chore(deps): Bump the actions group with 3 updates#22
Merged
mastermanas805 merged 3 commits intoJun 3, 2026
Conversation
Bumps the actions group with 3 updates: [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer), [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) and [crate-ci/typos](https://github.com/crate-ci/typos). Updates `sigstore/cosign-installer` from 3.9.1 to 4.1.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@398d4b0...6f9f177) Updates `goreleaser/goreleaser-action` from 6.4.0 to 7.2.2 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](goreleaser/goreleaser-action@e435ccd...5daf1e9) Updates `crate-ci/typos` from 1.46.3 to 1.47.1 - [Release notes](https://github.com/crate-ci/typos/releases) - [Changelog](https://github.com/crate-ci/typos/blob/master/CHANGELOG.md) - [Commits](crate-ci/typos@v1.46.3...v1.47.1) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: crate-ci/typos dependency-version: 1.47.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
mastermanas805
added a commit
that referenced
this pull request
Jun 3, 2026
…b vulns) (#23) The govulncheck and osv-scan required checks fail on both master and Dependabot PR #22 due to two Go stdlib vulnerabilities present in the go1.25.10 toolchain that CI builds with: - GO-2026-5039 (net/textproto): arbitrary inputs included in errors without escaping. Fixed in go1.25.11. - GO-2026-5037 (crypto/x509): inefficient candidate hostname parsing. Fixed in go1.25.11. These are stdlib vulns, not module deps, so they are unrelated to the actions-group bump in #22. govulncheck.yml resolves its toolchain from go.mod (go-version-file + check-latest), so bumping the toolchain directive to go1.25.11 clears both checks and unblocks master and #22. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
mastermanas805
added a commit
that referenced
this pull request
Jun 3, 2026
) golangci-lint runs with version:latest, so a newer staticcheck (2.12.2) now flags SA5011 (possible nil pointer dereference) on the idiomatic `got := f(); if got == nil { t.Fatalf(...) }; got.X` test pattern in cmd/integration_test.go and internal/tokens/store_test.go. A nil deref in a test panics and fails the test loudly — benign test noise, not a production-safety signal. This reds lint on master (and every PR) on a fresh run, independent of any code change. Add the by-check `_test.go` SA5011 exclusion the api repo already carries (see memory project_golangci_lint_cache_masks_sa5011). Production SA5011 still fails the build — scoped to tests only, not a wholesale staticcheck disable. Unblocks the stuck dependabot actions-bump PR #22 and any future cli PR. Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps the actions group with 3 updates: sigstore/cosign-installer, goreleaser/goreleaser-action and crate-ci/typos.
Updates
sigstore/cosign-installerfrom 3.9.1 to 4.1.2Release notes
Sourced from sigstore/cosign-installer's releases.
... (truncated)
Commits
6f9f177Bump cosign to 3.0.6 (#232)b5e753aBump actions/github-script from 8.0.0 to 9.0.0 (#230)115e4ceBump actions/setup-go from 6.3.0 to 6.4.0 (#226)cad07c2chore: update default cosign-release to v3.0.5 (#223)ba7bc0afix: add retry to curl downloads for transient network failures (#210)5a292e1Bump cosign to 3.0.5 (#220)351ea76Bump actions/checkout from 6.0.1 to 6.0.2 (#217)c17565ftest with go 1.26 too (#221)a6fdd19Bump actions/setup-go from 6.1.0 to 6.3.0 (#218)430b6a7docs: fix registry from gcr.io to ghcr.io (#213)Updates
goreleaser/goreleaser-actionfrom 6.4.0 to 7.2.2Release notes
Sourced from goreleaser/goreleaser-action's releases.
... (truncated)
Commits
5daf1e9fix: nightly resolution to select newest published release (#562)5cc7ebbci: update actions702f5f9ci(deps): bump the actions group with 3 updates (#560)1a80836ci(nightly): pass GITHUB_TOKEN to nightly integration joba71152erefactor: drop legacy 'nightly' tag fallback4c6ab56feat: resolve nightly to latest vX.Y.Z-<sha>-nightly release (#558)4f96abffeat: addversion-fileinput (#556)15fa2a9test: cover install across release eras (#555)e24998bci: drop pre-cosign-v3 goreleaser versions from tests (#554)be2e8a3docs: document cosign verification in README (#553)Updates
crate-ci/typosfrom 1.46.3 to 1.47.1Release notes
Sourced from crate-ci/typos's releases.
Changelog
Sourced from crate-ci/typos's changelog.
Commits
44e2070chore: Releasee10d108docs: Update changelog06f8734Merge pull request #1566 from epage/fixa12d104fix(dict): Don't correct requestors823a0a4chore(deps): Update compatible (#1564)f8a58b6chore: Release52ee9d7chore: Releasef1aafeadocs: Update changelog0d2e4afMerge pull request #1563 from epage/mayd818ce0feat(dict): May updatesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions