micasa-dev · cpcloud · Jun 28, 2026 · Jun 26, 2026 · Jun 28, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -80,9 +80,11 @@ jobs:
           allowed-endpoints: >
             api.github.com:443
             api.zippopotam.us:443
+            archive.ubuntu.com:80
             azure.archive.ubuntu.com:80
             esm.ubuntu.com:443
             github.com:443
+            mirrors.ubuntu.com:80
             packages.microsoft.com:443
             ports.ubuntu.com:80
             proxy.golang.org:443

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
@@ -148,8 +148,9 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
+      - uses: step-security/trufflehog-action@8560b0deaa854dfe432084eaefa1dffbc1647a6b # v3.95.5
         with:
+          version: 3.95.5
           extra_args: --only-verified
 
   codeql:

diff --git a/deploy/docker-compose.caddy.yml b/deploy/docker-compose.caddy.yml
@@ -3,7 +3,7 @@
 
 services:
   caddy:
-    image: caddy@sha256:25cdc846626b62d05f6b633b9b40c2c9f6ef89b515dc76133cefd920f7dbe562 # 2-alpine
+    image: caddy@sha256:af5fdcd76f2db5e4e974ee92f96ee8c0fc3edb55bd4ba5032547cbf3f65e486d # 2-alpine
     environment:
       DOMAIN: ${DOMAIN}
     ports:

diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
@@ -3,7 +3,7 @@
 
 services:
   postgres:
-    image: postgres@sha256:78481659c47e862334611ccdaf7c369c986b3046da9857112f3b309114a65fb4 # 17-alpine
+    image: postgres@sha256:4aabea78cf39b90e834caf3af7d602a18565f6fe2508705c8d01aa63245c2e20 # 17-alpine
     environment:
       POSTGRES_USER: micasa
       POSTGRES_DB: micasa

diff --git a/deploy/relay/Dockerfile b/deploy/relay/Dockerfile
@@ -2,7 +2,7 @@
 # Licensed under the Apache License, Version 2.0
 
 # golang 1.26-alpine
-FROM golang@sha256:b54cbf583d390341599d7bcbc062425c081105cc5ef6d170ced98ef9d047c716 AS build
+FROM golang@sha256:32c0e6e5c4f6707717051091b4d0b077464a679eaab563e11474efc5328e2aa5 AS build
 ARG BUILD_TAGS
 WORKDIR /src
 COPY go.mod go.sum ./
@@ -11,7 +11,7 @@ COPY . .
 RUN CGO_ENABLED=0 go build -trimpath ${BUILD_TAGS:+-tags "$BUILD_TAGS"} -o /relay ./cmd/relay
 
 # distroless static-debian12
-FROM gcr.io/distroless/static-debian12@sha256:20bc6c0bc4d625a22a8fde3e55f6515709b32055ef8fb9cfbddaa06d1760f838
+FROM gcr.io/distroless/static-debian12@sha256:9c346e4be81b5ca7ff31a0d89eaeade58b0f95cfd3baed1f36083ddb47ca3160
 COPY --from=build /relay /relay
 EXPOSE 8080
 ENTRYPOINT ["/relay"]
diff --git a/nix/overlay.nix b/nix/overlay.nix
@@ -8,24 +8,26 @@
 
 _final: prev:
 let
-  # Scoped Go 1.26.3 override for micasa and its dev tools only.
+  # Scoped Go 1.26.4 override for micasa and its dev tools only.
   # NOT exported as go/go_1_26/buildGoModule — doing so rebuilds the
   # entire transitive closure from source (VHS → Chromium → PipeWire →
   # ffmpeg/gstreamer) because every Go derivation's input hash changes.
   #
-  # 1.26.3 fixes six stdlib vulnerabilities flagged by govulncheck:
+  # 1.26.4 fixes stdlib vulnerabilities flagged by govulncheck:
   #   GO-2026-4918 (net/http HTTP/2 SETTINGS frame infinite loop)
   #   GO-2026-4971 (net Dial/LookupPort panic on NUL input on Windows)
   #   GO-2026-4977 (net/mail consumePhrase DoS)
   #   GO-2026-4980 (html/template empty <script type=> escape bug)
   #   GO-2026-4982 (html/template <meta> URL escape gap)
   #   GO-2026-4986 (net/mail parsing CPU/memory exhaustion)
-  # Drop this override once nixpkgs picks up Go 1.26.3.
+  #   GO-2026-5037
+  #   GO-2026-5039
+  # Drop this override once nixpkgs picks up Go 1.26.4.
   patchedGo = prev.go_1_26.overrideAttrs (_: rec {
-    version = "1.26.3";
+    version = "1.26.4";
     src = prev.fetchurl {
       url = "https://go.dev/dl/go${version}.src.tar.gz";
-      hash = "sha256-HGRoddCqh5kTMYTtV895/yS97+jIggRwYCqdPW2Rkrg=";
+      hash = "sha256-T2aKMvv8ETLmqIH7lowvHa2mMUkqM5IRc1+7JVpCYC0=";
     };
   });
 in