build(deps): bump the dependencies group across 1 directory with 8 updates

[dependabot]

Bumps the dependencies group with 8 updates in the / directory:

Package	From	To
github.com/docker/cli	28.4.0+incompatible	29.1.1+incompatible
github.com/docker/docker	28.4.0+incompatible	28.5.2+incompatible
github.com/go-git/go-git/v5	5.16.2	5.16.4
github.com/opencontainers/selinux	1.12.0	1.13.1
github.com/rhysd/actionlint	1.7.7	1.7.9
github.com/spf13/pflag	1.0.9	1.0.10
golang.org/x/term	0.35.0	0.37.0
google.golang.org/protobuf	1.36.9	1.36.10

Updates github.com/docker/cli from 28.4.0+incompatible to 29.1.1+incompatible

Commits

• 0aedba5 Merge pull request #6669 from vvoland/29-norc
• dd2be02 gha/e2e: Switch to rc and 29 latest
• 360952c Merge pull request #6680 from thaJeztah/bump_modules
• 8fc15ea Merge pull request #6579 from dvdksn/doc-daemon-buildc-example
• 1abfbf2 vendor: github.com/moby/moby/client v0.2.1
• e0d30db docs: update buildgc example config to use new buildkit v0.17 options
• 5691ade Merge pull request #6682 from thaJeztah/bump_dct_deps
• 848dcad Merge pull request #6681 from thaJeztah/bump_x_deps2
• 6a0099b cmd/docker-trust: bump golang.org/x/crypto v0.45.0
• c90166f cmd/docker-trust: update dependencies
• Additional commits viewable in compare view

Updates github.com/docker/docker from 28.4.0+incompatible to 28.5.2+incompatible

Release notes

Sourced from github.com/docker/docker's releases.

v28.5.2

28.5.2

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.5.2 milestone
• moby/moby, 28.5.2 milestone

[!CAUTION] This release contains fixes for three high-severity security vulnerabilities in runc:

• CVE-2025-31133
• CVE-2025-52565
• CVE-2025-52881

All three vulnerabilities ultimately allow (through different methods) for full container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files.

Packaging updates

• Update runc to v1.3.3. moby/moby#51394

Bug fixes and enhancements

• dockerd-rootless.sh: if slirp4netns is not installed, try using pasta (passt). moby/moby#51162
• Update Go runtime to 1.24.9. moby/moby#51387, docker/cli#6613

Deprecations

• Go-SDK: cli/command/image/build: deprecate DefaultDockerfileName, DetectArchiveReader, WriteTempDockerfile, ResolveAndValidateContextPath. These utilities were only used internally and will be removed in the next release. docker/cli#6610
• Go-SDK: cli/command/image/build: deprecate IsArchive utility. docker/cli#6560
• Go-SDK: opts: deprecate ValidateMACAddress. docker/cli#6560
• Go-SDK: opts: deprecate ListOpts.Delete(). docker/cli#6560

v28.5.1

28.5.1

For a full list of pull requests and changes in this release, refer to the relevant GitHub milestones:

• docker/cli, 28.5.1 milestone
• moby/moby, 28.5.1 milestone
• Deprecated and removed features, see Deprecated Features.
• Changes to the Engine API, see API version history.

Bug fixes and enhancements

• Update BuildKit to v0.25.1. moby/moby#51137
• Update Go runtime to 1.24.8. moby/moby#51133, docker/cli#6541

Deprecations

• api/types/image: InspectResponse: deprecate Parent and DockerVersion fields. moby/moby#51105
• api/types/plugin: deprecate Config.DockerVersion field. moby/moby#51110

... (truncated)

