fix(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/github-script	action	minor	v7.0.1 -> v7.1.0
alpine	final	patch	3.22.1 -> 3.22.2
codecov/codecov-action	action	patch	v5.5.0 -> v5.5.1
docker/login-action	action	minor	v3.5.0 -> v3.6.0
github.com/docker/docker	require	minor	v28.3.3+incompatible -> v28.5.1+incompatible
github.com/gin-gonic/gin	require	minor	v1.10.1 -> v1.11.0
github.com/go-vela/server	require	patch	v0.27.1 -> v0.27.2
github.com/prometheus/client_golang	require	patch	v1.23.0 -> v1.23.2
github.com/urfave/cli/v3	require	minor	v3.4.1 -> v3.5.0
github/codeql-action	action	minor	v3.29.11 -> v3.31.0
golang.org/x/sync	require	minor	v0.16.0 -> v0.17.0
k8s.io/api	require	patch	v0.34.0 -> v0.34.1
k8s.io/apimachinery	require	patch	v0.34.0 -> v0.34.1
k8s.io/client-go	require	patch	v0.34.0 -> v0.34.1

---

Release Notes

actions/github-script (actions/github-script)

v7.1.0

Compare Source

What's Changed

• Upgrade husky to v9 by @​benelan in #​482
• Add workflow file for publishing releases to immutable action package by @​Jcambass in #​485
• Upgrade IA Publish by @​Jcambass in #​486
• Fix workflow status badges by @​joshmgross in #​497
• Update usage of actions/upload-artifact by @​joshmgross in #​512
• Clear up package name confusion by @​joshmgross in #​514
• Update dependencies with npm audit fix by @​joshmgross in #​515
• Specify that the used script is JavaScript by @​timotk in #​478
• chore: Add Dependabot for NPM and Actions by @​nschonni in #​472
• Define permissions in workflows and update actions by @​joshmgross in #​531
• chore: Add Dependabot for .github/actions/install-dependencies by @​nschonni in #​532
• chore: Remove .vscode settings by @​nschonni in #​533
• ci: Use github/setup-licensed by @​nschonni in #​473
• make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by @​iamstarkov in #​508
• Remove octokit README updates for v7 by @​joshmgross in #​557
• docs: add "exec" usage examples by @​neilime in #​546
• Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by @​dependabot[bot] in #​563
• Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by @​dependabot[bot] in #​575
• Clearly document passing inputs to the script by @​joshmgross in #​603
• Update README.md by @​nebuk89 in #​610

New Contributors

• @​benelan made their first contribution in #​482
• @​Jcambass made their first contribution in #​485
• @​timotk made their first contribution in #​478
• @​iamstarkov made their first contribution in #​508
• @​neilime made their first contribution in #​546
• @​nebuk89 made their first contribution in #​610

Full Changelog: actions/github-script@v7...v7.1.0

codecov/codecov-action (codecov/codecov-action)

v5.5.1

Compare Source

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in #​1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in #​1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in #​1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in #​1872
• docs: fix typo in README by @​datalater in #​1866
• Document a codecov-cli version reference example by @​webknjaz in #​1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in #​1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in #​1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

docker/login-action (docker/login-action)

v3.6.0

Compare Source

• Add registry-auth input for raw authentication to registries by @​crazy-max in #​887
• Bump @​aws-sdk/client-ecr to 3.890.0 in #​882 #​890
• Bump @​aws-sdk/client-ecr-public to 3.890.0 in #​882 #​890
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​883
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​880
• Bump undici from 5.28.4 to 5.29.0 in #​879
• Bump tmp from 0.2.3 to 0.2.4 in #​881

Full Changelog: docker/login-action@v3.5.0...v3.6.0

docker/docker (github.com/docker/docker)

v28.5.1+incompatible

Compare Source

v28.5.0+incompatible

Compare Source

v28.4.0+incompatible

Compare Source

gin-gonic/gin (github.com/gin-gonic/gin)

v1.11.0

Compare Source

Features

• feat(gin): Experimental support for HTTP/3 using quic-go/quic-go (#​3210)
• feat(form): add array collection format in form binding (#​3986), add custom string slice for form tag unmarshal (#​3970)
• feat(binding): add BindPlain (#​3904)
• feat(fs): Export, test and document OnlyFilesFS (#​3939)
• feat(binding): add support for unixMilli and unixMicro (#​4190)
• feat(form): Support default values for collections in form binding (#​4048)
• feat(context): GetXxx added support for more go native types (#​3633)

Enhancements

• perf(context): optimize getMapFromFormData performance (#​4339)
• refactor(tree): replace string(/) with "/" in node.insertChild (#​4354)
• refactor(render): remove headers parameter from writeHeader (#​4353)
• refactor(context): simplify "GetType()" functions (#​4080)
• refactor(slice): simplify SliceValidationError Error method (#​3910)
• refactor(context):Avoid using filepath.Dir twice in SaveUploadedFile (#​4181)
• refactor(context): refactor context handling and improve test robustness (#​4066)
• refactor(binding): use strings.Cut to replace strings.Index (#​3522)
• refactor(context): add an optional permission parameter to SaveUploadedFile (#​4068)
• refactor(context): verify URL is Non-nil in initQueryCache() (#​3969)
• refactor(context): YAML judgment logic in Negotiate (#​3966)
• tree: replace the self-defined 'min' to official one (#​3975)
• context: Remove redundant filepath.Dir usage (#​4181)

