fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/setup-go	action	minor	v6.3.0 → v6.4.0
alpine	final	patch	3.23.3 → 3.23.4
alpine	stage	patch	3.23.3 → 3.23.4
codecov/codecov-action	action	patch	v5.5.2 → v5.5.4
elgohr/Publish-Docker-Github-Action (changelog)	action	digest	4feac4d → 1c2f28c
github.com/go-vela/server	require	minor	v0.27.5 → v0.28.3
github.com/urfave/cli/v3	require	minor	v3.7.0 → v3.8.0
github/codeql-action	action	minor	v4.32.5 → v4.35.2
reviewdog/action-golangci-lint	action	minor	v2.8.0 → v2.10.0

---

Release Notes

actions/setup-go (actions/setup-go)

v6.4.0

Compare Source

What's Changed

Enhancement

• Add go-download-base-url input for custom Go distributions by @​gdams in #​721

Dependency update

• Upgrade minimatch from 3.1.2 to 3.1.5 by @​dependabot in #​727

Documentation update

• Rearrange README.md, add advanced-usage.md by @​priyagupta108 in #​724
• Fix Microsoft build of Go link by @​gdams in #​734

New Contributors

• @​gdams made their first contribution in #​721

Full Changelog: actions/setup-go@v6...v6.4.0

codecov/codecov-action (codecov/codecov-action)

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in #​1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in #​1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in #​1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in #​1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

go-vela/server (github.com/go-vela/server)

v0.28.3

Compare Source

What's Changed

• fix(db/hook): trim error to fit db column by @​wass3rw3rk in #​1440
• fix: tighten up UpdateRepo calls and add sync-up to repair by @​ecrupper in #​1438
• fix(router): use install token for caller token and fix ptr derefs by @​ecrupper in #​1439
• fix(cancel): follow through cancel on missing executor by @​ecrupper in #​1441
• fix(hook): matching error with other updatehook calls by @​wass3rw3rk in #​1442
• chore(deps): update all non-major dependencies by @​renovate[bot] in #​1437

Full Changelog: go-vela/server@v0.28.2...v0.28.3

v0.28.2

Compare Source

What's Changed

• fix(compiler/types): use struct walk for Substitute instead of JSON marshal by @​ecrupper in #​1432
• fix(scm): handle nil on getcontents by @​wass3rw3rk in #​1434
• fix(deps): update module golang.org/x/crypto to v0.50.0 by @​renovate[bot] in #​1433

Full Changelog: go-vela/server@v0.28.1...v0.28.2

v0.28.1

Compare Source

What's Changed

• fix(compiler): address logic bug in de-dup for origin secrets in templates by @​ecrupper in #​1431
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @​dependabot[bot] in #​1429
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1428

