build(deps): update all non-major dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout	action	patch	v5.0.0 → v5.0.1
actions/dependency-review-action	action	minor	v4.7.1 → v4.8.2
actions/setup-go	action	minor	v5.5.0 → v5.6.0
alpine	final	minor	3.22.0 → 3.23.3
codecov/codecov-action	action	minor	v5.4.3 → v5.5.2
docker/build-push-action	action	minor	v6.18.0 → v6.19.2
docker/login-action	action	minor	v3.4.0 → v3.7.0
docker/metadata-action	action	minor	v5.7.0 → v5.10.0
docker/setup-buildx-action	action	minor	v3.11.0 → v3.12.0
docker/setup-qemu-action	action	minor	v3.6.0 → v3.7.0
github.com/cloudflare/cloudflare-go	require	minor	v0.115.0 → v0.116.0
github.com/google/go-querystring	require	minor	v1.1.0 → v1.2.0
github.com/hashicorp/go-retryablehttp	require	patch	v0.7.7 → v0.7.8
github.com/jellydator/ttlcache/v3	require	minor	v3.3.0 → v3.4.0
github.com/stretchr/testify	require	minor	v1.10.0 → v1.11.1
github/codeql-action	action	minor	v3.29.0 → v3.32.2
go.uber.org/mock	require	minor	v0.5.2 → v0.6.0
golang.org/x/net	require	minor	v0.41.0 → v0.50.0
golang.org/x/text	require	minor	v0.26.0 → v0.34.0
ossf/scorecard-action	action	patch	v2.4.2 → v2.4.3
sigstore/cosign-installer	action	minor	v3.8.2 → v3.10.1
step-security/harden-runner	action	minor	v2.12.1 → v2.14.2

---

Release Notes

actions/checkout (actions/checkout)

v5.0.1

Compare Source

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in #​2301

Full Changelog: actions/checkout@v5...v5.0.1

actions/dependency-review-action (actions/dependency-review-action)

v4.8.2

Compare Source

Minor fixes:

• Fix PURL parsing for scoped packages (#​1008 from @​danielhardej)
• Fix for large summaries (#​1007 from @​gitulisca)
• README includes a working example for allow-dependencies-licenses (#​1009 from @​danielhardej)

v4.8.1: Dependency Review Action v4.8.1

Compare Source

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in #​1000
• Bump version for 4.8.1 release by @​ahpook in #​1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

Compare Source

What's Changed

• Make Ruby Code Scannable by @​ljones140 in #​978
• Batch some contributions for release by @​brrygrdn in #​986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in #​978
• @​jasperkamerling made their first contribution in #​986
• @​MattMencel made their first contribution in #​986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

v4.7.4

Compare Source

v4.7.3: 4.7.3

Compare Source

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in #​966
• Claire153/fix spamming mentioned issue by @​claire153 in #​974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

v4.7.2: 4.7.2

Compare Source

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in #​945
• Deprecate deny lists by @​claire153 in #​958
• Address discrepancy between docs and reality by @​ahpook in #​960

New Contributors

• @​KyFaSt made their first contribution in #​945
• @​claire153 made their first contribution in #​958
• @​ahpook made their first contribution in #​960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

actions/setup-go (actions/setup-go)

v5.6.0

Compare Source

What's Changed

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​aparnajyothi-y in #​689

Full Changelog: actions/setup-go@v5...v5.6.0

codecov/codecov-action (codecov/codecov-action)

v5.5.2

Compare Source

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

Compare Source

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in #​1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in #​1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in #​1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in #​1872
• docs: fix typo in README by @​datalater in #​1866
• Document a codecov-cli version reference example by @​webknjaz in #​1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in #​1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in #​1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

Compare Source

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in #​1864
• Pin actions/github-script by Git SHA by @​martincostello in #​1859
• fix: check reqs exist by @​joseph-sentry in #​1835
• fix: Typo in README by @​spalmurray in #​1838
• docs: Refine OIDC docs by @​spalmurray in #​1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in #​1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

docker/build-push-action (docker/build-push-action)

v6.19.2

Compare Source

v6.19.1

Compare Source

v6.19.0

Compare Source

• Scope default git auth token to github.com by @​crazy-max in #​1451
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​1396
• Bump form-data from 2.5.1 to 2.5.5 in #​1391
• Bump js-yaml from 3.14.1 to 3.14.2 in #​1429
• Bump lodash from 4.17.21 to 4.17.23 in #​1446
• Bump tmp from 0.2.3 to 0.2.4 in #​1398
• Bump undici from 5.28.4 to 5.29.0 in #​1397