Commits

• 89c5e8f Merge pull request #51396 from thaJeztah/28.x_backport_api_docs
• 9b93878 Merge pull request #51395 from thaJeztah/28.x_backport_rootless_reject
• 6178456 Merge pull request #51398 from vvoland/51397-28.x
• 0cae4e5 vendor: github.com/moby/buildkit v0.25.2
• 33cc06f Merge pull request #51394 from vvoland/51393-28.x
• d525277 api/docs: remove BuildCache.Parent field for API v1.42 and up
• 2fbc51b dockerd-rootless.sh: reject DOCKERD_ROOTLESS_ROOTLESSKIT_NET=host
• bd98008 integration-cli: Adjust nofile limits
• 1967515 Dockerfile: update runc binary to v1.3.3
• 4489660 Merge pull request #51387 from thaJeztah/28.x_bump_go
• Additional commits viewable in compare view

Updates github.com/go-git/go-git/v5 from 5.16.2 to 5.16.4

Release notes

Sourced from github.com/go-git/go-git/v5's releases.

v5.16.4

What's Changed

• backport plumbing: format/idxfile, prevent panic by @​swills in go-git/go-git#1732
• [backport] build: test, Fix build on Windows. by @​pjbgf in go-git/go-git#1734
• build: Update module golang.org/x/net to v0.38.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1742
• build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1741
• build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] (releases/v5.x) by @​go-git-renovate[bot] in go-git/go-git#1743

Full Changelog: go-git/go-git@v5.16.3...v5.16.4

v5.16.3

What's Changed

• internal: Expand regex to fix build [5.x] by @​baloo in go-git/go-git#1644
• build: raise timeouts for windows CI tests and disable CIFuzz [5.x] by @​baloo in go-git/go-git#1646
• plumbing: support commits extra headers, support jujutsu signed commit [5.x] by @​baloo in go-git/go-git#1633

Full Changelog: go-git/go-git@v5.16.2...v5.16.3

Commits

• de8ecc3 Merge pull request #1743 from go-git/renovate/releases/v5.x-go-github.com-go-...
• 3e752f0 build: Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY]
• 3a31754 Merge pull request #1741 from go-git/renovate/releases/v5.x-go-github.com-clo...
• acc28f1 build: Update module github.com/cloudflare/circl to v1.6.1 [SECURITY]
• 95f3880 Merge pull request #1742 from go-git/renovate/releases/v5.x-go-golang.org-x-n...
• 329f926 build: Update module golang.org/x/net to v0.38.0 [SECURITY]
• 399e04b Merge pull request #1734 from pjbgf/fix-ci
• 2025eae build: test, Fix build on Windows.
• fb6806f Merge pull request #1732 from swills/find-hash-panic-fix-backport
• 382530f plumbing: format/idxfile, prevent panic
• Additional commits viewable in compare view

Updates github.com/opencontainers/selinux from 1.12.0 to 1.13.1

Release notes

Sourced from github.com/opencontainers/selinux's releases.

v1.13.1

This release includes a minor update to reduce the minimum version requirement of the github.com/cyphar/filepath-securejoin package from v0.6.0 to v0.5.1. We did not use any of the newer features, so downgrading is a no-op but will help with downstreams that need to backport github.com/opencontainers/selinux updates.

What's Changed

• build(deps): bump golangci/golangci-lint-action from 8 to 9 by @​dependabot[bot] in opencontainers/selinux#240
• downgrade github.com/cyphar/filepath-securejoin to v0.5.1 by @​Luap99 in opencontainers/selinux#242

New Contributors

• @​Luap99 made their first contribution in opencontainers/selinux#242

Full Changelog: opencontainers/selinux@v1.13.0...v1.13.1

v1.13.0

What's Changed

• Switch to golangci-lint v2 by @​kolyshkin in opencontainers/selinux#230
• build(deps): bump actions/checkout from 4 to 5 by @​dependabot[bot] in opencontainers/selinux#233
• build(deps): bump actions/setup-go from 5 to 6 by @​dependabot[bot] in opencontainers/selinux#234
• keyring: fix typo in EACCES check by @​cyphar in opencontainers/selinux#235
• Add Go 1.25, drop go 1.23, bump golangci-lint by @​kolyshkin in opencontainers/selinux#236
• selinux: migrate to pathrs-lite procfs API by @​cyphar in opencontainers/selinux#237

