deps: consolidate 12 Dependabot bumps + gate branch.yaml on ci-run label

.github/workflows/branch-preview.yaml

@@ -35,7 +35,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Get next version
-        uses: reecetech/version-increment@71036b212bbdc100b48aae069870f10953433346  # 2023.10.2
+        uses: reecetech/version-increment@a29aa752dc3b8118a2dc2ed93faf0e95a73a9c7e  # 2024.10.1
         id: base-version
         with:
           scheme: "calver"
@@ -121,7 +121,7 @@ jobs:
           echo "cicd-bot-telegram-token=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-token)" >> $GITHUB_OUTPUT
           echo "cicd-bot-telegram-chat-id=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-chat-id)" >> $GITHUB_OUTPUT
       - name: upload bin directory artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: bin-tools
           path: bin
@@ -226,7 +226,7 @@ jobs:
         run: |
           cp "$BUNDLE_PATH" ".sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}-v${VERSION}.tar.gz.sigstore.json"
       - name: upload build artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: sc-${{ matrix.os }}-${{ matrix.arch }}
           path: |
@@ -268,7 +268,7 @@ jobs:
         run: |
           go build -a -installsuffix cgo -ldflags "-s -w -X=github.com/simple-container-com/api/internal/build.Version=${VERSION}" -o ${{ matrix.output }} ./cmd/${{ matrix.cmd }}
       - name: upload ${{ matrix.target }} binary
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: ${{ matrix.target }}-binary
           path: ${{ matrix.output }}
@@ -316,7 +316,7 @@ jobs:
         with:
           persist-credentials: false
       - name: download ${{ matrix.target }} binary
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: ${{ matrix.target }}-binary
           path: dist
@@ -331,7 +331,7 @@ jobs:
           EOF
           sc secrets reveal
       - name: Setup Docker Buildx with advanced caching
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
         with:
           driver-opts: |
             image=moby/buildkit:buildx-stable-1
@@ -378,7 +378,7 @@ jobs:
           printf '%s@%s\n' "$IMAGE_REPO" "$DIGEST" > "digests/${{ matrix.target }}.txt"
       - name: Upload digest artifact for ${{ matrix.target }}
         if: steps.build_and_push.outcome == 'success'
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: image-digest-${{ matrix.target }}
           path: digests/${{ matrix.target }}.txt
@@ -414,12 +414,12 @@ jobs:
         with:
           persist-credentials: false
       - name: download all sc platform artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           path: artifacts
           pattern: sc-*
       - name: download bin tools artifact
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: bin-tools
           path: bin

.github/workflows/branch.yaml

@@ -11,6 +11,9 @@ name: Build simple-container in branch
 on:
   workflow_dispatch:
   pull_request:
+    # `labeled` is required so a codeowner adding the `ci-run` label
+    # re-triggers the workflow on an open Dependabot PR (see gate below).
+    types: [opened, synchronize, reopened, labeled]
     branches:
       - 'main'
       - 'staging'
@@ -22,8 +25,22 @@ permissions:
   contents: read
 