Bug Fixes

• fix: prevent middleware re-entry issue in HandleContext (#​3987)
• fix(binding): prevent duplicate decoding and add validation in decodeToml (#​4193)
• fix(gin): Do not panic when handling method not allowed on empty tree (#​4003)
• fix(gin): data race warning for gin mode (#​1580)
• fix(context): verify URL is Non-nil in initQueryCache() (#​3969)
• fix(context): YAML judgment logic in Negotiate (#​3966)
• fix(context): check handler is nil (#​3413)
• fix(readme): fix broken link to English documentation (#​4222)
• fix(tree): Keep panic infos consistent when wildcard type build faild (#​4077)

Build process updates / CI

• ci: integrate Trivy vulnerability scanning into CI workflow (#​4359)
• ci: support Go 1.25 in CI/CD (#​4341)
• build(deps): upgrade github.com/bytedance/sonic from v1.13.2 to v1.14.0 (#​4342)
• ci: add Go version 1.24 to GitHub Actions (#​4154)
• build: update Gin minimum Go version to 1.21 (#​3960)
• ci(lint): enable new linters (testifylint, usestdlibvars, perfsprint, etc.) (#​4010, #​4091, #​4090)
• ci(lint): update workflows and improve test request consistency (#​4126)

Dependency updates

• chore(deps): bump google.golang.org/protobuf from 1.36.6 to 1.36.9 (#​4346, #​4356)
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.1 (#​4347)
• chore(deps): bump actions/setup-go from 5 to 6 (#​4351)
• chore(deps): bump github.com/quic-go/quic-go from 0.53.0 to 0.54.0 (#​4328)
• chore(deps): bump golang.org/x/net from 0.33.0 to 0.38.0 (#​4178, #​4221)
• chore(deps): bump github.com/go-playground/validator/v10 from 10.20.0 to 10.22.1 (#​4052)

Documentation updates

• docs(changelog): update release notes for Gin v1.10.1 (#​4360)
• docs: Fixing English grammar mistakes and awkward sentence structure in doc/doc.md (#​4207)
• docs: update documentation and release notes for Gin v1.10.0 (#​3953)
• docs: fix typo in Gin Quick Start (#​3997)
• docs: fix comment and link issues (#​4205, #​3938)
• docs: fix route group example code (#​4020)
• docs(readme): add Portuguese documentation (#​4078)
• docs(context): fix some function names in comment (#​4079)

---

go-vela/server (github.com/go-vela/server)

v0.27.2

Compare Source

What's Changed

• fix(compiler): always include build repo in install and add VELA_GIT_TOKEN by @​ecrupper in #​1346
• fix(db/log): remove redundant service_id and step_id indices from log table by @​wass3r in #​1344
• fix(oidc): no trailing colon on non-action events in claim by @​ecrupper in #​1355

Full Changelog: go-vela/server@v0.27.1...v0.27.2

prometheus/client_golang (github.com/prometheus/client_golang)

v1.23.2: - 2025-09-05

Compare Source

This release is made to upgrade to prometheus/common v0.66.1, which drops the dependencies github.com/grafana/regexp and go.uber.org/atomic and replaces gopkg.in/yaml.v2 with go.yaml.in/yaml/v2 (a drop-in replacement). There are no functional changes.

All Changes

• [release-1.23] Upgrade to prometheus/common@​v0.66.1 by @​aknuds1 in #​1869
• [release-1.23] Cut v1.23.2 by @​aknuds1 in #​1870

Full Changelog: prometheus/client_golang@v1.23.1...v1.23.2

v1.23.1: - 2025-09-04

Compare Source

This release is made to be compatible with a backwards incompatible API change in prometheus/common v0.66.0. There are no functional changes.

All Changes

• [release-1.23] Upgrade to prometheus/common v0.66 by @​aknuds1 in #​1866
• [release-1.23] Cut v1.23.1 by @​aknuds1 in #​1867