Full Changelog: opencontainers/selinux@v1.12.0...v1.13.0

Commits

• 5647f06 Merge pull request #242 from Luap99/securejoin
• 69a52b8 downgrade github.com/cyphar/filepath-securejoin to v0.5.1
• 6950c32 Merge pull request #240 from opencontainers/dependabot/github_actions/golangc...
• 9a88c88 build(deps): bump golangci/golangci-lint-action from 8 to 9
• 4be9937 Merge pull request #237 from cyphar/selinux-safe-procfs
• c8cfa6f selinux: migrate to pathrs-lite procfs API
• f2424d8 Merge pull request #236 from kolyshkin/modernize-ci
• 648ce7f ci: add go 1.25
• 916cab9 ci: bump golangci-lint to v2.5
• b42e5c8 all: format sources with latest gofumpt
• Additional commits viewable in compare view

Updates github.com/rhysd/actionlint from 1.7.7 to 1.7.9

Release notes

Sourced from github.com/rhysd/actionlint's releases.

v1.7.9

• Add support for ubuntu-slim runner label. (#585, thanks @​cestorer)
• Check input deprecation in action by checking deprecationMessage property. Using a deprecated input is reported as error if it is not marked as required. See the document for more details. (#580)

  - uses: reviewdog/action-actionlint@v1
    with:
      # ERROR: Using a deprecated input
      fail_on_error: true

• Add support for the Custom images feature.
  • Support image_version workflow trigger.

    on:
      image_version:
        names:
          - "MyNewImage"
          - "MyOtherImage"
        versions:
          - 1.*
          - 2.*

  • Support jobs.<job_id>.snapshot syntax. To make actionlint recognize your own image generation runner, use self-hosted-runner.labels config.

    jobs:
      build:
        runs-on: my-image-generation-runner
        snapshot:
            image-name: my-custom-image
            version: 2.*

• Report constant conditions at if: like if: true as error. Only very simple expressions like true or false are detected for now. See the document for more details.
• Fix some invalid permissions are not reported as error in id-token and models scopes. (#582, thanks @​holtkampjs)
• Fix args and entrypoint inputs are not recognized at uses: when it's not a Docker action. (#550)
• Set correct column in source position of YAML parse error.
• Fix credentials cannot be configured with ${{ }}. (#590)
• Improve messages in syntax errors on parsing steps (run: and uses:). Available keys suggestion is now more accurate and unexpected keys are detected more accurately.
• Fix the order of errors can be non-deterministic when multiple errors are caused at the same source positions.
• Improve error messages showing suggestions on detecting invalid permissions.
• Add instruction for installing actionlint with mise package manager. (#589, thanks @​jylenhof)
• Fix outdated URLs in the document.
• Add new actionlint.AllContexts map constant in Go API that contains the information about all context availability.
• Update popular actions data set to the latest with several major versions of actions and the following new actions.
  • anthropics/claude-code-action
  • openai/codex-action
  • google-github-actions/run-gemini-cli
• Add make cov task to easily generate a code coverage report.
• Make installing the formula version of actionlint pacakge from tap of this repository with Homebrew a hard error. Install the cask version instead following the instruction in the error message.

v1.7.8

• Support models permission in permissions section. (#531, thanks @​muzimuzhi)

... (truncated)

Changelog

Sourced from github.com/rhysd/actionlint's changelog.

v1.7.9 - 2025-11-21

• Add support for ubuntu-slim runner label. (#585, thanks @​cestorer)
• Check input deprecation in action by checking deprecationMessage property. Using a deprecated input is reported as error if it is not marked as required. See the document for more details. (#580)

  - uses: reviewdog/action-actionlint@v1
    with:
      # ERROR: Using a deprecated input
      fail_on_error: true

