chore: Update deps

.github/workflows/base-images.yml

@@ -12,10 +12,12 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Set up Docker with Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
         with:
           driver: docker
 

.github/workflows/deploy.yml

@@ -28,14 +28,16 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Set Image Tag
         id: set-tag
         run: echo "IMAGE_TAG=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT
 
       - name: Set up Docker with Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4
         with:
           driver: docker
 
@@ -47,7 +49,7 @@ jobs:
         run: make build-ci
 
       - name: Log in to GitHub Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
@@ -63,7 +65,7 @@ jobs:
 
     steps:
       - name: SSH and Pull Images on VPS
-        uses: appleboy/ssh-action@v1.2.2
+        uses: appleboy/ssh-action@2ead5e36573f08b82fbfce1504f1a4b05a647c6f # v1.2.2
         with:
           host: ${{ secrets.VPS_HOST }}
           username: ${{ secrets.VPS_USERNAME }}

.github/workflows/gofmt.yml

@@ -14,18 +14,18 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [1.26.1]
+        go-version: [1.26.3]
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           repository: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name || github.repository }}
           ref: ${{ github.event_name == 'pull_request' && github.event.pull_request.head.ref || github.ref }}
           fetch-depth: 0
 
       - name: Install Go
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: ${{ matrix.go-version }}
 
@@ -34,7 +34,7 @@ jobs:
 
       - name: Commit Formatting Changes
         if: github.event.pull_request.head.repo.full_name == github.repository
-        uses: stefanzweifel/git-auto-commit-action@v6.0.1
+        uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
         with:
           commit_message: apply coding style fixes
           commit_options: '--no-verify'

.github/workflows/tests.yml

@@ -11,17 +11,19 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        go-version: [1.26.1]
+        go-version: [1.26.3]
 
     steps:
-      - uses: actions/setup-go@v5
+      - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
         with:
           go-version: ${{ matrix.go-version }}
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Cache Go modules
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
         with:
           path: |
             ~/go/pkg/mod

database/connection_test.go

@@ -34,10 +34,10 @@ func setupPostgresConnection(t *testing.T, models ...interface{}) (*database.Con
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	t.Cleanup(cancel)
 
-	// Pinning to postgres:18.1-alpine to avoid CVE-2025-12817/12818 and ensure
-	// consistent checksum behaviour (initdb enables checksums by default in PG 18).
+	// Pinning to postgres:18.4-alpine by digest to avoid CVE-2025-12817/12818
+	// and ensure consistent checksum behaviour (initdb enables checksums by default in PG 18).
 	pg, err := postgres.Run(ctx,
-		"postgres:18.1-alpine",
+		"postgres:18.4-alpine@sha256:96d56f7f57c6aacd1fcb908bc83b345ec5f83231ee486dd66a1baadce274db88",
 		postgres.WithDatabase("testdb"),
 		postgres.WithUsername("test"),
 		postgres.WithPassword("secret"),
@@ -62,7 +62,7 @@ func setupPostgresConnection(t *testing.T, models ...interface{}) (*database.Con
 			UserName:     "test",
 			UserPassword: "secret",
 			DatabaseName: "testdb",
-			Port:         port.Int(),
+			Port:         int(port.Num()),
 			Host:         host,
 			DriverName:   database.DriverName,
 			SSLMode:      "disable",

database/seeder/importer/runner_test.go

@@ -709,10 +709,10 @@ func setupPostgresConnection(t *testing.T) (*database.Connection, *env.Environme
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	t.Cleanup(cancel)
 
-	// Pinning to postgres:18.1-alpine to avoid CVE-2025-12817/12818 and ensure
-	// consistent checksum behaviour (initdb enables checksums by default in PG 18).
+	// Pinning to postgres:18.4-alpine by digest to avoid CVE-2025-12817/12818
+	// and ensure consistent checksum behaviour (initdb enables checksums by default in PG 18).
 	pg, err := postgres.Run(ctx,
-		"postgres:18.1-alpine",
+		"postgres:18.4-alpine@sha256:96d56f7f57c6aacd1fcb908bc83b345ec5f83231ee486dd66a1baadce274db88",
 		postgres.WithDatabase("testdb"),
 		postgres.WithUsername("test"),
 		postgres.WithPassword("secret"),
@@ -738,7 +738,7 @@ func setupPostgresConnection(t *testing.T) (*database.Connection, *env.Environme
 			UserName:     "test",
 			UserPassword: "secret",
 			DatabaseName: "testdb",
-			Port:         port.Int(),
+			Port:         int(port.Num()),
 			Host:         host,
 			DriverName:   database.DriverName,
 			SSLMode:      "disable",