 jobs:
+  # Cost gate: Dependabot PRs don't see `secrets.SC_CONFIG` (lives in the
+  # repo-secret namespace, not the `dependabot` one), so build-setup
+  # always fails on them. Worse, this workflow runs on paid Blacksmith
+  # runners — every Dependabot bot PR was burning Blacksmith minutes on
+  # a doomed build. Skip the whole pipeline by default for Dependabot;
+  # a codeowner adds the `ci-run` label when they want to actually
+  # validate a bump (e.g. before merging the consolidated dep PR). All
+  # downstream jobs `needs: build-setup`, so they cascade-skip; the
+  # `finalize` aggregator below has the same guard so it doesn't fire a
+  # spurious "build failed" Telegram on the cascade.
   build-setup:
     name: Build Setup (clean, tools, schemas, lint, fmt)
+    if: >-
+      github.event_name != 'pull_request' ||
+      github.event.pull_request.user.login != 'dependabot[bot]' ||
+      contains(github.event.pull_request.labels.*.name, 'ci-run')
     runs-on: blacksmith-8vcpu-ubuntu-2204
     outputs:
       cicd-bot-telegram-token: ${{ steps.telegram-secrets.outputs.cicd-bot-telegram-token }}
@@ -94,7 +111,7 @@ jobs:
           echo "cicd-bot-telegram-token=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-token)" >> $GITHUB_OUTPUT
           echo "cicd-bot-telegram-chat-id=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-chat-id)" >> $GITHUB_OUTPUT
       - name: upload bin directory artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: bin-tools
           path: bin
@@ -136,7 +153,7 @@ jobs:
           go build -ldflags "-s -w" -o dist/${GOOS}-${GOARCH}/sc${EXT} ./cmd/sc
           tar -czf .sc/stacks/dist/bundle/sc-${GOOS}-${GOARCH}.tar.gz -C dist/${GOOS}-${GOARCH} sc${EXT}
       - name: upload build artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: sc-${{ matrix.os }}-${{ matrix.arch }}
           path: .sc/stacks/dist/bundle/sc-${{ matrix.os }}-${{ matrix.arch }}.tar.gz
@@ -172,7 +189,7 @@ jobs:
         run: |
           go build -a -installsuffix cgo -ldflags "-s -w" -o ${{ matrix.output }} ./cmd/${{ matrix.cmd }}
       - name: upload ${{ matrix.target }} binary
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: ${{ matrix.target }}-binary
           path: ${{ matrix.output }}
@@ -195,7 +212,7 @@ jobs:
           mkdir -p bin
           go build -ldflags "-s -w" -a -installsuffix cgo -o bin/github-actions ./cmd/github-actions
       - name: upload github-actions-staging binary
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: github-actions-staging-binary
           path: bin/github-actions
@@ -220,7 +237,16 @@ jobs:
   finalize:
     name: Finalize build in branch
     runs-on: ubuntu-latest
-    if: ${{ always() }}
+    # Match the build-setup gate: skip on Dependabot PRs without the
+    # `ci-run` label so we don't post a "build failed" sticky comment
+    # for a pipeline that was intentionally never run.
+    if: >-
+      always() &&
+      (
+        github.event_name != 'pull_request' ||
+        github.event.pull_request.user.login != 'dependabot[bot]' ||
+        contains(github.event.pull_request.labels.*.name, 'ci-run')
+      )
     permissions:
       contents: write
     needs:

.github/workflows/build-staging.yml

@@ -61,7 +61,7 @@ jobs:
           echo "🏷️ Set VERSION: $VERSION"
 
       - name: Cache CLI tools (SC + Welder)
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0 (Automatically uses Blacksmith cache on Blacksmith runners)
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v4.3.0 (Automatically uses Blacksmith cache on Blacksmith runners)
         with:
           path: |
             ~/.local/bin/sc
@@ -90,7 +90,7 @@ jobs:
           echo "cicd-bot-telegram-chat-id=$(sc stack secret-get -s dist cicd-bot-telegram-chat-id)" >> $GITHUB_OUTPUT
 
       - name: Setup Docker Buildx with advanced caching
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
         with:
           driver-opts: |
             image=moby/buildkit:buildx-stable-1

.github/workflows/fuzz.yml

@@ -114,7 +114,7 @@ jobs:
       # re-fuzzing.
       - name: Upload crash corpus
         if: failure()
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: fuzz-crash-corpus-${{ github.run_id }}
           path: pkg/security/testdata/fuzz/

