chore(deps): update all-ci-dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	patch	v5.0.0 → v5.0.1
actions/setup-go	action	minor	v5.5.0 → v5.6.0
aquasecurity/trivy-action	action	minor	0.32.0 → v0.35.0
codecov/codecov-action	action	minor	v5.4.3 → v5.5.4
grafana (source)		minor	9.3.2 → 9.4.5
kube-prometheus-stack (source)		minor	76.4.0 → 76.5.1
loki (source)		minor	6.36.1 → 6.55.0
mimir-distributed (source)		minor	5.7.0 → 5.8.0
pyroscope (source)		minor	1.14.1 → 1.21.0
securego/gosec	action	minor	v2.22.8 → v2.25.0
sigstore/cosign-installer	action	minor	v3.9.2 → v3.10.1
tempo-distributed (source)		minor	1.46.4 → 1.61.3

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

actions/checkout (actions/checkout)

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

actions/setup-go (actions/setup-go)

v5.6.0

Compare Source

What's Changed

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​aparnajyothi-y in #​689

Full Changelog: actions/setup-go@v5...v5.6.0

aquasecurity/trivy-action (aquasecurity/trivy-action)

v0.35.0: Release: v0.35.0

Compare Source

This release is a duplicate of 0.35.0 which was not compromised.

As part of our response to the recent supply chain attack, we have migrated all tags to use the v prefix (e.g., v0.35.0 instead of 0.35.0). Going forward, all new releases will use the v prefix convention.

We have intentionally kept the 0.35.0 tag intact to avoid breaking existing workflows that depend on it.

If you are currently using 0.35.0, your workflows are safe — no action is required.

v0.35.0

Compare Source

What's Changed

• chore(deps): Update trivy to v0.69.3 by @​aqua-bot in #​519

Full Changelog: aquasecurity/trivy-action@0.34.2...0.35.0

v0.34.0

Compare Source

v0.33.1: Release: v0.33.1

Compare Source

What's Changed

• Update setup-trivy action to version v0.2.4 by @​martincostello in #​486

Full Changelog: aquasecurity/trivy-action@v0.33.0...v0.33.1

v0.33.0: Release: v0.33.0

Compare Source

What's Changed

• Update dependencies in README by @​ibakshay in #​378
• doc: correct sbom fs scan by @​yxtay in #​458
• Pin actions/cache by SHA by @​martincostello in #​480
• chore(ci): Add oras to correctly setup sync jobs by @​simar7 in #​482
• chore(deps): Update trivy to v0.65.0 by @​aqua-bot in #​481

New Contributors

• @​ibakshay made their first contribution in #​378
• @​yxtay made their first contribution in #​458

Full Changelog: aquasecurity/trivy-action@v0.32.0...v0.33.0

codecov/codecov-action (codecov/codecov-action)

v5.5.4

Compare Source

This is a mirror of v5.5.2. v6 will be released which requires node24

What's Changed

• Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" by @​thomasrockhu-codecov in #​1926
• chore(release): 5.5.4 by @​thomasrockhu-codecov in #​1927

Full Changelog: codecov/codecov-action@v5.5.3...v5.5.4

v5.5.3

Compare Source

What's Changed

• build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @​dependabot[bot] in #​1874
• chore(release): bump to 5.5.3 by @​thomasrockhu-codecov in #​1922

Full Changelog: codecov/codecov-action@v5.5.2...v5.5.3

v5.5.2

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

Compare Source

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in #​1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in #​1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in #​1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in #​1872
• docs: fix typo in README by @​datalater in #​1866
• Document a codecov-cli version reference example by @​webknjaz in #​1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in #​1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in #​1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

Compare Source

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in #​1864
• Pin actions/github-script by Git SHA by @​martincostello in #​1859
• fix: check reqs exist by @​joseph-sentry in #​1835
• fix: Typo in README by @​spalmurray in #​1838
• docs: Refine OIDC docs by @​spalmurray in #​1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in #​1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

grafana/helm-charts (grafana)

v9.4.5

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Fix typo in comment by @​ggabijaa in #​3901