database/seeder/seeds/seeder_test.go

@@ -23,10 +23,10 @@ func testConnection(t *testing.T, e *env.Environment) *database.Connection {
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
-	// Pinning to postgres:18.1-alpine to avoid CVE-2025-12817/12818 and ensure
-	// consistent checksum behaviour (initdb enables checksums by default in PG 18).
+	// Pinning to postgres:18.4-alpine by digest to avoid CVE-2025-12817/12818
+	// and ensure consistent checksum behaviour (initdb enables checksums by default in PG 18).
 	pg, err := postgres.Run(ctx,
-		"postgres:18.1-alpine",
+		"postgres:18.4-alpine@sha256:96d56f7f57c6aacd1fcb908bc83b345ec5f83231ee486dd66a1baadce274db88",
 		postgres.WithDatabase("testdb"),
 		postgres.WithUsername("test"),
 		postgres.WithPassword("secret"),
@@ -55,7 +55,7 @@ func testConnection(t *testing.T, e *env.Environment) *database.Connection {
 		UserName:     "test",
 		UserPassword: "secret",
 		DatabaseName: "testdb",
-		Port:         port.Int(),
+		Port:         int(port.Num()),
 		Host:         host,
 		DriverName:   database.DriverName,
 		SSLMode:      "disable",

docker-compose.yml

@@ -108,7 +108,7 @@ services:
                 - caddy_net
 
         prometheus:
-            image: prom/prometheus:v3.8.1@sha256:2b6f734e372c1b4717008f7d0a0152316aedd4d13ae17ef1e3268dbfaf68041b
+            image: prom/prometheus:v3.11.3@sha256:e4254400b85610324913f0dc4acf92603d9984e7519414c5a12811aa6146acc3
             profiles: ["prod"]
             container_name: oullin_prometheus
             restart: unless-stopped
@@ -147,7 +147,7 @@ services:
                         memory: 256M
 
         prometheus_local:
-            image: prom/prometheus:v3.8.1@sha256:2b6f734e372c1b4717008f7d0a0152316aedd4d13ae17ef1e3268dbfaf68041b
+            image: prom/prometheus:v3.11.3@sha256:e4254400b85610324913f0dc4acf92603d9984e7519414c5a12811aa6146acc3
             profiles: ["local"]
             container_name: oullin_prometheus_local
             restart: unless-stopped
@@ -186,7 +186,7 @@ services:
                         memory: 256M
 
         postgres_exporter:
-            image: prometheuscommunity/postgres-exporter:v0.18.0@sha256:3a9be51b73ac4f007cec8a36d824253c0607d065196072b61d8808714d7e8044
+            image: prometheuscommunity/postgres-exporter:v0.19.1@sha256:e96064f876226d94bb6ce48a4c4b3dd76edba91168ec1ab024e5c4b959310b0f
             profiles: ["prod"]
             container_name: oullin_postgres_exporter
             restart: unless-stopped
@@ -221,7 +221,7 @@ services:
                         memory: 32M
 
         postgres_exporter_local:
-            image: prometheuscommunity/postgres-exporter:v0.18.0@sha256:3a9be51b73ac4f007cec8a36d824253c0607d065196072b61d8808714d7e8044
+            image: prometheuscommunity/postgres-exporter:v0.19.1@sha256:e96064f876226d94bb6ce48a4c4b3dd76edba91168ec1ab024e5c4b959310b0f
             profiles: ["local"]
             container_name: oullin_postgres_exporter_local
             restart: unless-stopped
@@ -256,7 +256,7 @@ services:
                         memory: 32M
 
