From cd341b77e36a1d57972a61274d1ef3a6b64896bb Mon Sep 17 00:00:00 2001
From: Brandon Mitchell <git@bmitch.net>
Date: Mon, 30 Mar 2026 09:32:09 -0400
Subject: [PATCH] Version bump

- actions/setup-go to v6.4.0
- sigstore/cosign-installer to v4.1.1
- google/osv-scanner to v2.3.5
- go-git/go-git to v5.17.1

Signed-off-by: Brandon Mitchell <git@bmitch.net>
---
 .github/workflows/docker.yml    |  2 +-
 .github/workflows/go.yml        |  2 +-
 .github/workflows/vulnscans.yml |  2 +-
 .version-bump.lock              | 10 +++++-----
 Makefile                        |  2 +-
 go.mod                          |  2 +-
 go.sum                          |  4 ++--
 7 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 2d2905b..b3ea0b7 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -79,7 +79,7 @@ jobs:
       uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
 
     - name: Install cosign
-      uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+      uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
      
     - name: Login to DockerHub
       if: github.repository_owner == 'sudo-bmitch'
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 1bd0d33..b05c130 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -22,7 +22,7 @@ jobs:
     steps:
 
     - name: "Set up Go ${{ env.RELEASE_GO_VER }}"
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: "${{ env.RELEASE_GO_VER }}"
         check-latest: true
diff --git a/.github/workflows/vulnscans.yml b/.github/workflows/vulnscans.yml
index 0b6e3dc..49de377 100644
--- a/.github/workflows/vulnscans.yml
+++ b/.github/workflows/vulnscans.yml
@@ -17,7 +17,7 @@ jobs:
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: "Set up Go"
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
+      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
       with:
         go-version: "${{ env.RELEASE_GO_VER }}"
         check-latest: true
diff --git a/.version-bump.lock b/.version-bump.lock
index 0e438fe..90174a8 100644
--- a/.version-bump.lock
+++ b/.version-bump.lock
@@ -4,20 +4,20 @@
 {"name":"docker-arg-go-tag","key":"docker.io/library/golang","version":"1.26.1"}
 {"name":"gha-golang-release","key":"golang-latest","version":"1.26"}
 {"name":"gha-uses-commit","key":"https://github.com/actions/checkout.git:v6.0.2","version":"de0fac2e4500dabe0009e67214ff5f5447ce83dd"}
-{"name":"gha-uses-commit","key":"https://github.com/actions/setup-go.git:v6.3.0","version":"4b73464bb391d4059bd26b0524d20df3927bd417"}
+{"name":"gha-uses-commit","key":"https://github.com/actions/setup-go.git:v6.4.0","version":"4a3601121dd01d1626a1e23e37211e3254c1c06c"}
 {"name":"gha-uses-commit","key":"https://github.com/actions/upload-artifact.git:v7.0.0","version":"bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"}
 {"name":"gha-uses-commit","key":"https://github.com/docker/build-push-action.git:v7.0.0","version":"d08e5c354a6adb9ed34480a06d141179aa583294"}
 {"name":"gha-uses-commit","key":"https://github.com/docker/login-action.git:v4.0.0","version":"b45d80f862d83dbcd57f89517bcf500b2ab88fb2"}
 {"name":"gha-uses-commit","key":"https://github.com/docker/setup-buildx-action.git:v4.0.0","version":"4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd"}
-{"name":"gha-uses-commit","key":"https://github.com/sigstore/cosign-installer.git:v4.1.0","version":"ba7bc0a3fef59531c69a25acd34668d6d3fe6f22"}
+{"name":"gha-uses-commit","key":"https://github.com/sigstore/cosign-installer.git:v4.1.1","version":"cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003"}
 {"name":"gha-uses-commit","key":"https://github.com/softprops/action-gh-release.git:v2.6.1","version":"153bb8e04406b158c6c84fc1615b65b24149a1fe"}
 {"name":"gha-uses-semver","key":"https://github.com/actions/checkout.git","version":"v6.0.2"}
-{"name":"gha-uses-semver","key":"https://github.com/actions/setup-go.git","version":"v6.3.0"}
+{"name":"gha-uses-semver","key":"https://github.com/actions/setup-go.git","version":"v6.4.0"}
 {"name":"gha-uses-semver","key":"https://github.com/actions/upload-artifact.git","version":"v7.0.0"}
 {"name":"gha-uses-semver","key":"https://github.com/docker/build-push-action.git","version":"v7.0.0"}
 {"name":"gha-uses-semver","key":"https://github.com/docker/login-action.git","version":"v4.0.0"}
 {"name":"gha-uses-semver","key":"https://github.com/docker/setup-buildx-action.git","version":"v4.0.0"}
-{"name":"gha-uses-semver","key":"https://github.com/sigstore/cosign-installer.git","version":"v4.1.0"}
+{"name":"gha-uses-semver","key":"https://github.com/sigstore/cosign-installer.git","version":"v4.1.1"}
 {"name":"gha-uses-semver","key":"https://github.com/softprops/action-gh-release.git","version":"v2.6.1"}
 {"name":"go-mod-golang-release","key":"golang-latest","version":"1.26"}
 {"name":"makefile-go-vulncheck","key":"https://go.googlesource.com/vuln.git","version":"v1.1.4"}
@@ -25,6 +25,6 @@
 {"name":"makefile-gomajor","key":"https://github.com/icholy/gomajor.git","version":"v0.15.0"}
 {"name":"makefile-gosec","key":"https://github.com/securego/gosec.git","version":"v2.25.0"}
 {"name":"makefile-markdown-lint","key":"docker.io/davidanson/markdownlint-cli2","version":"v0.22.0"}
-{"name":"makefile-osv-scanner","key":"https://github.com/google/osv-scanner.git","version":"v2.3.4"}
+{"name":"makefile-osv-scanner","key":"https://github.com/google/osv-scanner.git","version":"v2.3.5"}
 {"name":"makefile-staticcheck","key":"https://github.com/dominikh/go-tools.git","version":"v0.7.0"}
 {"name":"osv-golang-release","key":"docker.io/library/golang","version":"1.26.1"}
diff --git a/Makefile b/Makefile
index d4909ee..ae5da43 100644
--- a/Makefile
+++ b/Makefile
@@ -22,7 +22,7 @@ GOFUMPT_VER?=v0.9.2
 GOMAJOR_VER?=v0.15.0
 GOSEC_VER?=v2.25.0
 GO_VULNCHECK_VER?=v1.1.4
-OSV_SCANNER_VER?=v2.3.4
+OSV_SCANNER_VER?=v2.3.5
 STATICCHECK_VER?=v0.7.0
 
