Aureliolo · Aureliolo · May 24, 2026 · May 24, 2026 · May 24, 2026
@@ -132,7 +132,7 @@ runs:
 
     - name: Upload SARIF to GitHub Security
       if: always()
-      uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+      uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
       with: # zizmor: ignore[template-injection]
         sarif_file: trivy-${{ inputs.image-name }}-base.sarif
         category: trivy-${{ inputs.image-name }}-base
@@ -149,7 +149,7 @@ runs:
         platforms: arm64
 
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+      uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
       with:
         # `docker` driver is required for `load: true` on PR builds so
         # Trivy can scan a locally loaded image; `docker-container`
@@ -178,7 +178,7 @@ runs:
 
     - name: Extract metadata
       id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
       with:
         images: ghcr.io/aureliolo/synthorg-${{ inputs.image-name }}
         tags: |
@@ -193,7 +193,7 @@ runs:
     # persisted -- PR builds never feed the publish-image action.
     - name: Build image (PR, loaded for scan)
       if: github.event_name == 'pull_request'
-      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+      uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
       with:
         context: ${{ inputs.context }}
         file: ${{ inputs.dockerfile }}
@@ -213,7 +213,7 @@ runs:
     # tarballs and reassemble the multi-arch manifest at push time.
     - name: Build amd64 tarball (non-PR)
       if: github.event_name != 'pull_request'
-      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+      uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
       with:
         context: ${{ inputs.context }}
         file: ${{ inputs.dockerfile }}
@@ -237,7 +237,7 @@ runs:
 
     - name: Build arm64 tarball (non-PR, multi-arch)
       if: github.event_name != 'pull_request' && inputs.enable-arm64 == 'true'
-      uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+      uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
       with:
         context: ${{ inputs.context }}
         file: ${{ inputs.dockerfile }}
@@ -380,7 +380,7 @@ runs:
 
     - name: Upload SARIF amd64 to GitHub Security
       if: always()
-      uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+      uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
       with:
         sarif_file: trivy-${{ inputs.image-name }}-amd64.sarif
         category: trivy-${{ inputs.image-name }}-amd64
@@ -397,7 +397,7 @@ runs:
 
     - name: Upload SARIF arm64 to GitHub Security
       if: always() && github.event_name != 'pull_request' && inputs.enable-arm64 == 'true'
-      uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+      uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
       with:
         sarif_file: trivy-${{ inputs.image-name }}-arm64.sarif
         category: trivy-${{ inputs.image-name }}-arm64

@@ -80,7 +80,7 @@ runs:
 
     - name: Extract metadata
       id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
       with:
         images: ghcr.io/aureliolo/synthorg-${{ inputs.image-name }}
         tags: |

@@ -73,7 +73,7 @@ runs:
     # surface as a missing tag on the release.
     - name: Extract metadata
       id: meta
-      uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+      uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
       with:
         images: ghcr.io/aureliolo/synthorg-${{ inputs.image-name }}
         tags: |

@@ -518,7 +518,7 @@ jobs:
         shard: [1, 2, 3, 4]
     services:
       postgres:
-        image: postgres:18-alpine
+        image: postgres:18-alpine@sha256:96d56f7f57c6aacd1fcb908bc83b345ec5f83231ee486dd66a1baadce274db88
         env:
           POSTGRES_USER: synthorg
           POSTGRES_PASSWORD: synthorg-test
@@ -635,7 +635,7 @@ jobs:
       contents: read
     services:
       postgres:
-        image: postgres:18-alpine
+        image: postgres:18-alpine@sha256:96d56f7f57c6aacd1fcb908bc83b345ec5f83231ee486dd66a1baadce274db88
         env:
           POSTGRES_USER: synthorg
           POSTGRES_PASSWORD: synthorg-test
@@ -1117,7 +1117,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
       - run: npm ci
@@ -1143,7 +1143,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
       - name: Download OpenAPI schema artifact
@@ -1172,7 +1172,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
       - name: Download OpenAPI schema artifact
@@ -1219,7 +1219,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
       - name: Download OpenAPI schema artifact
@@ -1263,7 +1263,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
       - run: npm ci
@@ -1288,7 +1288,7 @@ jobs:
           persist-credentials: false
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
       - run: npm ci

@@ -71,7 +71,7 @@ jobs:
         run: go vet ./...
 
