fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout	action	minor	v4.2.2 → v4.3.1
actions/setup-go	action	minor	v6.2.0 → v6.4.0
actions/setup-node	action	minor	v6.2.0 → v6.3.0
codecov/codecov-action	action	patch	v5.5.2 → v5.5.4
elgohr/Publish-Docker-Github-Action (changelog)	action	digest	4feac4d → 1c2f28c
github.com/go-vela/server	require	minor	v0.27.5 → v0.28.0
github.com/klauspost/compress	require	patch	v1.18.4 → v1.18.5
github.com/minio/minio-go/v7	require	patch	v7.0.98 → v7.0.100
github.com/urfave/cli/v3	require	minor	v3.6.2 → v3.8.0
github/codeql-action	action	minor	v4.32.4 → v4.35.1
reviewdog/action-golangci-lint	action	minor	v2.8.0 → v2.10.0

---

Release Notes

actions/checkout (actions/checkout)

v4.3.1

Compare Source

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in #​2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236
• Prepare release v4.3.0 by @​salmanmkc in #​2237

New Contributors

• @​motss made their first contribution in #​1971
• @​mouismail made their first contribution in #​1977
• @​benwells made their first contribution in #​2043
• @​nebuk89 made their first contribution in #​2194
• @​salmanmkc made their first contribution in #​2236

Full Changelog: actions/checkout@v4...v4.3.0

actions/setup-go (actions/setup-go)

v6.4.0

Compare Source

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in #​721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in #​724
• Fix Microsoft build of Go link by @​gdams in #​734

New Contributors

• @​gdams made their first contribution in #​721

Full Changelog: actions/setup-go@v6...v6.4.0

v6.3.0

Compare Source

What's Changed

• Update default Go module caching to use go.mod by @​priyagupta108 in #​705
• Fix golang download url to go.dev by @​178inaba in #​469

Full Changelog: actions/setup-go@v6...v6.3.0

actions/setup-node (actions/setup-node)

v6.3.0

Compare Source

What's Changed

Enhancements:

• Support parsing devEngines field by @​susnux in #​1283

When using node-version-file: package.json, setup-node now prefers devEngines.runtime over engines.node.

Dependency updates:

• Fix npm audit issues by @​gowridurgad in #​1491
• Replace uuid with crypto.randomUUID() by @​trivikr in #​1378
• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​1498

Bug fixes:

• Remove hardcoded bearer for mirror-url @​marco-ippolito in #​1467
• Scope test lockfiles by package manager and update cache tests by @​gowridurgad in #​1495

New Contributors

• @​susnux made their first contribution in #​1283

Full Changelog: actions/setup-node@v6...v6.3.0

codecov/codecov-action (codecov/codecov-action)

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in #​1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in #​1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in #​1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in #​1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

go-vela/server (github.com/go-vela/server)

