From a6b5a9fb5aa5abc3a9e3212b3d18b556dc8a7d82 Mon Sep 17 00:00:00 2001
From: Ryan Trauntvein <djdefi@users.noreply.github.com>
Date: Thu, 29 Jan 2026 18:38:35 -0800
Subject: [PATCH 1/2] Bump dependencies: checkout v6, alpine 3.23.3, docker
 actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Combined dependency updates:
- actions/checkout v5 → v6
- alpine 3.23.2 → 3.23.3
- docker/setup-buildx-action 3.11.1 → 3.12.0
- docker/login-action 3.6.0 → 3.7.0
- docker/metadata-action 5.7.0 → 5.10.0

Supersedes: #203, #204, #207, #208, #209
---
 .github/workflows/docker-publish.yml | 8 ++++----
 .github/workflows/test-scan.yml      | 2 +-
 Dockerfile                           | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 772910b..387c6d2 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -35,7 +35,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       # Install the cosign tool except on PR
       # https://github.com/sigstore/cosign-installer
@@ -45,13 +45,13 @@ jobs:
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -61,7 +61,7 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
diff --git a/.github/workflows/test-scan.yml b/.github/workflows/test-scan.yml
index c445f26..a7d8aaf 100644
--- a/.github/workflows/test-scan.yml
+++ b/.github/workflows/test-scan.yml
@@ -23,7 +23,7 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
 
       # Download test virii
       - name: Download EICAR test files
diff --git a/Dockerfile b/Dockerfile
index d7f0912..8b2b1c9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.23.2
+FROM alpine:3.23.3
 
 ENTRYPOINT ["/usr/bin/dumb-init", "--"]
 CMD ["/gitscan.sh"]

From 3744e8734c8ac652137ec9d732391a004761bc1b Mon Sep 17 00:00:00 2001
From: Ryan Trauntvein <djdefi@users.noreply.github.com>
Date: Thu, 29 Jan 2026 19:22:37 -0800
Subject: [PATCH 2/2] Fix test: make eicarcom2.zip download optional (404)

---
 .github/workflows/test-scan.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/test-scan.yml b/.github/workflows/test-scan.yml
index a7d8aaf..bf1337e 100644
--- a/.github/workflows/test-scan.yml
+++ b/.github/workflows/test-scan.yml
@@ -31,7 +31,7 @@ jobs:
           wget "https://secure.eicar.org/eicar.com.txt"
           wget "https://secure.eicar.org/eicar.com"
           wget "https://secure.eicar.org/eicar_com.zip"
-          wget "https://secure.eicar.org/eicarcom2.zip"
+          wget "https://secure.eicar.org/eicarcom2.zip" || echo "eicarcom2.zip not available, skipping"
       
       - name: Build image
         run: docker build -t gitavscan .