chore(deps): update all dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
aquasecurity/trivy-action	action	minor	0.35.0 → v0.36.0
github.com/fsnotify/fsnotify	require	minor	v1.9.0 → v1.10.0
github/codeql-action	action	patch	v4.35.2 → v4.35.3
golangci/golangci-lint		minor	2.11.4 → 2.12.1

---

Release Notes

aquasecurity/trivy-action (aquasecurity/trivy-action)

v0.36.0

Compare Source

What's Changed

• chore(ci): update bump-trivy workflow by @​DmitriyLewen in #​546
• ci: use action.yaml as single source of truth for Trivy version by @​nikpivkin in #​552
• ci: replace peter-evans/create-pull-request with gh CLI by @​nikpivkin in #​550
• test: use pinned digests for trivy-db, trivy-java-db and trivy-checks by @​nikpivkin in #​555
• ci: add dependabot config by @​nikpivkin in #​556
• chore: add zizmor config by @​nikpivkin in #​557
• chore(deps): bump the actions group with 5 updates by @​dependabot[bot] in #​558
• fix: use portable shebang in entrypoint.sh by @​Hayao0819 in #​545
• Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name by @​patrik-csak in #​547
• Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #​549 by @​Aditya09-cse in #​548
• chore: use GitHub Actions as git commit author in bump-trivy workflow by @​nikpivkin in #​561
• chore(deps): Update trivy to v0.70.0 by @​Argon-DevOps-Mgt in #​559
• chore: update action version to v0.36.0 in examples by @​nikpivkin in #​563

New Contributors

• @​dependabot[bot] made their first contribution in #​558
• @​Hayao0819 made their first contribution in #​545
• @​patrik-csak made their first contribution in #​547
• @​Aditya09-cse made their first contribution in #​548
• @​Argon-DevOps-Mgt made their first contribution in #​559

Full Changelog: aquasecurity/trivy-action@v0.35.0...v0.36.0

fsnotify/fsnotify (github.com/fsnotify/fsnotify)

v1.10.0

Compare Source

This version of fsnotify needs Go 1.23.

Changes and fixes

• inotify: improve initialization error message (#​731)

• inotify: send Rename event if recursive watch is renamed (#​696)

• inotify: avoid copying event buffers when reading names (#​741)

• kqueue: skip dangling symlinks (ENOENT) in watchDirectoryFiles, so a bad entry no longer aborts Watcher.Add for the whole directory (#​748)

• kqueue: drop watches directly in Close() to fix a file descriptor leak when recycling watchers (#​740)

• windows: fix nil pointer dereference in remWatch (#​736)

• windows: lock watch field updates against concurrent WatchList to fix a race introduced in v1.9.0 (#​709, #​749)

github/codeql-action (github/codeql-action)

v4.35.3

Compare Source

• Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
• Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
• Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
• Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
• Update default CodeQL bundle version to 2.25.3. #​3865

golangci/golangci-lint (golangci/golangci-lint)

v2.12.1

Compare Source

Released on 2026-05-01

1. Linters bug fixes
   • gomodguard_v2: fix panic with migration suggestion
2. Misc.
   • fix install.sh script (if you are still using an URL based on the branch master, please update to use https://golangci-lint.run/install.sh)

v2.12.0

Compare Source

Released on 2026-05-01

1. New linters
   • Add clickhouselint linter https://github.com/ClickHouse/clickhouse-go-linter
2. Linters new features or changes
   • dupl: from f665c8d to c99c5cf (extended detection)
   • funcorder: from 0.5.0 to 0.6.0 (new option: function)
   • goconst: add an option to ignore strings from tests
   • goconst: from 1.8.2 to 1.10.0 (extended detection)
   • gomodguard_v2: from 1.4.1 to 2.1.0 (major version with new configuration)
   • gosec: from 619ce21 to 2.26.1 (new checks: G124, G708, G709, G710)
   • govet: add inline analyzer
   • makezero: from 2.1.0 to 2.2.1 (support slice type aliases)
   • paralleltest: expose checkcleanup option
   • sloglint: from 0.11.1 to 0.12.0 (new options: allowed-keys, custom-funcs)
   • wsl_v5: from 5.6.0 to 5.8.0 (new option: cuddle-max-statements; new checks: after-decl, after-defer, after-expr, after-go, cuddle-group)
3. Linters bug fixes
   • forbidigo: from 2.3.0 to 2.3.1
   • godot: from 1.5.4 to 1.5.6
   • govet-modernize: from 0.43.0 to 0.44.0
   • ireturn: from 0.4.0 to 0.4.1
   • rowserrcheck: from 1.1.1 to c5f79b8
4. Misc.
   • Decrease cache entropy
   • Embed the JSON schema in the binary
   • Filter env vars when cloning the repository with the custom command

---

Configuration

📅 Schedule: (in timezone Etc/UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.