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
+        uses: golangci/golangci-lint-action@82606bf257cbaff209d206a39f5134f0cfbfd2ee # v9.2.1
         with:
           # renovate: datasource=github-releases depName=golangci/golangci-lint
           version: v2.12.2

@@ -128,7 +128,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
 

@@ -651,7 +651,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "24.15.0"
+          node-version: "24.16.0"
           package-manager-cache: false
 
       - name: Set up Python + uv (OpenAPI export + docs build)
@@ -861,7 +861,7 @@ jobs:
 
       - name: Upload SARIF to GitHub Security (web)
         if: always()
-        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           sarif_file: trivy-web.sarif
           category: trivy-web

@@ -114,7 +114,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
 
@@ -162,7 +162,7 @@ jobs:
 
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: 24.15.0
+          node-version: 24.16.0
           cache: npm
           cache-dependency-path: web/package-lock.json
 

@@ -187,7 +187,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "24.15.0"
+          node-version: "24.16.0"
 
       - name: Install Astro dependencies
         working-directory: site
@@ -308,7 +308,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "24.15.0"
+          node-version: "24.16.0"
 
       - name: Deploy to Cloudflare Pages
         env:

@@ -154,7 +154,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
-          node-version: "24.15.0"
+          node-version: "24.16.0"
 
       - name: Install Astro dependencies
         working-directory: site

@@ -36,7 +36,7 @@ jobs:
       contents: read
     services:
       postgres:
-        image: postgres:18-alpine
+        image: postgres:18-alpine@sha256:96d56f7f57c6aacd1fcb908bc83b345ec5f83231ee486dd66a1baadce274db88
         env:
           POSTGRES_USER: synthorg
           POSTGRES_PASSWORD: synthorg-test

@@ -37,7 +37,7 @@ jobs:
 
       - name: Upload SARIF
         if: ${{ !cancelled() }}
-        uses: github/codeql-action/upload-sarif@9e0d7b8d25671d64c341c19c0152d693099fb5ba # v4.35.5
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           sarif_file: results.sarif
 

@@ -55,7 +55,7 @@ services:
   # cannot self-chown, so this one-shot container sets ownership on first start.
   data-init:
     # renovate: datasource=docker depName=busybox
-    image: busybox:1.37-musl@sha256:19b646668802469d968a05342a601e78da4322a414a7c09b1c9ee25165042138
+    image: busybox:1.38-musl@sha256:f36701e0a15a97186ccc59bbe9a6217b649edecb36ce32d07fa31bf5ad15e56d
     volumes:
       - synthorg-data:/data
 {{- if postgresEnabled}}

@@ -158,10 +158,10 @@ const (
 	DefaultDHIRegistry     = "dhi.io"
 	// renovate: datasource=docker depName=dhi.io/postgres
 	DefaultPostgresImageTag    = "18-debian13"
-	DefaultPostgresImageDigest = "sha256:6aa59b8ff6ffcbcea41f285c435243734a9cb60e0068a8345b8284b41e5e650b"
+	DefaultPostgresImageDigest = "sha256:21d6e884d25134f59723b11a0c1f78b199b38591d1c6f2d492934e31827f8376"
 	// renovate: datasource=docker depName=dhi.io/nats
 	DefaultNATSImageTag    = "2.14-debian13"
-	DefaultNATSImageDigest = "sha256:e545a823f5d6ceaa33983c2b055d85e200d497ef5f949c3b991698e268f34875"
+	DefaultNATSImageDigest = "sha256:5ce86b96c969f5089c65ac6c786556999e39980e3873140e1c5b034d4a8f8a92"
 
 	DefaultNATSURLValue          = "nats://nats:4222"
 	DefaultNATSStreamPrefixValue = "SYNTHORG"

@@ -8,7 +8,7 @@ services:
   # cannot self-chown, so this one-shot container sets ownership on first start.
   data-init:
     # renovate: datasource=docker depName=busybox
-    image: busybox:1.37-musl@sha256:19b646668802469d968a05342a601e78da4322a414a7c09b1c9ee25165042138
+    image: busybox:1.38-musl@sha256:f36701e0a15a97186ccc59bbe9a6217b649edecb36ce32d07fa31bf5ad15e56d
     volumes:
       - synthorg-data:/data
     command: ["sh", "-c", "set -e; mkdir -p /data/logs /data/memory; chown -R 65532:65532 /data"]

@@ -8,7 +8,7 @@ services:
   # cannot self-chown, so this one-shot container sets ownership on first start.
   data-init:
     # renovate: datasource=docker depName=busybox
-    image: busybox:1.37-musl@sha256:19b646668802469d968a05342a601e78da4322a414a7c09b1c9ee25165042138
+    image: busybox:1.38-musl@sha256:f36701e0a15a97186ccc59bbe9a6217b649edecb36ce32d07fa31bf5ad15e56d
     volumes:
       - synthorg-data:/data
     command: ["sh", "-c", "set -e; mkdir -p /data/logs /data/memory; chown -R 65532:65532 /data"]

@@ -8,7 +8,7 @@ services:
   # cannot self-chown, so this one-shot container sets ownership on first start.
   data-init:
     # renovate: datasource=docker depName=busybox
-    image: busybox:1.37-musl@sha256:19b646668802469d968a05342a601e78da4322a414a7c09b1c9ee25165042138
+    image: busybox:1.38-musl@sha256:f36701e0a15a97186ccc59bbe9a6217b649edecb36ce32d07fa31bf5ad15e56d
     volumes:
       - synthorg-data:/data
     command: ["sh", "-c", "set -e; mkdir -p /data/logs /data/memory; chown -R 65532:65532 /data"]

