chore(deps): rollup renovate dependency updates #288

Merged: jamestelfer merged 10 commits into main from renovate-rollup, Apr 7, 2026

@jamestelfer jamestelfer commented Mar 31, 2026

Purpose

Batch dependency update to reduce PR noise and keep the dependency graph current.

Context

Rolls up 9 Renovate PRs into a single merge, skipping golangci-lint and tink updates which need separate handling.

Merged PRs

Skipped PRs

Summary by CodeRabbit

  • Chores

    • Updated Go module dependencies to newer versions (including AWS SDK, GitHub API client, and system-related packages) for improved compatibility and security.
    • Bumped tooling config to a newer linter/tool version.
  • Tests

    • Updated test setup to use request contexts and aligned test imports with updated client libraries to keep test suite current and reliable.

coderabbitai Bot commented Mar 31, 2026

Caution

Review failed

Pull request was closed or merged during review

Walkthrough

This PR updates multiple Go module versions in go.mod, bumps github.com/google/go-github from v82→v84 and updates corresponding imports across internal GitHub client and test files, plus small test helpers/context changes and linter/tool-version updates. No exported APIs were changed.

Changes

Cohort / File(s) | Summary
Go module manifest: go.mod | Bumped numerous direct and indirect dependencies (AWS SDK v2 modules, Docker/moby, testing libs, system/CPU packages, etc.) to newer patch/minor versions.
GitHub client imports: internal/github/token.go, internal/github/token_internal_test.go, internal/github/token_test.go, internal/testhelpers/mockservers.go | Updated imports from github.com/google/go-github/v82/github → github.com/google/go-github/v84/github; types referenced updated via import change only.
Tests: request context updates: handlers_test.go, internal/audit/log_test.go, internal/jwt/jwt_test.go | Switched to creating HTTP requests with test context (httptest.NewRequestWithContext(...)) and updated helper signature for requestSetup(t *testing.T).
Linting & tooling: .golangci.yaml, .tool-versions | Added targeted linter rule exclusions and bumped golangci-lint version from 2.9.0 → 2.11.4.

Sequence Diagram(s)

(omitted)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested reviewers

  • liamstevens

Poem

"I hopped from v82 to v84 with glee,
Dependencies rustled like leaves on a tree,
Tests now carry contexts snug and tight,
Linters nod — the rabbit's delight! 🐇✨"

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The PR title accurately describes the main objective: rolling up multiple Renovate dependency updates into a single batch changeset.

codecov Bot commented Mar 31, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag | Coverage Δ
integration | 12.95% <ø> (ø)
unit | 88.73% <ø> (ø)

Files with missing lines | Coverage Δ
internal/github/token.go | 95.10% <ø> (ø)
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 66: The dependency entry for module github.com/docker/docker is pinned to
v28.5.2+incompatible which is vulnerable; update the version string for
github.com/docker/docker to v29.3.1 or a later patched release in the go.mod,
then run go mod tidy (and rerun your build/tests) to ensure the new version and
transitive changes are resolved; reference the module name
github.com/docker/docker in go.mod and ensure the version token is changed to
v29.3.1+incompatible (or later) before merging.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e17ace5d-e076-477b-8d7b-e6af5d12bfe5

📥 Commits

Reviewing files that changed from the base of the PR and between 4d1a1a3 and 3e1906f.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (5)
  • go.mod
  • internal/github/token.go
  • internal/github/token_internal_test.go
  • internal/github/token_test.go
  • internal/testhelpers/mockservers.go

Comment thread go.mod
github.com/decred/dcrd/dcrec/secp256k1/v4 v4.4.0 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/docker v28.5.1+incompatible // indirect
github.com/docker/docker v28.5.2+incompatible // indirect
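
Review bot: the replacement github.com/docker/docker line still carries the // indirect marker, so this module does not import it directly and the two lines shown do not say which dependency pulls it in. Before hand-editing the version, run go mod why -m github.com/docker/docker to identify the requiring path, and record in the PR whether that path is test-only or part of the shipped binary, since that decides how urgent a further bump of this entry is.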
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

What is the first patched version of github.com/docker/docker for GHSA-pxq6-2prw-chj9 and GHSA-x744-4wpc-v9h2, and is v28.5.2 affected?

💡 Result:

The first patched version of github.com/docker/docker (Moby project) for both GHSA-pxq6-2prw-chj9 and GHSA-x744-4wpc-v9h2 is v29.3.1. Docker Engine v28.5.2 is affected by both vulnerabilities.

Citations:


Upgrade github.com/docker/docker to v29.3.1 or later before merge.

v28.5.2+incompatible is affected by two HIGH severity vulnerabilities (GHSA-pxq6-2prw-chj9, GHSA-x744-4wpc-v9h2) related to AuthZ and plugin validation. Upgrade to v29.3.1, the first patched version that remediates both issues.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 66-66: github.com/docker/docker 28.5.2+incompatible: Moby has an Off-by-one error in its plugin privilege validation

(GHSA-pxq6-2prw-chj9)


[HIGH] 66-66: github.com/docker/docker 28.5.2+incompatible: Moby has AuthZ plugin bypass when provided oversized request bodies

(GHSA-x744-4wpc-v9h2)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 66, The dependency entry for module github.com/docker/docker
is pinned to v28.5.2+incompatible which is vulnerable; update the version string
for github.com/docker/docker to v29.3.1 or a later patched release in the
go.mod, then run go mod tidy (and rerun your build/tests) to ensure the new
version and transitive changes are resolved; reference the module name
github.com/docker/docker in go.mod and ensure the version token is changed to
v29.3.1+incompatible (or later) before merging.
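
A check of the kind this finding implies, as an added example that is not part of the PR or the project's code: it reads go.mod text and reports any requirement pinned below a first patched version, including `// indirect` entries and `+incompatible` versions. The names `firstPatched`, `Finding`, `key` and `Audit` are hypothetical; the v29.3.1 value is the one stated in the review comment above.

```go
package main

import (
	"fmt"
	"strings"
)

// firstPatched maps module path to first patched version (value from the review above).
var firstPatched = map[string]string{"github.com/docker/docker": "v29.3.1"}

// Finding is a go.mod requirement pinned below its first patched version.
type Finding struct {
	Module, Have, Want string
	Indirect           bool
}

// key makes "v28.5.2+incompatible" sortable; build and pre-release suffixes are dropped.
func key(v string) (string, bool) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexAny(v, "+-"); i >= 0 {
		v = v[:i]
	}
	var a, b, c int
	_, err := fmt.Sscanf(v, "%d.%d.%d", &a, &b, &c)
	return fmt.Sprintf("%09d.%09d.%09d", a, b, c), err == nil
}

// Audit scans go.mod text; a listed module with an unparsable version is reported too.
func Audit(gomod string) (out []Finding) {
	for _, line := range strings.Split(gomod, "\n") {
		code, comment, _ := strings.Cut(line, "//")
		f := strings.Fields(strings.TrimPrefix(strings.TrimSpace(code), "require "))
		if len(f) != 2 || firstPatched[f[0]] == "" {
			continue
		}
		have, ok := key(f[1])
		floor, _ := key(firstPatched[f[0]])
		if !ok || have < floor {
			out = append(out, Finding{f[0], f[1], firstPatched[f[0]], strings.TrimSpace(comment) == "indirect"})
		}
	}
	return out
}

func main() {
	// Constructed input: the new require line quoted in the comment thread above.
	for _, f := range Audit("require github.com/docker/docker v28.5.2+incompatible // indirect") {
		fmt.Printf("%s %s is below %s (indirect=%v)\n", f.Module, f.Have, f.Want, f.Indirect)
	}
}
```

The check does not follow replace directives and says nothing about whether the affected code is reachable from this module.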

* chore(deps): update dependency golangci-lint to v2.11.4

* fix(lint): resolve golangci-lint v2.11.4 failures

New and updated linter rules introduced failures:

- noctx now flags httptest.NewRequest without context; replaced with
  NewRequestWithContext in audit and jwt tests. requestSetup gains t.Helper()
  and t.Context() as it now accepts *testing.T.

- staticcheck SA5008 fires on unexported fields with json tags in
  fieldmapper_test.go; suppressed as intentional test fixtures.

- gosec G101 fires on "test-github-token" in test helpers; suppressed
  as non-credential test data.

- gosec G118 fires on loopCancel in refresh.go; suppressed as false
  positive: the cancel func is stored in the struct and called via Close().

* fix(lint): fix remaining noctx violations in handlers_test.go

Three more httptest.NewRequest calls flagged by the updated noctx rule
(v2.11.0 extended detection to httptest.NewRequest). Replaced with
NewRequestWithContext using t.Context().

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: James Telfer <792299+jamestelfer@users.noreply.github.com>
@jamestelfer jamestelfer merged commit 8411f43 into main Apr 7, 2026
8 of 9 checks passed
@jamestelfer jamestelfer deleted the renovate-rollup branch April 7, 2026 06:18