 .PHONY: .FORCE
diff --git a/go.mod b/go.mod
index dd0428f..f5a59d2 100644
--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.26
 
 require (
 	github.com/Masterminds/semver/v3 v3.4.0
-	github.com/go-git/go-git/v5 v5.17.0
+	github.com/go-git/go-git/v5 v5.17.1
 	github.com/goccy/go-yaml v1.19.2
 	github.com/regclient/regclient v0.11.2
 	github.com/spf13/cobra v1.10.2
diff --git a/go.sum b/go.sum
index cc9ce72..7cbb9f0 100644
--- a/go.sum
+++ b/go.sum
@@ -33,8 +33,8 @@ github.com/go-git/go-billy/v5 v5.8.0 h1:I8hjc3LbBlXTtVuFNJuwYuMiHvQJDq1AT6u4DwDz
 github.com/go-git/go-billy/v5 v5.8.0/go.mod h1:RpvI/rw4Vr5QA+Z60c6d6LXH0rYJo0uD5SqfmrrheCY=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.17.0 h1:AbyI4xf+7DsjINHMu35quAh4wJygKBKBuXVjV/pxesM=
-github.com/go-git/go-git/v5 v5.17.0/go.mod h1:f82C4YiLx+Lhi8eHxltLeGC5uBTXSFa6PC5WW9o4SjI=
+github.com/go-git/go-git/v5 v5.17.1 h1:WnljyxIzSj9BRRUlnmAU35ohDsjRK0EKmL0evDqi5Jk=
+github.com/go-git/go-git/v5 v5.17.1/go.mod h1:pW/VmeqkanRFqR6AljLcs7EA7FbZaN5MQqO7oZADXpo=
 github.com/goccy/go-yaml v1.19.2 h1:PmFC1S6h8ljIz6gMRBopkjP1TVT7xuwrButHID66PoM=
 github.com/goccy/go-yaml v1.19.2/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=