Bump github.com/go-git/go-git/v5 from 5.13.1 to 5.16.5 #162
Closed
dependabot[bot] wants to merge 2 commits into
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.13.1 to 5.16.5.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.13.1...v5.16.5)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.16.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Cre-eD added a commit that referenced this pull request on May 6, 2026
Phase 1 of CIS Docker Benchmark + OWASP Container Top 10 hardening pass.

All 5 published images rebuilt; baseline → hardened CVE counts:
  kubectl: 1H → 0
  cloud-helpers: 4H → 4H (glibc fix not yet in AL2023 dnf, deferred)
  caddy: 48 (5H/5M/3L+stdlib+core) → 10 (upstream transitives)
  github-actions: 38 (13 alpine + 25 binary + 2 secrets) → 2 (deferred)
  github-actions-staging: same as prod (synced)

Dockerfile changes (CIS 4.1/4.2/4.3/4.6/4.7/4.9, OWASP Container 02):
- All FROM bases pinned by @sha256: digest
- Pulumi installer replaced with checksum-verified tarball download (no more `curl | sh`); checksums fetched per-version from GitHub Releases pulumi-${VERSION}-checksums.txt
- Google Cloud SDK pinned to 567.0.0 with inline SHA-256 ARG
- github-actions(+staging) split into builder/runtime stages; runtime drops py3-pip, binutils, upx, bundledpythonunix; image 1.51GB→1.24GB
- urllib3 dummyserver test fixtures (Trivy "secret" findings) removed
- kubectl runs as non-root UID 10001
- Caddy bumped 2.8.4 → 2.11.2; certmagic-gcs 0.1.2 → 0.1.7
- Alpine 3.19 → 3.21 in github-actions(+staging) (clears musl, openssh, busybox CVEs)
- HEALTHCHECK added to kubectl, caddy, github-actions(+staging)
- cloud-helpers ADD → COPY

Go module bumps (clears 25 CVEs in the baked github-actions binary):
  google.golang.org/grpc 1.72.1 → 1.80.0 (CRIT CVE-2026-33186)
  go.opentelemetry.io/otel 1.36.0 → 1.43.0 (HIGH CVE-2026-29181)
  go.opentelemetry.io/otel/sdk 1.36.0 → 1.43.0 (HIGH CVE-2026-24051, CVE-2026-39883)
  github.com/go-git/go-git/v5 5.13.1 → 5.18.0 (HIGH CVE-2026-25934, CVE-2026-34165, CVE-2026-41506)
  github.com/go-jose/go-jose/v3 3.0.4 → 3.0.5 (HIGH CVE-2026-34986)
  github.com/go-jose/go-jose/v4 4.1.3 → 4.1.4 (HIGH CVE-2026-34986)
  github.com/aws/aws-sdk-go-v2 1.26.1 → 1.41.5 (MED GHSA-xmrv-pmrh-hhx2)
  github.com/aws/aws-sdk-go-v2/service/s3 1.53.1 → 1.97.3 (MED GHSA-xmrv-pmrh-hhx2)
  github.com/cloudflare/circl 1.6.1 → 1.6.3 (LOW CVE-2026-1229)
  toolchain go1.25.1 → go1.25.9 (clears ~15 stdlib CVEs incl. crypto/tls, crypto/x509, encoding/pem, net/url, html/template)

Supersedes Dependabot PR #162 (go-git 5.13.1 → 5.16.5 — insufficient, needed 5.18.0 for CVE-2026-41506).

Deferred (no upstream fix available):
- github.com/docker/docker CVE-2026-34040/33997: Trivy points to v29.3.1 but only v28.5.2+incompatible is published on proxy.golang.org. Reachability: pkg/clouds/pulumi/docker/pull.go uses Docker client for image pulls in Pulumi flows; auth-bypass is exploitable only against a malicious Docker daemon.
- glibc CVE-2026-4046 in cloud-helpers: AL2023 dnf has not yet shipped 2.34-231.amzn2023.0.4. Hardened Dockerfile runs `dnf upgrade` and will pick up the fix automatically. Reachability: glibc iconv() DoS via crafted charset; cloud-helpers Go binary doesn't call iconv. LOW risk.
- Caddy upstream transitive deps in 2.11.2 binary (10 vulns): xcaddy can override direct deps via --with but not transitives in Caddy core's go.mod. Closes when Caddy 2.11.3+ ships.
Cre-eD added a commit that referenced this pull request on May 7, 2026
…se 1) (#227)

## Summary

Phase 1 of a CIS Docker Benchmark + OWASP Container Top 10 hardening pass on this repo's published artifacts. All 5 published images rebuilt; CVE counts before → after:

| Image | Before | After | Notes |
|---|---|---|---|
| `simplecontainer/kubectl` | 1 HIGH | **0** | clean |
| `simplecontainer/cloud-helpers:aws-*` | 4 HIGH | 4 HIGH (deferred) | glibc fix not yet in AL2023 dnf — auto-applies on next rebuild |
| `simplecontainer/caddy` | 48 (5H/5M/3L + Caddy core + Go stdlib) | 10 (upstream transitives) | Caddy 2.8.4 → 2.11.2 |
| `simplecontainer/github-actions` | 38 (13 alpine + 25 binary + 2 secrets) | **2** (deferred) | image 1.51GB → 1.24GB |
| `simplecontainer/github-actions:staging` | same as prod | same as prod | synced |

**Grype cross-check (`--only-fixed`):** kubectl / caddy / github-actions / staging — `No vulnerabilities found`. cloud-helpers — only the deferred glibc.

Supersedes Dependabot PR #162 (go-git 5.13.1 → 5.16.5 was insufficient; this PR moves to 5.18.0 to clear CVE-2026-41506).

## Fixed — Dockerfile changes (CIS Docker Benchmark §4)

| CIS | What changed |
|---|---|
| 4.1 | `kubectl` runs as non-root UID 10001 |
| 4.2 / 4.7 | All `FROM` bases pinned by `@sha256:` digest (no floating tags) |
| 4.3 | Multi-stage rewrite of `github-actions(+staging).Dockerfile`: builder keeps `binutils`, `upx`, `python3` for `gcloud components install`; runtime drops them and `py3-pip`. `bundledpythonunix` and `urllib3` dummyserver test fixtures removed |
| 4.6 | `HEALTHCHECK` added to kubectl, caddy, github-actions(+staging) |
| 4.9 | `cloud-helpers.aws.Dockerfile`: `ADD` → `COPY` |
| SSCS §5 | Pulumi installer replaced with verified tarball download (per-version `pulumi-${VERSION}-checksums.txt` from GitHub Releases). Google Cloud SDK pinned to 567.0.0 with inline SHA-256 ARG. **No remaining `curl \| sh`** in any Dockerfile |
| OWASP Container 02 | Every third-party download verified before use |

Caddy upgraded 2.8.4 → 2.11.2, certmagic-gcs 0.1.2 → 0.1.7. Alpine 3.19 → 3.21 for github-actions(+staging) (clears `musl`, `openssh-client-common`, `busybox` CVEs).

## Fixed — Go module bumps (clears CVEs in the baked `github-actions` binary)

| Module | Before → After | Severity |
|---|---|---|
| `google.golang.org/grpc` | 1.72.1 → 1.80.0 | **CRITICAL** (CVE-2026-33186) |
| `go.opentelemetry.io/otel` | 1.36.0 → 1.43.0 | HIGH (CVE-2026-29181) |
| `go.opentelemetry.io/otel/sdk` | 1.36.0 → 1.43.0 | HIGH (CVE-2026-24051, CVE-2026-39883) |
| `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` | 1.36.0 → 1.43.0 | MEDIUM (CVE-2026-39882) |
| `github.com/go-git/go-git/v5` | 5.13.1 → 5.18.0 | HIGH (CVE-2026-25934, 34165, 41506) + LOW (CVE-2026-33762) |
| `github.com/go-jose/go-jose/v3` | 3.0.4 → 3.0.5 | HIGH (CVE-2026-34986) |
| `github.com/go-jose/go-jose/v4` | 4.1.3 → 4.1.4 | HIGH (CVE-2026-34986) |
| `github.com/aws/aws-sdk-go-v2` | 1.26.1 → 1.41.5 | MEDIUM (GHSA-xmrv-pmrh-hhx2) |
| `github.com/aws/aws-sdk-go-v2/service/s3` | 1.53.1 → 1.97.3 | MEDIUM (GHSA-xmrv-pmrh-hhx2) |
| `github.com/cloudflare/circl` | 1.6.1 → 1.6.3 | LOW (CVE-2026-1229) |
| `toolchain` | go1.25.1 → go1.25.9 | clears ~15 Go stdlib CVEs (`crypto/tls`, `crypto/x509`, `encoding/pem`, `net/url`, `html/template`, `archive/tar`, ...) |

## Deferred (no upstream fix available)

| Finding | Severity | Why | Reachability | When to revisit |
|---|---|---|---|---|
| `github.com/docker/docker` CVE-2026-34040 / 33997 | HIGH / MEDIUM | Trivy points to v29.3.1 but only `v28.5.2+incompatible` is published on `proxy.golang.org`. The Moby project may publish v29 later or under a new module path. | Used by `pkg/clouds/pulumi/docker/pull.go` for Pulumi image pulls. Auth-bypass is exploitable only against a malicious Docker daemon authorizing plugin install — not the case in our pipelines. | Re-check `go list -m -versions github.com/docker/docker` next pass |
| `glibc` CVE-2026-4046 in cloud-helpers AL2023 base | HIGH | AL2023 dnf has not yet shipped 2.34-231.amzn2023.0.4. Hardened Dockerfile already runs `dnf upgrade` so it will auto-apply on next image rebuild after Amazon publishes. | iconv() DoS via attacker-controlled charset; cloud-helpers Go Lambda runner doesn't call iconv. **LOW risk in this image.** | Next image rebuild after Amazon publishes (typically days/weeks) |
| Caddy 2.11.2 transitive deps (10 vulns) | 2C / 4H / 3M / 1L | xcaddy can override direct deps via `--with` but not arbitrary transitives in Caddy core's `go.mod` without forking. | Property of the upstream Caddy core build. | Caddy 2.11.3+ release |
| Caddy non-root USER | n/a | Requires `setcap CAP_NET_BIND_SERVICE` on binary plus coordinating cert/state directory ownership with consumer-mounted volumes. | n/a | Phase 2+ |
| github-actions non-root USER | n/a | GitHub docker-action runners mount `/github/workspace` as root; non-root USER triggers `safe.directory` failures and write-permission errors. | n/a | Track upstream GitHub guidance |

## Dependabot reconciliation

- **PR #162** (`go-git 5.13.1 → 5.16.5`): superseded by this PR (we move to 5.18.0 — needed for CVE-2026-41506 which 5.16.5 doesn't fix). Will be auto-closed when this PR merges; will leave a comment when ready.

## Evidence

```
# Trivy summary — kubectl
Before: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
After:  0

# Trivy summary — github-actions
Before: 13 alpine + 25 binary + 2 secrets (incl. 2 CRIT, 10 HIGH in binary)
After:  0 alpine + 2 binary + 0 secrets (only deferred docker/docker)

# Grype --only-fixed cross-check
sca-test/kubectl:hardened                 No vulnerabilities found
sca-test/cloud-helpers:hardened           glibc … (deferred)
sca-test/caddy:hardened                   No vulnerabilities found
sca-test/github-actions:hardened          No vulnerabilities found
sca-test/github-actions:staging-hardened  No vulnerabilities found

# Image size
simplecontainer/github-actions:latest  1.51 GB
sca-test/github-actions:hardened       1.24 GB (-280 MB)
```

## Test plan

- [ ] CI builds all 5 images successfully on this branch (push.yaml docker-build matrix)
- [ ] `simplecontainer/github-actions:hardened` boots — `docker run … --version` works
- [ ] Pulumi flows still execute against new gcloud 567.0.0 + Pulumi 3.184.0 (auto-extracted from go.mod)
- [ ] Smoke test in [push.yaml](.github/workflows/push.yaml) builds — schema-gen, golangci-lint, go test all pass against bumped go.mod
- [ ] Branch preview run validates new images end-to-end before merge
- [ ] After merge, monitor Dependabot alerts auto-close on default branch

## Next phases (tracked separately)

2. Self-attest own artifacts — sign + scan + SBOM + SLSA provenance for `simplecontainer/*` images and `sc.tar.gz` tarballs
3. Workflow least-privilege & pinning — drop root `contents: write`, SHA-pin third-party actions, fix `pull_request` secret exposure, remove `--allow-insecure-entitlement`
4. Repo controls — CODEOWNERS, SECURITY.md, expanded Dependabot, CodeQL, gosec, branch rulesets
5. Code-level fixes — HMAC for `pkg/security/cache.go` tamper detection
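The May 6 commit message and the #227 description above both describe replacing `curl | sh` with a checksum-verified tarball download checked against a per-version `pulumi-${VERSION}-checksums.txt`. The script below is an added example of that verification step, not the project's Dockerfile code. It assumes the checksums file is in `sha256sum` output format (`<hex-digest>  <filename>`), and the release name, file bytes and second checksum entry are constructed fixtures with a placeholder version string rather than a real Pulumi release.

```shell
#!/usr/bin/env sh
# Added example (not the project's code): verify a downloaded release tarball
# against a per-version checksums file before extracting it.
# Assumption: the checksums file is in `sha256sum` format, one entry per line.

# Print the SHA-256 hex digest of a file (coreutils, with a macOS fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_tarball <tarball> <checksums-file>
# Succeeds only when the checksums file names the tarball's basename exactly
# once and the digest matches. A missing entry is a failure, not a skip:
# silently passing an unlisted file would let whoever serves the download
# bypass the check by renaming the artifact.
verify_tarball() {
  local tarball="$1" checksums="$2" name expected actual
  name=$(basename "$tarball")
  # Strip sha256sum's binary-mode marker (*) before comparing filenames.
  expected=$(awk -v n="$name" '{ sub(/^\*/, "", $2) } $2 == n { print $1 }' "$checksums")
  if [ -z "$expected" ]; then
    echo "verify_tarball: no checksum entry for $name" >&2
    return 1
  fi
  if [ "$(printf '%s\n' "$expected" | wc -l | tr -d ' ')" -ne 1 ]; then
    echo "verify_tarball: ambiguous checksum entries for $name" >&2
    return 1
  fi
  actual=$(sha256_of "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "verify_tarball: digest mismatch for $name" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
  fi
  return 0
}

# Build a constructed fixture: a "release" file, a tampered copy with the same
# name, and a checksums file generated from the intact copy plus one unrelated
# entry. Prints the fixture directory. The version string is a placeholder.
make_fixture() {
  local root name
  root=$(mktemp -d)
  name="pulumi-v0.0.0-linux-x64.tar.gz"
  mkdir -p "$root/good" "$root/tampered"
  printf 'constructed release bytes\n' > "$root/good/$name"
  printf 'constructed release bytes, altered in transit\n' > "$root/tampered/$name"
  {
    printf '%s  %s\n' "$(sha256_of "$root/good/$name")" "$name"
    printf '%s  %s\n' "$(sha256_of "$root/good/$name")" "pulumi-v0.0.0-darwin-arm64.tar.gz"
  } > "$root/checksums.txt"
  echo "$root"
}

# Stand-alone demonstration: the intact copy passes; the tampered copy and a
# file absent from the checksums list are both rejected.
demo() {
  local root name
  root=$(make_fixture)
  name="pulumi-v0.0.0-linux-x64.tar.gz"
  verify_tarball "$root/good/$name" "$root/checksums.txt" && echo "intact tarball: verified"
  verify_tarball "$root/tampered/$name" "$root/checksums.txt" 2>/dev/null || echo "tampered tarball: rejected"
  verify_tarball "$root/good/unlisted.tar.gz" "$root/checksums.txt" 2>/dev/null || echo "unlisted file: rejected"
  rm -rf "$root"
}

demo
```

In a Dockerfile `RUN` step this function would run after fetching both the tarball and the checksums file and before `tar -xzf`, under `set -e` so a non-zero return aborts the build. The checksums file is only as trustworthy as the channel it came from, so it belongs to the same TLS-served release page as the tarball, not to a mirror or a CDN path an attacker could influence independently.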
Cre-eD added a commit that referenced this pull request on May 16, 2026
Comprehensive SCA pass on top of the Go 1.25.10 + go-billy 5.9.0 work in this PR's first commit. Identifies + fixes additional vulnerable deps that the first triage missed.

## go-git/v5 5.18.0 → 5.19.0

CVE-2026-45022 (HIGH) — go-git's improper parsing of specially crafted objects may lead to inconsistent interpretation compared to upstream Git. Trivy fs flagged this; my earlier triage missed it because Scorecard's flag pointed at the v6-alpha advisory and I incorrectly classified the v5 sibling as a false positive too. Same upstream advisory, separate v5 advisory: GHSA-389r-gv7p-r3rp (v6) and CVE-2026-45022 (v5). Fix is in 5.19.0.

## Caddy 2.11.2 → 2.11.3 (caddy.Dockerfile)

Caddy 2.11.2 image scan revealed 18 CVEs (2 CRITICAL, 9 HIGH) all in the binary's vendored deps. Caddy 2.11.3 released after our Phase 1 lock; it bumps:
- go-jose/v4 4.1.3 → 4.1.4 (CVE-2026-34986 HIGH)
- otel + otel/sdk 1.42→1.43 (CVE-2026-29181, CVE-2026-39883 HIGH)
- smallstep/certificates 0.30.0-rc3 → 0.30.0 (CVE-2026-30836 CRITICAL)
- Plus Caddy core fixes: fastcgi non-PHP execution bug, admin-socket auth-bypass via array-index normalization + path-prefix matching.

Source: https://github.com/caddyserver/caddy/releases/tag/v2.11.3

Updated all three sites (builder FROM + final FROM + xcaddy build arg) per the in-file note. New digests resolved via Docker Hub registry API on 2026-05-16.

## Net source-side state after this commit
- trivy fs: 0 vulnerabilities (was 1 HIGH = CVE-2026-45022, now fixed)
- govulncheck: 0 reachable; 2 unreachable in modules (the documented aws-sdk-go v1 s3crypto false positives)

## Image-side state (verify post-rebuild)

Each prod image at v2026.5.14:
  kubectl 8 (5H/3M) — all upstream kubectl-binary stdlib@1.26.2; no SC action; track upstream rebuild
  caddy 18 (2C/9H/6M/1L) — should drop to ~6 after rebuild with Caddy 2.11.3 (this PR)
  github-actions 27 (17H/10M) — 7 fixed by Go 1.25.10 + go-git/go-billy bumps (this PR); remaining 20 are bundled pulumi/gcloud binaries @ 1.26.2 (upstream)
  cloud-helpers 17 (9H/8M) — glibc 2.34-231.amzn2023.0.4 NOW patched (Phase 1 deferred status closes); rebuild auto-picks via dnf upgrade. Plus stdlib fixed by Go 1.25.10.

## Dependabot reconciliation

| PR | What | Verdict |
|---|---|---|
| #162 | go-git/v5 5.13.1 → 5.16.5 | SUPERSEDED — we're at 5.19.0 now |
| #237 | pulumi-command/sdk 0.9.2 → 1.2.1 | LET STAND |
| #242 | alpine 3.21 → 3.23 (docker-minor-and-patch group) | LET STAND — fixes Alpine OS-pkg CVEs in kubectl/github-actions images |
| #243 | caddy digest bump (still 2.11.2) | SUPERSEDED — this PR bumps to 2.11.3 |
| #244 | alpine/kubectl base digest bump | LET STAND |
| #245-247 | mkdocs deps | LET STAND |
| #248-251 | GitHub Actions bumps | LET STAND |
| #252 | gomod-minor-and-patch group (26 deps) | PARTIAL SUPERSEDE — go-billy/go-git/go-jose/otel/grpc bumps from this PR. Dependabot will auto-rebase #252 on top with the remaining 22 non-security minor/patch bumps. |
| #233 | reecetech/version-increment | LET STAND |

## Validation
- `go build ./...` clean
- `go vet ./...` clean
- `go test -short ./pkg/security/...` — all 8 packages PASS
- `govulncheck ./...` — 0 reachable
- `trivy fs` — 0 findings (any severity)

Refs HARDENING.md Phase 8 Scorecard climb plan.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Cre-eD added a commit that referenced this pull request on May 16, 2026
…addy 2.11.3 (#261)

## SCA pass — comprehensive deps + image scan

Goes beyond the initial Scorecard `Vulnerabilities` fix to address **every** vulnerable dep found across source + 4 published images, all severities. Per the `feedback_all_severities` rule.

Two commits in this PR:
1. Go 1.25.9 → **1.25.10** + go-billy/v5 5.8.0 → **5.9.0**
2. go-git/v5 5.18.0 → **5.19.0** + Caddy `caddy.Dockerfile` 2.11.2 → **2.11.3**

## Source-side (govulncheck + trivy fs)

| Before | After |
|---|---|
| 6 reachable stdlib HIGH/MEDIUM + 1 HIGH go-git in `trivy fs` | **0 trivy fs findings · 0 reachable govulncheck** |

### Reachable Go stdlib (6, all fixed by Go 1.25.10)

| Advisory | Module | Severity | Call path govulncheck traced |
|---|---|---|---|
| GO-2026-4986 | `net/mail` consumeComment — quadratic concat | HIGH | `pulumi.init` → `mail.ParseAddress` |
| GO-2026-4977 | `net/mail` consumePhrase — quadratic concat | HIGH | same |
| GO-2026-4982 | `html/template` meta-content URL escaping bypass | HIGH | `mcp.Start` → `http.Server.Serve` → `template.Execute` |
| GO-2026-4980 | `html/template` escaper bypass | HIGH | same |
| GO-2026-4971 | `net` Dial / LookupPort NUL-byte panic | HIGH | many call sites (aws, mongo, mcp) |
| GO-2026-4918 | `net/http` HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite loop | HIGH | many call sites |

### Reachable Go-deps (3 fixed, 2 documented)

| Advisory | Module | Old → New | Status |
|---|---|---|---|
| GHSA-m3xc-h892-ggx6 | `go-git/go-billy/v5 < 5.9.0` | 5.8.0 → 5.9.0 | ✅ fixed |
| GHSA-qw64-3x98-g7q2 | `go-git/go-billy/v5 < 5.9.0` | 5.8.0 → 5.9.0 | ✅ fixed |
| **CVE-2026-45022** | `go-git/go-git/v5 < 5.19.0` | 5.18.0 → 5.19.0 | ✅ fixed (trivy fs flagged) |
| GO-2022-0635 | `aws-sdk-go v1 service/s3/s3crypto` | n/a | ❌ FALSE POSITIVE — we import aws-sdk-go v1 for cloudtrail code but NOT `s3crypto`. govulncheck reachability confirms 0 hits. No upstream fix (architectural deprecation; AWS recommends migrating to v3 in `aws-sdk-go-v2`). Documented; standalone migration PR tracked. |
| GO-2022-0646 | same as above | n/a | ❌ FALSE POSITIVE — same |

(GHSA-389r-gv7p-r3rp / CVE-2026-45022 — initial triage misread the GHSA as a v6-alpha flag; the Dependabot record makes clear it is the v5 advisory. Bumping to 5.19.0 closes it.)

## Image-side (Trivy + Grype on the 4 v2026.5.14 published images)

| Image | Before (v2026.5.14) | Source of fix | After next release |
|---|---|---|---|
| **simplecontainer/kubectl** | 8 (5H/3M) — all `kubectl` binary stdlib@1.26.2 | Upstream kubectl needs Go 1.26.3 rebuild | unchanged this PR; track upstream |
| **simplecontainer/caddy** | 18 (2C/9H/6M/1L) — all Caddy 2.11.2 vendored deps | **Caddy 2.11.3 bump in this PR** | drops to ~6 (residual: grpc 1.79.1 — Caddy 2.11.3 ships only 1.79.0; tracked upstream) |
| **simplecontainer/github-actions** | 27 (17H/10M) — 7 our binary, 20 bundled gcloud/pulumi | Our 7 fixed by Go 1.25.10 + go-git/go-billy in this PR; rest are upstream | drops to ~20 |
| **simplecontainer/cloud-helpers** | 17 (9H/8M) — 4× glibc, 4× curl/krb5/libgcrypt (AL2023 now patched!), 8× stdlib in cloud-helpers binary | AL2023 `dnf upgrade` auto-picks patched packages; Go 1.25.10 fixes the binary | drops to ~0 |

### Phase 1 deferred items — status check

Reviewed all four Phase 1 deferred items per HARDENING.md:

| Phase 1 deferred | Now |
|---|---|
| `glibc` CVE-2026-4046 (HIGH, AL2023 pending) | ✅ **AL2023 published 2.34-231.amzn2023.0.4** — picked up automatically by Dockerfile's `dnf upgrade` on next rebuild |
| Caddy 2.11.2 upstream transitives (2C/4H/3M/1L originally) | 🟡 **Caddy 2.11.3 ships partial fix** (this PR); residual ~6 vulns track Caddy 2.11.4+ |
| `docker/docker` CVE-2026-34040 / CVE-2026-33997 | ❓ Re-check via `go list -m -versions github.com/docker/docker` — separate triage. Was migrated to `github.com/moby/moby` in PR #238; need to re-verify reachability. |
| Caddy non-root USER | ⏳ Phase 6 (TUF + distro repackaging) |
| github-actions non-root USER | ⏳ Track upstream GitHub Actions OIDC/userns guidance |

## Dependabot security alerts addressed

Three OPEN Dependabot alerts as of this PR — all close automatically when this merges to `main`:

| Alert | GHSA | CVE | Sev | Package | Fixed in | Source of fix in this PR |
|---|---|---|---|---|---|---|
| [#62](https://github.com/simple-container-com/api/security/dependabot/62) | GHSA-389r-gv7p-r3rp | CVE-2026-45022 | HIGH | `github.com/go-git/go-git/v5` | 5.19.0 | ✅ `go.mod`: 5.18.0 → 5.19.0 |
| [#63](https://github.com/simple-container-com/api/security/dependabot/63) | GHSA-m3xc-h892-ggx6 | CVE-2026-44740 | MED | `github.com/go-git/go-billy/v5` | 5.9.0 | ✅ `go.mod`: 5.8.0 → 5.9.0 |
| [#64](https://github.com/simple-container-com/api/security/dependabot/64) | GHSA-qw64-3x98-g7q2 | CVE-2026-44973 | HIGH | `github.com/go-git/go-billy/v5` | 5.9.0 | ✅ `go.mod`: 5.8.0 → 5.9.0 |

What each one is:
- **GHSA-389r-gv7p-r3rp** — go-git parses specially-crafted objects inconsistently with upstream Git, which can cause divergent state on a clone. Reachable via the SC `welder` git-driver path.
- **GHSA-m3xc-h892-ggx6** — go-billy lacks depth/cycle detection in symlink resolution; a crafted repo can spin the resolver into infinite loops / resource exhaustion. Reachable via `welder` clone.
- **GHSA-qw64-3x98-g7q2** — go-billy path-traversal across multiple components (`osfs.ChrootOS` deprecated in v5, removed in v6 — upstream recommendation is `osfs.New(path, WithBoundOS())`). Reachable via `welder` clone.

(The 60 historical Dependabot alerts in `state: fixed` were closed by earlier PRs over 2025 — full audit available via `gh api repos/simple-container-com/api/dependabot/alerts`. No additional outstanding security alerts remain after this PR.)

## Dependabot PR reconciliation

| PR | What | Verdict |
|---|---|---|
| [#162](#162) | go-git/v5 5.13.1 → 5.16.5 | **SUPERSEDED** — now at 5.19.0 |
| [#237](#237) | pulumi-command/sdk 0.9.2 → 1.2.1 | LET STAND |
| [#242](#242) | alpine 3.21 → 3.23 (docker-minor-and-patch group) | **LET STAND + merge first** — fixes Alpine OS-pkg CVEs in kubectl/github-actions images |
| [#243](#243) | caddy digest bump (still 2.11.2) | **SUPERSEDED** — this PR bumps to 2.11.3 |
| [#244](#244) | alpine/kubectl base digest bump | LET STAND |
| #245-247 | mkdocs deps | LET STAND (docs/) |
| #248-251 | GitHub Actions bumps | LET STAND |
| [#252](#252) | gomod-minor-and-patch group (26 deps) | **PARTIAL SUPERSEDE** — go-billy / go-git / go-jose / otel / grpc bumps from this PR. Dependabot will auto-rebase #252 on top with the remaining ~22 non-security bumps. |
| [#233](#233) | reecetech/version-increment | LET STAND |

## Scorecard `Vulnerabilities` projection

| State | Score |
|---|---|
| Pre-PR (5 advisories flagged) | 5/10 |
| Post-PR + Scorecard rescan | **9-10/10** (3 advisories remaining are documented false-positives + Scorecard's go-git/v6 flag, all reachability-clean per govulncheck) |

## Validation
- `go build ./...` clean
- `go vet ./...` clean (no output)
- `go test -short ./pkg/security/...` — all 8 packages PASS (29 tests; HMAC integrity cache from PR #254 still green)
- `govulncheck ./...` — **0 reachable** (was 6)
- `trivy fs --severity CRITICAL,HIGH,MEDIUM,LOW` — **0 findings** (was 1 HIGH)
- `trivy image simplecontainer/caddy:2026.5.14` — flagged 18; expected ~6 after Caddy 2.11.3 rebuild
- `trivy image simplecontainer/cloud-helpers:aws-2026.5.14` — flagged 17; expected ~0 after rebuild (AL2023 + Go 1.25.10)

## Follow-ups out of this PR's scope
- **aws-sdk-go v1 → v2 migration** — 3 `.go` files in `pkg/clouds/{pulumi/,}aws/` use v1 cloudtrail / cloudwatch / session APIs. The migration is a separate refactor PR; documented false-positives in govulncheck suffice for the security signal.
- **`docker/docker` reachability re-check** — verify if PR #238's moby/moby migration cleared the original CVE.
- **github-actions image bundled binaries** (pulumi, gcloud) — Track upstream rebuilds with Go 1.26.3.
- **kubectl base bump** — Dependabot #244 will pick it up.

Refs HARDENING.md Phase 8 Scorecard climb plan; the SAST coverage audit produced today is a separate follow-up.

---------

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Cre-eD added a commit that referenced this pull request on May 20, 2026
…label (#279)

## Summary

- **Consolidates 12 open Dependabot PRs into one merge** so we pay for CI / review once instead of 12+ times. Closes #275 #276 #274 #242 #243 #244 #233 #237 #248 #249 #250 #251 (and the stale #162, superseded by the gomod group in #275).
- **Gates `branch.yaml` (Blacksmith / paid) on Dependabot PRs behind a `ci-run` label**, so future Dependabot PRs stop burning multi-vCPU minutes on a doomed build (they can't decrypt `secrets.SC_CONFIG`). Cheap PR workflows (CodeQL, Semgrep, govulncheck, Fuzz, TruffleHog, DCO) still run on every Dependabot PR — they're free-tier and catch the supply-chain risk that matters for a bump.
- **Adapts three upstream API breaks** that this bump batch introduces (disgo, pulumi-cloudflare, pulumi backend) — `go build ./...` and tests compile clean.

## What's bumped

### Go modules (group #275, post-tidy)

24 direct + transitive: `cloud.google.com/go/storage` 1.49.0→1.62.2 · `aws/aws-lambda-go` 1.47.0→1.54.0 · `aws/aws-sdk-go-v2/config` 1.29.7→1.32.17 · `cloudflare/cloudflare-go` 0.104.0→0.116.0 · `disgoorg/disgo` 0.18.5→0.19.3 · `fatih/color` 1.18.0→1.19.0 · `go-git/go-git/v5` 5.19.0→5.19.1 (also #276) · `onsi/gomega` 1.38.2→1.41.0 · `pulumi-aws/sdk/v6` 6.83.0→6.83.3 · `pulumi-cloudflare/sdk/v6` 6.2.0→6.15.0 · `pulumi-docker/sdk/v4` 4.5.8→4.11.2 · `pulumi-gcp/sdk/v8` 8.0.0→8.41.1 · `pulumi-kubernetes/sdk/v4` 4.18.1→4.31.0 · `pulumi-mongodbatlas/sdk/v3` 3.30.0→3.38.0 · `pulumi-random/sdk/v4` 4.17.0→4.20.0 · `pulumi/pkg/v3` 3.184.0→3.241.0 · `pulumi/sdk/v3` 3.214.0→3.241.0 · `samber/lo` 1.38.1→1.53.0 · `tmc/langchaingo` 0.1.13→0.1.14 · `mongo-driver` 1.16.1→1.17.9 · `k8s.io/apimachinery` 0.35.0→0.36.1 · `k8s.io/client-go` 0.35.0→0.36.1 · others.

Major bump (out of group): `pulumi/pulumi-command/sdk` 0.9.2→1.2.1 (#237).

### Docker (group #242 + digests #243 #244)

- `alpine` 3.21 → 3.23 (`github-actions.Dockerfile`, `github-actions-staging.Dockerfile`)
- `caddy` digest `14f5b3e` → `f96a3b7`
- `alpine/kubectl` digest `e9acf90` → `405e713`

### Python docs (group #274)

3 updates in `docs/requirements.in` / `docs/requirements.txt`.

### GitHub Actions

- `actions/upload-artifact` v4.6.2 → v7.0.1 (#251)
- `actions/download-artifact` v4.3.0 → v8.0.1 (#249)
- `actions/cache` v4.3.0 → v5.0.5 (#248)
- `docker/setup-buildx-action` v3.12.0 → v4.0.0 (#250)
- `reecetech/version-increment` 2023.10.2 → 2024.10.1 (#233)

## Upstream API breaks adapted in `83401af`

| Dep | Break | Fix |
|---|---|---|
| `disgoorg/disgo` 0.19 | `webhook.Client` interface → struct | Field type `*webhook.Client` |
| `disgoorg/disgo` 0.19 | `CreateMessage` gained required `rest.CreateWebhookMessageParams` arg | Pass empty `rest.CreateWebhookMessageParams{}` |
| `pulumi-cloudflare/sdk` v6.15 | `LookupZoneResult.ZoneId` `*string` → `string` | Drop `lo.FromPtr(...)` wrapper at 4 sites |
| `pulumi/pkg/v3` v3.241 | `backend.RemoveStack` gained `removeBackups bool` arg | Pass `false, false` (preserve no-backup-delete behaviour) |

## CI gate — what changes

```yaml
# .github/workflows/branch.yaml
on:
  pull_request:
    types: [opened, synchronize, reopened, labeled]   # `labeled` re-triggers

jobs:
  build-setup:
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.user.login != 'dependabot[bot]' ||
      contains(github.event.pull_request.labels.*.name, 'ci-run')
```

`finalize` carries the same guard so a Dependabot PR doesn't get a "build failed" Telegram sticky for a pipeline that was intentionally never run.

**Operationally** — when a future Dependabot PR (or another consolidated batch like this one) needs full Blacksmith validation before merge, add the `ci-run` label and the workflow re-fires on label.

## Test plan

- [x] `go build ./...` clean (local Go 1.26, CI uses 1.25)
- [x] `go test -count=1 -run '^$' -vet=off ./...` (compile every test binary) clean
- [ ] Add `ci-run` label to this PR (it's authored by a human, not Dependabot, so the gate is inert — CI runs anyway) and let `branch.yaml` produce a real green build
- [ ] Verify the Blacksmith build's `build-setup` decrypts `SC_CONFIG` correctly (Dependabot's failure mode was secret access, not code)
- [ ] After merge: confirm next Monday's Dependabot PRs land with the heavy workflow showing as skipped (cascade from `build-setup`) and only cheap CI fires

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
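The #227 hardening pass above pins every `FROM` base by `@sha256:` digest (CIS 4.2 / 4.7), and the #279 batch bumps those digests. A digest bump is only safe if no `FROM` silently falls back to a floating tag afterwards, so the script below is an added example of a lint for that property; it is not part of the project's CI. It walks a Dockerfile, skips `--platform=` flags, tracks `AS <alias>` stages so a multi-stage `FROM builder` is not reported, ignores `FROM scratch`, and flags any remaining reference without `@sha256:`. The sample Dockerfile and its all-zero digest are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not the project's code): report FROM instructions that are
# not pinned by @sha256: digest. Stage aliases and `scratch` are not pulls and
# are therefore not reported.

# unpinned_from <Dockerfile>
# Prints one line per unpinned FROM and returns 1 if any were found, 0 otherwise.
unpinned_from() {
  local file="$1" rc=0 stages=" " line img
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      [Ff][Rr][Oo][Mm][[:space:]]*) ;;   # a FROM instruction, any case
      *) continue ;;
    esac
    set -f                                # no glob expansion while splitting
    set -- $line                          # $1=FROM, then flags and operands
    set +f
    shift
    while [ $# -gt 0 ]; do                # skip flags such as --platform=linux/amd64
      case "$1" in --*) shift ;; *) break ;; esac
    done
    img=${1:-}
    # `FROM <image> AS <alias>` defines a stage; later `FROM <alias>` is a
    # reference to that stage, not an image pull.
    if [ $# -ge 3 ] && [ "$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" = "as" ]; then
      stages="$stages$3 "
    fi
    case "$stages" in *" $img "*) continue ;; esac
    case "$img" in
      *@sha256:*) ;;                      # pinned by digest
      scratch) ;;                         # empty base, nothing to pin
      *) printf '%s: unpinned FROM %s\n' "$file" "$img"; rc=1 ;;
    esac
  done < "$file"
  return $rc
}

# Write a constructed Dockerfile covering the pinned, unpinned, stage-reference
# and scratch cases; prints its path. The digest is a 64-zero placeholder.
write_sample_dockerfile() {
  local f zero
  f=$(mktemp)
  zero=$(printf '%064d' 0)
  cat > "$f" <<EOF
# builder: pinned by digest, with a platform flag and a stage alias
FROM --platform=linux/amd64 golang:1.25-alpine@sha256:$zero AS builder
RUN echo build

# floating tag: must be reported
FROM alpine:3.21
COPY --from=builder /out /out

# stage reference, not a pull
FROM builder AS tests

# empty base, nothing to pin
FROM scratch

# floating tag with an alias, lowercase keyword: must be reported
from caddy:2.11.3 as runtime
EOF
  echo "$f"
}

# Stand-alone demonstration on the constructed Dockerfile.
demo() {
  local f
  f=$(write_sample_dockerfile)
  if unpinned_from "$f"; then
    echo "all FROM instructions are digest-pinned"
  else
    echo "unpinned FROM instructions found (listed above)"
  fi
  rm -f "$f"
}

demo
```

In CI, `unpinned_from path/to/Dockerfile || exit 1` fails the job as soon as a floating tag appears. An `ARG`-substituted reference such as `FROM ${BASE}` is reported too, because the digest is not visible on that line; that is the conservative outcome, and the fix is to carry the `@sha256:` suffix on the `FROM` line itself rather than inside the build argument.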
Bumps github.com/go-git/go-git/v5 from 5.13.1 to 5.16.5.

Release notes
Sourced from github.com/go-git/go-git/v5's releases.
... (truncated)

Commits
- 48a1ae0 Merge pull request #1836 from go-git/check-v5
- 42bdf1f storage: filesystem, Verify idx matches pack file
- 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
- 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
- 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
- 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
- 390a569 Merge pull request #1746 from pjbgf/bump-go
- 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
- e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
- 1495930 plumbing: Remove use of non-constant format strings

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.