From c9b1d8bdd57e674c7962d96f2115fabf3a1acacf Mon Sep 17 00:00:00 2001 From: Adrian Brad Date: Tue, 21 Apr 2026 12:31:57 +0300 Subject: [PATCH 1/6] docs(readme): bust OpenSSF badge cache (?v=1) (#65) --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 492ce4e..85134a1 100644 --- a/README.md +++ b/README.md @@ -9,7 +9,7 @@ [![Go Report Card](https://goreportcard.com/badge/github.com/adrianbrad/queue)](https://goreportcard.com/report/github.com/adrianbrad/queue) [![codecov](https://codecov.io/gh/adrianbrad/queue/branch/main/graph/badge.svg)](https://codecov.io/gh/adrianbrad/queue) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/adrianbrad/queue/badge)](https://scorecard.dev/viewer/?uri=github.com/adrianbrad/queue) -[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12607/badge)](https://www.bestpractices.dev/projects/12607) +[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/12607/badge?v=1)](https://www.bestpractices.dev/projects/12607) [![lint-test](https://github.com/adrianbrad/queue/actions/workflows/lint-test.yaml/badge.svg)](https://github.com/adrianbrad/queue/actions?query=workflow%3Alint-test) [![grype](https://github.com/adrianbrad/queue/actions/workflows/grype.yaml/badge.svg)](https://github.com/adrianbrad/queue/actions?query=workflow%3Agrype) From cd54c18dfb002cf5bd36da9324df9291306fbe63 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 11:33:11 +0300 Subject: [PATCH 2/6] build(deps): bump github/codeql-action from 4.30.8 to 4.35.2 (#68) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.30.8 to 4.35.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/f443b600d91635bebf5b0d9ebc620189c0d6fba5...95e58e9a2cdfd71adc6e0353d5c52f41a045d225) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/codeql.yaml | 6 +++--- .github/workflows/scorecard.yaml | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml index 98988cb..d58c3a8 100644 --- a/.github/workflows/codeql.yaml +++ b/.github/workflows/codeql.yaml @@ -25,12 +25,12 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Initialize CodeQL - uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 + uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: languages: go - name: Autobuild - uses: github/codeql-action/autobuild@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 + uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 + uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 1b338db..3a112c6 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: Upload to code-scanning - uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8 + uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 with: sarif_file: results.sarif From b88c9a58b55fc329d865c73c64dcae2c19eaad92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 11:34:46 +0300 Subject: [PATCH 3/6] build(deps): bump actions/upload-artifact from 4.6.2 to 7.0.1 (#67) Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 7.0.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Adrian Brad --- .github/workflows/scorecard.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml index 3a112c6..b98921e 100644 --- a/.github/workflows/scorecard.yaml +++ b/.github/workflows/scorecard.yaml @@ -33,7 +33,7 @@ jobs: publish_results: true - name: Upload artifact - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 with: name: SARIF file path: results.sarif 
From f9a51a07d23e11d4ea7ac63fc3a165f9e8d26442 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 27 Apr 2026 11:37:14 +0300 Subject: [PATCH 4/6] build(deps): bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 (#66) Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 7.1.0 to 7.2.1. - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c...1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8) --- updated-dependencies: - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Adrian Brad --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 25eed8f..ac5c83c 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -38,7 +38,7 @@ jobs: uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 - name: Run goreleaser - uses: goreleaser/goreleaser-action@e24998b8b67b290c2fa8b7c14fcfa7de2c5c9b8c # v7.1.0 + uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1 with: distribution: goreleaser version: "~> v2" From bd5cdf3deab2cf54e1c6500d3023903218ad7140 Mon Sep 17 00:00:00 2001 
From: Adrian Brad Date: Mon, 27 Apr 2026 11:46:17 +0300 Subject: [PATCH 5/6] ci(dependabot): group minor and patch updates into a single PR (#69) Bundle GitHub Actions and Go module minor/patch bumps into one weekly PR per ecosystem. Major versions still open individual PRs so breaking changes get isolated review. Also extend the auto-merge gate to allow grouped PRs (which have an empty `update-type` and a populated `dependency-group`). Co-authored-by: Claude Opus 4.7 (1M context) --- .github/dependabot.yaml | 16 +++++++++++++++- .github/workflows/dependabot-auto-merge.yaml | 4 ++-- 2 files changed, 17 insertions(+), 3 deletions(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 0c820ec..4511654 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -10,6 +10,13 @@ updates: prefix: "build(deps)" reviewers: - "adrianbrad" + groups: + go-modules: + patterns: + - "*" + update-types: + - "minor" + - "patch" - package-ecosystem: github-actions directory: "/" @@ -20,4 +27,11 @@ updates: commit-message: prefix: "build(deps)" reviewers: - - "adrianbrad" \ No newline at end of file + - "adrianbrad" + groups: + github-actions: + patterns: + - "*" + update-types: + - "minor" + - "patch" \ No newline at end of file diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml index f605053..849bef4 100644 --- a/.github/workflows/dependabot-auto-merge.yaml +++ b/.github/workflows/dependabot-auto-merge.yaml 
@@ -21,14 +21,14 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Approve PR - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.dependency-group != '' run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Enable auto-merge - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.dependency-group != '' run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} From f5161681c8f15ff08bf22eca3da145a841dd9498 Mon Sep 17 00:00:00 2001 From: adrianbrad Date: Mon, 27 Apr 2026 11:50:20 +0300 Subject: [PATCH 6/6] Revert "ci(dependabot): group minor and patch updates into a single PR (#69)" This reverts commit bd5cdf3deab2cf54e1c6500d3023903218ad7140. --- .github/dependabot.yaml | 16 +--------------- .github/workflows/dependabot-auto-merge.yaml | 4 ++-- 2 files changed, 3 insertions(+), 17 deletions(-) diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml index 4511654..0c820ec 100644 --- a/.github/dependabot.yaml +++ b/.github/dependabot.yaml @@ -10,13 +10,6 @@ updates: prefix: "build(deps)" reviewers: - "adrianbrad" - groups: - go-modules: - patterns: - - "*" - update-types: - - "minor" - - "patch" - package-ecosystem: github-actions directory: "/" 
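Review bot: In PATCH 5/6, the added `|| steps.metadata.outputs.dependency-group != ''` clause on the `Approve PR` and `Enable auto-merge` steps of dependabot-auto-merge.yaml approves and merges any grouped PR without checking its semver level. Major bumps are then kept out only by the `update-types` lists in .github/dependabot.yaml, so a group added there later without that list would be squash-merged with no human review. Matching the two known groups keeps the gate self-contained: `steps.metadata.outputs.dependency-group == 'go-modules' || steps.metadata.outputs.dependency-group == 'github-actions'`. The job-level conditions lie outside the hunk, so it cannot be confirmed from here whether the job is limited to Dependabot-authored PRs. PATCH 6/6 reverts this change, so the point applies if grouping is reintroduced.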
@@ -27,11 +20,4 @@ updates: commit-message: prefix: "build(deps)" reviewers: - - "adrianbrad" - groups: - github-actions: - patterns: - - "*" - update-types: - - "minor" - - "patch" \ No newline at end of file + - "adrianbrad" \ No newline at end of file diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml index 849bef4..f605053 100644 --- a/.github/workflows/dependabot-auto-merge.yaml +++ b/.github/workflows/dependabot-auto-merge.yaml @@ -21,14 +21,14 @@ jobs: github-token: ${{ secrets.GITHUB_TOKEN }} - name: Approve PR - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.dependency-group != '' + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr review --approve "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }} GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Enable auto-merge - if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' || steps.metadata.outputs.dependency-group != '' + if: steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor' run: gh pr merge --auto --squash "$PR_URL" env: PR_URL: ${{ github.event.pull_request.html_url }}