Full Changelog: prometheus/client_golang@v1.23.0...v1.23.1

urfave/cli (github.com/urfave/cli/v3)

v3.5.0

Compare Source

What's Changed

• Update mkdocs reqs by @​meatballhat in #​2190
• Allow the user to stop processing flags after seeing N args by @​adrian-thurston in #​2163
• chore(deps): bump github.com/stretchr/testify from 1.10.0 to 1.11.0 by @​dependabot[bot] in #​2194
• chore(deps): bump mkdocs-material from 9.6.16 to 9.6.18 in the python-packages group by @​dependabot[bot] in #​2195
• chore(deps): bump actions/setup-go from 5 to 6 by @​dependabot[bot] in #​2198
• chore(deps): bump actions/setup-node from 4 to 5 by @​dependabot[bot] in #​2199
• chore(deps): bump actions/setup-python from 5 to 6 by @​dependabot[bot] in #​2200
• chore(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @​dependabot[bot] in #​2197
• chore(deps): bump mkdocs-material from 9.6.18 to 9.6.19 in the python-packages group by @​dependabot[bot] in #​2201
• chore(deps): bump mkdocs-material from 9.6.19 to 9.6.20 in the python-packages group by @​dependabot[bot] in #​2202
• feat: add name of argument into error message when parsing fails by @​oprudkyi in #​2203
• chore(deps): bump mkdocs-material from 9.6.20 to 9.6.21 in the python-packages group by @​dependabot[bot] in #​2204
• add space between arguments usage by @​dimfu in #​2207
• chore(deps): bump mkdocs-material from 9.6.21 to 9.6.22 in the python-packages group by @​dependabot[bot] in #​2213
• Fix: Make DefaultText behaviour consistent by @​dearchap in #​2214

New Contributors

• @​adrian-thurston made their first contribution in #​2163
• @​oprudkyi made their first contribution in #​2203
• @​dimfu made their first contribution in #​2207

Full Changelog: urfave/cli@v3.4.1...v3.5.0

github/codeql-action (github/codeql-action)

v3.31.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #​3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #​3222

See the full CHANGELOG.md for more information.

v3.30.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #​3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #​3204

See the full CHANGELOG.md for more information.

v3.30.8

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.8 - 10 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.7

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.7 - 06 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.6

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.6 - 02 Oct 2025

• Update default CodeQL bundle version to 2.23.2. #​3168

See the full CHANGELOG.md for more information.

v3.30.5

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.5 - 26 Sep 2025

• We fixed a bug that was introduced in 3.30.4 with upload-sarif which resulted in files without a .sarif extension not getting uploaded. #​3160

See the full CHANGELOG.md for more information.

v3.30.4

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.4 - 25 Sep 2025

• We have improved the CodeQL Action's ability to validate that the workflow it is used in does not use different versions of the CodeQL Action for different workflow steps. Mixing different versions of the CodeQL Action in the same workflow is unsupported and can lead to unpredictable results. A warning will now be emitted from the codeql-action/init step if different versions of the CodeQL Action are detected in the workflow file. Additionally, an error will now be thrown by the other CodeQL Action steps if they load a configuration file that was generated by a different version of the codeql-action/init step. #​3099 and #​3100
• We added support for reducing the size of dependency caches for Java analyses, which will reduce cache usage and speed up workflows. This will be enabled automatically at a later time. #​3107
• You can now run the latest CodeQL nightly bundle by passing tools: nightly to the init action. In general, the nightly bundle is unstable and we only recommend running it when directed by GitHub staff. #​3130
• Update default CodeQL bundle version to 2.23.1. #​3118

See the full CHANGELOG.md for more information.

v3.30.3

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.3 - 10 Sep 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.30.2

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.2 - 09 Sep 2025

• Fixed a bug which could cause language autodetection to fail. #​3084
• Experimental: The quality-queries input that was added in 3.29.2 as part of an internal experiment is now deprecated and will be removed in an upcoming version of the CodeQL Action. It has been superseded by a new analysis-kinds input, which is part of the same internal experiment. Do not use this in production as it is subject to change at any time. #​3064

See the full CHANGELOG.md for more information.

v3.30.1

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.1 - 05 Sep 2025

• Update default CodeQL bundle version to 2.23.0. #​3077

See the full CHANGELOG.md for more information.

v3.30.0

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.0 - 01 Sep 2025

• Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #​3054

See the full CHANGELOG.md for more information.

kubernetes/api (k8s.io/api)

v0.34.1

Compare Source

kubernetes/apimachinery (k8s.io/apimachinery)

v0.34.1

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.34.1

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 9 additional dependencies were updated

Details:

Package	Change
github.com/bytedance/sonic	v1.13.3 -> v1.14.0
github.com/bytedance/sonic/loader	v0.2.4 -> v0.3.0
github.com/cloudwego/base64x	v0.1.5 -> v0.1.6
github.com/go-playground/validator/v10	v10.26.0 -> v10.27.0
github.com/klauspost/cpuid/v2	v2.2.11 -> v2.3.0
github.com/prometheus/common	v0.65.0 -> v0.66.1
golang.org/x/arch	v0.18.0 -> v0.20.0
golang.org/x/net	v0.42.0 -> v0.43.0
google.golang.org/protobuf	v1.36.6 -> v1.36.9

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 52.72%. Comparing base (a32db6a) to head (3c11c7e).

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #660      +/-   ##
==========================================
- Coverage   58.16%   52.72%   -5.45%     
==========================================
  Files         123      123              
  Lines        8379     5354    -3025     
==========================================
- Hits         4874     2823    -2051     
+ Misses       3294     2320     -974     
  Partials      211      211              

see 102 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.