New Contributors

• @​ggabijaa made their first contribution in #​3901

Full Changelog: grafana/helm-charts@tempo-distributed-1.47.2...grafana-9.4.5

v9.4.4

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Add missing attribute for GOMEMLIMIT field reference by @​cbcoutinho in #​3884

Full Changelog: grafana/helm-charts@rollout-operator-0.33.0...grafana-9.4.4

v9.4.3

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] upgrade kiwigrid/k8s-sidecar to 1.30.10 by @​DrFaust92 in #​3879

Full Changelog: grafana/helm-charts@tempo-distributed-1.47.1...grafana-9.4.3

v9.4.2

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] - bump to version 12.1.1 by @​cizara in #​3878

New Contributors

• @​cizara made their first contribution in #​3878

Full Changelog: grafana/helm-charts@grafana-9.4.1...grafana-9.4.2

v9.4.1

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] fix print statefulset pvc claim accessmode as list by @​LarsStegman in #​3823

Full Changelog: grafana/helm-charts@grafana-9.4.0...grafana-9.4.1

v9.4.0

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Set GOMEMLIMIT environment variable based on container resources by @​jnoordsij in #​3138

New Contributors

• @​jnoordsij made their first contribution in #​3138

Full Changelog: grafana/helm-charts@grafana-mcp-0.1.2...grafana-9.4.0

v9.3.6

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] fix:remove double quotes from NAMESPACE values in sidecar alerts by @​Peter-YoungUk in #​3871

New Contributors

• @​Peter-YoungUk made their first contribution in #​3871

Full Changelog: grafana/helm-charts@alloy-operator-0.3.9...grafana-9.3.6

v9.3.5

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] add support for envValueFrom in sidecar.alerts both initContainer and watch container by @​peter-kyu in #​3739

New Contributors

• @​peter-kyu made their first contribution in #​3739

Full Changelog: grafana/helm-charts@grafana-9.3.4...grafana-9.3.5

v9.3.4

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] switch targetport from number to port name by @​KyriosGN0 in #​3849

Full Changelog: grafana/helm-charts@grafana-9.3.3...grafana-9.3.4

v9.3.3

Compare Source

The leading tool for querying and visualizing time series and metrics.

What's Changed

• [grafana] Update _pod.tpl to override container name by @​brianjacksondev in #​3864

New Contributors

• @​brianjacksondev made their first contribution in #​3864

Full Changelog: grafana/helm-charts@helm-loki-6.37.0...grafana-9.3.3

prometheus-community/helm-charts (kube-prometheus-stack)

v76.5.1

Compare Source

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

What's Changed

• [kube-prometheus-stack] Update kube-prometheus-stack dependency non-major updates by @​renovate[bot] in #​6080

Full Changelog: prometheus-community/helm-charts@prometheus-ipmi-exporter-0.6.3...kube-prometheus-stack-76.5.1

v76.5.0

Compare Source

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

What's Changed

• [kube-prometheus-stack] Update https://github.com/etcd-io/etcd digest to e5654af by @​renovate[bot] in #​6079

Full Changelog: prometheus-community/helm-charts@prometheus-27.32.0...kube-prometheus-stack-76.5.0

v76.4.1

Compare Source

kube-prometheus-stack collects Kubernetes manifests, Grafana dashboards, and Prometheus rules combined with documentation and scripts to provide easy to operate end-to-end Kubernetes cluster monitoring with Prometheus using the Prometheus Operator.

What's Changed

• [kube-prometheus-stack] Update kube-prometheus-stack dependency non-major updates by @​renovate[bot] in #​6070

Full Changelog: prometheus-community/helm-charts@alertmanager-1.25.0...kube-prometheus-stack-76.4.1

securego/gosec (securego/gosec)

v2.25.0

Compare Source

Changelog

• 223e19b chore(deps): bump google.golang.org/grpc from 1.75.0 to 1.79.3 (#​1617)
• b23a9e5 fix: allow barry action to access secrets on fork PRs (#​1616)
• 355cfa5 fix: reduce G117 false positives for custom marshalers and transformed values (#​1614) (#​1615)
• 744bfb5 Add barry security scanner as a step in the CI (#​1612)
• 4fde15d chore(deps): update all dependencies (#​1611)
• dec52c4 fix: prevent taint analysis hang on packages with many CHA call graph edges (#​1608) (#​1610)
• a0de8b6 Add some skills for claude code to automate some tasks (#​1609)
• c2dfcec Add G701-G706 rule-to-CWE mappings and CWE-117, CWE-918 entries (#​1606)
• 8aec3f4 fix: skip SSA analysis on ill-typed packages to prevent panic (#​1607)
• 1ced32d Port G120 from SSA-based to taint analysis (fixes #​1600, #​1603) (#​1605)
• befce8d fix(G118): eliminate false positive for package-level cancel variables (#​1602)
• b7b2c7b feat: add G124 rule for insecure HTTP cookie configuration (#​1599)
• 6e66a94 feat: add G709 rule for unsafe deserialization of untrusted data (#​1598)
• e7ea237 feat: add G708 rule for server-side template injection via text/template (#​1597)
• 8895462 fix(G118): eliminate false positive when cancel is called via struct field in a closure (#​1596)
• 619ce21 Fix infinite recursion in interprocedural taint analysis (#​1594)
• 0e0eb17 Fix G118 false positive when cancel is stored in returned struct field (#​1593)
• 59a9da0 Fix G118 false positive on cancel called inside goroutine closure (#​1592)
• cbf46b8 fix(analyzer): per-package rule instantiation eliminates concurrent map crash (#​1589)
• c6c3ba8 chore(deps): update all dependencies (#​1588)
• c709ed8 fix(G118): treat returned cancel func as called (fixes #​1584) (#​1585)
• fa74dd7 chore(go): update supported Go versions to 1.25.8 and 1.26.1 (#​1583)
• cd1f29e Update the README with the correct version of the Github action for gosec (#​1582)
• 5887aee chore(deps): update all dependencies (#​1579)
• 6641fcf Fix G115 false positives for guarded int64-to-byte conversions (#​1578)
• 3c9c3da Update the container image migration notice (#​1576)
• 973e94e chore(action): bump gosec to 2.24.7 (#​1575)

v2.24.7

Compare Source

Changelog

• bb17e42 Ignore nosec comments in action integration workflow to generate some warnings (#​1573)
• e1502ad Add a workflow for action integration test (#​1571)
• f8691bd fix(sarif): avoid invalid null relationships in SARIF output (#​1569)
• ade1d0e chore: migrate gosec container image references to GHCR (#​1567)

v2.24.6

Compare Source

Changelog

• 88835e8 Update gorelease to use the latest cosign bundle argument (#​1565)

