From 21e4f5bc5de48fd88ac07778edfebe1e6eb6353a Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 26 Jun 2026 23:00:10 +0000
Subject: [PATCH 1/2] chore(deps): update docker-images

---
 deploy/docker-compose.caddy.yml | 2 +-
 deploy/docker-compose.yml | 2 +-
 deploy/relay/Dockerfile | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/deploy/docker-compose.caddy.yml b/deploy/docker-compose.caddy.yml
index fb85bef8..2112c448 100644
--- a/deploy/docker-compose.caddy.yml
+++ b/deploy/docker-compose.caddy.yml
@@ -3,7 +3,7 @@ services:
 caddy:
- image: caddy@sha256:25cdc846626b62d05f6b633b9b40c2c9f6ef89b515dc76133cefd920f7dbe562 # 2-alpine
+ image: caddy@sha256:af5fdcd76f2db5e4e974ee92f96ee8c0fc3edb55bd4ba5032547cbf3f65e486d # 2-alpine
 environment:
 DOMAIN: ${DOMAIN}
 ports:
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
index 190a9acc..dd8179b5 100644
--- a/deploy/docker-compose.yml
+++ b/deploy/docker-compose.yml
@@ -3,7 +3,7 @@ services:
 postgres:
- image: postgres@sha256:78481659c47e862334611ccdaf7c369c986b3046da9857112f3b309114a65fb4 # 17-alpine
+ image: postgres@sha256:4aabea78cf39b90e834caf3af7d602a18565f6fe2508705c8d01aa63245c2e20 # 17-alpine
 environment:
 POSTGRES_USER: micasa
 POSTGRES_DB: micasa
diff --git a/deploy/relay/Dockerfile b/deploy/relay/Dockerfile
index eb3fe414..de13c0f3 100644
--- a/deploy/relay/Dockerfile
+++ b/deploy/relay/Dockerfile
@@ -2,7 +2,7 @@
 # Licensed under the Apache License, Version 2.0
 # golang 1.26-alpine
-FROM golang@sha256:b54cbf583d390341599d7bcbc062425c081105cc5ef6d170ced98ef9d047c716 AS build
+FROM golang@sha256:32c0e6e5c4f6707717051091b4d0b077464a679eaab563e11474efc5328e2aa5 AS build
 ARG BUILD_TAGS
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -11,7 +11,7 @@ COPY . .
 RUN CGO_ENABLED=0 go build -trimpath ${BUILD_TAGS:+-tags "$BUILD_TAGS"} -o /relay ./cmd/relay
 # distroless static-debian12
-FROM gcr.io/distroless/static-debian12@sha256:20bc6c0bc4d625a22a8fde3e55f6515709b32055ef8fb9cfbddaa06d1760f838
+FROM gcr.io/distroless/static-debian12@sha256:9c346e4be81b5ca7ff31a0d89eaeade58b0f95cfd3baed1f36083ddb47ca3160
 COPY --from=build /relay /relay
 EXPOSE 8080
 ENTRYPOINT ["/relay"]

From 43c6de071854983739707e4824069bd51b5015e4 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Sun, 28 Jun 2026 08:04:29 -0400
Subject: [PATCH 2/2] ci: restore docker image update checks

PR 1001 was failing before the test matrix reached Go because apt still resolves Ubuntu's mirror-list host under the blocked harden-runner policy. Allow the mirror list and default archive hosts directly so the workflow keeps apt sources untouched while package installs can resolve the mirror it selects. The same run also exposed new stdlib advisories in govulncheck, so bump the scoped Go override to 1.26.4 until nixpkgs catches up. The branch also needs the StepSecurity TruffleHog wrapper because the org selected-actions policy no longer allows the old trufflesecurity action source.

---
 .github/workflows/ci.yml | 2 ++
 .github/workflows/security.yml | 3 ++-
 nix/overlay.nix | 12 +++++++-----
 3 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a3780785..c8ac2cd3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -80,9 +80,11 @@ jobs:
 allowed-endpoints: >
 api.github.com:443
 api.zippopotam.us:443
+ archive.ubuntu.com:80
 azure.archive.ubuntu.com:80
 esm.ubuntu.com:443
 github.com:443
+ mirrors.ubuntu.com:80
 packages.microsoft.com:443
 ports.ubuntu.com:80
 proxy.golang.org:443
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6c7d40eb..2bb69980 100644
--- a/.github/workflows/security.yml
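Review bot: Allowing mirrors.ubuntu.com:80 in allowed-endpoints only admits the mirror-list request; the mirror apt then picks from that list is a different host, and under a blocking egress policy it will still be refused unless it happens to be archive.ubuntu.com, azure.archive.ubuntu.com or ports.ubuntu.com, so this fix looks nondeterministic rather than complete. Both new entries are plain HTTP; apt's signed Release files still cover package integrity, but the list now deliberately admits unauthenticated egress, which deserves a comment beside the entries so the next reader does not tighten them back, e.g. `# apt mirror list + default archive over HTTP; integrity relies on apt signature checks`. If runs keep failing on an unlisted mirror, pinning the runner's sources.list to archive.ubuntu.com would be the deterministic fix, although the commit message says the sources are intentionally left untouched. The harden-runner step that owns this list starts before the hunk.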
+++ b/.github/workflows/security.yml
@@ -148,8 +148,9 @@ jobs:
 fetch-depth: 0
 persist-credentials: false
- - uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
+ - uses: step-security/trufflehog-action@8560b0deaa854dfe432084eaefa1dffbc1647a6b # v3.95.5
 with:
+ version: 3.95.5
 extra_args: --only-verified
 codeql:
diff --git a/nix/overlay.nix b/nix/overlay.nix
index 62325b74..71e07008 100644
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@@ -8,24 +8,26 @@ _final: prev: let
- # Scoped Go 1.26.3 override for micasa and its dev tools only.
+ # Scoped Go 1.26.4 override for micasa and its dev tools only.
 # NOT exported as go/go_1_26/buildGoModule — doing so rebuilds the
 # entire transitive closure from source (VHS → Chromium → PipeWire →
 # ffmpeg/gstreamer) because every Go derivation's input hash changes.
 #
- # 1.26.3 fixes six stdlib vulnerabilities flagged by govulncheck:
+ # 1.26.4 fixes stdlib vulnerabilities flagged by govulncheck:
 # GO-2026-4918 (net/http HTTP/2 SETTINGS frame infinite loop)
 # GO-2026-4971 (net Dial/LookupPort panic on NUL input on Windows)
 # GO-2026-4977 (net/mail consumePhrase DoS)
 # GO-2026-4980 (html/template empty
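Review bot: The added `version: 3.95.5` input implies the wrapper obtains the TruffleHog release at run time, which moves the trust anchor from the SHA-pinned action code to a version string plus whatever verification the wrapper applies to what it downloads; nothing in the hunk shows a checksum or signature check, so confirm the wrapper validates the fetched release (or accepts a digest input) before treating this as equivalent to the previous SHA-pinned trufflesecurity step. The version now lives in two places, the `# v3.95.5` comment on the uses line and the `version:` input, so a short comment should tie them together, e.g. `# scanner release fetched by the wrapper; keep aligned with the action tag comment above`. Unquoted `3.95.5` is a string on every parser, but a future two-component value such as `3.96` would be read as a float, so `version: "3.95.5"` is the more robust form. The step list and the enclosing job begin before the hunk.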