
deps: consolidate 12 Dependabot bumps + gate branch.yaml on ci-run label#279

Merged
Cre-eD merged 35 commits into
mainfrom
deps/consolidated-2026-05-19
May 20, 2026

Conversation


@Cre-eD Cre-eD commented May 20, 2026

Summary

What's bumped

Go modules (group #275, post-tidy)

24 direct + transitive: cloud.google.com/go/storage 1.49.0→1.62.2 · aws/aws-lambda-go 1.47.0→1.54.0 · aws/aws-sdk-go-v2/config 1.29.7→1.32.17 · cloudflare/cloudflare-go 0.104.0→0.116.0 · disgoorg/disgo 0.18.5→0.19.3 · fatih/color 1.18.0→1.19.0 · go-git/go-git/v5 5.19.0→5.19.1 (also #276) · onsi/gomega 1.38.2→1.41.0 · pulumi-aws/sdk/v6 6.83.0→6.83.3 · pulumi-cloudflare/sdk/v6 6.2.0→6.15.0 · pulumi-docker/sdk/v4 4.5.8→4.11.2 · pulumi-gcp/sdk/v8 8.0.0→8.41.1 · pulumi-kubernetes/sdk/v4 4.18.1→4.31.0 · pulumi-mongodbatlas/sdk/v3 3.30.0→3.38.0 · pulumi-random/sdk/v4 4.17.0→4.20.0 · pulumi/pkg/v3 3.184.0→3.241.0 · pulumi/sdk/v3 3.214.0→3.241.0 · samber/lo 1.38.1→1.53.0 · tmc/langchaingo 0.1.13→0.1.14 · mongo-driver 1.16.1→1.17.9 · k8s.io/apimachinery 0.35.0→0.36.1 · k8s.io/client-go 0.35.0→0.36.1 · others.

Major bump (out of group): pulumi/pulumi-command/sdk 0.9.2→1.2.1 (#237).

Docker (group #242 + digests #243 #244)

  • alpine 3.21 → 3.23 (github-actions.Dockerfile, github-actions-staging.Dockerfile)
  • caddy digest 14f5b3ef96a3b7
  • alpine/kubectl digest e9acf90405e713

Python docs (group #274)

3 updates in docs/requirements.in / docs/requirements.txt.

GitHub Actions

Upstream API breaks adapted in 83401af

| Dep | Break | Fix |
| --- | --- | --- |
| disgoorg/disgo 0.19 | `webhook.Client` interface → struct | Field type `*webhook.Client` |
| disgoorg/disgo 0.19 | `CreateMessage` gained required `rest.CreateWebhookMessageParams` arg | Pass empty `rest.CreateWebhookMessageParams{}` |
| pulumi-cloudflare/sdk v6.15 | `LookupZoneResult.ZoneId` `*string` → `string` | Drop `lo.FromPtr(...)` wrapper at 4 sites |
| pulumi/pkg/v3 v3.241 | `backend.RemoveStack` gained `removeBackups bool` arg | Pass `false, false` (preserve no-backup-delete behaviour) |

CI gate — what changes

```yaml
# .github/workflows/branch.yaml
on:
  pull_request:
    types: [opened, synchronize, reopened, labeled]  # `labeled` re-triggers
jobs:
  build-setup:
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.user.login != 'dependabot[bot]' ||
      contains(github.event.pull_request.labels.*.name, 'ci-run')
```

finalize carries the same guard so a Dependabot PR doesn't get a "build failed" Telegram sticky for a pipeline that was intentionally never run.

Operationally — when a future Dependabot PR (or another consolidated batch like this one) needs full Blacksmith validation before merge, add the ci-run label and the workflow re-fires on label.

Test plan

  • go build ./... clean (local Go 1.26, CI uses 1.25)
  • go test -count=1 -run '^$' -vet=off ./... (compile every test binary) clean
  • Add ci-run label to this PR (it's authored by a human, not Dependabot, so the gate is inert — CI runs anyway) and let branch.yaml produce a real green build
  • Verify the Blacksmith build's build-setup decrypts SC_CONFIG correctly (Dependabot's failure mode was secret access, not code)
  • After merge: confirm next Monday's Dependabot PRs land with the heavy workflow showing as skipped (cascade from build-setup) and only cheap CI fires

dependabot Bot and others added 26 commits May 16, 2026 16:55
Bumps caddy from `14f5b3e` to `f96a3b7`.

---
updated-dependencies:
- dependency-name: caddy
  dependency-version: 2.11.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps alpine/kubectl from `e9acf90` to `405e713`.

---
updated-dependencies:
- dependency-name: alpine/kubectl
  dependency-version: latest
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/pulumi/pulumi-command/sdk](https://github.com/pulumi/pulumi-command) from 0.9.2 to 1.2.1.
- [Release notes](https://github.com/pulumi/pulumi-command/releases)
- [Commits](pulumi/pulumi-command@v0.9.2...v1.2.1)

---
updated-dependencies:
- dependency-name: github.com/pulumi/pulumi-command/sdk
  dependency-version: 1.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the docker-minor-and-patch group with 1 update in the / directory: alpine.


Updates `alpine` from 3.21 to 3.23

---
updated-dependencies:
- dependency-name: alpine
  dependency-version: '3.23'
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps the pip-minor-and-patch group in /docs with 3 updates: [mkdocs](https://github.com/mkdocs/mkdocs), [mkdocs-material](https://github.com/squidfunk/mkdocs-material) and [mkdocs-mermaid2-plugin](https://github.com/fralau/mkdocs-mermaid2-plugin).


Updates `mkdocs` from 1.5.3 to 1.6.1
- [Release notes](https://github.com/mkdocs/mkdocs/releases)
- [Commits](mkdocs/mkdocs@1.5.3...1.6.1)

Updates `mkdocs-material` from 9.4.14 to 9.7.6
- [Release notes](https://github.com/squidfunk/mkdocs-material/releases)
- [Changelog](https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG)
- [Commits](squidfunk/mkdocs-material@9.4.14...9.7.6)

Updates `mkdocs-mermaid2-plugin` from 1.1.1 to 1.2.3
- [Release notes](https://github.com/fralau/mkdocs-mermaid2-plugin/releases)
- [Changelog](https://github.com/fralau/mkdocs-mermaid2-plugin/blob/master/CHANGELOG.md)
- [Commits](fralau/mkdocs-mermaid2-plugin@v1.1.1...v1.2.3)

---
updated-dependencies:
- dependency-name: mkdocs
  dependency-version: 1.6.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-minor-and-patch
- dependency-name: mkdocs-material
  dependency-version: 9.7.6
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-minor-and-patch
- dependency-name: mkdocs-mermaid2-plugin
  dependency-version: 1.2.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pip-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
…ith 31 updates

Bumps the gomod-minor-and-patch group with 24 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [cloud.google.com/go/storage](https://github.com/googleapis/google-cloud-go) | `1.49.0` | `1.62.2` |
| [github.com/MShekow/directory-checksum](https://github.com/MShekow/directory-checksum) | `1.4.9` | `1.4.18` |
| [github.com/atombender/go-jsonschema](https://github.com/atombender/go-jsonschema) | `0.23.0` | `0.23.1` |
| [github.com/aws/aws-lambda-go](https://github.com/aws/aws-lambda-go) | `1.47.0` | `1.54.0` |
| [github.com/aws/aws-sdk-go-v2/config](https://github.com/aws/aws-sdk-go-v2) | `1.29.7` | `1.32.17` |
| [github.com/cloudflare/cloudflare-go](https://github.com/cloudflare/cloudflare-go) | `0.104.0` | `0.116.0` |
| [github.com/disgoorg/disgo](https://github.com/disgoorg/disgo) | `0.18.5` | `0.19.3` |
| [github.com/fatih/color](https://github.com/fatih/color) | `1.18.0` | `1.19.0` |
| [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) | `5.19.0` | `5.19.1` |
| [github.com/onsi/gomega](https://github.com/onsi/gomega) | `1.38.2` | `1.41.0` |
| [github.com/otiai10/copy](https://github.com/otiai10/copy) | `1.14.0` | `1.14.1` |
| [github.com/pulumi/pulumi-aws/sdk/v6](https://github.com/pulumi/pulumi-aws) | `6.83.0` | `6.83.3` |
| [github.com/pulumi/pulumi-cloudflare/sdk/v6](https://github.com/pulumi/pulumi-cloudflare) | `6.2.0` | `6.15.0` |
| [github.com/pulumi/pulumi-docker/sdk/v4](https://github.com/pulumi/pulumi-docker) | `4.5.8` | `4.11.2` |
| [github.com/pulumi/pulumi-gcp/sdk/v8](https://github.com/pulumi/pulumi-gcp) | `8.0.0` | `8.41.1` |
| [github.com/pulumi/pulumi-kubernetes/sdk/v4](https://github.com/pulumi/pulumi-kubernetes) | `4.18.1` | `4.31.0` |
| [github.com/pulumi/pulumi-mongodbatlas/sdk/v3](https://github.com/pulumi/pulumi-mongodbatlas) | `3.30.0` | `3.38.0` |
| [github.com/pulumi/pulumi-random/sdk/v4](https://github.com/pulumi/pulumi-random) | `4.17.0` | `4.20.0` |
| [github.com/pulumi/pulumi/pkg/v3](https://github.com/pulumi/pulumi) | `3.184.0` | `3.241.0` |
| [github.com/samber/lo](https://github.com/samber/lo) | `1.38.1` | `1.53.0` |
| [github.com/tmc/langchaingo](https://github.com/tmc/langchaingo) | `0.1.13` | `0.1.14` |
| [go.mongodb.org/mongo-driver](https://github.com/mongodb/mongo-go-driver) | `1.16.1` | `1.17.9` |
| [k8s.io/apimachinery](https://github.com/kubernetes/apimachinery) | `0.35.0` | `0.36.1` |
| [k8s.io/client-go](https://github.com/kubernetes/client-go) | `0.35.0` | `0.36.1` |



Updates `cloud.google.com/go/storage` from 1.49.0 to 1.62.2
- [Release notes](https://github.com/googleapis/google-cloud-go/releases)
- [Changelog](https://github.com/googleapis/google-cloud-go/blob/main/CHANGES.md)
- [Commits](googleapis/google-cloud-go@pubsub/v1.49.0...storage/v1.62.2)

Updates `github.com/MShekow/directory-checksum` from 1.4.9 to 1.4.18
- [Release notes](https://github.com/MShekow/directory-checksum/releases)
- [Commits](MShekow/directory-checksum@v1.4.9...v1.4.18)

Updates `github.com/atombender/go-jsonschema` from 0.23.0 to 0.23.1
- [Release notes](https://github.com/atombender/go-jsonschema/releases)
- [Commits](omissis/go-jsonschema@v0.23.0...v0.23.1)

Updates `github.com/aws/aws-lambda-go` from 1.47.0 to 1.54.0
- [Release notes](https://github.com/aws/aws-lambda-go/releases)
- [Commits](aws/aws-lambda-go@v1.47.0...v1.54.0)

Updates `github.com/aws/aws-sdk-go-v2/config` from 1.29.7 to 1.32.17
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@config/v1.29.7...config/v1.32.17)

Updates `github.com/aws/aws-sdk-go-v2/credentials` from 1.17.60 to 1.19.16
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](aws/aws-sdk-go-v2@credentials/v1.17.60...credentials/v1.19.16)

Updates `github.com/cloudflare/cloudflare-go` from 0.104.0 to 0.116.0
- [Release notes](https://github.com/cloudflare/cloudflare-go/releases)
- [Changelog](https://github.com/cloudflare/cloudflare-go/blob/v0.116.0/CHANGELOG.md)
- [Commits](cloudflare/cloudflare-go@v0.104.0...v0.116.0)

Updates `github.com/disgoorg/disgo` from 0.18.5 to 0.19.3
- [Release notes](https://github.com/disgoorg/disgo/releases)
- [Commits](disgoorg/disgo@v0.18.5...v0.19.3)

Updates `github.com/fatih/color` from 1.18.0 to 1.19.0
- [Release notes](https://github.com/fatih/color/releases)
- [Commits](fatih/color@v1.18.0...v1.19.0)

Updates `github.com/go-git/go-git/v5` from 5.19.0 to 5.19.1
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.19.0...v5.19.1)

Updates `github.com/onsi/gomega` from 1.38.2 to 1.41.0
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](onsi/gomega@v1.38.2...v1.41.0)

Updates `github.com/otiai10/copy` from 1.14.0 to 1.14.1
- [Release notes](https://github.com/otiai10/copy/releases)
- [Commits](otiai10/copy@v1.14.0...v1.14.1)

Updates `github.com/pulumi/pulumi-aws/sdk/v6` from 6.83.0 to 6.83.3
- [Release notes](https://github.com/pulumi/pulumi-aws/releases)
- [Changelog](https://github.com/pulumi/pulumi-aws/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-aws@v6.83.0...v6.83.3)

Updates `github.com/pulumi/pulumi-cloudflare/sdk/v6` from 6.2.0 to 6.15.0
- [Release notes](https://github.com/pulumi/pulumi-cloudflare/releases)
- [Changelog](https://github.com/pulumi/pulumi-cloudflare/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-cloudflare@v6.2.0...v6.15.0)

Updates `github.com/pulumi/pulumi-docker/sdk/v4` from 4.5.8 to 4.11.2
- [Release notes](https://github.com/pulumi/pulumi-docker/releases)
- [Changelog](https://github.com/pulumi/pulumi-docker/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-docker@v4.5.8...v4.11.2)

Updates `github.com/pulumi/pulumi-gcp/sdk/v8` from 8.0.0 to 8.41.1
- [Release notes](https://github.com/pulumi/pulumi-gcp/releases)
- [Changelog](https://github.com/pulumi/pulumi-gcp/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-gcp@v8.0.0...v8.41.1)

Updates `github.com/pulumi/pulumi-kubernetes/sdk/v4` from 4.18.1 to 4.31.0
- [Release notes](https://github.com/pulumi/pulumi-kubernetes/releases)
- [Changelog](https://github.com/pulumi/pulumi-kubernetes/blob/master/CHANGELOG.md)
- [Commits](pulumi/pulumi-kubernetes@v4.18.1...v4.31.0)

Updates `github.com/pulumi/pulumi-mongodbatlas/sdk/v3` from 3.30.0 to 3.38.0
- [Release notes](https://github.com/pulumi/pulumi-mongodbatlas/releases)
- [Changelog](https://github.com/pulumi/pulumi-mongodbatlas/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-mongodbatlas@v3.30.0...v3.38.0)

Updates `github.com/pulumi/pulumi-random/sdk/v4` from 4.17.0 to 4.20.0
- [Release notes](https://github.com/pulumi/pulumi-random/releases)
- [Changelog](https://github.com/pulumi/pulumi-random/blob/master/CHANGELOG_OLD.md)
- [Commits](pulumi/pulumi-random@v4.17.0...v4.20.0)

Updates `github.com/pulumi/pulumi/pkg/v3` from 3.184.0 to 3.241.0
- [Release notes](https://github.com/pulumi/pulumi/releases)
- [Changelog](https://github.com/pulumi/pulumi/blob/master/CHANGELOG.md)
- [Commits](pulumi/pulumi@v3.184.0...v3.241.0)

Updates `github.com/pulumi/pulumi/sdk/v3` from 3.184.0 to 3.241.0
- [Release notes](https://github.com/pulumi/pulumi/releases)
- [Changelog](https://github.com/pulumi/pulumi/blob/master/CHANGELOG.md)
- [Commits](pulumi/pulumi@v3.184.0...v3.241.0)

Updates `github.com/samber/lo` from 1.38.1 to 1.53.0
- [Release notes](https://github.com/samber/lo/releases)
- [Commits](samber/lo@v1.38.1...v1.53.0)

Updates `github.com/tmc/langchaingo` from 0.1.13 to 0.1.14
- [Release notes](https://github.com/tmc/langchaingo/releases)
- [Commits](tmc/langchaingo@v0.1.13...v0.1.14)

Updates `go.mongodb.org/mongo-driver` from 1.16.1 to 1.17.9
- [Release notes](https://github.com/mongodb/mongo-go-driver/releases)
- [Commits](mongodb/mongo-go-driver@v1.16.1...v1.17.9)

Updates `golang.org/x/crypto` from 0.50.0 to 0.51.0
- [Commits](golang/crypto@v0.50.0...v0.51.0)

Updates `golang.org/x/oauth2` from 0.35.0 to 0.36.0
- [Commits](golang/oauth2@v0.35.0...v0.36.0)

Updates `golang.org/x/term` from 0.42.0 to 0.43.0
- [Commits](golang/term@v0.42.0...v0.43.0)

Updates `golang.org/x/text` from 0.36.0 to 0.37.0
- [Release notes](https://github.com/golang/text/releases)
- [Commits](golang/text@v0.36.0...v0.37.0)

Updates `google.golang.org/api` from 0.223.0 to 0.274.0
- [Release notes](https://github.com/googleapis/google-api-go-client/releases)
- [Changelog](https://github.com/googleapis/google-api-go-client/blob/main/CHANGES.md)
- [Commits](googleapis/google-api-go-client@v0.223.0...v0.274.0)

Updates `k8s.io/apimachinery` from 0.35.0 to 0.36.1
- [Commits](kubernetes/apimachinery@v0.35.0...v0.36.1)

Updates `k8s.io/client-go` from 0.35.0 to 0.36.1
- [Changelog](https://github.com/kubernetes/client-go/blob/master/CHANGELOG.md)
- [Commits](kubernetes/client-go@v0.35.0...v0.36.1)

---
updated-dependencies:
- dependency-name: cloud.google.com/go/storage
  dependency-version: 1.62.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/MShekow/directory-checksum
  dependency-version: 1.4.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/atombender/go-jsonschema
  dependency-version: 0.23.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/aws/aws-lambda-go
  dependency-version: 1.54.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/config
  dependency-version: 1.32.17
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/aws/aws-sdk-go-v2/credentials
  dependency-version: 1.19.16
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/cloudflare/cloudflare-go
  dependency-version: 0.116.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/disgoorg/disgo
  dependency-version: 0.19.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/fatih/color
  dependency-version: 1.19.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/onsi/gomega
  dependency-version: 1.41.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/otiai10/copy
  dependency-version: 1.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-aws/sdk/v6
  dependency-version: 6.83.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-cloudflare/sdk/v6
  dependency-version: 6.15.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-docker/sdk/v4
  dependency-version: 4.11.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-gcp/sdk/v8
  dependency-version: 8.41.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-kubernetes/sdk/v4
  dependency-version: 4.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-mongodbatlas/sdk/v3
  dependency-version: 3.38.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi-random/sdk/v4
  dependency-version: 4.20.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi/pkg/v3
  dependency-version: 3.241.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/pulumi/pulumi/sdk/v3
  dependency-version: 3.241.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/samber/lo
  dependency-version: 1.53.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: github.com/tmc/langchaingo
  dependency-version: 0.1.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gomod-minor-and-patch
- dependency-name: go.mongodb.org/mongo-driver
  dependency-version: 1.17.9
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: golang.org/x/crypto
  dependency-version: 0.51.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: golang.org/x/term
  dependency-version: 0.43.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: golang.org/x/text
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: google.golang.org/api
  dependency-version: 0.274.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: k8s.io/apimachinery
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
- dependency-name: k8s.io/client-go
  dependency-version: 0.36.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gomod-minor-and-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@ea165f8...043fb46)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/cache](https://github.com/actions/cache) from 4.3.0 to 5.0.5.
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@0057852...27d5ce7)

---
updated-dependencies:
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/download-artifact](https://github.com/actions/download-artifact) from 4.3.0 to 8.0.1.
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-version: 8.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3.12.0 to 4.0.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@8d2750c...4d04d5d)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-version: 4.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [reecetech/version-increment](https://github.com/reecetech/version-increment) from 2023.10.2 to 2024.10.1.
- [Release notes](https://github.com/reecetech/version-increment/releases)
- [Commits](reecetech/version-increment@71036b2...a29aa75)

---
updated-dependencies:
- dependency-name: reecetech/version-increment
  dependency-version: 2024.10.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.19.0 to 5.19.1.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Changelog](https://github.com/go-git/go-git/blob/main/HISTORY.md)
- [Commits](go-git/go-git@v5.19.0...v5.19.1)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.19.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>

# Conflicts:
#	go.sum
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>

# Conflicts:
#	go.mod
#	go.sum
…abot

Dependabot PRs don't receive `secrets.SC_CONFIG` (lives in the
repo-secret namespace, not the `dependabot` one), so `build-setup`
always fails — and downstream Blacksmith jobs `needs:` it, so each
Dependabot PR was burning multi-vCPU Blacksmith minutes on a doomed
build. The cheap PR workflows (CodeQL, Semgrep, govulncheck, Fuzz,
TruffleHog, DCO) still run unchanged on every Dependabot PR; they're
on free ubuntu-latest and catch the supply-chain risk that matters for
dependency bumps.

Codeowners can opt a Dependabot PR back into the full Blacksmith build
by adding the `ci-run` label (most useful right before merging a
consolidated dep PR). `pull_request.types: [opened, synchronize,
reopened, labeled]` ensures the label add re-triggers the workflow.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Three breaking-change adapters introduced by the consolidated bumps in
this branch, none of which Dependabot's auto-tidy could fix on its own:

- disgo v0.18.5 → v0.19.3 (gomod group): `webhook.Client` switched
  from interface to struct, so the `alertSender.client` field becomes
  `*webhook.Client`. `Client.CreateMessage` also gained a required
  `rest.CreateWebhookMessageParams{}` argument — pass an empty value
  to preserve the previous default behaviour.

- pulumi-cloudflare/sdk v6.2.0 → v6.15.0 (gomod group):
  `cloudflare.LookupZoneResult.ZoneId` changed from `*string` to
  `string`. Drop the `lo.FromPtr(...)` wrapper at the 4 call sites in
  registrar.go.

- pulumi/pkg/v3 v3.184.0 → v3.241.0 (gomod group):
  `backend.RemoveStack` signature gained a fourth `removeBackups bool`
  arg. Pass `false` at both destroy.go call sites to preserve the
  pre-bump behaviour (no backup deletion).

Also picks up the go.sum hash update for pulumi-command/sdk v1.2.1
that `go mod tidy` performed after the manual merge resolution.

`go build ./...` and `go test -count=1 -run '^$' -vet=off ./...` both
pass. The `go vet` printf warnings surfaced in this tree are
pre-existing on main and stem from the local Go 1.26 being stricter
than CI's Go 1.25 — not from this batch.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
@Cre-eD Cre-eD requested a review from smecsia as a code owner May 20, 2026 06:45

github-actions Bot commented May 20, 2026

Semgrep Scan Results

Repository: api | Commit: d21a0b3

| Check | Status | Details |
| --- | --- | --- |
| ⚠️ Semgrep | Warning | 10 warning(s), 10 total |

Scanned at 2026-05-20 14:01 UTC


github-actions Bot commented May 20, 2026

Security Scan Results

Repository: api | Commit: d21a0b3

| Check | Status | Details |
| --- | --- | --- |
| ✅ Secret Scan | Pass | No secrets detected |
| ✅ Dependencies (Trivy) | Pass | 0 total (no critical/high) |
| ✅ Dependencies (Grype) | Pass | 0 total (no critical/high) |
| 📦 SBOM | Generated | 528 components (CycloneDX) |

Scanned at 2026-05-20 14:08 UTC

…o bump

The gomod-minor-and-patch group required k8s.io v0.36.1, which in turn
required bumping the `go` directive from 1.25.10 to 1.26.0. Go 1.26's
stricter govet/staticcheck linters surfaced 8 pre-existing printf
mismatches and 6 SA1019 deprecations that previously passed under
1.25. All fixed:

printf (govet) — wrong type or wrong arg count, 8 sites:
- aws_lambda.go: 3 %q verbs but 2 args (dropped extra %q)
- ecs_fargate.go: %q on *EcsFargateInput → %+v
- adopt_redis.go: %q on *string → dereference before logging
- cloudrun.go: %q on *CloudRunInput → %+v
- gke_autopilot.go: %s on pulumi.StringOutput → %v
- redis.go: 4 %q verbs but 3 args (dropped extra %q)
- kube_run.go: %q on *string → lo.FromPtr(...)
- simple_container.go: %s on pulumi.StringPtrOutput → %v

staticcheck SA1019 — deprecated symbol use, 6 sites:
- login.go: workspace.PulumiHomeEnvVar → package-local const
  pulumiHomeEnvVar = "PULUMI_HOME". The deprecated SDK symbol points to
  env.Home (a Var indirection), which would couple us to the env.Var
  API for no behavioural change; "PULUMI_HOME" is a stable CLI contract.
- bucket_uploader.go / kms_key.go / provider.go:
  gcpOptions.WithCredentialsJSON is deprecated by Google as a "potential
  security risk" but Google offers no equivalent in-memory replacement —
  all suggested alternatives require disk or SecretManager round-trips,
  neither of which fits these flows. Suppressed per-line with
  //nolint:staticcheck and a justification comment.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>

Cre-eD added 2 commits May 20, 2026 12:56
CI from the first push of the deps-consolidation branch surfaced
three remaining issues all triggered by the same `go 1.25.10 → 1.26.0`
bump:

1. **`go vet` printf non-constant-format on 40+ Logger callsites.**
   Default `go test` runs vet, so all packages using Logger.Info /
   Debug / Warn / Error with `fmt.Sprintf(...)`, `color.XxxFmt(...)`,
   or a bare variable as the format argument now build-fail. Wrapped
   each with an explicit `"%s",` first arg. Touches ch_cloudwatch_alert,
   ch_healthevent_trigger, cancel, deploy, destroy, login, preview,
   provision, gcp/bucket_uploader, aws/cloudtrail_security_alerts,
   provisioner/deploy. Behaviour identical — same string is logged.

2. **`Test_appendUserPasswordToMongoUri` failure.** Go 1.26's
   `net/url.Parse` rejects MongoDB-style multi-host URIs
   (`mongodb://a:27017,b:27017,c:27017/db?opts`) — "invalid port
   after host". The util was already wrong (silently returned the
   unchanged URI for any unparseable input); the test was added in
   #228 and only ever passed under Go 1.25's looser url.Parse.
   Rewrote AppendUserPasswordAndDBToMongoUri to do string surgery
   instead of going through net/url for the input. Rewrote the test
   to verify by string assertion instead of round-tripping through
   url.Parse on the output.

3. **TruffleHog flagged a "Cloudflare API token" in `go.sum`.** The
   `h1:` SHA-256 hash for `pulumi-cloudflare/sdk v6.15.0/go.mod` is
   `WdXrlCWF8RxzVLCAGEQyCqW86lyXYfzawmtTughL/8E=`, which matches
   TruffleHog's `CloudflareApiToken` detector regex by coincidence.
   `go.sum` is a module-checksum file, not a credential carrier.
   Added it to `secret-scan-extra-excludes` in security-scan.yml
   alongside the existing docs / testdata excludes.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
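The second item in the commit message above describes replacing a `net/url` round-trip with string surgery so that multi-host MongoDB URIs survive Go 1.26's stricter host parsing. The following is an added example written for this page, not the project's `AppendUserPasswordAndDBToMongoUri`; the function name `appendUserPasswordAndDB`, its signature and its handling of an existing database path are assumptions. It splits the URI on `://`, `?` and `/` by hand, discards any pre-existing userinfo, and uses `url.UserPassword` only to percent-encode the credentials, which keeps a `@` or `/` inside the password from being misread as part of the host list.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// appendUserPasswordAndDB inserts user:password (and, when db is non-empty,
// a database name) into a MongoDB connection string without parsing the
// host list through net/url, whose host parser rejects the comma-separated
// multi-host form. Hypothetical re-implementation for illustration.
func appendUserPasswordAndDB(uri, user, password, db string) (string, error) {
	scheme, rest, ok := strings.Cut(uri, "://")
	if !ok || (scheme != "mongodb" && scheme != "mongodb+srv") {
		return "", fmt.Errorf("not a MongoDB URI: %q", uri)
	}
	// Split off the query first so a '/' inside an option value is never
	// mistaken for the path separator.
	hostAndPath, query, hasQuery := strings.Cut(rest, "?")
	authority, path, hasPath := strings.Cut(hostAndPath, "/")
	// Everything up to the last '@' is existing userinfo; drop it so the
	// caller's credentials replace rather than stack on top of it.
	if i := strings.LastIndex(authority, "@"); i >= 0 {
		authority = authority[i+1:]
	}
	if authority == "" {
		return "", errors.New("MongoDB URI has no host list")
	}
	if db != "" {
		path = db
		hasPath = true
	}
	var b strings.Builder
	b.WriteString(scheme + "://")
	// url.UserPassword percent-encodes ':' '@' '/' '?' in both fields, so the
	// '@' we append below is unambiguously the userinfo terminator.
	b.WriteString(url.UserPassword(user, password).String())
	b.WriteString("@" + authority)
	if hasPath || hasQuery {
		b.WriteString("/" + path)
	}
	if hasQuery {
		b.WriteString("?" + query)
	}
	return b.String(), nil
}

func main() {
	// Constructed sample: a three-member replica set URI with options and a
	// password containing reserved characters.
	in := "mongodb://a:27017,b:27017,c:27017/?replicaSet=rs0"
	if u, err := url.Parse(in); err != nil {
		fmt.Println("net/url rejects the multi-host form:", err)
	} else {
		fmt.Println("net/url host field:", u.Host)
	}
	out, err := appendUserPasswordAndDB(in, "app", "p@ss/w", "orders")
	fmt.Println(out, err)
}
```

The `main` only reports whether the local Go's `url.Parse` accepts the multi-host form; the commit notes that Go 1.25 did and Go 1.26 does not, which is exactly why the transformation must not depend on it.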
Comment thread pkg/clouds/aws/helpers/ch_cloudwatch_alert.go Fixed
Comment thread pkg/clouds/aws/helpers/ch_healthevent_trigger.go Fixed
govulncheck reported 17 reachable stdlib vulnerabilities in
crypto/x509 on go 1.26.0, every one of them flagged as "Fixed in:
crypto/x509@go1.26.1". The reachable trace is mostly through
pkg/assistant/mcp/server.go's MCP HTTP server eventually invoking
http.Server.Serve → x509.Certificate.Verify.

Bumping just the `go` directive (no `toolchain` line per project
policy [feedback_sc_no_toolchain]) makes setup-go install Go 1.26.1
and brings in the patched stdlib. `go build ./...` clean.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
smecsia previously approved these changes May 20, 2026
CodeQL alerts on PR #279:

  go/log-injection (medium) at
    pkg/clouds/aws/helpers/ch_cloudwatch_alert.go:59
    pkg/clouds/aws/helpers/ch_healthevent_trigger.go:18

Both AWS lambda handlers logged the raw `event any` payload via
`fmt.Sprintf("...%v", event)`. The pattern was pre-existing on main —
the Go 1.26 vet failure in the previous round just kept CodeQL from
analysing these files until the fmt fix landed in this branch.

Added `sanitizeForLog(v any) string` in pkg/clouds/aws/helpers: JSON-
marshals the payload (json escapes embedded \r\n inside string fields
to literal \\n) and runs the result through a `strings.Replacer` that
strips any residual CR/LF — the latter is what CodeQL's
go/log-injection query recognises as the sanitisation sink, so the
taint trace from `event` to the logger no longer terminates in a
flagged call. Both call sites updated to use it.

govulncheck mitigation:

  govulncheck -mode=source ./... is intrinsically memory-heavy on this
  module — local benchmark: peak RSS **13.5 GiB**, wall 11:35, 9M+
  page faults building the full call graph across pulumi v3, k8s.io,
  aws-sdk-v2, langchaingo, ... (492 require lines post-#279).

  The GH-hosted ubuntu-24.04 runner has 16 GiB total RAM minus
  ~2-3 GiB for the OS + runner agent → ~13-14 GiB usable. Every
  PR-279 run died around 2m41s–4m57s with "the runner has received
  a shutdown signal" — kernel OOM-killer firing on the runner agent
  when govulncheck's RSS crossed the cliff. `cancelled_by` is null
  on every failed run, ruling out concurrency / API cancellation.

  Fix:
    GOMEMLIMIT=12GiB — soft heap cap; Go's GC throttles allocation
                       pressure as it approaches this number.
    GOGC=25         — collect 4x more often than default (100).
    timeout-minutes: 20 — extra headroom for the GC-paced scan
                          (local 11:35 → expect ~14-16 min on CI).

  No runner upgrade or `-mode=binary` downgrade — keeps coverage
  unchanged, trades wall time for memory safety.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>

func (l *cloudwatchEventsLambda) handler(ctx context.Context, event any) error {
l.log.Info(ctx, fmt.Sprintf("lambda executing handler with event... %v", event))
l.log.Info(ctx, "lambda executing handler with event... %s", sanitizeForLog(event))
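Review bot: the replacement line changes the call shape, not just the argument: the old line passed one pre-formatted string (`fmt.Sprintf(...)`), the new one passes a `%s` format string plus `sanitizeForLog(event)` as separate arguments to `l.log.Info`. That is only correct if `Info` is printf-style variadic; if it takes a single message, the literal `%s` is logged and the payload is dropped. Confirm the logger signature, or keep the `fmt.Sprintf` wrapper around `sanitizeForLog(event)` so both call sites are independent of it.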

func (l *lambdaHealthBridgeCloudHelper) handler(ctx context.Context, event any) error {
l.log.Info(ctx, fmt.Sprintf("health bridge lambda executing handler with event... %v", event))
l.log.Info(ctx, "health bridge lambda executing handler with event... %s", sanitizeForLog(event))
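Review bot: `sanitizeForLog` removes CR/LF, but the new line still serialises the entire `event any` payload into an Info-level log record. Log injection is addressed; disclosure is not, and the sanitiser's behaviour when `json.Marshal` fails is not visible from this hunk. Consider logging only the fields the health-bridge handler acts on, or documenting in `sanitizeForLog` what it emits on a marshal error so a failed encode does not fall back to the raw `%v` form this change is replacing.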
Cre-eD added 4 commits May 20, 2026 16:19
govulncheck's OOM mitigation in the previous commit let the scan
actually finish on CI for the first time (3m42s, ~12 GiB peak under
GOMEMLIMIT). The complete report flags 12 reachable stdlib
vulnerabilities, every one in go1.26.1, every one fixed in go1.26.2:

  GO-2026-4866  crypto/x509  excludedSubtrees case-sensitivity Auth Bypass
                             (reachable: mcp.Start → http.Server.Serve
                              → x509.Certificate.Verify)
  GO-2026-4869  archive/tar  unbounded allocation, old-GNU sparse
                             (reachable via pulumi.Context.RegisterResourceOutputs)
  GO-2026-4865  html/template  JsBraceDepth context-tracking XSS
                             (reachable: mcp.Start → http.Server.Serve)
  ... and 9 more, all stdlib, all fixed in 1.26.2

Per [feedback_sc_no_toolchain] only the `go` directive is bumped;
no `toolchain` line is added. setup-go reads go.mod and will install
go 1.26.2 (binary confirmed available on dl.google.com).

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
…CVEs

After landing 1.26.2 (which closed the 12 prior stdlib CVEs flagged
under 1.26.1) govulncheck now reports 6 fresh reachable CVEs against
go1.26.2, all fixed in 1.26.3:

  GO-2026-4986  net/mail
  GO-2026-4982  html/template
  GO-2026-4980  html/template
  GO-2026-4977  net/mail
  GO-2026-4971  net
  GO-2026-4918  net/http

The Go team is shipping security patches in rapid succession this
month; 1.26.3 is currently the latest stable release on go.dev. Per
[feedback_sc_no_toolchain] only the `go` directive is bumped — no
`toolchain` line. Binary confirmed available on dl.google.com.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
…robes

Two Scorecard warnings on PR #279 left after the deps consolidation:

1. **Pinned-Dependencies**: the sole `goCommand not pinned by hash`
   was `go install golang.org/x/vuln/cmd/govulncheck@latest` in
   govulncheck.yml. SHA-pin to v1.3.0:
   0782b76014f15f24e22a438f30f308df42899ba1. Bumps will be 1-line PRs
   going forward.

2. **Signed-Releases / releasesHaveProvenance**: the 5 most recent
   releases each carry a `.sigstore.json` SLSA build-provenance bundle
   (from actions/attest-build-provenance@v4) which Scorecard
   recognises as a *signature*, but its provenance-probe matches
   specifically on `.intoto.jsonl`. Dual-publish each `.sigstore.json`
   as a `.intoto.jsonl` alias from create-github-release.sh — same
   bytes, second name, so cosign/sigstore consumers keep the
   canonical name and Scorecard sees provenance on every future
   release. (Scorecard#3699 tracks the upstream rule extension.)

Other Scorecard warnings already handled in earlier commits of #279:

  - GHSA-crhj-59gh-8x96 / GHSA-m7cr-m3pv-hgrp (go-git ≤5.19.0) —
    bumped to v5.19.1 in the gomod-minor-and-patch group (#275).
  - GO-2022-0635 / GO-2022-0646 (aws-sdk-go v1 s3crypto) — transitive
    via Pulumi, no reachable call, already in vex/openvex.json.
  - PYSEC-2026-89 (Python markdown) — OSV record is incomplete
    (missing fixed-event); we already pin `markdown==3.9` which is
    past the 3.8.1 fix referenced in the advisory body.

Out-of-scope follow-ups (require repo-admin action, not file edits):

  - Branch protection: require ≥2 approving reviews + codeowners
    review + apply settings to admins on `main`.
  - SAST coverage 19/30 commits: historical, no retroactive fix.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
@Cre-eD Cre-eD merged commit e3d0e73 into main May 20, 2026
23 of 25 checks passed