
Bump github.com/go-git/go-git/v5 from 5.13.1 to 5.16.5 #162

Closed

dependabot[bot] wants to merge 2 commits into main from dependabot/go_modules/github.com/go-git/go-git/v5-5.16.5

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Feb 21, 2026

Bumps github.com/go-git/go-git/v5 from 5.13.1 to 5.16.5.

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.5

What's Changed

Full Changelog: go-git/go-git@v5.16.4...v5.16.5

v5.16.4

What's Changed

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

What's Changed

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

v5.16.2

What's Changed

Full Changelog: go-git/go-git@v5.16.1...v5.16.2

v5.16.1

What's Changed

New Contributors

Full Changelog: go-git/go-git@v5.16.0...v5.16.1

v5.16.0

What's Changed

... (truncated)

Commits
  • 48a1ae0 Merge pull request #1836 from go-git/check-v5
  • 42bdf1f storage: filesystem, Verify idx matches pack file
  • 4146a56 plumbing: format/idxfile, Verify idxfile's checksum
  • 63d78ec plumbing: format/packfile, Add new ErrMalformedPackFile
  • 25f1624 Merge pull request #1800 from Ch00k/no-delete-untracked-v5
  • 600fb13 git: worktree, Don't delete local untracked files when resetting worktree
  • 390a569 Merge pull request #1746 from pjbgf/bump-go
  • 61c8b85 build: Bump Go test versions to 1.23-1.25 (v5)
  • e5a05ec Merge pull request #1744 from go-git/renovate/releases/v5.x-go-golang.org-x-c...
  • 1495930 plumbing: Remove use of non-constant format strings
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file go Pull requests that update go code labels Feb 21, 2026
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/go-git/go-git/v5-5.16.5 branch from d21aac4 to 85822fe Compare February 28, 2026 06:41
Bumps [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) from 5.13.1 to 5.16.5.
- [Release notes](https://github.com/go-git/go-git/releases)
- [Commits](go-git/go-git@v5.13.1...v5.16.5)

---
updated-dependencies:
- dependency-name: github.com/go-git/go-git/v5
  dependency-version: 5.16.5
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/go_modules/github.com/go-git/go-git/v5-5.16.5 branch from 85822fe to 7a5e378 Compare March 22, 2026 09:29
Cre-eD added a commit that referenced this pull request May 6, 2026
Phase 1 of CIS Docker Benchmark + OWASP Container Top 10 hardening pass.
All 5 published images rebuilt; baseline → hardened CVE counts:

  kubectl:           1H → 0
  cloud-helpers:     4H → 4H (glibc fix not yet in AL2023 dnf, deferred)
  caddy:             48 (5H/5M/3L+stdlib+core) → 10 (upstream transitives)
  github-actions:    38 (13 alpine + 25 binary + 2 secrets) → 2 (deferred)
  github-actions-staging: same as prod (synced)

Dockerfile changes (CIS 4.1/4.2/4.3/4.6/4.7/4.9, OWASP Container 02):
  - All FROM bases pinned by @sha256: digest
  - Pulumi installer replaced with checksum-verified tarball download
    (no more `curl | sh`); checksums fetched per-version from GitHub
    Releases pulumi-${VERSION}-checksums.txt
  - Google Cloud SDK pinned to 567.0.0 with inline SHA-256 ARG
  - github-actions(+staging) split into builder/runtime stages; runtime
    drops py3-pip, binutils, upx, bundledpythonunix; image 1.51GB→1.24GB
  - urllib3 dummyserver test fixtures (Trivy "secret" findings) removed
  - kubectl runs as non-root UID 10001
  - Caddy bumped 2.8.4 → 2.11.2; certmagic-gcs 0.1.2 → 0.1.7
  - Alpine 3.19 → 3.21 in github-actions(+staging) (clears musl, openssh,
    busybox CVEs)
  - HEALTHCHECK added to kubectl, caddy, github-actions(+staging)
  - cloud-helpers ADD → COPY

Go module bumps (clears 25 CVEs in the baked github-actions binary):
  google.golang.org/grpc          1.72.1 → 1.80.0   (CRIT CVE-2026-33186)
  go.opentelemetry.io/otel        1.36.0 → 1.43.0   (HIGH CVE-2026-29181)
  go.opentelemetry.io/otel/sdk    1.36.0 → 1.43.0   (HIGH CVE-2026-24051,
                                                          CVE-2026-39883)
  github.com/go-git/go-git/v5     5.13.1 → 5.18.0   (HIGH CVE-2026-25934,
                                                          CVE-2026-34165,
                                                          CVE-2026-41506)
  github.com/go-jose/go-jose/v3   3.0.4  → 3.0.5    (HIGH CVE-2026-34986)
  github.com/go-jose/go-jose/v4   4.1.3  → 4.1.4    (HIGH CVE-2026-34986)
  github.com/aws/aws-sdk-go-v2    1.26.1 → 1.41.5   (MED  GHSA-xmrv-pmrh-hhx2)
  github.com/aws/aws-sdk-go-v2/service/s3
                                  1.53.1 → 1.97.3   (MED  GHSA-xmrv-pmrh-hhx2)
  github.com/cloudflare/circl     1.6.1  → 1.6.3    (LOW  CVE-2026-1229)
  toolchain                       go1.25.1 → go1.25.9 (clears ~15 stdlib
                                                       CVEs incl. crypto/tls,
                                                       crypto/x509,
                                                       encoding/pem,
                                                       net/url, html/template)

Supersedes Dependabot PR #162 (go-git 5.13.1 → 5.16.5 — insufficient,
needed 5.18.0 for CVE-2026-41506).

Deferred (no upstream fix available):
  - github.com/docker/docker CVE-2026-34040/33997: Trivy points to v29.3.1
    but only v28.5.2+incompatible is published on proxy.golang.org.
    Reachability: pkg/clouds/pulumi/docker/pull.go uses Docker client for
    image pulls in Pulumi flows; auth-bypass is exploitable only against a
    malicious Docker daemon.
  - glibc CVE-2026-4046 in cloud-helpers: AL2023 dnf has not yet shipped
    2.34-231.amzn2023.0.4. Hardened Dockerfile runs `dnf upgrade` and will
    pick up the fix automatically. Reachability: glibc iconv() DoS via
    crafted charset; cloud-helpers Go binary doesn't call iconv. LOW risk.
  - Caddy upstream transitive deps in 2.11.2 binary (10 vulns): xcaddy
    can override direct deps via --with but not transitives in Caddy
    core's go.mod. Closes when Caddy 2.11.3+ ships.
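As an added example (not the project's Dockerfiles or CI, and not the author's code), a POSIX shell lint for the "All FROM bases pinned by @sha256: digest" item in the commit message above: it walks a Dockerfile, ignores stage references and `scratch`, and reports every `FROM` that still pulls by floating tag, so the CIS 4.2/4.7 state can be enforced rather than just asserted once. Function names and the fixture Dockerfile are constructed for this example; the digest in the fixture is a placeholder, not a real image.

```shell
#!/bin/sh
# Added example (not the project's Dockerfiles or CI, not the author's code):
# fail a build when any FROM pulls an image by floating tag instead of an
# @sha256 digest, the CIS 4.2/4.7 item in the commit above. Stage references
# (FROM builder) and scratch are skipped because they are not registry pulls.
# Function names and the fixture Dockerfile below are constructed.
set -eu

# list_unpinned_from DOCKERFILE: print every FROM image reference that lacks a
# full @sha256:<64 hex> digest, one per line. An ARG-indirected base such as
# FROM ${BASE} is reported too, since the lint cannot see its value.
list_unpinned_from() {
  file=$1
  stages=" scratch "            # names that never need a digest
  set -f                        # no globbing while word-splitting lines
  while IFS= read -r line || [ -n "$line" ]; do
    set -- $line
    [ "$#" -ge 2 ] || continue
    case "$1" in FROM|from|From) shift ;; *) continue ;; esac
    # skip instruction flags such as --platform=$BUILDPLATFORM
    while [ "$#" -gt 0 ]; do
      case "$1" in --*) shift ;; *) break ;; esac
    done
    [ "$#" -ge 1 ] || continue
    ref=$1
    alias=""
    if [ "$#" -ge 3 ]; then
      case "$2" in AS|as|As) alias=$3 ;; esac
    fi
    case "$stages" in *" $ref "*) is_stage=1 ;; *) is_stage=0 ;; esac
    # register this stage's alias so later "FROM alias" lines are not flagged
    [ -z "$alias" ] || stages="$stages$alias "
    [ "$is_stage" -eq 0 ] || continue
    printf '%s' "$ref" | grep -Eq '@sha256:[0-9a-f]{64}$' || printf '%s\n' "$ref"
  done < "$file"
  set +f
}

# check_from_pins DOCKERFILE: CI-friendly wrapper, non-zero exit if anything
# is unpinned.
check_from_pins() {
  bad=$(list_unpinned_from "$1")
  if [ -n "$bad" ]; then
    printf 'unpinned FROM in %s:\n%s\n' "$1" "$bad" >&2
    return 1
  fi
  printf 'all FROM lines in %s are digest-pinned\n' "$1"
}

# write_fixture FILE: constructed Dockerfile with a pinned base behind a
# --platform flag, two floating tags, a stage reference and scratch. The
# digest is a placeholder, not a real image.
write_fixture() {
  cat > "$1" <<'EOF'
ARG CADDY_VERSION=2.11.3
FROM --platform=$BUILDPLATFORM golang:1.25-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS builder
RUN echo build
FROM alpine:3.21 AS runtime
FROM builder AS tools
from caddy:2.11.2
FROM scratch
EOF
}

# Stand-alone run: the fixture is expected to fail the lint.
f=$(mktemp)
write_fixture "$f"
check_from_pins "$f" || echo "lint failed as intended for the fixture"
rm -f "$f"
```

Run it over every `*.Dockerfile` in a pre-commit hook or a cheap PR workflow; a Dependabot digest bump then only ever changes the hex after `@sha256:`, and a tag-only bump is caught before it reaches the registry pull.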
Cre-eD added a commit that referenced this pull request May 7, 2026
…se 1) (#227)

## Summary

Phase 1 of a CIS Docker Benchmark + OWASP Container Top 10 hardening
pass on this repo's published artifacts. All 5 published images rebuilt;
CVE counts before → after:

| Image | Before | After | Notes |
|---|---|---|---|
| `simplecontainer/kubectl` | 1 HIGH | **0** | clean |
| `simplecontainer/cloud-helpers:aws-*` | 4 HIGH | 4 HIGH (deferred) | glibc fix not yet in AL2023 dnf — auto-applies on next rebuild |
| `simplecontainer/caddy` | 48 (5H/5M/3L + Caddy core + Go stdlib) | 10 (upstream transitives) | Caddy 2.8.4 → 2.11.2 |
| `simplecontainer/github-actions` | 38 (13 alpine + 25 binary + 2 secrets) | **2** (deferred) | image 1.51GB → 1.24GB |
| `simplecontainer/github-actions:staging` | same as prod | same as prod | synced |

**Grype cross-check (`--only-fixed`):** kubectl / caddy / github-actions
/ staging — `No vulnerabilities found`. cloud-helpers — only the
deferred glibc.

Supersedes Dependabot PR #162 (go-git 5.13.1 → 5.16.5 was insufficient;
this PR moves to 5.18.0 to clear CVE-2026-41506).

## Fixed — Dockerfile changes (CIS Docker Benchmark §4)

| CIS | What changed |
|---|---|
| 4.1 | `kubectl` runs as non-root UID 10001 |
| 4.2 / 4.7 | All `FROM` bases pinned by `@sha256:` digest (no floating tags) |
| 4.3 | Multi-stage rewrite of `github-actions(+staging).Dockerfile`: builder keeps `binutils`, `upx`, `python3` for `gcloud components install`; runtime drops them and `py3-pip`. `bundledpythonunix` and `urllib3` dummyserver test fixtures removed |
| 4.6 | `HEALTHCHECK` added to kubectl, caddy, github-actions(+staging) |
| 4.9 | `cloud-helpers.aws.Dockerfile`: `ADD` → `COPY` |
| SSCS §5 | Pulumi installer replaced with verified tarball download (per-version `pulumi-${VERSION}-checksums.txt` from GitHub Releases). Google Cloud SDK pinned to 567.0.0 with inline SHA-256 ARG. **No remaining `curl \| sh`** in any Dockerfile |
| OWASP Container 02 | Every third-party download verified before use |

Caddy upgraded 2.8.4 → 2.11.2, certmagic-gcs 0.1.2 → 0.1.7. Alpine 3.19
→ 3.21 for github-actions(+staging) (clears `musl`,
`openssh-client-common`, `busybox` CVEs).

## Fixed — Go module bumps (clears CVEs in the baked `github-actions`
binary)

| Module | Before → After | Severity |
|---|---|---|
| `google.golang.org/grpc` | 1.72.1 → 1.80.0 | **CRITICAL** (CVE-2026-33186) |
| `go.opentelemetry.io/otel` | 1.36.0 → 1.43.0 | HIGH (CVE-2026-29181) |
| `go.opentelemetry.io/otel/sdk` | 1.36.0 → 1.43.0 | HIGH (CVE-2026-24051, CVE-2026-39883) |
| `go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp` | 1.36.0 → 1.43.0 | MEDIUM (CVE-2026-39882) |
| `github.com/go-git/go-git/v5` | 5.13.1 → 5.18.0 | HIGH (CVE-2026-25934, 34165, 41506) + LOW (CVE-2026-33762) |
| `github.com/go-jose/go-jose/v3` | 3.0.4 → 3.0.5 | HIGH (CVE-2026-34986) |
| `github.com/go-jose/go-jose/v4` | 4.1.3 → 4.1.4 | HIGH (CVE-2026-34986) |
| `github.com/aws/aws-sdk-go-v2` | 1.26.1 → 1.41.5 | MEDIUM (GHSA-xmrv-pmrh-hhx2) |
| `github.com/aws/aws-sdk-go-v2/service/s3` | 1.53.1 → 1.97.3 | MEDIUM (GHSA-xmrv-pmrh-hhx2) |
| `github.com/cloudflare/circl` | 1.6.1 → 1.6.3 | LOW (CVE-2026-1229) |
| `toolchain` | go1.25.1 → go1.25.9 | clears ~15 Go stdlib CVEs (`crypto/tls`, `crypto/x509`, `encoding/pem`, `net/url`, `html/template`, `archive/tar`, ...) |

## Deferred (no upstream fix available)

| Finding | Severity | Why | Reachability | When to revisit |
|---|---|---|---|---|
| `github.com/docker/docker` CVE-2026-34040 / 33997 | HIGH / MEDIUM | Trivy points to v29.3.1 but only `v28.5.2+incompatible` is published on `proxy.golang.org`. The Moby project may publish v29 later or under a new module path. | Used by `pkg/clouds/pulumi/docker/pull.go` for Pulumi image pulls. Auth-bypass is exploitable only against a malicious Docker daemon authorizing plugin install — not the case in our pipelines. | Re-check `go list -m -versions github.com/docker/docker` next pass |
| `glibc` CVE-2026-4046 in cloud-helpers AL2023 base | HIGH | AL2023 dnf has not yet shipped 2.34-231.amzn2023.0.4. Hardened Dockerfile already runs `dnf upgrade` so it will auto-apply on next image rebuild after Amazon publishes. | iconv() DoS via attacker-controlled charset; cloud-helpers Go Lambda runner doesn't call iconv. **LOW risk in this image.** | Next image rebuild after Amazon publishes (typically days/weeks) |
| Caddy 2.11.2 transitive deps (10 vulns) | 2C / 4H / 3M / 1L | xcaddy can override direct deps via `--with` but not arbitrary transitives in Caddy core's `go.mod` without forking. | Property of the upstream Caddy core build. | Caddy 2.11.3+ release |
| Caddy non-root USER | n/a | Requires `setcap CAP_NET_BIND_SERVICE` on binary plus coordinating cert/state directory ownership with consumer-mounted volumes. | n/a | Phase 2+ |
| github-actions non-root USER | n/a | GitHub docker-action runners mount `/github/workspace` as root; non-root USER triggers `safe.directory` failures and write-permission errors. | n/a | Track upstream GitHub guidance |

## Dependabot reconciliation

- **PR #162** (`go-git 5.13.1 → 5.16.5`): superseded by this PR (we move
to 5.18.0 — needed for CVE-2026-41506 which 5.16.5 doesn't fix). Will be
auto-closed when this PR merges; will leave a comment when ready.

## Evidence

```
# Trivy summary — kubectl
Before: 1 (LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)
After:  0

# Trivy summary — github-actions
Before: 13 alpine + 25 binary + 2 secrets (incl. 2 CRIT, 10 HIGH in binary)
After:  0 alpine + 2 binary + 0 secrets (only deferred docker/docker)

# Grype --only-fixed cross-check
sca-test/kubectl:hardened                 No vulnerabilities found
sca-test/cloud-helpers:hardened           glibc … (deferred)
sca-test/caddy:hardened                   No vulnerabilities found
sca-test/github-actions:hardened          No vulnerabilities found
sca-test/github-actions:staging-hardened  No vulnerabilities found

# Image size
simplecontainer/github-actions:latest    1.51 GB
sca-test/github-actions:hardened         1.24 GB  (-280 MB)
```

## Test plan

- [ ] CI builds all 5 images successfully on this branch (push.yaml
docker-build matrix)
- [ ] `simplecontainer/github-actions:hardened` boots — `docker run …
--version` works
- [ ] Pulumi flows still execute against new gcloud 567.0.0 + Pulumi
3.184.0 (auto-extracted from go.mod)
- [ ] Smoke test in [push.yaml](.github/workflows/push.yaml) builds —
schema-gen, golangci-lint, go test all pass against bumped go.mod
- [ ] Branch preview run validates new images end-to-end before merge
- [ ] After merge, monitor Dependabot alerts auto-close on default
branch

## Next phases (tracked separately)

2. Self-attest own artifacts — sign + scan + SBOM + SLSA provenance for
`simplecontainer/*` images and `sc.tar.gz` tarballs
3. Workflow least-privilege & pinning — drop root `contents: write`,
SHA-pin third-party actions, fix `pull_request` secret exposure, remove
`--allow-insecure-entitlement`
4. Repo controls — CODEOWNERS, SECURITY.md, expanded Dependabot, CodeQL,
gosec, branch rulesets
5. Code-level fixes — HMAC for `pkg/security/cache.go` tamper detection
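The "checksum-verified tarball download (no more `curl | sh`)" line in the May 6 commit message and the SSCS §5 row of the PR description above describe the same replacement. As an added example (not the project's Dockerfile and not the author's code), here is that verification step as a POSIX shell function, exercised against a constructed release layout: a listed tarball, a listed tarball tampered with after the checksums file was written, and an unlisted tarball. Function names, file names and the `<hex>  <filename>` checksums format are assumptions of this example (the format is sha256sum's, which release checksum files commonly use); nothing is downloaded, so it runs offline.

```shell
#!/bin/sh
# Added example (not the project's Dockerfile or the author's code): verify a
# release tarball against its per-version checksums file before unpacking,
# the pattern the commit substitutes for `curl | sh`. Function and file names
# are hypothetical; the checksums format assumed is sha256sum's
# "<hex>  <filename>", one line per artifact.
set -eu

# file_sha256 FILE: lower-case hex SHA-256 via coreutils sha256sum or BSD shasum.
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_release TARBALL CHECKSUMS: succeed only if CHECKSUMS carries exactly
# one entry for TARBALL's basename and that digest matches the file. A missing
# entry is a failure, not a pass, so dropping a line from the file is no bypass.
verify_release() {
  tarball=$1
  sums=$2
  name=$(basename "$tarball")
  # Compare column 2 exactly ("*name" is sha256sum's binary-mode spelling), so
  # an entry for name.sig or name.asc can never stand in for name.
  count=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { c++ } END { print c+0 }' "$sums")
  if [ "$count" -ne 1 ]; then
    echo "expected exactly one checksum entry for $name, found $count" >&2
    return 1
  fi
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1 }' "$sums" | tr 'A-F' 'a-f')
  actual=$(file_sha256 "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected, got $actual" >&2
    return 1
  fi
}

# make_fixture DIR: constructed release layout (not real Pulumi artifacts) with
# a listed tarball, a listed tarball tampered after the checksums were written,
# and a tarball the checksums file never mentions.
make_fixture() {
  d=$1
  mkdir -p "$d/pulumi"
  printf '#!/bin/sh\necho constructed-pulumi\n' > "$d/pulumi/pulumi"
  (cd "$d" && tar czf pulumi-v0.0.0-linux-x64.tar.gz pulumi)
  cp "$d/pulumi-v0.0.0-linux-x64.tar.gz" "$d/pulumi-v0.0.0-darwin-arm64.tar.gz"
  for f in pulumi-v0.0.0-linux-x64.tar.gz pulumi-v0.0.0-darwin-arm64.tar.gz; do
    printf '%s  %s\n' "$(file_sha256 "$d/$f")" "$f"
  done > "$d/pulumi-v0.0.0-checksums.txt"
  printf 'x' >> "$d/pulumi-v0.0.0-darwin-arm64.tar.gz"                          # tampered after listing
  cp "$d/pulumi-v0.0.0-linux-x64.tar.gz" "$d/pulumi-v0.0.0-linux-arm64.tar.gz"  # never listed
}

# Stand-alone run: exercise the three cases.
d=$(mktemp -d)
make_fixture "$d"
for f in pulumi-v0.0.0-linux-x64.tar.gz pulumi-v0.0.0-darwin-arm64.tar.gz pulumi-v0.0.0-linux-arm64.tar.gz; do
  if verify_release "$d/$f" "$d/pulumi-v0.0.0-checksums.txt" 2>/dev/null; then
    echo "verified  $f"
  else
    echo "rejected  $f"
  fi
done
rm -rf "$d"
```

Inside a Dockerfile `RUN` step the same function sits between the `curl -fsSL -o` of the tarball and its checksums file and the `tar -xzf`. One caveat a reviewer would raise: a checksums file fetched from the same release page as the tarball only detects a corrupted or swapped download, not a compromised upstream release, because whoever can replace the tarball can replace the checksums too. Pinning the expected SHA-256 in the Dockerfile itself (the inline ARG approach the PR uses for the Cloud SDK) or verifying a signature closes that gap, at the cost of a manual edit per version bump.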
Cre-eD added a commit that referenced this pull request May 16, 2026
Comprehensive SCA pass on top of the Go 1.25.10 + go-billy 5.9.0 work
in this PR's first commit. Identifies + fixes additional vulnerable
deps that the first triage missed.

## go-git/v5 5.18.0 → 5.19.0

CVE-2026-45022 (HIGH) — go-git's improper parsing of specially crafted
objects may lead to inconsistent interpretation compared to upstream
Git. Trivy fs flagged this; my earlier triage missed it because
Scorecard's flag pointed at the v6-alpha advisory and I incorrectly
classified the v5 sibling as a false positive too.

Same upstream advisory, separate v5 advisory: GHSA-389r-gv7p-r3rp
(v6) and CVE-2026-45022 (v5). Fix is in 5.19.0.

## Caddy 2.11.2 → 2.11.3 (caddy.Dockerfile)

Caddy 2.11.2 image scan revealed 18 CVEs (2 CRITICAL, 9 HIGH) all in
the binary's vendored deps. Caddy 2.11.3 released after our Phase 1
lock; it bumps:
- go-jose/v4 4.1.3 → 4.1.4 (CVE-2026-34986 HIGH)
- otel + otel/sdk 1.42→1.43 (CVE-2026-29181, CVE-2026-39883 HIGH)
- smallstep/certificates 0.30.0-rc3 → 0.30.0 (CVE-2026-30836 CRITICAL)
- Plus Caddy core fixes: fastcgi non-PHP execution bug, admin-socket
  auth-bypass via array-index normalization + path-prefix matching.

Source: https://github.com/caddyserver/caddy/releases/tag/v2.11.3

Updated all three sites (builder FROM + final FROM + xcaddy build arg)
per the in-file note. New digests resolved via Docker Hub registry
API on 2026-05-16.

## Net source-side state after this commit

- trivy fs: 0 vulnerabilities (was 1 HIGH = CVE-2026-45022, now fixed)
- govulncheck: 0 reachable; 2 unreachable in modules (the documented
  aws-sdk-go v1 s3crypto false positives)

## Image-side state (verify post-rebuild)

Each prod image at v2026.5.14:
  kubectl       8 (5H/3M) — all upstream kubectl-binary stdlib@1.26.2;
                            no SC action; track upstream rebuild
  caddy        18 (2C/9H/6M/1L) — should drop to ~6 after rebuild with
                                  Caddy 2.11.3 (this PR)
  github-actions 27 (17H/10M) — 7 fixed by Go 1.25.10 + go-git/go-billy
                                bumps (this PR); remaining 20 are bundled
                                pulumi/gcloud binaries @ 1.26.2 (upstream)
  cloud-helpers 17 (9H/8M) — glibc 2.34-231.amzn2023.0.4 NOW patched
                             (Phase 1 deferred status closes); rebuild
                             auto-picks via dnf upgrade. Plus stdlib
                             fixed by Go 1.25.10.

## Dependabot reconciliation

| PR | What | Verdict |
|---|---|---|
| #162 | go-git/v5 5.13.1 → 5.16.5 | SUPERSEDED — we're at 5.19.0 now |
| #237 | pulumi-command/sdk 0.9.2 → 1.2.1 | LET STAND |
| #242 | alpine 3.21 → 3.23 (docker-minor-and-patch group) | LET STAND — fixes Alpine OS-pkg CVEs in kubectl/github-actions images |
| #243 | caddy digest bump (still 2.11.2) | SUPERSEDED — this PR bumps to 2.11.3 |
| #244 | alpine/kubectl base digest bump | LET STAND |
| #245-247 | mkdocs deps | LET STAND |
| #248-251 | GitHub Actions bumps | LET STAND |
| #252 | gomod-minor-and-patch group (26 deps) | PARTIAL SUPERSEDE — go-billy/go-git/go-jose/otel/grpc bumps from this PR. Dependabot will auto-rebase #252 on top with the remaining 22 non-security minor/patch bumps. |
| #233 | reecetech/version-increment | LET STAND |

## Validation

- `go build ./...` clean
- `go vet ./...` clean
- `go test -short ./pkg/security/...` — all 8 packages PASS
- `govulncheck ./...` — 0 reachable
- `trivy fs` — 0 findings (any severity)

Refs HARDENING.md Phase 8 Scorecard climb plan.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Cre-eD added a commit that referenced this pull request May 16, 2026
…addy 2.11.3 (#261)

## SCA pass — comprehensive deps + image scan

Goes beyond the initial Scorecard `Vulnerabilities` fix to address
**every** vulnerable dep found across source + 4 published images, all
severities. Per the `feedback_all_severities` rule.

Two commits in this PR:
1. Go 1.25.9 → **1.25.10** + go-billy/v5 5.8.0 → **5.9.0**
2. go-git/v5 5.18.0 → **5.19.0** + Caddy `caddy.Dockerfile` 2.11.2 →
**2.11.3**

## Source-side (govulncheck + trivy fs)

| Before | After |
|---|---|
| 6 reachable stdlib HIGH/MEDIUM + 1 HIGH go-git in `trivy fs` | **0 trivy fs findings · 0 reachable govulncheck** |

### Reachable Go stdlib (6, all fixed by Go 1.25.10)

| Advisory | Module | Severity | Call path govulncheck traced |
|---|---|---|---|
| GO-2026-4986 | `net/mail` consumeComment — quadratic concat | HIGH | `pulumi.init` → `mail.ParseAddress` |
| GO-2026-4977 | `net/mail` consumePhrase — quadratic concat | HIGH | same |
| GO-2026-4982 | `html/template` meta-content URL escaping bypass | HIGH | `mcp.Start` → `http.Server.Serve` → `template.Execute` |
| GO-2026-4980 | `html/template` escaper bypass | HIGH | same |
| GO-2026-4971 | `net` Dial / LookupPort NUL-byte panic | HIGH | many call sites (aws, mongo, mcp) |
| GO-2026-4918 | `net/http` HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite loop | HIGH | many call sites |

### Reachable Go-deps (3 fixed, 2 documented)

| Advisory | Module | Old → New | Status |
|---|---|---|---|
| GHSA-m3xc-h892-ggx6 | `go-git/go-billy/v5 < 5.9.0` | 5.8.0 → 5.9.0 | ✅ fixed |
| GHSA-qw64-3x98-g7q2 | `go-git/go-billy/v5 < 5.9.0` | 5.8.0 → 5.9.0 | ✅ fixed |
| **CVE-2026-45022** | `go-git/go-git/v5 < 5.19.0` | 5.18.0 → 5.19.0 | ✅ fixed (trivy fs flagged) |
| GO-2022-0635 | `aws-sdk-go v1 service/s3/s3crypto` | n/a | ❌ FALSE POSITIVE — we import aws-sdk-go v1 for cloudtrail code but NOT `s3crypto`. govulncheck reachability confirms 0 hits. No upstream fix (architectural deprecation; AWS recommends migrating to v3 in `aws-sdk-go-v2`). Documented; standalone migration PR tracked. |
| GO-2022-0646 | same as above | n/a | ❌ FALSE POSITIVE — same |

(GHSA-389r-gv7p-r3rp / CVE-2026-45022 — initial triage misread the GHSA
as a v6-alpha flag; the Dependabot record makes clear it is the v5
advisory. Bumping to 5.19.0 closes it.)

## Image-side (Trivy + Grype on the 4 v2026.5.14 published images)

| Image | Before (v2026.5.14) | Source of fix | After next release |
|---|---|---|---|
| **simplecontainer/kubectl** | 8 (5H/3M) — all `kubectl` binary stdlib@1.26.2 | Upstream kubectl needs Go 1.26.3 rebuild | unchanged this PR; track upstream |
| **simplecontainer/caddy** | 18 (2C/9H/6M/1L) — all Caddy 2.11.2 vendored deps | **Caddy 2.11.3 bump in this PR** | drops to ~6 (residual: grpc 1.79.1 — Caddy 2.11.3 ships only 1.79.0; tracked upstream) |
| **simplecontainer/github-actions** | 27 (17H/10M) — 7 our binary, 20 bundled gcloud/pulumi | Our 7 fixed by Go 1.25.10 + go-git/go-billy in this PR; rest are upstream | drops to ~20 |
| **simplecontainer/cloud-helpers** | 17 (9H/8M) — 4× glibc, 4× curl/krb5/libgcrypt (AL2023 now patched!), 8× stdlib in cloud-helpers binary | AL2023 `dnf upgrade` auto-picks patched packages; Go 1.25.10 fixes the binary | drops to ~0 |

### Phase 1 deferred items — status check

Reviewed all four Phase 1 deferred items per HARDENING.md:

| Phase 1 deferred | Now |
|---|---|
| `glibc` CVE-2026-4046 (HIGH, AL2023 pending) | ✅ **AL2023 published 2.34-231.amzn2023.0.4** — picked up automatically by Dockerfile's `dnf upgrade` on next rebuild |
| Caddy 2.11.2 upstream transitives (2C/4H/3M/1L originally) | 🟡 **Caddy 2.11.3 ships partial fix** (this PR); residual ~6 vulns track Caddy 2.11.4+ |
| `docker/docker` CVE-2026-34040 / CVE-2026-33997 | ❓ Re-check via `go list -m -versions github.com/docker/docker` — separate triage. Was migrated to `github.com/moby/moby` in PR #238; need to re-verify reachability. |
| Caddy non-root USER | ⏳ Phase 6 (TUF + distro repackaging) |
| github-actions non-root USER | ⏳ Track upstream GitHub Actions OIDC/userns guidance |

## Dependabot security alerts addressed

Three OPEN Dependabot alerts as of this PR — all close automatically
when this merges to `main`:

| Alert | GHSA | CVE | Sev | Package | Fixed in | Source of fix in this PR |
|---|---|---|---|---|---|---|
| [#62](https://github.com/simple-container-com/api/security/dependabot/62) | GHSA-389r-gv7p-r3rp | CVE-2026-45022 | HIGH | `github.com/go-git/go-git/v5` | 5.19.0 | ✅ `go.mod`: 5.18.0 → 5.19.0 |
| [#63](https://github.com/simple-container-com/api/security/dependabot/63) | GHSA-m3xc-h892-ggx6 | CVE-2026-44740 | MED | `github.com/go-git/go-billy/v5` | 5.9.0 | ✅ `go.mod`: 5.8.0 → 5.9.0 |
| [#64](https://github.com/simple-container-com/api/security/dependabot/64) | GHSA-qw64-3x98-g7q2 | CVE-2026-44973 | HIGH | `github.com/go-git/go-billy/v5` | 5.9.0 | ✅ `go.mod`: 5.8.0 → 5.9.0 |

What each one is:
- **GHSA-389r-gv7p-r3rp** — go-git parses specially-crafted objects
inconsistently with upstream Git, which can cause divergent state on a
clone. Reachable via the SC `welder` git-driver path.
- **GHSA-m3xc-h892-ggx6** — go-billy lacks depth/cycle detection in
symlink resolution; a crafted repo can spin the resolver into infinite
loops / resource exhaustion. Reachable via `welder` clone.
- **GHSA-qw64-3x98-g7q2** — go-billy path-traversal across multiple
components (`osfs.ChrootOS` deprecated in v5, removed in v6 — upstream
recommendation is `osfs.New(path, WithBoundOS())`). Reachable via
`welder` clone.

(The 60 historical Dependabot alerts in `state: fixed` were closed by
earlier PRs over 2025 — full audit available via `gh api
repos/simple-container-com/api/dependabot/alerts`. No additional
outstanding security alerts remain after this PR.)

## Dependabot PR reconciliation

| PR | What | Verdict |
|---|---|---|
| [#162](#162) | go-git/v5 5.13.1 → 5.16.5 | **SUPERSEDED** — now at 5.19.0 |
| [#237](#237) | pulumi-command/sdk 0.9.2 → 1.2.1 | LET STAND |
| [#242](#242) | alpine 3.21 → 3.23 (docker-minor-and-patch group) | **LET STAND + merge first** — fixes Alpine OS-pkg CVEs in kubectl/github-actions images |
| [#243](#243) | caddy digest bump (still 2.11.2) | **SUPERSEDED** — this PR bumps to 2.11.3 |
| [#244](#244) | alpine/kubectl base digest bump | LET STAND |
| #245-247 | mkdocs deps | LET STAND (docs/) |
| #248-251 | GitHub Actions bumps | LET STAND |
| [#252](#252) | gomod-minor-and-patch group (26 deps) | **PARTIAL SUPERSEDE** — go-billy / go-git / go-jose / otel / grpc bumps from this PR. Dependabot will auto-rebase #252 on top with the remaining ~22 non-security bumps. |
| [#233](#233) | reecetech/version-increment | LET STAND |

## Scorecard `Vulnerabilities` projection

| State | Score |
|---|---|
| Pre-PR (5 advisories flagged) | 5/10 |
| Post-PR + Scorecard rescan | **9-10/10** (3 advisories remaining are documented false-positives + Scorecard's go-git/v6 flag, all reachability-clean per govulncheck) |

## Validation

- `go build ./...` clean
- `go vet ./...` clean (no output)
- `go test -short ./pkg/security/...` — all 8 packages PASS (29 tests;
HMAC integrity cache from PR #254 still green)
- `govulncheck ./...` — **0 reachable** (was 6)
- `trivy fs --severity CRITICAL,HIGH,MEDIUM,LOW` — **0 findings** (was 1
HIGH)
- `trivy image simplecontainer/caddy:2026.5.14` — flagged 18; expected
~6 after Caddy 2.11.3 rebuild
- `trivy image simplecontainer/cloud-helpers:aws-2026.5.14` — flagged
17; expected ~0 after rebuild (AL2023 + Go 1.25.10)

## Follow-ups out of this PR's scope

- **aws-sdk-go v1 → v2 migration** — 3 `.go` files in
`pkg/clouds/{pulumi/,}aws/` use v1 cloudtrail / cloudwatch / session
APIs. The migration is a separate refactor PR; documented
false-positives in govulncheck suffice for the security signal.
- **`docker/docker` reachability re-check** — verify if PR #238's
moby/moby migration cleared the original CVE.
- **github-actions image bundled binaries** (pulumi, gcloud) — Track
upstream rebuilds with Go 1.26.3.
- **kubectl base bump** — Dependabot #244 will pick it up.

Refs HARDENING.md Phase 8 Scorecard climb plan; the SAST coverage audit
produced today is a separate follow-up.

---------

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Cre-eD (Contributor) commented May 20, 2026

Superseded by the gomod-minor-and-patch group in #275, which is itself folded into the consolidated bump PR #279. Closing as stale.

@Cre-eD Cre-eD closed this May 20, 2026
@Cre-eD Cre-eD deleted the dependabot/go_modules/github.com/go-git/go-git/v5-5.16.5 branch May 20, 2026 07:09
dependabot[bot] (Contributor, Author) commented on behalf of github, May 20, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

Cre-eD added a commit that referenced this pull request May 20, 2026
…label (#279)

## Summary

- **Consolidates 12 open Dependabot PRs into one merge** so we pay for
CI / review once instead of 12+ times. Closes #275 #276 #274 #242 #243
#244 #233 #237 #248 #249 #250 #251 (and the stale #162, superseded by
the gomod group in #275).
- **Gates `branch.yaml` (Blacksmith / paid) on Dependabot PRs behind a
`ci-run` label**, so future Dependabot PRs stop burning multi-vCPU
minutes on a doomed build (they can't decrypt `secrets.SC_CONFIG`).
Cheap PR workflows (CodeQL, Semgrep, govulncheck, Fuzz, TruffleHog, DCO)
still run on every Dependabot PR — they're free-tier and catch the
supply-chain risk that matters for a bump.
- **Adapts three upstream API breaks** that this bump batch introduces
(disgo, pulumi-cloudflare, pulumi backend) — `go build ./...` and tests
compile clean.

## What's bumped

### Go modules (group #275, post-tidy)
24 direct + transitive: `cloud.google.com/go/storage` 1.49.0→1.62.2 ·
`aws/aws-lambda-go` 1.47.0→1.54.0 · `aws/aws-sdk-go-v2/config`
1.29.7→1.32.17 · `cloudflare/cloudflare-go` 0.104.0→0.116.0 ·
`disgoorg/disgo` 0.18.5→0.19.3 · `fatih/color` 1.18.0→1.19.0 ·
`go-git/go-git/v5` 5.19.0→5.19.1 (also #276) · `onsi/gomega`
1.38.2→1.41.0 · `pulumi-aws/sdk/v6` 6.83.0→6.83.3 ·
`pulumi-cloudflare/sdk/v6` 6.2.0→6.15.0 · `pulumi-docker/sdk/v4`
4.5.8→4.11.2 · `pulumi-gcp/sdk/v8` 8.0.0→8.41.1 ·
`pulumi-kubernetes/sdk/v4` 4.18.1→4.31.0 · `pulumi-mongodbatlas/sdk/v3`
3.30.0→3.38.0 · `pulumi-random/sdk/v4` 4.17.0→4.20.0 · `pulumi/pkg/v3`
3.184.0→3.241.0 · `pulumi/sdk/v3` 3.214.0→3.241.0 · `samber/lo`
1.38.1→1.53.0 · `tmc/langchaingo` 0.1.13→0.1.14 · `mongo-driver`
1.16.1→1.17.9 · `k8s.io/apimachinery` 0.35.0→0.36.1 · `k8s.io/client-go`
0.35.0→0.36.1 · others.

Major bump (out of group): `pulumi/pulumi-command/sdk` 0.9.2→1.2.1
(#237).

### Docker (group #242 + digests #243 #244)
- `alpine` 3.21 → 3.23 (`github-actions.Dockerfile`,
`github-actions-staging.Dockerfile`)
- `caddy` digest `14f5b3e` → `f96a3b7`
- `alpine/kubectl` digest `e9acf90` → `405e713`

### Python docs (group #274)
3 updates in `docs/requirements.in` / `docs/requirements.txt`.

### GitHub Actions
- `actions/upload-artifact` v4.6.2 → v7.0.1 (#251)
- `actions/download-artifact` v4.3.0 → v8.0.1 (#249)
- `actions/cache` v4.3.0 → v5.0.5 (#248)
- `docker/setup-buildx-action` v3.12.0 → v4.0.0 (#250)
- `reecetech/version-increment` 2023.10.2 → 2024.10.1 (#233)

## Upstream API breaks adapted in `83401af`

| Dep | Break | Fix |
|---|---|---|
| `disgoorg/disgo` 0.19 | `webhook.Client` interface → struct | Field type `*webhook.Client` |
| `disgoorg/disgo` 0.19 | `CreateMessage` gained required `rest.CreateWebhookMessageParams` arg | Pass empty `rest.CreateWebhookMessageParams{}` |
| `pulumi-cloudflare/sdk` v6.15 | `LookupZoneResult.ZoneId` `*string` → `string` | Drop `lo.FromPtr(...)` wrapper at 4 sites |
| `pulumi/pkg/v3` v3.241 | `backend.RemoveStack` gained `removeBackups bool` arg | Pass `false, false` (preserve no-backup-delete behaviour) |

## CI gate — what changes

```yaml
# .github/workflows/branch.yaml
on:
  pull_request:
    types: [opened, synchronize, reopened, labeled]  # `labeled` re-triggers
jobs:
  build-setup:
    if: >-
      github.event_name != 'pull_request' ||
      github.event.pull_request.user.login != 'dependabot[bot]' ||
      contains(github.event.pull_request.labels.*.name, 'ci-run')
```

`finalize` carries the same guard so a Dependabot PR doesn't get a
"build failed" Telegram sticky for a pipeline that was intentionally
never run.

**Operationally** — when a future Dependabot PR (or another consolidated
batch like this one) needs full Blacksmith validation before merge, add
the `ci-run` label and the workflow re-fires on label.

## Test plan

- [x] `go build ./...` clean (local Go 1.26, CI uses 1.25)
- [x] `go test -count=1 -run '^$' -vet=off ./...` (compile every test
binary) clean
- [ ] Add `ci-run` label to this PR (it's authored by a human, not
Dependabot, so the gate is inert — CI runs anyway) and let `branch.yaml`
produce a real green build
- [ ] Verify the Blacksmith build's `build-setup` decrypts `SC_CONFIG`
correctly (Dependabot's failure mode was secret access, not code)
- [ ] After merge: confirm next Monday's Dependabot PRs land with the
heavy workflow showing as skipped (cascade from `build-setup`) and only
cheap CI fires

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>