v2.24.5

Compare Source

v2.24.4

Compare Source

v2.24.3

Compare Source

v2.24.2

Compare Source

v2.24.1

Compare Source

v2.24.0

Compare Source

Changelog

• 271492b fix: G704 false positive on const URL (#​1551)
• 1341aea fix(G705): eliminate false positive for non-HTTP io.Writer (#​1550)
• f2262c8 G120: avoid false positive when MaxBytesReader is applied in middleware (#​1547)
• 5b580c7 Fix G602 regression coverage for issue #​1545 and stabilize G117 TOML test dependency (#​1546)
• eba2d15 taint: skip context.Context arguments during taint propagation to fix false positives (#​1543)
• a6381c1 test: add missing rules to formatter report tests (#​1540)
• fea9725 chore(deps): update all dependencies (#​1541)
• f3e2fac Regenrate the TLS config rule (#​1539)
• 200461f Improve documentation (#​1538)
• 078a62a Expand analyzer-core test coverage for orchestration, go/analysis adapter logic, and taint integration (#​1537)
• ffdc620 Add unit tests for CLI orchestration, TLS config generation, and SSA cache behavior (#​1536)
• c13a486 Add G707 taint analyzer for SMTP command/header injection (#​1535)
• f61ed31 Add G123 analyzer for tls.VerifyPeerCertificate resumption bypass risk (#​1534)
• b568aa1 Add G122 SSA analyzer for filepath.Walk/WalkDir symlink TOCTOU race risks (#​1532)
• 1735e5a fix(G602): avoid false positives for range-over-array indexing (#​1531)
• caf93d0 Improve taint analyzer performance with shared SSA cache, parallel analyzer execution, and CI regression guard (#​1530)
• bd11fbe fix: taint analysis false positives with G703,G705 (#​1522)
• e34e8dd Extend the G117 rule to cover other types of serialization such as yaml/xml/toml (#​1529)
• b940702 Fix the G117 rule to take the JSON serialization into account (#​1528)
• 4f84627 (docs) fix justification format (#​1524)
• 36ba72b Add G121 analyzer for unsafe CORS bypass patterns in CrossOriginProtection (#​1521)
• 238f982 Add G120 SSA analyzer for unbounded form parsing in HTTP handlers (#​1520)
• 89cde27 Add G119 analyzer for unsafe redirect header propagation in CheckRedirect callbacks (#​1519)
• 14fdd9c Fix G115 false positives and negatives (Issue #​1501) (#​1518)
• cec54ec chore(deps): update all dependencies (#​1517)
• 2b2077e Add G118 SSA analyzer for context propagation failures that can cause goroutine/resource leaks (#​1516)
• a7666f3 Add G113: Detect HTTP Request Smuggling via conflicting headers (CVE-2025-22891, CWE-444) (#​1515)
• 47f8b52 Add G408: SSH PublicKeyCallback Authentication Bypass Analyzer (#​1513)
• 4f1f362 Add more unit tests to improve coverage (#​1512)
• 9344582 Improve test coverage in various areas (#​1511)
• 8d1b2c6 Imprve the test coverage (#​1510)
• 993c1c4 Fix incorrect detection of fixed iv in G407 (#​1509)
• 8668b74 Add support for go 1.26.x and removed support for go 1.24.x (#​1508)
• 514225c Fix the sonar report to follow the latest schema (#​1507)
• 000384e fix: broken taint analysis causing false positives (#​1506)
• 616192c fix: panic on float constants in overflow analyzer (#​1505)
• 79956a3 fix: panic when scanning multi-module repos from root (#​1504)
• 5736e8b fix: G602 false positive for array element access (#​1499)
• 1b7e1e9 Update gosec to version v2.23.0 in the Github action (#​1496)

