🌱 Bump the gomod group across 1 directory with 4 updates

[dependabot]

Bumps the gomod group with 3 updates in the / directory: github.com/rhysd/actionlint, github.com/onsi/ginkgo/v2 and gocloud.dev.

Updates github.com/rhysd/actionlint from 1.7.11 to 1.7.12

Release notes

Sourced from github.com/rhysd/actionlint's releases.

v1.7.12

• Support the timezone configuration in on.schedule with checks for IANA timezone string. See the documentation for more details. Note that actionlint starts to embed the timezone database in the executables from this version so the binary sizes slightly increase. (#641, thanks @​martincostello)

  on:
    schedule:
      # ERROR: The timezone is not a valid IANA timezone string
      - cron: '*/5 * * * *'
        timezone: 'Asia/Somewhere'

• Support the jobs.<job_name>.environment.deployment configuration. (#639, thanks @​springmeyer)
• Support the macos-26-intel runner label. (#629, thanks @​hugovk)
• Fix the outdated table of webhook activity types by rebuilding the script to scrape the table from scratch.
• Support Go 1.26 and drop the support for Go 1.24. Now supported versions are 1.25 and 1.26.
• Tests are run on arm64 Windows in CI.
• Update the popular actions data set to the latest.

Changelog

Sourced from github.com/rhysd/actionlint's changelog.

v1.7.12 - 2026-03-30

• Support the timezone configuration in on.schedule with checks for IANA timezone string. See the documentation for more details. Note that actionlint starts to embed the timezone database in the executables from this version so the binary sizes slightly increase. (#641, thanks @​martincostello)

  on:
    schedule:
      # ERROR: The timezone is not a valid IANA timezone string
      - cron: '*/5 * * * *'
        timezone: 'Asia/Somewhere'

• Support the jobs.<job_name>.environment.deployment configuration. (#639, thanks @​springmeyer)
• Support the macos-26-intel runner label. (#629, thanks @​hugovk)
• Fix the table of webhook activity types are outdated by rebuilding the script to scrape the table from scratch.
• Support Go 1.26 and drop the support for Go 1.24. Now supported versions are 1.25 and 1.26.
• Tests are run on arm64 Windows in CI.
• Update the popular actions data set to the latest.

[Changes][v1.7.12]

Commits

• 914e7df bump up version to v1.7.12
• f1fe8a1 update popular actions data set to the latest
• 0ef3e18 add support for https://github.blog/changelog/2026-03-19-github-actions-late-...
• d2f9e65 update document to describe the timezone check in on.schedule
• c03b271 Merge branch 'followup-issue641' (#641)
• c9efd91 fix staticcheck checks files inside ./playground/node_modules
• 08e2336 include timezone database in executable statically
• f48c0a4 fix timezone check is incomplete
• 6b811d3 fix problem matcher test fails due to line ending in test data
• 4897c1d Merge pull request #641 from martincostello/gh-638
• Additional commits viewable in compare view

Updates github.com/onsi/ginkgo/v2 from 2.28.1 to 2.29.0

Release notes

Sourced from github.com/onsi/ginkgo/v2's releases.

v2.29.0

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

v2.28.3

2.28.3

Maintenance

Bump all dependencies

v2.28.2

2.28.2

• Add ArtifactDir() to support Go 1.26 testing.TB interface [f3a36b6]
• Implement shell completion [94151c8]
• Add asan CLI option mirroring msan implementation [4d21dbb]
• Bump uri from 1.0.3 to 1.0.4 in /docs (#1630) [c102161]
• fix aspect ratio [9619647]
• update logos [5779304]

Changelog

Sourced from github.com/onsi/ginkgo/v2's changelog.