Full Changelog: go-vela/server@v0.28.0...v0.28.1

v0.28.0

Compare Source

What's Changed

• enhance(oidc): add jti claim by @​ecrupper in #​1356
• feat!: remove buildkite dependency by @​ecrupper in #​1352
• fix(compiler): prevent same-name stages in pipeline configs by @​ecrupper in #​1360
• fix(api): yaml expand on stage pipelines by @​wass3r in #​1363
• enhance(api)!: accept installation tokens for MustWrite and MustRead auth using caching by @​ecrupper in #​1373
• fix(mock): add refresh install token mock by @​ecrupper in #​1374
• fix(scm): proper expiration set to worker by @​ecrupper in #​1380
• fix(deps): bump aws-sdk to v2 by @​wass3r in #​1365
• fix(database)!: use transactions tied to repo counters for hook and build to avoid collisions by @​ecrupper in #​1353
• fix(scm): fall back on github info if role map missing entry by @​ecrupper in #​1382
• fix(deps): update module github.com/expr-lang/expr to v1.17.7 [security] by @​renovate[bot] in #​1379
• chore(build): reduce binary size by @​wass3r in #​1377
• chore: bump go-github to v81 by @​ecrupper in #​1383
• fix(deps): update module golang.org/x/crypto to v0.45.0 [security] by @​renovate[bot] in #​1370
• feat!: platform setting for enabling/disabling Vela secrets by @​ecrupper in #​1384
• fix(scm): add deployments as a default perm for deploy events by @​ecrupper in #​1386
• feat(events)!: support merge queue for GitHub SCM by @​ecrupper in #​1343
• fix(compiler): add origin secrets to pipeline validate func by @​ecrupper in #​1388
• enhance(app): add PR and Issue perms for install token by @​ecrupper in #​1389
• enhance(compiler)!: do not add duplicate origin secrets using name as key by @​ecrupper in #​1390
• chore(lint): update codebase for new linter rules by @​ecrupper in #​1393
• feat(artifacts): Object storage integration and artifacts key by @​KellyMerrick in #​1385
• feat: leverage checks API for CI statuses with app installation by @​ecrupper in #​1392
• fix(deps): update module github.com/google/go-github/v81 to v83 by @​renovate[bot] in #​1391
• fix(scm): add merge_group to events set by @​ecrupper in #​1394
• chore(deps): upgrade minor deps and apply some go fix changes by @​ecrupper in #​1395
• chore(deps): update actions/checkout action to v6 by @​renovate[bot] in #​1371
• chore(deps): update github/codeql-action action to v4 by @​renovate[bot] in #​1358
• chore(deps): update actions/github-script action to v8 by @​renovate[bot] in #​1349
• chore(deps): update actions/setup-go action to v6 by @​renovate[bot] in #​1348
• fix(artifacts): add upload to storage service by @​timhuynh94 in #​1397
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1396
• fix(scm): override details link to point to vela build by @​ecrupper in #​1400
• fix(artifacts): switch from sts to presigned put by @​timhuynh94 in #​1401
• fix(build): reset build number for restarts by @​ecrupper in #​1404
• fix(revert): use commit status API only by @​ecrupper in #​1405
• refactor(compiler): move script gen outside of compiler and into container by @​ecrupper in #​1403
• fix(env): remove id request url from compiler by @​ecrupper in #​1408
• fix(perm): allow for GETs when secrets are disabled by @​ecrupper in #​1406
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1398
• fix(deps): update module github.com/google/go-github/v83 to v84 by @​renovate[bot] in #​1399
• chore(deps): update docker/login-action action to v4 by @​renovate[bot] in #​1402
• chore(deps): update docker/metadata-action action to v6 by @​renovate[bot] in #​1407
• chore(deps): update docker/build-push-action action to v7 by @​renovate[bot] in #​1409
• chore(deps): bump go to 1.26.1 by @​wass3rw3rk in #​1410
• fix(webhook): generate token for status update on failed compile by @​ecrupper in #​1412
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1411
• fix: add clearer error message for post-subst unmarshal issues by @​ecrupper in #​1415
• fix(merge_group): set branch to base ref instead of head ref by @​ecrupper in #​1414
• fix(db): only update fields when necessary for repo hot path writes by @​ecrupper in #​1416
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1413
• fix(admin): add logs for secret toggles by @​wass3rw3rk in #​1419
• enhance: separate clone/build SCM token from status token by @​ecrupper in #​1420
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1417
• chore(deps): bump google.golang.org/grpc from 1.79.2 to 1.79.3 by @​dependabot[bot] in #​1418
• chore(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 by @​dependabot[bot] in #​1421
• fix(webhook): use webhook parsed build info on compile failures for status by @​ecrupper in #​1422
• fix: use install token if available for changeset call by @​ecrupper in #​1424
• fix(deps): update all non-major dependencies by @​renovate[bot] in #​1423
• chore(deps): update codecov/codecov-action action to v6 by @​renovate[bot] in #​1425
• fix(util): use filepath matching for allowlist by @​ecrupper in #​1426

Full Changelog: go-vela/server@v0.27.5...v0.28.0

urfave/cli (github.com/urfave/cli/v3)

v3.8.0

Compare Source

What's Changed

• chore(deps): bump mkdocs-material from 9.7.1 to 9.7.2 in the python-packages group by @​dependabot[bot] in #​2267
• chore(deps): bump mkdocs-material from 9.7.2 to 9.7.3 in the python-packages group by @​dependabot[bot] in #​2272
• chore(deps): bump mkdocs-material from 9.7.3 to 9.7.4 in the python-packages group by @​dependabot[bot] in #​2276
• Fix: check MutuallyExclusiveFlags across parent command chain by @​siutsin in #​2274
• Modernize source code by @​kolyshkin in #​2289
• flag: replace regexp use by @​kolyshkin in #​2288
• chore(deps): bump mkdocs-material from 9.7.4 to 9.7.5 in the python-packages group by @​dependabot[bot] in #​2284
• Fix:(issue_2281) Remove incorrect check for local flag for set by @​dearchap in #​2290
• Fix:(issue_2275) Make flag action execution consistent by @​dearchap in #​2295
• Fix:(issue_2293) --flag="" no longer rejected as missing argument by @​idelchi in #​2297
• Fix:(issue_2292) Empty positional args no longer break parse loop by @​idelchi in #​2296

New Contributors

• @​idelchi made their first contribution in #​2297

Full Changelog: urfave/cli@v3.7.0...v3.8.0

github/codeql-action (github/codeql-action)

v4.35.2

Compare Source

• The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
• The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
• Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
• Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #​3807
• Update default CodeQL bundle version to 2.25.2. #​3823

v4.35.1

Compare Source

• Fix incorrect minimum required Git version for improved incremental analysis: it should have been 2.36.0, not 2.11.0. #​3781

v4.35.0

Compare Source

• Reduced the minimum Git version required for improved incremental analysis from 2.38.0 to 2.11.0. #​3767
• Update default CodeQL bundle version to 2.25.1. #​3773

v4.34.1

Compare Source

• Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #​3762

v4.34.0

Compare Source

• Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #​3569
• We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #​3584
• Update default CodeQL bundle version to 2.25.0. #​3585

v4.33.0

Compare Source

• Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #​3562

  To opt out of this change:

  • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
  • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

• Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #​3557

• The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #​3559

• Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #​3563

• Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #​3564

• A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #​3570

v4.32.6

Compare Source

• Update default CodeQL bundle version to 2.24.3. #​3548

reviewdog/action-golangci-lint (reviewdog/action-golangci-lint)

v2.10.0

Compare Source

What's Changed

• fix: update go download url by @​kurochan in #​817
• chore(deps): update dependency @​types/node to v20.19.37 by @​renovate[bot] in #​802
• chore(deps): update dependency ts-jest to v29.4.6 by @​renovate[bot] in #​805
• chore(deps): update dependency @​vercel/ncc to v0.38.4 by @​renovate[bot] in #​812
• chore(deps): update actions/checkout action to v4.3.1 by @​renovate[bot] in #​813
• chore(deps): update dependency eslint-plugin-import to v2.32.0 by @​renovate[bot] in #​814
• chore(deps): update @​typescript-eslint/parser and eslint-plugin-jest by @​renovate[bot] in #​818
• chore(deps): update dependency prettier to v3.8.1 by @​renovate[bot] in #​819
• chore(deps): update dependency typescript to v5.9.3 by @​renovate[bot] in #​820
• chore(deps): update github/codeql-action action to v3.32.6 by @​renovate[bot] in #​821
• chore(deps): update reviewdog/action-actionlint action to v1.71.0 by @​renovate[bot] in #​822
• chore(deps): update reviewdog/action-eslint action to v1.34.0 by @​renovate[bot] in #​823
• Upgrade Node.js runtime to v24 by @​Copilot in #​824
• Migrate to ES Modules with Rollup by @​Copilot in #​825
• chore(deps): update actions/checkout action to v6 by @​renovate[bot] in #​827
• bump eslint 10.0.3 by @​shogo82148 in #​832
• introduce bundle script by @​shogo82148 in #​835
• chore(deps): update node.js to v24.14.0 by @​renovate[bot] in #​836
• chore(deps): update actions/setup-node action to v6 by @​renovate[bot] in #​828
• chore(deps): update github/codeql-action action to v4 by @​renovate[bot] in #​829

New Contributors

• @​kurochan made their first contribution in #​817
• @​Copilot made their first contribution in #​824

Full Changelog: reviewdog/action-golangci-lint@v2.9.0...v2.10.0

v2.9.0

Compare Source

What's Changed

• Update Go to v1.23 by @​massongit in #​783
• chore(config): migrate renovate config by @​renovate[bot] in #​784
• chore(deps): update github/codeql-action action to v3.28.13 by @​renovate[bot] in #​781
• chore(deps): update dependency @​types/semver to v7.7.0 by @​renovate[bot] in #​786
• chore(deps): update dependency @​types/node to v20.17.28 by @​renovate[bot] in #​787
• Add CI to check golintci-lint config by @​massongit in #​790
• .golangci.v1.yml: disable golint by @​massongit in #​791
• chore(deps): update dependency ts-jest to v29.3.1 by @​renovate[bot] in #​792
• chore(deps): update dependency ts-jest to v29.3.2 by @​renovate[bot] in #​799
• chore(deps): update actions/setup-node action to v4.4.0 by @​renovate[bot] in #​800
• chore(deps): update github/codeql-action action to v3.28.15 by @​renovate[bot] in #​796
• chore(deps): update dependency @​types/node to v20.17.30 by @​renovate[bot] in #​793
• chore(deps): update dependency typescript to v5.8.3 by @​renovate[bot] in #​794
• chore(deps): update dependency js-yaml to v4.1.1 [security] by @​renovate[bot] in #​810
• chore(deps): update @​typescript-eslint/parser and eslint-plugin-jest (major) by @​renovate[bot] in #​727
• chore(deps): update haya14busa/action-bumpr action to v1.11.4 by @​renovate[bot] in #​795
• chore(deps): update haya14busa/action-update-semver action to v1.5.1 by @​renovate[bot] in #​797
• chore(deps): update github/codeql-action action to v3.31.8 by @​renovate[bot] in #​801

Full Changelog: reviewdog/action-golangci-lint@v2.8.0...v2.9.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 35.56%. Comparing base (af322d5) to head (c6ad339).
⚠️ Report is 1 commits behind head on main.

❌ Your project status has failed because the head coverage (35.56%) is below the target coverage (90.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #196   +/-   ##
=======================================
  Coverage   35.56%   35.56%           
=======================================
  Files          12       12           
  Lines         883      883           
=======================================
  Hits          314      314           
  Misses        556      556           
  Partials       13       13           

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 4 additional dependencies were updated

Details:

Package	Change
golang.org/x/crypto	v0.40.0 -> v0.41.0
golang.org/x/mod	v0.25.0 -> v0.26.0
golang.org/x/sys	v0.34.0 -> v0.35.0
golang.org/x/text	v0.27.0 -> v0.28.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 3 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.8 -> 1.26.1
golang.org/x/crypto	v0.46.0 -> v0.50.0
golang.org/x/sys	v0.39.0 -> v0.43.0
golang.org/x/text	v0.32.0 -> v0.36.0