• Add support for the Custom images feature.
  • Support image_version workflow trigger.

    on:
      image_version:
        names:
          - "MyNewImage"
          - "MyOtherImage"
        versions:
          - 1.*
          - 2.*

  • Support jobs.<job_id>.snapshot syntax. To make actionlint recognize your own image generation runner, use self-hosted-runner.labels config.

    jobs:
      build:
        runs-on: my-image-generation-runner
        snapshot:
            image-name: my-custom-image
            version: 2.*

• Report constant conditions at if: like if: true as error. Only very simple expressions like true or false are detected for now. See the document for more details.
• Fix some invalid permissions are not reported as error in id-token and models scopes. (#582, thanks @​holtkampjs)
• Fix args and entrypoint inputs are not recognized at uses: when it's not a Docker action. (#550)
• Set correct column in source position of YAML parse error.
• Fix credentials cannot be configured with ${{ }}. (#590)
• Improve messages in syntax errors on parsing steps (run: and uses:). Available keys suggestion is now more accurate and unexpected keys are detected more accurately.
• Fix the order of errors can be non-deterministic when multiple errors are caused at the same source positions.
• Improve error messages showing suggestions on detecting invalid permissions.
• Add instruction for installing actionlint with mise package manager. (#589, thanks @​jylenhof)
• Fix outdated URLs in the document.
• Add new actionlint.AllContexts map constant in Go API that contains the information about all context availability.
• Update popular actions data set to the latest with several major versions of actions and the following new actions.
  • anthropics/claude-code-action
  • openai/codex-action
  • google-github-actions/run-gemini-cli
• Add make cov task to easily generate a code coverage report.
• Make installing the formula version of actionlint pacakge from tap of this repository with Homebrew a hard error. Install the cask version instead following the instruction in the error message.

[Changes][v1.7.9]

... (truncated)

Commits

• a443f34 bump up version to v1.7.9
• c48cd05 fix deprecated GoReleaser config
• a03892f update the popular actions data set for actions/checkout@v6
• c85ea65 make installing formula version of actionlint error
• eb4d397 update playground npm dependencies
• baee0a7 fix webhook generation script
• 56ecc8c add anthropics/claude-code-action, openai/codex-action, `google-github-ac...
• 5ed2da8 add more tests for parsing and checking container and services
• dbcf56f report image is missing in container
• e4ba27e fix credentials cannot be initialized with ${{ }} (fix #590)
• Additional commits viewable in compare view

Updates github.com/spf13/pflag from 1.0.9 to 1.0.10

Release notes

Sourced from github.com/spf13/pflag's releases.

v1.0.10

What's Changed

• fix deprecation comment for (FlagSet.)ParseErrorsWhitelist by @​thaJeztah in spf13/pflag#447
• remove uses of errors.Is, which requires go1.13, move go1.16/go1.21 tests to separate file by @​thaJeztah in spf13/pflag#448

New Contributors

• @​thaJeztah made their first contribution in spf13/pflag#447

Full Changelog: spf13/pflag@v1.0.9...v1.0.10

Commits

• 0491e57 Merge pull request #448 from thaJeztah/fix_go_version
• 72abab1 Merge pull request #447 from thaJeztah/fix_deprecation_comment
• 7e4dfb1 Test on Go 1.12
• 18a9d17 move Func, BoolFunc, tests as they require go1.21
• c5b9e98 remove uses of errors.Is, which requires go1.13
• 45a4873 fix deprecation comment for (FlagSet.)ParseErrorsWhitelist
• See full diff in compare view

Updates golang.org/x/term from 0.35.0 to 0.37.0

Commits

• 1231d54 go.mod: update golang.org/x dependencies
• 3475bc8 term: fix some comments
• 3a0828a go.mod: update golang.org/x dependencies
• See full diff in compare view

Updates google.golang.org/protobuf from 1.36.9 to 1.36.10

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions