From 4001a1b3e866db2dc99e89dd884102a28b0e1077 Mon Sep 17 00:00:00 2001 From: msukkari Date: Mon, 20 Apr 2026 23:12:30 -0700 Subject: [PATCH 1/3] chore: bump vendor/zoekt to include CodeQL security fixes Pulls in sourcebot-dev/zoekt#13 (open), which resolves all open CodeQL security alerts on the zoekt repo: - go/clear-text-logging (high) in gitindex/clone.go - go/incorrect-integer-conversion (high) in api.go and zoekt-sourcegraph-indexserver/sg.go - actions/missing-workflow-permissions (medium x8) in ci.yml and buf-breaking-check.yml - actions/untrusted-checkout/high (high) in semgrep.yml Also carries through the dependency bumps from sourcebot-dev/zoekt#11 and #12 (go-git 5.18.0, grpc 1.80.0, otel 1.43.0) that were merged after #1140 so weren't included when main shipped the original zoekt sync. Co-Authored-By: Claude Opus 4.7 (1M context) --- vendor/zoekt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/zoekt b/vendor/zoekt index da9bf1a3c..945c3e96b 160000 --- a/vendor/zoekt +++ b/vendor/zoekt @@ -1 +1 @@ -Subproject commit da9bf1a3c96b438268e2692c4b4fd7a3d341c2c9 +Subproject commit 945c3e96b253d242b2f2f31df872e81cacaa3bf3 From b5682cadc038f58260200d2edee66fff2b8140e8 Mon Sep 17 00:00:00 2001 From: msukkari Date: Mon, 20 Apr 2026 23:20:23 -0700 Subject: [PATCH 2/3] chore: repoint vendor/zoekt at sourcebot-dev/zoekt@main merge commit sourcebot-dev/zoekt#13 merged as 7c6c629f. Updating the submodule pointer from the feature-branch tip (945c3e96) to the merge commit on main so vendor/zoekt tracks canonical history before merging. Co-Authored-By: Claude Opus 4.7 (1M context) --- vendor/zoekt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/zoekt b/vendor/zoekt index 945c3e96b..7c6c629f7 160000 --- a/vendor/zoekt +++ b/vendor/zoekt @@ -1 +1 @@ -Subproject commit 945c3e96b253d242b2f2f31df872e81cacaa3bf3 +Subproject commit 7c6c629f7d00f3508a41f750f162ca7339c69901 
From ae0d18ff5687c8e743d607f2275da01c1f0930be Mon Sep 17 00:00:00 2001 From: msukkari Date: Tue, 21 Apr 2026 09:39:20 -0700 Subject: [PATCH 3/3] chore: repoint vendor/zoekt at upstream-ancestry merge commit sourcebot-dev/zoekt#10 was squash-merged into zoekt@main, which flattened the merge commit and left GitHub reporting the fork as 108 commits behind sourcegraph/zoekt:main even though all upstream content was present. Fixed by performing a 'git merge -s ours upstream/main' on zoekt@main: this records upstream/main as a second parent without changing any files, restoring the ancestry link. Bumping this submodule pointer from 7c6c629f (the previous main tip) to df983ea1 (the new merge-ours commit). The vendored tree content is byte-identical to 7c6c629f; only the commit graph is different. Co-Authored-By: Claude Opus 4.7 (1M context) --- vendor/zoekt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/vendor/zoekt b/vendor/zoekt index 7c6c629f7..df983ea11 160000 --- a/vendor/zoekt +++ b/vendor/zoekt @@ -1 +1 @@ -Subproject commit 7c6c629f7d00f3508a41f750f162ca7339c69901 +Subproject commit df983ea1170b43829f4317660bdf2345791f350e
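Review bot: in [PATCH 1/3] the only change visible at vendor/zoekt is the gitlink moving from da9bf1a3c to 945c3e96b, so none of the fixes the commit message lists (the clear-text-logging, integer-conversion, workflow-permissions and untrusted-checkout alerts, plus the go-git, grpc and otel bumps) can be checked from this diff. Please attach the submodule commit range, for example the output of `git -C vendor/zoekt log --oneline da9bf1a3c..945c3e96b`, so a reviewer can confirm the bump carries those changes and nothing else. The message also marks sourcebot-dev/zoekt#13 as open, which means this commit pins a SHA that has not yet been merged on the zoekt side.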
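Review bot: [PATCH 2/3] replaces 945c3e96b with 7c6c629f7 one commit after it was introduced, which leaves a commit in this repository's history whose vendor/zoekt pointer is a feature-branch tip. If that branch is deleted or rewritten, checking out [PATCH 1/3] with submodules (during a bisect, for instance) may fail to fetch the pinned commit. Squash 1/3 and 2/3 so history goes straight from da9bf1a3c to the merge commit on main.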
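Review bot: in [PATCH 3/3] the claim that the tree at df983ea11 is byte-identical to 7c6c629f7 cannot be checked from the vendor/zoekt hunk, and it matters because `git merge -s ours upstream/main` discards the other side's changes by design. Record the verification in the commit message, for example that `git rev-parse 7c6c629f7^{tree}` and `git rev-parse df983ea11^{tree}` print the same hash inside vendor/zoekt. It is also worth stating how "all upstream content was present" was confirmed, since after the ours-merge any upstream change that was actually missing will appear as already merged.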