v0.28.0

Compare Source

What's Changed

• enhance(oidc): add jti claim by @​ecrupper in #​1356
• feat!: remove buildkite dependency by @​ecrupper in #​1352
• fix(compiler): prevent same-name stages in pipeline configs by @​ecrupper in #​1360
• fix(api): yaml expand on stage pipelines by @​wass3r in #​1363
• enhance(api)!: accept installation tokens for MustWrite and MustRead auth using caching by @​ecrupper in #​1373
• fix(mock): add refresh install token mock by @​ecrupper in #​1374
• fix(scm): proper expiration set to worker by @​ecrupper in #​1380
• fix(deps): bump aws-sdk to v2 by @​wass3r in #​1365
• fix(database)!: use transactions tied to repo counters for hook and build to avoid collisions by @​ecrupper in #​1353
• fix(scm): fall back on github info if role map missing entry by @​ecrupper in #​1382
• fix(deps): update module github.com/expr-lang/expr to v1.17.7 [security] by @​renovate[bot] in #​1379
• chore(build): reduce binary size by @​wass3r in #​1377
• chore: bump go-github to v81 by @​ecrupper in #​1383
• fix(deps): update module golang.org/x/crypto to v0.45.0 [security] by @​renovate[bot] in #​1370
• feat!: platform setting for enabling/disabling Vela secrets by @​ecrupper in #​1384
• fix(scm): add deployments as a default perm for deploy events by @​ecrupper in #​1386
• feat(events)!: support merge queue for GitHub SCM by @​ecrupper in #​1343
• fix(compiler): add origin secrets to pipeline validate func by @​ecrupper in #​1388
• enhance(app): add PR and Issue perms for install token by @​ecrupper in #​1389
• enhance(compiler)!: do not add duplicate origin secrets using name as key by @​ecrupper in #​1390
• chore(lint): update codebase for new linter rules by @​ecrupper in #​1393
• feat(artifacts): Object storage integration and artifacts key by @​KellyMerrick in #​1385
• feat: leverage checks API for CI statuses with app installation by @​ecrupper in #​1392
• fix(deps): update module github.com/google/go-github/v81 to v83 by @​renovate[bot] in #​1391
• fix(scm): add merge_group to events set by @​ecrupper in #​1394
• chore(deps): upgrade minor deps and apply some go fix changes by @​ecrupper in #​1395
• chore(deps): update actions/checkout action to v6 by @​renovate[bot] in #​1371
• chore(deps): update github/codeql-action action to v4 by @​renovate[bot] in #​1358
• chore(deps): update actions/github-script action to v8 by @​renovate[bot] in #​1349
• chore(deps): update actions/setup-go action to v6 by @​renovate[bot] in #​1348
• fix(artifacts): add upload to storage service by @​timhuynh94 in #​1397
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1396
• fix(scm): override details link to point to vela build by @​ecrupper in #​1400
• fix(artifacts): switch from sts to presigned put by @​timhuynh94 in #​1401
• fix(build): reset build number for restarts by @​ecrupper in #​1404
• fix(revert): use commit status API only by @​ecrupper in #​1405
• refactor(compiler): move script gen outside of compiler and into container by @​ecrupper in #​1403
• fix(env): remove id request url from compiler by @​ecrupper in #​1408
• fix(perm): allow for GETs when secrets are disabled by @​ecrupper in #​1406
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1398
• fix(deps): update module github.com/google/go-github/v83 to v84 by @​renovate[bot] in #​1399
• chore(deps): update docker/login-action action to v4 by @​renovate[bot] in #​1402
• chore(deps): update docker/metadata-action action to v6 by @​renovate[bot] in #​1407
• chore(deps): update docker/build-push-action action to v7 by @​renovate[bot] in #​1409
• chore(deps): bump go to 1.26.1 by @​wass3rw3rk in #​1410
• fix(webhook): generate token for status update on failed compile by @​ecrupper in #​1412
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1411
• fix: add clearer error message for post-subst unmarshal issues by @​ecrupper in #​1415
• fix(merge_group): set branch to base ref instead of head ref by @​ecrupper in #​1414
• fix(db): only update fields when necessary for repo hot path writes by @​ecrupper in #​1416
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1413
• fix(admin): add logs for secret toggles by @​wass3rw3rk in #​1419
• enhance: separate clone/build SCM token from status token by @​ecrupper in #​1420
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1417
• chore(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 by @​dependabot[bot] in #​1418
• chore(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 by @​dependabot[bot] in #​1421
• fix(webhook): use webhook parsed build info on compile failures for status by @​ecrupper in #​1422
• fix: use install token if available for changeset call by @​ecrupper in #​1424
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1423
• chore(deps): update codecov/codecov-action action to v6 by @​renovate[bot] in #​1425
• fix(util): use filepath matching for allowlist by @​ecrupper in #​1426

Full Changelog: go-vela/server@v0.27.5...v0.28.0

klauspost/compress (github.com/klauspost/compress)

v1.18.5

Compare Source

What's Changed

• zstd: Fix crash when changing encoder dictionary with same ID by @​klauspost in #​1135
• zstd: Default to full zero frames by @​klauspost in #​1134
• flate: Clean up histogram order by @​klauspost in #​1133