2.29.0

GinkgoHelperGo makes it easier to write test helpers that need to run in goroutines. Specifically, it makes managing the failure state and capturing failure panics correctly straightforward.

ginkgo outline now includes entries defined in DescribeTableSubtree

2.28.3

Maintenance

Bump all dependencies

2.28.2

• Add ArtifactDir() to support Go 1.26 testing.TB interface [f3a36b6]
• Implement shell completion [94151c8]
• Add asan CLI option mirroring msan implementation [4d21dbb]
• Bump uri from 1.0.3 to 1.0.4 in /docs (#1630) [c102161]
• fix aspect ratio [9619647]
• update logos [5779304]

Commits

• 04b5bcb v2.29.0
• 124232a docs: GinkgoHelperGo
• ad9cee8 feat: GinkgoHelperGo, with integration tests
• 9e56a0a chore: refactor devcontainer for better maintenance
• 3d235a9 chore: ignore internal/tmp_*/ integration suite temporary dirs
• 782666a feat: devcontainer configuration with local pkgsite and GH pages
• 009dd04 Support DescribeTableSubtree in ginkgo outline
• 5de9c15 v2.28.3
• 7e2fa19 bump dependencies
• 1a81912 v2.28.2
• Additional commits viewable in compare view

Updates github.com/onsi/gomega from 1.39.1 to 1.40.0

Release notes

Sourced from github.com/onsi/gomega's releases.

v1.40.0

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

Changelog

Sourced from github.com/onsi/gomega's changelog.

1.40.0

We're adopting a new release strategy to minimize dependency bloat in projects that consume Gomega. It is a limitation of the go mod toolchain that test subdependencies of your project's direct dependencies get pulled in as indirect dependencies. In the case of Gomega, this ends up pulling in all of Ginkgo into your go.mod even if you are only using Gomega (Gomega uses Ginkgo for its own tests).

Going forward, releases will strip out all tests, tidy up the go.mod and then push this stripped down version to a new master-lite branch. These stripped-down versions will receive the vx.y.z git tag and will be picked up by the go toolchain.

Please open an issue if this new release process causes unexpected changes for your projects.

Commits

• 87ee9d3 v1.40.0
• ea66027 v1.40.0 (full)
• e3fd789 update docs to reflect new versioning strategy
• 7d4ee30 first push to master-lite
• e4a82d1 Bump github/codeql-action from 3 to 4 (#875)
• af62723 Bump rexml from 3.4.0 to 3.4.2 in /docs (#870)
• e164221 Bump github.com/onsi/ginkgo/v2 from 2.28.0 to 2.28.1 (#895)
• 334a282 Bump faraday from 2.12.2 to 2.14.1 in /docs (#896)
• See full diff in compare view

Updates gocloud.dev from 0.45.0 to 0.46.0

Release notes

Sourced from gocloud.dev's releases.

v0.46.0

BREAKING_CHANGE:

• blob/s3blob: migrate from deprecated s3/manager to s3/transfermanager by @​vangent in google/go-cloud#3717
  • Only breaking if you're using As to access specific AWS types from the old manager.

What's Changed

all

• all: support typed errors and errors.Is for error codes by @​vangent in google/go-cloud#3708
• aws/aws: add AWS IAM Role assumption support by @​troyready in google/go-cloud#3716

blob:

• blob/fileblob: Prevent escaping bucket root by @​vangent in google/go-cloud#3669
• blob/fileblob: Close the file in case of BeforeRead or Seek error by @​ganigeorgiev in google/go-cloud#3696
• blob/azureblob: eliminate Azure Autorest dependency and replace usage by @​gaganhr94 in google/go-cloud#3672
• blob/gcsblob: Handle grpc errors on gcsblob by @​dpulpeiro in google/go-cloud#3697

runtimevar:

• runtimevar/filevar: Support relative paths in URL openers via a host of "." by @​vangent in google/go-cloud#3666
• runtimevar/etcdvar: Replace go.etcd.io/etcd/etcdserver/api/v3rpc/rpctypes by @​aaronjheng in google/go-cloud#3676

pubsub

• pubsub/gcppubsub: decrease max batch buffer size from 9MB to 8MB by @​vangent in google/go-cloud#3698

docstore

• docstore: Support unwrapping action list errors by @​Megakuul in google/go-cloud#3705

secrets

• secrets/azurekeyvault: migrate from beta keyvault/azkeys to stable security/keyvault/azkeys by @​vangent in google/go-cloud#3689

postgres

• postgres/awspostgres: add IAM authentication support by @​giautm in google/go-cloud#3713