@@ -8,7 +8,7 @@ services:
   # cannot self-chown, so this one-shot container sets ownership on first start.
   data-init:
     # renovate: datasource=docker depName=busybox
-    image: busybox:1.37-musl@sha256:19b646668802469d968a05342a601e78da4322a414a7c09b1c9ee25165042138
+    image: busybox:1.38-musl@sha256:f36701e0a15a97186ccc59bbe9a6217b649edecb36ce32d07fa31bf5ad15e56d
     volumes:
       - synthorg-data:/data
     command: ["sh", "-c", "set -e; mkdir -p /data/logs /data/memory; chown -R 65532:65532 /data"]

@@ -22,7 +22,7 @@
 # ---------------------------------------------------------------------------
 FROM python:3.14.3-slim@sha256:5e59aae31ff0e87511226be8e2b94d78c58f05216efda3b07dbbed938ec8583b AS builder
 
-COPY --from=ghcr.io/astral-sh/uv:0.11.15@sha256:e590846f4776907b254ac0f44b5b380347af5d90d668138ca7938d1b0c2f98d3 /uv /uvx /bin/
+COPY --from=ghcr.io/astral-sh/uv:0.11.16@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d /uv /uvx /bin/
 
 ENV UV_COMPILE_BYTECODE=1 \
     UV_LINK_MODE=copy
@@ -60,7 +60,7 @@
 # The embed runs *before* ``uv sync`` packages the venv so the
 # rewritten module is what gets cached in the wheel cache and
 # copied into the runtime stage.
 ARG LOGFIRE_PROJECT_TOKEN=""
 RUN if [ -n "$LOGFIRE_PROJECT_TOKEN" ]; then \
        python scripts/embed_logfire_token.py "$LOGFIRE_PROJECT_TOKEN"; \
    else \
@@ -92,7 +92,7 @@
 # ---------------------------------------------------------------------------
 # Stage 2 -- Runtime (apko-composed Wolfi base: no shell, no package manager)
 # ---------------------------------------------------------------------------
 FROM ${BASE_IMAGE}

 # Baked deployment-environment tag. Release-tag builds pass
 # `prod`; `-dev.N` / `-rc.*` / `-alpha.*` / `-beta.*` pre-release

@@ -7,7 +7,7 @@ x-logging: &logging
 services:
   postgres:
     # renovate: datasource=docker depName=dhi.io/postgres
-    image: dhi.io/postgres:18-debian13@sha256:6aa59b8ff6ffcbcea41f285c435243734a9cb60e0068a8345b8284b41e5e650b
+    image: dhi.io/postgres:18-debian13@sha256:21d6e884d25134f59723b11a0c1f78b199b38591d1c6f2d492934e31827f8376
     ports:
       - "${POSTGRES_PORT:-3002}:5432"
     volumes:
@@ -54,7 +54,7 @@ services:
   #   /nats-data -> 65532 (nats)
   data-init:
     # renovate: datasource=docker depName=busybox
-    image: busybox:1.37-musl@sha256:19b646668802469d968a05342a601e78da4322a414a7c09b1c9ee25165042138
+    image: busybox:1.38-musl@sha256:f36701e0a15a97186ccc59bbe9a6217b649edecb36ce32d07fa31bf5ad15e56d
     volumes:
       - synthorg-data:/data
       - synthorg-pgdata:/pgdata
@@ -173,7 +173,7 @@ services:
   # --max_payload CLI flag, so non-default settings need a config file.
   nats:
     # renovate: datasource=docker depName=dhi.io/nats
-    image: dhi.io/nats:2.14-debian13@sha256:e545a823f5d6ceaa33983c2b055d85e200d497ef5f949c3b991698e268f34875
+    image: dhi.io/nats:2.14-debian13@sha256:5ce86b96c969f5089c65ac6c786556999e39980e3873140e1c5b034d4a8f8a92
     command: ["-c", "/etc/nats/nats.conf"]
     ports:
       - "${NATS_CLIENT_PORT:-3003}:4222"

@@ -22,7 +22,7 @@
 # ---------------------------------------------------------------------------
 FROM python:3.14.3-slim@sha256:5e59aae31ff0e87511226be8e2b94d78c58f05216efda3b07dbbed938ec8583b AS builder
 
-COPY --from=ghcr.io/astral-sh/uv:0.11.15@sha256:e590846f4776907b254ac0f44b5b380347af5d90d668138ca7938d1b0c2f98d3 /uv /uvx /bin/
+COPY --from=ghcr.io/astral-sh/uv:0.11.16@sha256:440fd6477af86a2f1b38080c539f1672cd22acb1b1a47e321dba5158ab08864d /uv /uvx /bin/
 
 ENV UV_COMPILE_BYTECODE=1 \
     UV_LINK_MODE=copy
@@ -56,7 +56,7 @@
 # ---------------------------------------------------------------------------
 # Stage 2 -- Runtime (apko-composed Wolfi base)
 # ---------------------------------------------------------------------------
 FROM ${BASE_IMAGE}

 ARG FINE_TUNE_EXTRA
 LABEL org.opencontainers.image.title="synthorg-${FINE_TUNE_EXTRA}" \