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

docker/login-action (docker/login-action)

v3.7.0

Compare Source

• Add scope input to set scopes for the authentication token by @​crazy-max in #​912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in #​914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in #​911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in #​915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

v3.6.0

Compare Source

• Add registry-auth input for raw authentication to registries by @​crazy-max in #​887
• Bump @​aws-sdk/client-ecr to 3.890.0 in #​882 #​890
• Bump @​aws-sdk/client-ecr-public to 3.890.0 in #​882 #​890
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​883
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​880
• Bump undici from 5.28.4 to 5.29.0 in #​879
• Bump tmp from 0.2.3 to 0.2.4 in #​881

Full Changelog: docker/login-action@v3.5.0...v3.6.0

v3.5.0

Compare Source

• Support dual-stack endpoints for AWS ECR by @​Spacefish @​crazy-max in #​874 #​876
• Bump @​aws-sdk/client-ecr to 3.859.0 in #​860 #​878
• Bump @​aws-sdk/client-ecr-public to 3.859.0 in #​860 #​878
• Bump @​docker/actions-toolkit from 0.57.0 to 0.62.1 in #​870
• Bump form-data from 2.5.1 to 2.5.5 in #​875

Full Changelog: docker/login-action@v3.4.0...v3.5.0

docker/metadata-action (docker/metadata-action)

v5.10.0

Compare Source

• Bump @​docker/actions-toolkit from 0.66.0 to 0.68.0 in #​559 #​569
• Bump js-yaml from 3.14.1 to 3.14.2 in #​564

Full Changelog: docker/metadata-action@v5.9.0...v5.10.0

v5.9.0

Compare Source

• Add tag-names output to return tag names without image base name by @​crazy-max in #​553
• Bump @​babel/runtime-corejs3 from 7.14.7 to 7.28.2 in #​539
• Bump @​docker/actions-toolkit from 0.62.1 to 0.66.0 in #​555
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​540
• Bump csv-parse from 5.6.0 to 6.1.0 in #​532
• Bump semver from 7.7.2 to 7.7.3 in in #​554
• Bump tmp from 0.2.3 to 0.2.5 in #​541

Full Changelog: docker/metadata-action@v5.8.0...v5.9.0

v5.8.0

Compare Source

• New is_not_default_branch global expression by @​crazy-max in #​535
• Allow to match part of the git tag or value for semver/pep440 types by @​crazy-max in #​536 #​537
• Bump @​actions/github from 6.0.0 to 6.0.1 in #​523
• Bump @​docker/actions-toolkit from 0.56.0 to 0.62.1 in #​526
• Bump form-data from 2.5.1 to 2.5.5 in #​533
• Bump moment-timezone from 0.5.47 to 0.6.0 in #​525
• Bump semver from 7.7.1 to 7.7.2 in #​524

Full Changelog: docker/metadata-action@v5.7.0...v5.8.0

docker/setup-buildx-action (docker/setup-buildx-action)

v3.12.0

Compare Source

• Deprecate install input by @​crazy-max in #​455
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​434
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​436
• Bump form-data from 2.5.1 to 2.5.5 in #​432
• Bump undici from 5.28.4 to 5.29.0 in #​435

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

v3.11.1

Compare Source

• Fix keep-state not being respected by @​crazy-max in #​429

Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1

docker/setup-qemu-action (docker/setup-qemu-action)

v3.7.0

Compare Source

• Bump @​docker/actions-toolkit from 0.56.0 to 0.67.0 in #​217 #​230
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​220
• Bump form-data from 2.5.1 to 2.5.5 in #​218
• Bump tmp from 0.2.3 to 0.2.4 in #​221
• Bump undici from 5.28.4 to 5.29.0 in #​219

Full Changelog: docker/setup-qemu-action@v3.6.0...v3.7.0

cloudflare/cloudflare-go (github.com/cloudflare/cloudflare-go)

v0.116.0

Compare Source

ENHANCEMENTS:

• access_service_tokens: Added graceful rotation support for client secrets (#​4189)

google/go-querystring (github.com/google/go-querystring)

v1.2.0

Compare Source

A lot of version bumps, though mostly actually of GitHub Actions that have nothing to do with the package itself.

Two minor code optimizations:

• code opt: prioritize handling boundary conditions by @​hcraM41 in #​149
• code opt: replace bytes.Buffer with strings.Builder by @​hcraM41 in #​151

Full Changelog: google/go-querystring@v1.1.0...v1.2.0

hashicorp/go-retryablehttp (github.com/hashicorp/go-retryablehttp)

v0.7.8

Compare Source

jellydator/ttlcache (github.com/jellydator/ttlcache/v3)

v3.4.0

Compare Source

What's Changed

• Export NewItem function by @​hasfjord in #​151
• Bump golang.org/x/sync from 0.8.0 to 0.9.0 by @​dependabot in #​156
• Bump github.com/stretchr/testify from 1.9.0 to 1.10.0 by @​dependabot in #​157
• feat: New WithMaxCost option for custom cache capacity management strategies by @​dadrus in #​152
• Bump golang.org/x/sync from 0.9.0 to 0.10.0 by @​dependabot in #​158
• fix Range (and RangeBackwards) mutex usage by @​iurii-ssv in #​164
• Make Cache.Get allocation-free by @​yiftachkarkason in #​162
• Bump golang.org/x/sync from 0.10.0 to 0.11.0 by @​dependabot in #​165
• Add GetOrSetFunc method by @​inpos in #​161
• Handle empty cache while using Range or RangeBackwards by @​davseby in #​176
• Allow subsequent calls to Start and Stop by @​davseby in #​177
• Add OnUpdate method and metrics by @​davseby in #​179
• Export NewItemWithOpts and bump go version in go.mod by @​swithek in #​180
• Bump golang.org/x/sync from 0.11.0 to 0.14.0 by @​dependabot in #​172
• fix: Deadlock during cost calculation by @​dadrus in #​173
• Rewrite expired items tests to ensure expiration for Windows by @​davseby in #​178
• Expose item cost by @​davseby in #​181
• Add examples folder with httpcache example by @​davseby in #​183
• Bump golang.org/x/sync from 0.14.0 to 0.15.0 by @​dependabot in #​182

New Contributors

• @​hasfjord made their first contribution in #​151
• @​dadrus made their first contribution in #​152
• @​iurii-ssv made their first contribution in #​164
• @​yiftachkarkason made their first contribution in #​162
• @​inpos made their first contribution in #​161

Full Changelog: jellydator/ttlcache@v3.3.0...v3.4.0

stretchr/testify (github.com/stretchr/testify)

v1.11.1

Compare Source

This release fixes #​1785 introduced in v1.11.0 where expected argument values implementing the stringer interface (String() string) with a method which mutates their value, when passed to mock.Mock.On (m.On("Method", <expected>).Return()) or actual argument values passed to mock.Mock.Called may no longer match one another where they previously did match. The behaviour prior to v1.11.0 where the stringer is always called is restored. Future testify releases may not call the stringer method at all in this case.

What's Changed

• Backport #​1786 to release/1.11: mock: revert to pre-v1.11.0 argument matching behavior for mutating stringers by @​brackendawson in #​1788

Full Changelog: stretchr/testify@v1.11.0...v1.11.1

v1.11.0

Compare Source

What's Changed

Functional Changes

v1.11.0 Includes a number of performance improvements.

• Call stack perf change for CallerInfo by @​mikeauclair in #​1614
• Lazily render mock diff output on successful match by @​mikeauclair in #​1615
• assert: check early in Eventually, EventuallyWithT, and Never by @​cszczepaniak in #​1427
• assert: add IsNotType by @​bartventer in #​1730
• assert.JSONEq: shortcut if same strings by @​dolmen in #​1754
• assert.YAMLEq: shortcut if same strings by @​dolmen in #​1755
• assert: faster and simpler isEmpty using reflect.Value.IsZero by @​dolmen in #​1761
• suite: faster methods filtering (internal refactor) by @​dolmen in #​1758

Fixes

• assert.ErrorAs: log target type by @​craig65535 in #​1345
• Fix failure message formatting for Positive and Negative asserts in #​1062
• Improve ErrorIs message when error is nil but an error was expected by @​tsioftas in #​1681
• fix Subset/NotSubset when calling with mixed input types by @​siliconbrain in #​1729
• Improve ErrorAs failure message when error is nil by @​ccoVeille in #​1734
• mock.AssertNumberOfCalls: improve error msg by @​3scalation in #​1743