Full Changelog: klauspost/compress@v1.18.4...v1.18.5

minio/minio-go (github.com/minio/minio-go/v7)

v7.0.100

Compare Source

v7.0.99

Compare Source

urfave/cli (github.com/urfave/cli/v3)

v3.8.0

Compare Source

What's Changed

• chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in the python-packages group by @​dependabot[bot] in #​2267
• chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in the python-packages group by @​dependabot[bot] in #​2272
• chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in the python-packages group by @​dependabot[bot] in #​2276
• Fix: check MutuallyExclusiveFlags across parent command chain by @​siutsin in #​2274
• Modernize source code by @​kolyshkin in #​2289
• flag: replace regexp use by @​kolyshkin in #​2288
• chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in the python-packages group by @​dependabot[bot] in #​2284
• Fix:(issue_2281) Remove incorrect check for local flag for set by @​dearchap in #​2290
• Fix:(issue_2275) Make flag action execution consistent by @​dearchap in #​2295
• Fix:(issue_2293) --flag="" no longer rejected as missing argument by @​idelchi in #​2297
• Fix:(issue_2292) Empty positional args no longer break parse loop by @​idelchi in #​2296

New Contributors

• @​idelchi made their first contribution in #​2297

Full Changelog: urfave/cli@v3.7.0...v3.8.0

v3.7.0

Compare Source

What's Changed

• Fix: use the correct type name in the tracef message by @​icholy in #​2251
• chore(deps): bump mkdocs-git-revision-date-localized-plugin from 1.5.0 to 1.5.1 in the python-packages group by @​dependabot[bot] in #​2252
• Fix:(issue_2254) Fix incorrect handling of arg after short option token by @​dearchap in #​2255
• feat: ShellComplete for fish by @​marcusramberg in #​2256
• Fix: propagate MutuallyExclusiveFlags persistent flags to subcommands by @​siutsin in #​2266
• feat: support dynamic fish completion by @​Maks1mS in #​2270
• fix(help): show GLOBAL OPTIONS for leaf subcommands when HideHelpCommand is true by @​TimSoethout in #​2269

New Contributors

• @​marcusramberg made their first contribution in #​2256
• @​siutsin made their first contribution in #​2266
• @​TimSoethout made their first contribution in #​2269

Full Changelog: urfave/cli@v3.6.2...v3.7.0

github/codeql-action (github/codeql-action)

v4.35.1

Compare Source

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #​3781

v4.35.0

Compare Source

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #​3767
• Update default CodeQL bundle version to 2.25.1. #​3773

v4.34.1

Compare Source

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #​3762

v4.34.0

Compare Source

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #​3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #​3584
• Update default CodeQL bundle version to 2.25.0. #​3585

v4.33.0

Compare Source

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #​3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #​3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #​3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #​3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #​3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #​3570

v4.32.6

Compare Source

• Update default CodeQL bundle version to 2.24.3. #​3548

v4.32.5

Compare Source

• Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #​3507
• Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #​3487
• The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #​3515
• Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #​3516
• Added an experimental change which lowers the minimum disk space requirement for improved incremental analysis, enabling it to run on standard GitHub Actions runners. We expect to roll this change out to everyone in March. #​3498
• Added an experimental change which allows the start-proxy action to resolve the CodeQL CLI version from feature flags instead of using the linked CLI bundle version. We expect to roll this change out to everyone in March. #​3512
• The previously experimental changes from versions 4.32.3, 4.32.4, 3.32.3 and 3.32.4 are now enabled by default. #​3503, #​3504

reviewdog/action-golangci-lint (reviewdog/action-golangci-lint)