New Contributors

• @​gaganhr94 made their first contribution in google/go-cloud#3672
• @​aaronjheng made their first contribution in google/go-cloud#3676
• @​kchoy-sfdc made their first contribution in google/go-cloud#3681
• @​dpulpeiro made their first contribution in google/go-cloud#3697
• @​ganigeorgiev made their first contribution in google/go-cloud#3696
• @​Megakuul made their first contribution in google/go-cloud#3705
• @​XananasX7 made their first contribution in google/go-cloud#3711
• @​LeSingh1 made their first contribution in google/go-cloud#3714
• @​troyready made their first contribution in google/go-cloud#3716
• @​peczenyj made their first contribution in google/go-cloud#3717

Full Changelog: google/go-cloud@v0.45.0...v0.46.0

Commits

• 60f0d74 all: prerelease
• a1725f0 blob/s3blob: migrate from deprecated s3/manager to s3/transfermanager (#3717)
• 7eadd65 aws: add AWS IAM Role assumption support (#3716)
• 054c82e postgres/awspostgres: add IAM authentication support (#3713)
• 2b85c85 docs: fix Pub/Sub subscribe wording (#3714)
• b9dee8d build: add top-level permissions restriction to tests workflow (#3711)
• 45a8cfc docstore: support unwrapping ActionListError for use with errors.Is (#3705)
• 78b5976 all: support typed errors and errors.Is for error codes (#3708)
• 595f8b6 all: update another otel dep (#3701)
• c903aef all: update otel deps (#3699)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[netlify]

✅ Deploy Preview for ossf-scorecard canceled.

Name	Link
🔨 Latest commit	7b6075b
🔍 Latest deploy log	https://app.netlify.com/projects/ossf-scorecard/deploys/6a1fa55eadf215000851f89e

[kusari-inspector]

Kusari Analysis Results:

Caution

Flagged Issues Detected
These changes contain flagged issues that may introduce security risks.

The code analysis returned zero issues — no security concerns, secrets, or workflow problems were identified in the changed files (go.mod, go.sum). However, the dependency analysis identified an active, unmitigated vulnerability that we strongly recommend addressing before merging. golang.org/x/net v0.53.0 carries CVE-2026-39821 (Privilege escalation via Punycode-encoded labels in golang.org/x/net/idna): the ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to ASCII-only labels (e.g., xn--example-.com resolving to example.com), which can enable privilege escalation in applications that perform hostname-based access control checks. This vulnerability is confirmed affected for this project — it is not marked as 'not-affected' by govulncheck. Since golang.org/x/net is a direct dependency of github.com/ossf/scorecard-webapp, the fix is straightforward: run 'go get golang.org/x/net@v0.55.0' and commit the updated go.mod and go.sum. All other flagged advisories (golang.org/x/crypto, golang.org/x/sys) are confirmed not-affected by govulncheck and require no action. The clean code analysis does not offset the active dependency vulnerability, as these are independent risk dimensions. We strongly recommend upgrading golang.org/x/net to v0.55.0 before merging.

Note

View full detailed analysis result for more information on the output and the checks that were run.

Required Dependency Mitigations

• golang.org/x/net (v0.53.0) - Active Vulnerability: CVE-2026-39821 (Privilege escalation via Punycode-encoded labels in golang.org/x/net/idna). The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to ASCII-only labels (e.g., xn--example-.com is accepted and converts to example.com), enabling privilege escalation in programs that perform access control checks on hostnames. This is NOT marked as not-affected for this project. Dependency path: github.com/ossf/scorecard-webapp -> golang.org/x/net (direct). A fix is available: run 'go get golang.org/x/net@v0.55.0' to resolve this. We strongly recommend addressing this before merging.

---

@kusari-inspector rerun - Trigger a re-analysis of this PR
@kusari-inspector feedback [your message] - Send feedback to our AI and team
See Kusari's documentation for setup and configuration.
Commit: 7b6075b, performed at: 2026-06-03T03:55:17Z

Found this helpful? Give it a 👍 or 👎 reaction!