Documentation, Build & CI

• docs: Fix typo in README by @​alexandear in #​1688
• Replace deprecated io/ioutil with io and os by @​alexandear in #​1684
• Document consequences of calling t.FailNow() by @​greg0ire in #​1710
• chore: update docs for Unset #​1621 by @​techfg in #​1709
• README: apply gofmt to examples by @​alexandear in #​1687
• refactor: use %q and %T to simplify fmt.Sprintf by @​alexandear in #​1674
• Propose Christophe Colombier (ccoVeille) as approver by @​brackendawson in #​1716
• Update documentation for the Error function in assert or require package by @​architagr in #​1675
• assert: remove deprecated build constraints by @​alexandear in #​1671
• assert: apply gofumpt to internal test suite by @​ccoVeille in #​1739
• CI: fix shebang in .ci.*.sh scripts by @​dolmen in #​1746
• assert,require: enable parallel testing on (almost) all top tests by @​dolmen in #​1747
• suite.Passed: add one more status test report by @​Ararsa-Derese in #​1706
• Add Helper() method in internal mocks and assert.CollectT by @​dolmen in #​1423
• assert.Same/NotSame: improve usage of Sprintf by @​ccoVeille in #​1742
• mock: enable parallel testing on internal testsuite by @​dolmen in #​1756
• suite: cleanup use of 'testing' internals at runtime by @​dolmen in #​1751
• assert: check test failure message for Empty and NotEmpty by @​ccoVeille in #​1745
• deps: fix dependency cycle with objx (again) by @​dolmen in #​1567
• assert.Empty: comprehensive doc of "Empty"-ness rules by @​dolmen in #​1753
• doc: improve godoc of top level 'testify' package by @​dolmen in #​1760
• assert.ErrorAs: simplify retrieving the type name by @​ccoVeille in #​1740
• assert.EqualValues: improve test coverage to 100% by @​dolmen in #​1763
• suite.Run: simplify running of Setup/TeardownSuite by @​renzoarreaza in #​1769
• assert.CallerInfo: micro optimization by using LastIndexByte by @​dolmen in #​1767
• assert.CallerInfo: micro cleanup by @​dolmen in #​1768
• assert: refactor TestFileExists and TestDirExists tests to enable parallel testing by @​dolmen in #​1766
• suite.Run: refactor handling of stats for improved readability by @​dolmen in #​1764
• tests: improve captureTestingT helper by @​ccoVeille in #​1741
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in #​1778

New Contributors

• @​greg0ire made their first contribution in #​1710
• @​techfg made their first contribution in #​1709
• @​mikeauclair made their first contribution in #​1614
• @​cszczepaniak made their first contribution in #​1427
• @​architagr made their first contribution in #​1675
• @​tsioftas made their first contribution in #​1681
• @​siliconbrain made their first contribution in #​1729
• @​bartventer made their first contribution in #​1730
• @​Ararsa-Derese made their first contribution in #​1706
• @​renzoarreaza made their first contribution in #​1769
• @​3scalation made their first contribution in #​1743

Full Changelog: stretchr/testify@v1.10.0...v1.11.0

github/codeql-action (github/codeql-action)

v3.32.2

Compare Source

• Update default CodeQL bundle version to 2.24.1. #​3460

v3.32.1

Compare Source

• A warning is now shown in Default Setup workflow logs if a private package registry is configured using a GitHub Personal Access Token (PAT), but no username is configured. #​3422
• Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. #​3421

v3.32.0

Compare Source

• Update default CodeQL bundle version to 2.24.0. #​3425

v3.31.11

Compare Source

• When running a Default Setup workflow with Actions debugging enabled, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. #​3409
• Improved error handling throughout the CodeQL Action. #​3415
• Added experimental support for automatically excluding generated files from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. #​3318
• The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. #​3403

v3.31.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.10 - 12 Jan 2026

• Update default CodeQL bundle version to 2.23.9. #​3393

See the full CHANGELOG.md for more information.

v3.31.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.9 - 16 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #​3354

See the full CHANGELOG.md for more information.

v3.31.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #​3343

See the full CHANGELOG.md for more information.

v3.31.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #​3321

See the full CHANGELOG.md for more information.

v3.31.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.4 - 18 Nov 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.3 - 13 Nov 2025

• CodeQL Action v3 will be deprecated in December 2026. The Action now logs a warning for customers who are running v3 but could be running v4. For more information, see Upcoming deprecation of CodeQL Action v3.
• Update default CodeQL bundle version to 2.23.5. #​3288

See the full CHANGELOG.md for more information.

v3.31.2

Compare Source

v3.31.1

Compare Source

[v3.31.0](https://redirect.github.c

---

Configuration

📅 Schedule: Branch creation - "on the first day instance on friday after 9pm" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
golang.org/x/sync	v0.15.0 -> v0.19.0
golang.org/x/sys	v0.33.0 -> v0.39.0

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.80%. Comparing base (61655d4) to head (a93889b).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1064      +/-   ##
==========================================
+ Coverage   94.99%   95.80%   +0.80%     
==========================================
  Files          61       61              
  Lines        3397     2859     -538     
==========================================
- Hits         3227     2739     -488     
+ Misses        158      108      -50     
  Partials       12       12              

Flag	Coverage Δ
unittests	95.80% <ø> (+0.80%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
golang.org/x/sync	v0.15.0 -> v0.19.0
golang.org/x/sys	v0.33.0 -> v0.41.0