chore: Go 1.26.3, Dependabot policy, and routine dependency bumps by digitallysavvy · Pull Request #15 · AgoraIO/cli

digitallysavvy · 2026-05-15T11:14:07Z

This PR batches maintenance work so CI stays green and dependency churn is safer going forward.

Go toolchain

Set go in go.mod to 1.26.3 and run go mod tidy. This addresses GO-2026-4971 and GO-2026-4918 in the standard library so govulncheck ./... no longer fails on reachable traces from this repo. Workflows already use go-version-file: go.mod, so no workflow changes are required for the toolchain.

Dependabot

Add cooldown for version updates (patch 7 / minor 14 / major 30 days) on gomod, npm (wrapper manifest only), and github-actions. Security advisories still open Dependabot security PRs immediately; cooldown applies only to version bumps.
ignore agoraio-cli-* under packaging/npm/agoraio-cli so Dependabot does not propose bumps to platform optionalDependencies, which are intentionally 0.0.0-dev in git and stamped at release.

Dependency updates (from Dependabot / aligned bumps)

Go: github.com/spf13/cobra 1.10.2, github.com/spf13/pflag 1.0.10, golang.org/x/term 0.43.0 (and any ensuing go.sum / indirect updates from go mod tidy).
Actions: e.g. actions/checkout v6, actions/setup-node v6, actions/deploy-pages v5, docker/login-action / docker/setup-buildx-action / docker/setup-qemu-action v4 (exact set per diff).

go mod tidy
make test / go test ./...
govulncheck ./...
Confirm Pages and release workflows still succeed if Actions versions changed (especially setup-node caching behavior and deploy-pages + upload-pages-artifact pairing).

digitallysavvy added 4 commits May 13, 2026 10:15

added cooldown delays for dependancy updates

9245fb7

updated go to 1.26.3

edbb792

added min wait time before updating deps

237f3db

updated deps

58ec151

digitallysavvy merged commit 3715e64 into main May 15, 2026
7 checks passed

digitallysavvy deleted the sec/workflows branch May 15, 2026 11:22

Provide feedback