From 534d09b8ff4ecba79edfa140c621b7f9c4148bbf Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Mon, 28 Apr 2025 15:15:01 -0700
Subject: [PATCH 1/3] Add .github/dependabot.yml

Make sure our github actions stay up to date. Since this is a package (set of packages), we do not to bump dependencies to the latest versions automatically, but only when it is really required, thus sticking to Go's minimum version selection rules (essentially so that users of these packages are not required to unnecessarily update their dependencies).

Signed-off-by: Kir Kolyshkin
---
 .github/dependabot.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 .github/dependabot.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..807baca
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+# Please see the documentation for all configuration options:
+# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  # Dependencies listed in .github/workflows/*.yml
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

From c801239f0a7ebe9d3b6b2a119553b902089ea0df Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Tue, 6 May 2025 15:01:28 -0700
Subject: [PATCH 2/3] ci/gha: add govulncheck job

This is to ensure our minimal dependencies do not have known vulnerabilities. NOTE we do not specify Go version to be used here to avoid reporting vulnerabilities in stdlib which we're not interested in here.

Signed-off-by: Kir Kolyshkin
---
 .github/workflows/validate.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 4517406..830757d 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
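Review bot: `interval: "daily"` opens a separate pull request for every action release as soon as it is published, which is noisier than the commit message's "only when really required" stance; `interval: "weekly"` batches them into one round a week and is the usual cadence for the `github-actions` ecosystem. Because each action is third-party code executed with the workflow's token, keeping these current is worthwhile either way, and the entry also works with actions pinned to full commit SHAs as long as the version tag is kept in a trailing comment, which Dependabot updates alongside the SHA. The `help.github.com` URL in the header comment is a legacy address that currently redirects; the current Dependabot configuration reference lives under docs.github.com, so updating the link avoids a dead pointer if the redirect is ever dropped.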
@@ -75,11 +75,17 @@ jobs:
           go-version: "${{ env.GO_VERSION }}"
       - run: go mod tidy --diff
 
+  govulncheck:
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: golang/govulncheck-action@v1
+
   all-done:
     needs:
       - codespell
       - deps
       - go-fix
+      - govulncheck
       - lint
       - space-at-eol
     runs-on: ubuntu-24.04

From d7edb925c5a3934fd65cb6cdd35d6301cf903e6b Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Tue, 6 May 2025 15:15:45 -0700
Subject: [PATCH 3/3] ci/gha: run all github CI once a week on main

This is to ensure our CI is not rotting away when there are no new PRs or merges.

Signed-off-by: Kir Kolyshkin
---
 .github/workflows/test.yml     | 3 +++
 .github/workflows/validate.yml | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index abe7367..06acafb 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -7,6 +7,9 @@ on:
       - main
       - release-*
   pull_request:
+  schedule:
+    # Runs at 00:00 UTC every Monday
+    - cron: '0 0 * * 1'
 
 permissions:
   contents: read
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 830757d..1cbff63 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -7,6 +7,9 @@ on:
       - main
       - release-*
   pull_request:
+  schedule:
+    # Runs at 00:00 UTC every Monday
+    - cron: '0 0 * * 1'
 env:
   GO_VERSION: 1.24
 permissions:
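Review bot: The new `govulncheck` job relies entirely on the action's defaults — repository checkout, Go toolchain selection and the package set are all implicit in the single `uses: golang/govulncheck-action@v1` step, so nothing in the workflow records the reasoning the commit message gives for leaving the Go version unset. A comment above the step such as `# Go version deliberately not pinned: only module dependencies are in scope here, stdlib findings are out of scope` would keep the next editor from "fixing" it by passing the workflow's `GO_VERSION` to the action. Consider also pinning the action to a full commit SHA with the version tag in a trailing comment, which the Dependabot `github-actions` entry from the first patch keeps current; whether the other steps in this file are already SHA-pinned is not visible in the hunk. The `- run: go mod tidy --diff` context step belongs to a job whose definition starts outside the hunk.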
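Review bot: A `schedule` trigger only fires for the default branch and runs the workflow as it exists there, so the `release-*` branches listed under `push` just above get no weekly coverage from this cron; if release branches are also meant to be kept from rotting, that needs a separate mechanism (for example a `workflow_dispatch` trigger, or a scheduled job that checks out each release branch explicitly). The same three lines are added in the validate.yml hunk below, and the comment `# Runs at 00:00 UTC every Monday` is accurate for `'0 0 * * 1'`. Worth knowing for a low-traffic repository: GitHub's documented behaviour is to disable scheduled workflows in a public repository after 60 days without activity, so the safeguard can lapse silently until someone re-enables it in the Actions tab. In validate.yml the context line `GO_VERSION: 1.24` is pre-existing and unquoted; it parses correctly today, but a future `1.30` would be read as the float `1.3`, so `GO_VERSION: "1.24"` is a cheap guard to take along with this change.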