From e398fed4532e0c6939f2315d3c6b1844abd91423 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 24 Jun 2026 05:09:26 +0000
Subject: [PATCH 1/9] chore(deps): update github-actions
---
 .github/workflows/ci.yml | 46 ++++++++++++------------
 .github/workflows/lint.yml | 32 ++++++++---------
 .github/workflows/pages.yml | 6 ++--
 .github/workflows/release.yml | 12 +++---
 .github/workflows/scheduled-release.yml | 6 ++--
 .github/workflows/security.yml | 34 +++++++++---------
 .github/workflows/update-vendor-hash.yml | 12 +++---
 7 files changed, 74 insertions(+), 74 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a3780785..67bc0bfa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs:
 ci: ${{ steps.detect.outputs.ci }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -35,7 +35,7 @@ jobs:
 api.github.com:443
 github.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 sparse-checkout: .github/detect-ci-changes.bash
 sparse-checkout-cone-mode: false
@@ -72,7 +72,7 @@ jobs:
 - windows-11-arm
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -91,11 +91,11 @@ jobs:
 storage.googleapis.com:443
 us-west-2.ec2.archive.ubuntu.com:80
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
@@ -243,7 +243,7 @@ jobs:
 --health-retries 5
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -255,11 +255,11 @@ jobs:
 release-assets.githubusercontent.com:443
 storage.googleapis.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
@@ -285,7 +285,7 @@ jobs:
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -298,11 +298,11 @@ jobs:
 release-assets.githubusercontent.com:443
 storage.googleapis.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
@@ -319,7 +319,7 @@ jobs:
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -333,11 +333,11 @@ jobs:
 releases.nixos.org:443
 storage.googleapis.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5
+ - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Build with Nix
 run: nix build '.#micasa'
@@ -352,7 +352,7 @@ jobs:
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -363,11 +363,11 @@ jobs:
 github.com:443
 releases.nixos.org:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5
+ - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Build docs
 run: nix run '.#docs'
@@ -383,7 +383,7 @@ jobs:
 runs-on: blacksmith-2vcpu-ubuntu-2404
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -394,7 +394,7 @@ jobs:
 github.com:443
 registry.npmjs.org:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 fetch-depth: 0
 persist-credentials: false
@@ -419,7 +419,7 @@ jobs:
 build_tags: ["", "selfhosted"]
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -441,12 +441,12 @@ jobs:
 storage.googleapis.com:443
 sum.golang.org:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
 - name: Setup Blacksmith Builder
- uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
+ uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
 - name: Build relay image${{ matrix.build_tags && format(' ({0})', matrix.build_tags) }}
 run: docker build --build-arg BUILD_TAGS=${{ matrix.build_tags }} -f deploy/relay/Dockerfile .
@@ -463,7 +463,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: block
 disable-telemetry: true
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index c5170192..add86fec 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -21,7 +21,7 @@ jobs:
 ci: ${{ steps.detect.outputs.ci }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -31,7 +31,7 @@ jobs:
 api.github.com:443
 github.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 sparse-checkout: .github/detect-ci-changes.bash
 sparse-checkout-cone-mode: false
@@ -61,7 +61,7 @@ jobs:
 CGO_ENABLED: "0"
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -75,11 +75,11 @@ jobs:
 storage.googleapis.com:443
 sum.golang.org:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
@@ -106,7 +106,7 @@ jobs:
 CGO_ENABLED: "0"
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -122,16 +122,16 @@ jobs:
 release-assets.githubusercontent.com:443
 storage.googleapis.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
 - name: Run golangci-lint
- uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+ uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
 pre-commit:
 name: Pre-commit
@@ -143,7 +143,7 @@ jobs:
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -156,12 +156,12 @@ jobs:
 releases.nixos.org:443
 storage.googleapis.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 fetch-depth: 0
 persist-credentials: false
- - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5
+ - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Run pre-commit hooks
 env:
@@ -180,7 +180,7 @@ jobs:
 CGO_ENABLED: "0"
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -195,11 +195,11 @@ jobs:
 storage.googleapis.com:443
 sum.golang.org:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
@@ -213,7 +213,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: block
 disable-telemetry: true
diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
index 2e02e03b..d8e14c8e 100644
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -31,7 +31,7 @@ jobs:
 url: ${{ steps.deployment.outputs.page_url }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -42,13 +42,13 @@ jobs:
 github.com:443
 releases.nixos.org:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
 - uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6.0.0
- - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5
+ - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Build docs
 run: nix run '.#docs'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6056b583..f93f13f0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,18 +32,18 @@ jobs:
 packages: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: audit
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 ref: ${{ github.event.release.tag_name || inputs.tag }}
 fetch-depth: 0
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
@@ -51,7 +51,7 @@ jobs:
 # of pre-built CGO_ENABLED=0 binaries. Buildx assembles the multi-arch
 # manifest without emulation.
 - name: Setup Blacksmith Builder
- uses: useblacksmith/setup-docker-builder@ac083cc84672d01c60d5e8561d0a939b697de542 # v1
+ uses: useblacksmith/setup-docker-builder@ab5c1da94f53f5cd75c1038092aa276dddfccbba # v1
 # useblacksmith/setup-docker-builder drops buildkitd.toml in the repo
 # root, which trips goreleaser's dirty-state check. Exclude it locally
@@ -60,7 +60,7 @@ jobs:
 - name: Ignore buildkitd.toml locally
 run: echo buildkitd.toml >> .git/info/exclude
- - uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
@@ -86,7 +86,7 @@ jobs:
 echo "value=false" >> "$GITHUB_OUTPUT"
 fi
- - uses: goreleaser/goreleaser-action@1a80836c5c9d9e5755a25cb59ec6f45a3b5f41a8 # v7.2.1
+ - uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 # v7.2.2
 with:
 version: "v2.13.3"
 args: release --clean
diff --git a/.github/workflows/scheduled-release.yml b/.github/workflows/scheduled-release.yml
index ce8a5232..06cbf07a 100644
--- a/.github/workflows/scheduled-release.yml
+++ b/.github/workflows/scheduled-release.yml
@@ -24,7 +24,7 @@ jobs:
 contents: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: audit
@@ -32,12 +32,12 @@ jobs:
 - name: Generate app token
 id: app-token
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 with:
 client-id: ${{ secrets.APP_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 fetch-depth: 0
 token: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 6c7d40eb..80985c7c 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -21,7 +21,7 @@ jobs:
 ci: ${{ steps.detect.outputs.ci }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -31,7 +31,7 @@ jobs:
 api.github.com:443
 github.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 sparse-checkout: .github/detect-ci-changes.bash
 sparse-checkout-cone-mode: false
@@ -59,7 +59,7 @@ jobs:
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -73,11 +73,11 @@ jobs:
 storage.googleapis.com:443
 vuln.go.dev:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5
+ - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Run govulncheck
 run: nix run '.#govulncheck'
@@ -94,7 +94,7 @@ jobs:
 CGO_ENABLED: "0"
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -109,11 +109,11 @@ jobs:
 storage.googleapis.com:443
 sum.golang.org:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
@@ -133,7 +133,7 @@ jobs:
 cancel-in-progress: ${{ github.event_name == 'pull_request' }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -143,12 +143,12 @@ jobs:
 github.com:443
 pkg-containers.githubusercontent.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 fetch-depth: 0
 persist-credentials: false
- - uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2
+ - uses: trufflesecurity/trufflehog@30d5bb91af1a771378349dbbb0c82129392acf70 # v3.95.6
 with:
 extra_args: --only-verified
@@ -167,7 +167,7 @@ jobs:
 CGO_ENABLED: "0"
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -180,16 +180,16 @@ jobs:
 release-assets.githubusercontent.com:443
 storage.googleapis.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 persist-credentials: false
- - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+ - uses: actions/setup-go@924ae3a1cded613372ab5595356fb5720e22ba16 # v6.5.0
 with:
 go-version: "1.26"
 - name: Initialize CodeQL
- uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 languages: go
 build-mode: manual
@@ -198,7 +198,7 @@ jobs:
 run: go build ./...
 - name: Perform CodeQL analysis
- uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+ uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 result:
 name: Security Result
@@ -207,7 +207,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: block
 disable-telemetry: true
diff --git a/.github/workflows/update-vendor-hash.yml b/.github/workflows/update-vendor-hash.yml
index aa323959..3f3f84c8 100644
--- a/.github/workflows/update-vendor-hash.yml
+++ b/.github/workflows/update-vendor-hash.yml
@@ -22,7 +22,7 @@ jobs:
 needed: ${{ steps.check.outputs.needed }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -30,7 +30,7 @@ jobs:
 allowed-endpoints: >
 github.com:443
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 ref: ${{ github.head_ref }}
 fetch-depth: 0
@@ -60,7 +60,7 @@ jobs:
 contents: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 deploy-on-self-hosted-vm: true
 egress-policy: block
@@ -77,18 +77,18 @@ jobs:
 - name: Generate app token
 id: app-token
- uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 with:
 client-id: ${{ secrets.APP_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
 with:
 ref: ${{ github.head_ref }}
 fetch-depth: 0
 token: ${{ steps.app-token.outputs.token }}
- - uses: cachix/install-nix-action@ab739621df7a23f52766f9ccc97f38da6b7af14f # v31.10.5
+ - uses: cachix/install-nix-action@8aa03977d8d733052d78f4e008a241fd1dbf36b3 # v31.10.6
 - name: Tidy go modules
 run: nix develop -c go mod tidy
From bd32fa7a3a760a1a56f421e84e74bdee0d47ca04 Mon Sep 17 00:00:00 2001
From: Phillip Cloud <417981+cpcloud@users.noreply.github.com>
Date: Sun, 28 Jun 2026 06:26:21 -0400
Subject: [PATCH 2/9] ci: restore github-actions update checks
PR 998 moved harden-runner to v2.19.4, and the Linux test job started failing before Go tests because Ubuntu's default mirrorlist host was outside the egress allowlist. Pin apt to the already-allowed regional archives so the job keeps the blocked egress policy without depending on mirrors.ubuntu.com DNS.
govulncheck also began flagging two newer stdlib advisories from the scoped Go 1.26.3 override. Bump that override to 1.26.4 so the CI security job uses a fixed toolchain until nixpkgs catches up.
---
 .github/workflows/ci.yml | 21 ++++++++++++++++++++-
 nix/overlay.nix | 12 +++++++-----
 2 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 67bc0bfa..e87f3894 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -99,9 +99,28 @@ jobs:
 with:
 go-version: "1.26"
+ - name: Pin apt archive (Linux)
+ if: runner.os == 'Linux'
+ run: |
+ case "$(dpkg --print-architecture)" in
+ amd64)
+ archive_url="http://us-west-2.ec2.archive.ubuntu.com/ubuntu"
+ ;;
+ arm64)
+ archive_url="http://ports.ubuntu.com/ubuntu-ports"
+ ;;
+ *)
+ echo "::error::unsupported apt architecture"
+ exit 1
+ ;;
+ esac
+ sudo sed -i "s|mirror+http://mirrors.ubuntu.com/mirrors.txt|${archive_url}|g" /etc/apt/sources.list.d/ubuntu.sources
+
 - name: Install extraction tools (Linux)
 if: runner.os == 'Linux'
- run: sudo apt-get update && sudo apt-get install -y poppler-utils tesseract-ocr imagemagick
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y poppler-utils tesseract-ocr imagemagick
 - name: Symlink magick to convert (Linux)
 if: runner.os == 'Linux'
diff --git a/nix/overlay.nix b/nix/overlay.nix
index 62325b74..71e07008 100644
--- a/nix/overlay.nix
+++ b/nix/overlay.nix
@@ -8,24 +8,26 @@ _final: prev:
 let
- # Scoped Go 1.26.3 override for micasa and its dev tools only.
+ # Scoped Go 1.26.4 override for micasa and its dev tools only.
 # NOT exported as go/go_1_26/buildGoModule — doing so rebuilds the
 # entire transitive closure from source (VHS → Chromium → PipeWire →
 # ffmpeg/gstreamer) because every Go derivation's input hash changes.
 #
- # 1.26.3 fixes six stdlib vulnerabilities flagged by govulncheck:
+ # 1.26.4 fixes stdlib vulnerabilities flagged by govulncheck:
 # GO-2026-4918 (net/http HTTP/2 SETTINGS frame infinite loop)
 # GO-2026-4971 (net Dial/LookupPort panic on NUL input on Windows)
 # GO-2026-4977 (net/mail consumePhrase DoS)
 # GO-2026-4980 (html/template empty
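Review bot: The `sed -i` at the end of the new "Pin apt archive (Linux)" step exits 0 even when the `mirror+http://mirrors.ubuntu.com/mirrors.txt` pattern is not present in `/etc/apt/sources.list.d/ubuntu.sources` (for example if a future runner image changes the sources format), so the pin would silently not apply and the job would still fail later under the blocked egress policy with a less obvious apt error. Add a post-condition so the failure surfaces at the pin step: `grep -qF "${archive_url}" /etc/apt/sources.list.d/ubuntu.sources || { echo "::error::apt sources were not rewritten"; exit 1; }`. The arm64 branch points at `ports.ubuntu.com`, which does not appear in the allowlist fragment visible in the earlier ci.yml hunk (only `us-west-2.ec2.archive.ubuntu.com:80` is shown), so confirm that host is in this job's `allowed-endpoints` or arm64 runners will still be blocked. Both archive URLs are plain `http`, consistent with the existing allowlist entry, so integrity continues to rest on apt's signed repository metadata rather than transport; that is unchanged by this patch and worth a one-line comment above the `case`. The enclosing job's step list continues outside the hunk.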