v2.10.0

Compare Source

What's Changed

• fix: update go download url by @​kurochan in #​817
• chore(deps): update dependency @​types/node to v20.19.37 by @​renovate[bot] in #​802
• chore(deps): update dependency ts-jest to v29.4.6 by @​renovate[bot] in #​805
• chore(deps): update dependency @​vercel/ncc to v0.38.4 by @​renovate[bot] in #​812
• chore(deps): update actions/checkout action to v4.3.1 by @​renovate[bot] in #​813
• chore(deps): update dependency eslint-plugin-import to v2.32.0 by @​renovate[bot] in #​814
• chore(deps): update @​typescript-eslint/parser and eslint-plugin-jest by @​renovate[bot] in #​818
• chore(deps): update dependency prettier to v3.8.1 by @​renovate[bot] in #​819
• chore(deps): update dependency typescript to v5.9.3 by @​renovate[bot] in #​820
• chore(deps): update github/codeql-action action to v3.32.6 by @​renovate[bot] in #​821
• chore(deps): update reviewdog/action-actionlint action to v1.71.0 by @​renovate[bot] in #​822
• chore(deps): update reviewdog/action-eslint action to v1.34.0 by @​renovate[bot] in #​823
• Upgrade Node.js runtime to v24 by @​Copilot in #​824
• Migrate to ES Modules with Rollup by @​Copilot in #​825
• chore(deps): update actions/checkout action to v6 by @​renovate[bot] in #​827
• bump eslint 10.0.3 by @​shogo82148 in #​832
• introduce bundle script by @​shogo82148 in #​835
• chore(deps): update node.js to v24.14.0 by @​renovate[bot] in #​836
• chore(deps): update actions/setup-node action to v6 by @​renovate[bot] in #​828
• chore(deps): update github/codeql-action action to v4 by @​renovate[bot] in #​829

New Contributors

• @​kurochan made their first contribution in #​817
• @​Copilot made their first contribution in #​824

Full Changelog: reviewdog/action-golangci-lint@v2.9.0...v2.10.0

v2.9.0

Compare Source

What's Changed

• Update Go to v1.23 by @​massongit in #​783
• chore(config): migrate renovate config by @​renovate[bot] in #​784
• chore(deps): update github/codeql-action action to v3.28.13 by @​renovate[bot] in #​781
• chore(deps): update dependency @​types/semver to v7.7.0 by @​renovate[bot] in #​786
• chore(deps): update dependency @​types/node to v20.17.28 by @​renovate[bot] in #​787
• Add CI to check golintci-lint config by @​massongit in #​790
• .golangci.v1.yml: disable golint by @​massongit in #​791
• chore(deps): update dependency ts-jest to v29.3.1 by @​renovate[bot] in #​792
• chore(deps): update dependency ts-jest to v29.3.2 by @​renovate[bot] in #​799
• chore(deps): update actions/setup-node action to v4.4.0 by @​renovate[bot] in #​800
• chore(deps): update github/codeql-action action to v3.28.15 by @​renovate[bot] in #​796
• chore(deps): update dependency @​types/node to v20.17.30 by @​renovate[bot] in #​793
• chore(deps): update dependency typescript to v5.8.3 by @​renovate[bot] in #​794
• chore(deps): update dependency js-yaml to v4.1.1 [security] by @​renovate[bot] in #​810
• chore(deps): update @​typescript-eslint/parser and eslint-plugin-jest (major) by @​renovate[bot] in #​727
• chore(deps): update haya14busa/action-bumpr action to v1.11.4 by @​renovate[bot] in #​795
• chore(deps): update haya14busa/action-update-semver action to v1.5.1 by @​renovate[bot] in #​797
• chore(deps): update github/codeql-action action to v3.31.8 by @​renovate[bot] in #​801

Full Changelog: reviewdog/action-golangci-lint@v2.8.0...v2.9.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 28.26%. Comparing base (97ebb1b) to head (4d6749d).

❌ Your project check has failed because the head coverage (28.26%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #180   +/-   ##
=======================================
  Coverage   28.26%   28.26%           
=======================================
  Files          13       13           
  Lines         895      895           
=======================================
  Hits          253      253           
  Misses        597      597           
  Partials       45       45           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 5 additional dependencies were updated

Details:

Package	Change
github.com/minio/crc64nvme	v1.0.2 -> v1.1.0
golang.org/x/crypto	v0.39.0 -> v0.41.0
golang.org/x/net	v0.41.0 -> v0.42.0
golang.org/x/sys	v0.34.0 -> v0.35.0
golang.org/x/text	v0.26.0 -> v0.28.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.7 -> 1.26.1
golang.org/x/crypto	v0.46.0 -> v0.49.0
golang.org/x/net	v0.48.0 -> v0.51.0
golang.org/x/sys	v0.39.0 -> v0.42.0
golang.org/x/text	v0.32.0 -> v0.35.0