         grafana:
-            image: grafana/grafana:12.3.1@sha256:2175aaa91c96733d86d31cf270d5310b278654b03f5718c59de12a865380a31f
+            image: grafana/grafana:13.0.1-security-01@sha256:2d1f9ae67c1778d33e291d4c3c759cd8b650e67491f02533499eb950e075eeb5
             profiles: ["prod"]
             container_name: oullin_grafana
             restart: unless-stopped
@@ -295,7 +295,7 @@ services:
                         memory: 128M
 
         grafana_local:
-            image: grafana/grafana:12.3.1@sha256:2175aaa91c96733d86d31cf270d5310b278654b03f5718c59de12a865380a31f
+            image: grafana/grafana:13.0.1-security-01@sha256:2d1f9ae67c1778d33e291d4c3c759cd8b650e67491f02533499eb950e075eeb5
             profiles: ["local"]
             container_name: oullin_grafana_local
             restart: unless-stopped
@@ -344,7 +344,7 @@ services:
             dockerfile: ./infra/docker/dockerfile-api
             target: builder
             args:
-              - BASE_IMAGE_VERSION=${BASE_IMAGE_VERSION:-1.26.1-alpine3.23-r3}
+              - BASE_IMAGE_VERSION=${BASE_IMAGE_VERSION:-1.26.3-alpine3.23-r4}
           volumes:
             - .:/app
             - go_mod_cache:/go/pkg/mod
@@ -357,7 +357,7 @@ services:
               GOPATH: /go
               GOMODCACHE: /go/pkg/mod
               GOCACHE: /tmp/go-build
-              GOTOOLCHAIN: ${GO_LOCAL_TOOLCHAIN:-go1.26.1}
+              GOTOOLCHAIN: ${GO_LOCAL_TOOLCHAIN:-go1.26.3}
               ENV_DB_HOST: api-db
               ENV_SPA_DIR: ${ENV_SPA_DIR}
               ENV_DB_PORT: ${ENV_DB_PORT:-5432}
@@ -386,7 +386,7 @@ services:
               - ${API_LOGS_PATH:-./storage/logs/api}:/app/storage/logs
             environment:
                 CGO_ENABLED: 1
-                GOTOOLCHAIN: ${GO_LOCAL_TOOLCHAIN:-go1.26.1}
+                GOTOOLCHAIN: ${GO_LOCAL_TOOLCHAIN:-go1.26.3}
                 # --- This ensures the Go web server listens for connections from other
                 #     containers (like Caddy), not just from within itself.
                 ENV_APP_LOGS_DIR: /app/storage/logs/logs_%s.log
@@ -396,7 +396,7 @@ services:
                 context: .
                 dockerfile: ./infra/docker/dockerfile-api
                 args:
-                    - BASE_IMAGE_VERSION=${BASE_IMAGE_VERSION:-1.26.1-alpine3.23-r3}
+                    - BASE_IMAGE_VERSION=${BASE_IMAGE_VERSION:-1.26.3-alpine3.23-r4}
                     - APP_VERSION=0.0.0.1
                     - APP_HOST_PORT=${ENV_HTTP_PORT}
                     - APP_USER=${ENV_DOCKER_USER}
@@ -461,10 +461,10 @@ services:
             # Ensure the database always restarts on server reboot or crash.
             restart: always
 
-            # Pinning to postgres:18.1-alpine to avoid CVE-2025-12817/12818 and ensure
+            # Pinning to postgres:18.4-alpine to avoid CVE-2025-12817/12818 and ensure
             # consistent checksum behaviour (initdb enables checksums by default in PG 18).
             # This matches the version used in test environments for consistency.
-            image: postgres:18.1-alpine@sha256:6723ec6d445fe51c6d097b9248f8a4b793255853524839fca1b2d69a435b6072
+            image: postgres:18.4-alpine@sha256:96d56f7f57c6aacd1fcb908bc83b345ec5f83231ee486dd66a1baadce274db88
             container_name: oullin_db
 
             env_file:

