umputun
diff --git a/‎.github/workflows/ci-backend.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/ci-backend.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/ci-build.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ci-build.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ci-frontend-api.yml‎
Lines changed: 3 additions & 3 deletions b/‎.github/workflows/ci-frontend-api.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎.github/workflows/ci-frontend.yml‎
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/ci-frontend.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/ci-site.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/ci-site.yml‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎.github/workflows/docker.yml‎
Lines changed: 5 additions & 4 deletions b/‎.github/workflows/docker.yml‎
Lines changed: 5 additions & 4 deletions
diff --git a/‎.github/workflows/e2e-tests.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/e2e-tests.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.gitignore‎
Lines changed: 3 additions & 0 deletions b/‎.gitignore‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎backend/.golangci.yml‎
Lines changed: 9 additions & 0 deletions b/‎backend/.golangci.yml‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎backend/_example/memory_store/go.mod‎
Lines changed: 6 additions & 6 deletions b/‎backend/_example/memory_store/go.mod‎
Lines changed: 6 additions & 6 deletions
@@ -60,13 +60,13 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: "v2.6.0"
+          version: "v2.10.1"
           working-directory: backend/app
 
       - name: golangci-lint on example directory
         uses: golangci/golangci-lint-action@v9
         with:
-          version: "v2.6.0"
+          version: "v2.10.1"
           args: --config ../../.golangci.yml
           working-directory: backend/_example/memory_store
 
 
@@ -31,7 +31,7 @@ jobs:
         uses: docker/setup-buildx-action@v3
 
       - name: expose GitHub Actions cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: /tmp/.buildx-cache
           key: ${{ runner.os }}-buildx-${{ github.sha }}
 
@@ -47,7 +47,7 @@ jobs:
         run: echo "pnpm_cache_dir=$(pnpm store path)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ env.pnpm_cache_dir }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -94,7 +94,7 @@ jobs:
         run: echo "pnpm_cache_dir=$(pnpm store path)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ env.pnpm_cache_dir }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -141,7 +141,7 @@ jobs:
         run: echo "pnpm_cache_dir=$(pnpm store path)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ env.pnpm_cache_dir }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
 
@@ -47,7 +47,7 @@ jobs:
         run: echo "pnpm_cache_dir=$(pnpm store path)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ env.pnpm_cache_dir }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -94,7 +94,7 @@ jobs:
         run: echo "pnpm_cache_dir=$(pnpm store path)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ env.pnpm_cache_dir }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -141,7 +141,7 @@ jobs:
         run: echo "pnpm_cache_dir=$(pnpm store path)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ env.pnpm_cache_dir }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
@@ -217,7 +217,7 @@ jobs:
         run: echo "pnpm_cache_dir=$(pnpm store path)" >> $GITHUB_ENV
 
       - name: Setup pnpm cache
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: ${{ env.pnpm_cache_dir }}
           key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}
 
@@ -1,10 +1,11 @@
 name: site
 
 on:
+  release:
+    types: [published]
   push:
     branches:
       - master
-    tags:
     paths:
       - ".github/workflows/ci-site.yml"
       - "site/**"
@@ -69,7 +70,7 @@ jobs:
           touch "/tmp/digests/${digest#sha256:}"
 
       - name: upload digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: site-digests-${{ matrix.artifact }}
           path: /tmp/digests/*
@@ -85,7 +86,7 @@ jobs:
 
     steps:
       - name: download digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           path: /tmp/digests
           pattern: site-digests-*
@@ -133,7 +134,8 @@ jobs:
     name: Deploy site
     runs-on: ubuntu-latest
     needs: merge
-    if: github.ref == 'refs/heads/master'
+    if: github.ref == 'refs/heads/master' || github.event_name == 'release'
+    permissions: {} # only calls an external URL via curl, no GitHub API access needed
 
     steps:
       - name: trigger deployment
 
@@ -104,14 +104,14 @@ jobs:
           touch "/tmp/digests/dockerhub/${digest_dockerhub#sha256:}"
 
       - name: upload ghcr digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: digests-ghcr-${{ matrix.artifact }}
           path: /tmp/digests/ghcr/*
           retention-days: 1
 
       - name: upload dockerhub digest
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: digests-dockerhub-${{ matrix.artifact }}
           path: /tmp/digests/dockerhub/*
@@ -127,14 +127,14 @@ jobs:
 
     steps:
       - name: download ghcr digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           path: /tmp/digests/ghcr
           pattern: digests-ghcr-*
           merge-multiple: true
 
       - name: download dockerhub digests
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           path: /tmp/digests/dockerhub
           pattern: digests-dockerhub-*
@@ -206,6 +206,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: merge
     if: github.event.workflow_run.head_branch == 'master'
+    permissions: {} # only calls an external URL via curl, no GitHub API access needed
 
     steps:
       - name: trigger deployment
 
@@ -34,7 +34,7 @@ jobs:
         id: tests
         run: COMPOSE_DOCKER_CLI_BUILD=1 DOCKER_BUILDKIT=1 docker compose -f compose-e2e-test.yml up --build --quiet-pull --exit-code-from tests
 
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v6
         if: always()
         with:
           name: playwright-report
 
@@ -26,3 +26,6 @@ compose-private.yml
 http-client.env.json
 /playwright-report/
 /backend/app/cmd/var
+
+# ralphex progress logs
+.ralphex/progress/
@@ -23,6 +23,12 @@ linters:
     goconst:
       min-len: 2
       min-occurrences: 2
+    gosec:
+      excludes:
+        - G117 # false positive: struct field name matches "secret" pattern
+        - G703 # false positive: path traversal via taint analysis
+        - G704 # false positive: SSRF via taint analysis
+        - G705 # false positive: XSS via taint analysis
     gocritic:
       disabled-checks:
         - wrapperFunc
@@ -51,6 +57,9 @@ linters:
       - linters:
           - revive
         text: 'var-naming: avoid meaningless package names'
+      - linters:
+          - revive
+        text: 'var-naming: avoid package names that conflict with Go standard library package names'
       - linters:
           - dupl
           - gosec
 
@@ -13,12 +13,12 @@ require (
 require (
 	github.com/Depado/bfchroma/v2 v2.0.0 // indirect
 	github.com/PuerkitoBio/goquery v1.11.0 // indirect
-	github.com/alecthomas/chroma/v2 v2.21.1 // indirect
+	github.com/alecthomas/chroma/v2 v2.23.1 // indirect
 	github.com/andybalholm/cascadia v1.3.3 // indirect
 	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dlclark/regexp2 v1.11.5 // indirect
-	github.com/go-pkgz/rest v1.20.6 // indirect
+	github.com/go-pkgz/rest v1.21.0 // indirect
 	github.com/go-pkgz/routegroup v1.6.0 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -30,10 +30,10 @@ require (
 	github.com/rs/xid v1.6.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	go.etcd.io/bbolt v1.4.3 // indirect
-	golang.org/x/crypto v0.46.0 // indirect
-	golang.org/x/image v0.34.0 // indirect
-	golang.org/x/net v0.48.0 // indirect
-	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
+	golang.org/x/image v0.36.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )