ "$NANCY_STATUS" == "success" ]]; then
             echo "| **Result** | ✅ No vulnerabilities found |" >> $GITHUB_STEP_SUMMARY
+          elif [[ "$NANCY_STATUS" == "rate-limited" ]]; then
+            echo "| **Result** | ⚠️ Rate limited by OSS Index — scan inconclusive (CI not failed) |" >> $GITHUB_STEP_SUMMARY
+          elif [[ "$NANCY_STATUS" == "payment-required" ]]; then
+            echo "| **Result** | ⚠️ OSS Index returned 402 Payment Required — scan inconclusive (CI not failed) |" >> $GITHUB_STEP_SUMMARY
           else
             echo "| **Result** | ❌ Vulnerabilities detected |" >> $GITHUB_STEP_SUMMARY
           fi
@@ -201,8 +235,58 @@ jobs:
           echo "The following vulnerabilities were excluded from the scan:" >> $GITHUB_STEP_SUMMARY
           echo "${{ env.NANCY_EXCLUDES }}" >> $GITHUB_STEP_SUMMARY
 
-          # Show failure details if applicable
-          if [[ "$NANCY_STATUS" != "success" ]] && [[ -f nancy-output.log ]]; then
+          # Rate-limited: explain clearly that CI was NOT failed and how to remediate
+          if [[ "$NANCY_STATUS" == "rate-limited" ]]; then
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### ⚠️ OSS Index Rate Limit" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Sonatype's OSS Index rate-limited this request before Nancy could complete the scan." >> $GITHUB_STEP_SUMMARY
+            echo "**This is not a vulnerability detection** and CI has **not** been failed for this run." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**To remediate (recommended):**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "1. Register a free account at <https://ossindex.sonatype.org/user/register>." >> $GITHUB_STEP_SUMMARY
+            echo "2. Retrieve your username (email) and API token from <https://ossindex.sonatype.org/user/settings>." >> $GITHUB_STEP_SUMMARY
+            echo "3. Add them as repository secrets named \`OSSI_USERNAME\` and \`OSSI_TOKEN\`." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Authenticated requests have a substantially higher rate limit and avoid this state." >> $GITHUB_STEP_SUMMARY
+            if [[ -f nancy-output.log ]]; then
+              echo "" >> $GITHUB_STEP_SUMMARY
+              echo "<details>" >> $GITHUB_STEP_SUMMARY
+              echo "<summary>Click to expand Nancy output</summary>" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+              echo '```' >> $GITHUB_STEP_SUMMARY
+              head -50 nancy-output.log >> $GITHUB_STEP_SUMMARY
+              echo '```' >> $GITHUB_STEP_SUMMARY
+              echo "</details>" >> $GITHUB_STEP_SUMMARY
+            fi
+          # Payment-required (402): explain clearly that CI was NOT failed and how to remediate
+          elif [[ "$NANCY_STATUS" == "payment-required" ]]; then
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "### ⚠️ OSS Index Payment Required (402)" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Sonatype's OSS Index returned **402 Payment Required**, indicating the free-tier quota for unauthenticated requests has been exhausted." >> $GITHUB_STEP_SUMMARY
+            echo "**This is not a vulnerability detection** and CI has **not** been failed for this run." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "**To remediate (recommended):**" >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "1. Register a free account at <https://ossindex.sonatype.org/user/register>." >> $GITHUB_STEP_SUMMARY
+            echo "2. Retrieve your username (email) and API token from <https://ossindex.sonatype.org/user/settings>." >> $GITHUB_STEP_SUMMARY
+            echo "3. Add them as repository secrets named \`OSSI_USERNAME\` and \`OSSI_TOKEN\`." >> $GITHUB_STEP_SUMMARY
+            echo "" >> $GITHUB_STEP_SUMMARY
+            echo "Authenticated requests have a higher quota and avoid this state." >> $GITHUB_STEP_SUMMARY
+            if [[ -f nancy-output.log ]]; then
+              echo "" >> $GITHUB_STEP_SUMMARY
+              echo "<details>" >> $GITHUB_STEP_SUMMARY
+              echo "<summary>Click to expand Nancy output</summary>" >> $GITHUB_STEP_SUMMARY
+              echo "" >> $GITHUB_STEP_SUMMARY
+              echo '```' >> $GITHUB_STEP_SUMMARY
+              head -50 nancy-output.log >> $GITHUB_STEP_SUMMARY
+              echo '```' >> $GITHUB_STEP_SUMMARY
+              echo "</details>" >> $GITHUB_STEP_SUMMARY
+            fi
+          # Real vulnerability failure: keep existing details section
+          elif [[ "$NANCY_STATUS" == "failure" ]] && [[ -f nancy-output.log ]]; then
             echo "" >> $GITHUB_STEP_SUMMARY
             echo "### 🚨 Vulnerability Details" >> $GITHUB_STEP_SUMMARY
             echo "" >> $GITHUB_STEP_SUMMARY
@@ -252,6 +336,12 @@ jobs:
 
       # --------------------------------------------------------------------
       # Fail job if vulnerabilities found
+      #
+      # Only fires when nancy-status == 'failure' (real vulnerabilities).
+      # The 'rate-limited' status is intentionally excluded: an OSS Index rate
+      # limit produces an inconclusive scan, not a vulnerability finding, and
+      # must not red-X CI. See the run-nancy step above for the rate-limit
+      # detection logic.
       # --------------------------------------------------------------------
       - name: 🚨 Fail job if vulnerabilities found
         if: always() && steps.run-nancy.outputs.nancy-status == 'failure'

.github/workflows/fortress.yml

@@ -1,7 +1,7 @@
 # ------------------------------------------------------------------------------------
 #  🏰 GoFortress - Enterprise-grade CI/CD fortress for Go applications
 #
-#  Version: 1.7.2 | Released: 2026-03-09
+#  Version: 1.7.3 | Released: 2026-04-28
 #
 #  Built Strong. Tested Harder.
 #