go.mod

@@ -1,26 +1,26 @@
 module github.com/oullin
 
-go 1.26.1
+go 1.26.3
 
 require (
 	github.com/DATA-DOG/go-sqlmock v1.5.2
-	github.com/andybalholm/brotli v1.2.0
+	github.com/andybalholm/brotli v1.2.1
 	github.com/chai2010/webp v1.4.0
 	github.com/felixge/httpsnoop v1.0.4
 	github.com/gen2brain/avif v0.4.4
-	github.com/getsentry/sentry-go v0.43.0
-	github.com/go-playground/validator/v10 v10.30.1
+	github.com/getsentry/sentry-go v0.46.2
+	github.com/go-playground/validator/v10 v10.30.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
-	github.com/klauspost/compress v1.18.4
-	github.com/lib/pq v1.11.2
+	github.com/klauspost/compress v1.18.6
+	github.com/lib/pq v1.12.3
 	github.com/prometheus/client_golang v1.23.2
-	github.com/testcontainers/testcontainers-go v0.41.0
-	github.com/testcontainers/testcontainers-go/modules/postgres v0.41.0
-	golang.org/x/crypto v0.49.0
-	golang.org/x/image v0.37.0
-	golang.org/x/term v0.41.0
-	golang.org/x/text v0.35.0
+	github.com/testcontainers/testcontainers-go v0.42.0
+	github.com/testcontainers/testcontainers-go/modules/postgres v0.42.0
+	golang.org/x/crypto v0.52.0
+	golang.org/x/image v0.41.0
+	golang.org/x/term v0.43.0
+	golang.org/x/text v0.37.0
 	gopkg.in/yaml.v3 v3.0.1 // Application code uses v3; Prometheus uses v2 (go.yaml.in/yaml/v2) internally - both versions coexist safely
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/gorm v1.31.1
@@ -40,8 +40,7 @@ require (
 	github.com/cpuguy83/dockercfg v0.3.2 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/distribution/reference v0.6.0 // indirect
-	github.com/docker/docker v28.5.2+incompatible // indirect
-	github.com/docker/go-connections v0.6.0 // indirect
+	github.com/docker/go-connections v0.7.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/ebitengine/purego v0.10.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
@@ -52,57 +51,50 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.8.0 // indirect
+	github.com/jackc/pgx/v5 v5.9.2 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/lufia/plan9stats v0.0.0-20260216142805-b3301c5f2a88 // indirect
+	github.com/lufia/plan9stats v0.0.0-20260330125221-c963978e514e // indirect
 	github.com/magiconair/properties v1.8.10 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/go-archive v0.2.0 // indirect
-	github.com/moby/patternmatcher v0.6.0 // indirect
+	github.com/moby/patternmatcher v0.6.1 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
 	github.com/moby/sys/user v0.4.0 // indirect
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
-	github.com/morikuni/aec v1.1.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.67.5 // indirect
 	github.com/prometheus/procfs v0.20.1 // indirect
-	github.com/shirou/gopsutil/v4 v4.26.2 // indirect
+	github.com/shirou/gopsutil/v4 v4.26.4 // indirect
 	github.com/sirupsen/logrus v1.9.4 // indirect
 	github.com/stretchr/testify v1.11.1 // indirect
 	github.com/tetratelabs/wazero v1.11.0 // indirect
-	github.com/tklauser/go-sysconf v0.3.16 // indirect
-	github.com/tklauser/numcpus v0.11.0 // indirect
+	github.com/tklauser/go-sysconf v0.4.0 // indirect
+	github.com/tklauser/numcpus v0.12.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
-	go.opentelemetry.io/otel v1.42.0 // indirect
-	go.opentelemetry.io/otel/metric v1.42.0 // indirect
-	go.opentelemetry.io/otel/trace v1.42.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.68.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.4 // indirect; Required by prometheus/client_golang; no type conflicts with our gopkg.in/yaml.v3 usage
 	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.42.0 // indirect
-	golang.org/x/time v0.15.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260311181403-84a4fc48630c // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260311181403-84a4fc48630c // indirect
+	golang.org/x/sys v0.45.0 // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
 )
 
 require (
-	github.com/creack/pty v1.1.24 // indirect
 	github.com/go-errors/errors v1.5.1 // indirect
-	github.com/stretchr/objx v0.5.3 // indirect
+	github.com/moby/moby/api v1.54.2 // indirect
+	github.com/moby/moby/client v0.4.1 // indirect
 	github.com/xyproto/randomstring v1.2.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.42.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
-	golang.org/x/net v0.52.0 // indirect
+	pgregory.net/rapid v1.3.0 // indirect
 )