v2.23.0

Compare Source

Changelog

• 398ad54 feat: Support for adding taint analysis engine (#​1486)
• 6eacd5c chore(deps): update all dependencies (#​1494)
• 181a7cb chore(deps): update all dependencies (#​1494)
• e2fa6ab chore(deps): update all dependencies (#​1488)
• eb252ba Fix G602 analyzer panic that kills gosec process (#​1491)
• 20d71a0 update go version to 1.25.7 (#​1492)
• a631af8 Fix URL regexp and remove redundant Google regex patterns (#​1485)
• 8968502 feat: implement global cache usage in rules (#​1480)
• 04f729c chore(deps): update module google.golang.org/genai to v1.43.0 (#​1484)
• ade0e8f refactor: optimize nosec parsing and reduce allocations (#​1478)
• d24bbf7 Fix SARIF artifactChanges null validation error (#​1483)
• 15cba7f feat: optimize GetCallInfo with per-package sync.Pool caching (#​1481)
• 5288673 feat: implement entropy pre-filtering to optimize secret detection (#​1479)
• d9a9bcd feat: ensure GoVersion is cached using sync.Once (#​1477)
• 516260a Fix #​1240: nosec comments now work with trailing open brackets (#​1475)
• be0fd6d Debug Build Profiling Support: Code improvement suggestions for PR#1471 (#​1476)
• b579523 Update the go version to 1.25.6 and 1.24.12 (#​1474)
• bd3c738 G115: Enhance RangeAnalyzer with constant propagation and chained arithmetic support (#​1470)
• 6897b36 chore(deps): update all dependencies (#​1473)
• 9f20212 feat: support path-based rule exclusions via exclude-rules (#​1465)
• 726d847 Optimize analyzer with parallel package processing (#​1466)
• 3150b28 feat: add goanalysis package for nogo (#​1449)
• 7284e15 Refactor Analyzers: Unify Range Logic & Optimize Allocations (#​1464)
• 7a4ccef Optimize G115, G602, G407 analyzers to reduce allocations and memory (#​1463)
• 833d791 refactor(g115): improve coverage (#​1462)
• 0cc9e01 Refine G407 to improve detection and coverage of hardcoded nonces (#​1460)
• 303f84d chore(deps): update all dependencies (#​1461)
• 7387d22 Refactor rules to use callListRule base structure (#​1458)
• 52f5dbf feat(slice): enhance slice bounds analysis with dynamic bounds handling (#​1457)
• 649e2c8 remove deprecated ast.Object (#​1455)
• 35a92b4 feat(sql): enhance SQL injection detection with improved string concatenation checks (#​1454)
• bc9d2bc feat(rules): enhance subprocess variable checks (#​1453)
• 8a5404e feat(resolve): enhance TryResolve to handle KeyValueExpr, IndexExpr, and SliceExpr (#​1452)
• 0f6f21c feat: add secrets serialization G117 (#​1451)
• 717706e feat(rules): add support for detecting high entropy strings in composite literals (#​1447)
• 082deb6 whitelist crypto/rand Read from error checks (#​1446)
• 095d529 chore(deps): update all dependencies (#​1443)
• c073629 Improve slice bound check (#​1442)
• 538a05c docs: add documentation for using gosec with private modules (#​1441)
• 2580437 chore(deps): update all dependencies (#​1440)
• 872b331 docs: add G116 rule description to README (#​1439)
• dcf93a8 Update GitHub action to gosec 2.22.11 (#​1438)

v2.22.11

Compare Source

Changelog

• 424fc4c feature: add rule for trojan source (#​1431)
• aa2e2fb feat(ai): add OpenAI and custom API provider support (#​1424)
• b6eea26 chore: Migrate from gopkg.in/yaml.v3 to go.yaml.in/yaml/v3 (#​1437)
• 41f28e2 chore(deps): update module google.golang.org/genai to v1.37.0 (#​1435)
• daccba6 refactor: simplify report functions in main.go (#​1434)
• d4be287 Update go to 1.25.5 and 1.24.11 in CI (#​1433)
• fde7515 chore(deps): update all dependencies (#​1425)
• 20c9506 feat(ai): add support for latest Claude models and update provider flags (#​1423)
• bd9e372 Bump golang.org/x/crypto from 0.43.0 to 0.45.0 (#​1427)
• 7aa7e93 chore(deps): update module golang.org/x/crypto to v0.45.0 [security] (#​1428)
• a58917f fix: correct schema with temporary placeholder (#​1418)
• 8b0d0b8 perf: skip SSA analysis if no analyzers are loaded (#​1419)
• 8a5d01a test: add sarif validation (#​1417)
• a8fefd1 chore(deps): update all dependencies (#​1421)
• c34cbbf Update go to version 1.25.4 and 1.24.10 in CI (#​1415)
• 10cf58a fix: build tag parsing. (#​1413)
• d2d7348 chore(deps): update all dependencies (#​1411)
• afa853e chore(deps): update all dependencies (#​1409)
• 6b2e6e4 chore(deps): update all dependencies (#​1408)
• 0adab9d Update gosec to version v2.22.10 in the github action (#​1405)

v2.22.10

Compare Source

Changelog

• 6be2b51 Update go to version 1.25.3 and 1.24.9 in CI (#​1404)
• fddb942 chore(deps): update all dependencies (#​1402)
• f676031 Update go to version 1.25.2 and 2.24.8 in CI (#​1401)
• 35f7ec2 chore(deps): update all dependencies (#​1399)
• 01029f0 check nil slices, partially check bo

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
see 12 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.