.github/workflows/govulncheck.yml

@@ -49,6 +49,25 @@ jobs:
   govulncheck:
     name: govulncheck (reachability-aware)
     runs-on: ubuntu-24.04
+    # Locally `govulncheck -mode=source ./...` on this module peaks at
+    # ~13.5 GB RSS over ~12 min (full call-graph construction across
+    # pulumi v3, k8s.io, aws-sdk-v2, langchaingo, etc — 492 require lines
+    # post-PR #279). GH-hosted ubuntu-24.04 has 16 GB RAM minus 2-3 GB
+    # for OS + runner agent, so peak crosses the OOM cliff right around
+    # the 3-min mark — every prior run on this PR died there with
+    # "runner has received a shutdown signal" (the kernel killing the
+    # runner agent process). 20 minutes is the soft cap so the GC-paced
+    # variant below has room to finish on the first try.
+    timeout-minutes: 20
+    env:
+      # Soft-cap Go's heap so the GC runs more aggressively as we
+      # approach the limit. 12 GiB keeps us comfortably below the
+      # runner's available RAM. Trades wall time for memory safety.
+      GOMEMLIMIT: 12GiB
+      # Default GOGC is 100 (collect when heap doubles). 25 collects
+      # 4x more often — extra CPU for the assurance that RSS doesn't
+      # balloon past GOMEMLIMIT between collection cycles.
+      GOGC: "25"
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -62,9 +81,12 @@ jobs:
           cache: true
 
       - name: Install govulncheck
+        # SHA-pin govulncheck to satisfy Scorecard's Pinned-Dependencies
+        # check (was the sole `goCommand not pinned by hash` warning).
+        # v1.3.0 → 0782b76014f15f24e22a438f30f308df42899ba1
         run: |
           set -euo pipefail
-          go install golang.org/x/vuln/cmd/govulncheck@latest
+          go install golang.org/x/vuln/cmd/govulncheck@0782b76014f15f24e22a438f30f308df42899ba1  # v1.3.0
           govulncheck -version
 
       - name: Run govulncheck on source

.github/workflows/push.yaml

@@ -38,7 +38,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Get next version
-        uses: reecetech/version-increment@71036b212bbdc100b48aae069870f10953433346  # 2023.10.2
+        uses: reecetech/version-increment@a29aa752dc3b8118a2dc2ed93faf0e95a73a9c7e  # 2024.10.1
         id: version
         with:
           scheme: "calver"
@@ -118,12 +118,12 @@ jobs:
           echo "cicd-bot-telegram-token=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-token)" >> $GITHUB_OUTPUT
           echo "cicd-bot-telegram-chat-id=$(./bin/sc stack secret-get -s dist cicd-bot-telegram-chat-id)" >> $GITHUB_OUTPUT
       - name: save schemas cache
-        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+        uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: docs/schemas
           key: schemas-${{ github.run_id }}
       - name: upload bin directory artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: bin-tools
           path: bin
@@ -267,7 +267,7 @@ jobs:
             echo "All tarball attestation steps succeeded for ${{ matrix.os }}/${{ matrix.arch }}."
           fi
       - name: upload build artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: sc-${{ matrix.os }}-${{ matrix.arch }}
           # Match both versioned (sc-os-arch-vX.Y.Z.tar.gz) AND unversioned (sc-os-arch.tar.gz).
@@ -316,7 +316,7 @@ jobs:
         run: |
           go build -a -installsuffix cgo -ldflags "-s -w -X=github.com/simple-container-com/api/internal/build.Version=${VERSION}" -o ${{ matrix.output }} ./cmd/${{ matrix.cmd }}
       - name: upload ${{ matrix.target }} binary
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: ${{ matrix.target }}-binary
           path: ${{ matrix.output }}
@@ -352,7 +352,7 @@ jobs:
         with:
           persist-credentials: false
       - name: restore cached schemas
-        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830  # v4.3.0
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae  # v5.0.5
         with:
           path: docs/schemas
           key: schemas-${{ github.run_id }}
@@ -372,7 +372,7 @@ jobs:
           # / arm64 / arm/v5 / arm/v7 / 386 / ppc64le / riscv64 / s390x.
           docker run --rm -v $PWD/docs:/docs -w /docs python@sha256:401f6e1a67dad31a1bd78e9ad22d0ee0a3b52154e6bd30e90be696bb6a3d7461 sh -c "pip install --require-hashes -r requirements.txt && PATH=\$PATH:~/.local/bin mkdocs build"
       - name: upload docs artifact
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: docs-site
           path: docs/site
@@ -426,13 +426,13 @@ jobs:
           persist-credentials: false
       - name: download github-actions binary
         if: matrix.image == 'github-actions'
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: github-actions-binary
           path: dist
       - name: download cloud-helpers binary
         if: matrix.image == 'cloud-helpers-aws'
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: cloud-helpers-binary
           path: dist
@@ -448,7 +448,7 @@ jobs:
           EOF
           sc secrets reveal
       - name: Setup Docker Buildx with advanced caching
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f  # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd  # v4.0.0
         with:
           driver-opts: |
             image=moby/buildkit:buildx-stable-1
@@ -509,7 +509,7 @@ jobs:
           printf '%s@%s\n' "$IMAGE_REPO" "$DIGEST" > "digests/${{ matrix.image }}.txt"
       - name: Upload digest artifact for ${{ matrix.image }}
         if: steps.build_and_push.outcome == 'success'
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: image-digest-${{ matrix.image }}
           path: digests/${{ matrix.image }}.txt
@@ -555,7 +555,7 @@ jobs:
           EOF
           sc secrets reveal
       - name: download sc tarball artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           # Filter to sc-* artifacts only — without a pattern, this step
           # also pulls the build-push-action's internal `*.dockerbuild`
@@ -569,14 +569,14 @@ jobs:
           pattern: sc-*
           path: artifacts
       - name: download bin tools artifact
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: bin-tools
           path: bin
       - name: fix bin tools permissions
         run: chmod +x bin/*
       - name: download docs artifact
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           name: docs-site
           path: docs/site

.github/workflows/scorecard.yml

@@ -61,7 +61,7 @@ jobs:
           category: scorecard
 
       - name: Upload artifact (debugging)
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
         with:
           name: scorecard-results
           path: results.sarif

.github/workflows/security-scan.yml

@@ -25,3 +25,8 @@ jobs:
         docs/docs/guides/parent-gcp-gke-autopilot\.md
         pkg/api/secrets/testdata/repo/
         pkg/provisioner/testdata/
+        # Go module-checksum file. TruffleHog's CloudflareApiToken
+        # detector pattern-matches against the base64 `h1:` hashes
+        # in go.sum (PR #279 flagged a pulumi-cloudflare hash).
+        # The hashes are SHA-256 of module contents, not credentials.
+        go\.sum

.github/workflows/verify-attestations.yml

@@ -120,7 +120,7 @@ jobs:
         id: download_digests
         if: github.event_name == 'workflow_run'
         continue-on-error: true
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
         with:
           pattern: image-digest-*
           path: image-digests

caddy.Dockerfile

@@ -4,15 +4,15 @@
 # Bumping requires editing all three "2.11.x" sites below (two FROMs + xcaddy).
 # Refresh: docker buildx imagetools inspect caddy:X.Y.Z[-builder]
 
-FROM caddy:2.11.3-builder@sha256:14f5b3ecb208d45a37bc26435a8c0c29181de98115358b4b863c6ec5801116a5 AS builder
+FROM caddy:2.11.3-builder@sha256:f96a3b748f2ce4e5f6595453615da734b93993b231213fe35d0673893b5613ef AS builder
 
 RUN --mount=type=cache,target=/go/pkg/mod,sharing=locked \
     --mount=type=cache,target=/root/.cache,sharing=locked \
     xcaddy build "v2.11.3" \
         --with github.com/grafana/certmagic-gcs@v0.1.7 \
     && caddy version
 
-FROM caddy:2.11.3@sha256:3739ea4f0c877259a693d932693cf8f3408e9a9497c004f031b0e830e93e1546
+FROM caddy:2.11.3@sha256:ec18ee54aab3315c22e25f3b2babda73ff8007d39b13b3bd1bfffa2f0444c7d9
 
 RUN apk update && apk upgrade --no-cache && rm -rf /var/cache/apk/*