letsencrypt · aarongable · Jun 18, 2026
@@ -2,37 +2,60 @@ version: 2
 
 updates:
   - package-ecosystem: "gomod"
+    # Update a select few Go dependencies (mostly those we maintain, and ones
+    # that are important to keep up-to-date like zlint and psl) regularly.
+    # Group the updates so that one package can't starve out the others.
+    # No cooldown because of the very limited set of deps we're updating.
+    # Note that this also disables security updates for all other go deps:
+    # that's okay because we run govulncheck (which is more granular than
+    # dependabot) regularly and can handle those security updates manually.
     directory: "/"
+    allow:
+      - dependency-name: "github.com/go-jose/*"
+      - dependency-name: "github.com/letsencrypt/*"
+      - dependency-name: "github.com/weppos/publicsuffix-go"
+      - dependency-name: "github.com/zmap/*"
     groups:
-      aws:
-        patterns:
-          - "github.com/aws/*"
-      otel:
+      go:
         patterns:
-          - "go.opentelemetry.io/*"
-    open-pull-requests-limit: 1
+          - "*"
     schedule:
       interval: "weekly"
       day: "wednesday"
-    cooldown:
-      default-days: 30
+    open-pull-requests-limit: 1
+
   - package-ecosystem: "github-actions"
+    # Keep all github actions up to date on a monthly basis, but group the
+    # updates because they're generally easy to review.
     directory: "/"
+    groups:
+      gha:
+        patterns:
+          - "*"
     schedule:
       interval: monthly
     open-pull-requests-limit: 1
     cooldown:
       default-days: 7
+
   - package-ecosystem: "docker-compose"
+    # Keep a select few Docker images (those which are only used in our CI,
+    # and don't have to match production image versions) up to date. Group the
+    # updates to prevent review fatigue and to ensure pkimetal doesn't get
+    # starved.
     directory: "/"
+    allow:
+      - dependency-name: "ghcr.io/pkimetal/pkimetal"
+      - dependency-name: "jaegertracing/all-in-one"
+      - dependency-name: "minio/minio"
+      - dependency-name: "minio/mc"
+    groups:
+      docker-compose:
+        patterns:
+          - "*"
     schedule:
       interval: "weekly"
       day: "wednesday"
     open-pull-requests-limit: 1
     cooldown:
       default-days: 7
-    allow:
-      - dependency-name: "ghcr.io/pkimetal/pkimetal"
-      - dependency-name: "jaegertracing/all-in-one"
-      - dependency-name: "minio/minio"
-      - dependency-name: "minio/mc"
@@ -8,7 +8,7 @@ on:
   push:
     branches:
       - main
-      - release-branch-*
+      - v0.
   pull_request:
     branches:
       - '**'
@@ -109,29 +109,6 @@ jobs:
           name: container-logs
           path: ${{ github.workspace }}/containers.log
 
-  govulncheck:
-    runs-on: ubuntu-24.04
-    strategy:
-      fail-fast: false
-
-    steps:
-      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Setup Go
-        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
-        with:
-          # When Go produces a security release, we want govulncheck to run
-          # against the most recently released Go version.
-          check-latest: true
-          go-version: "stable"
-          cache: false
-
-      - name: Run govulncheck
-        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
-
   vendorcheck:
     runs-on: ubuntu-24.04
     strategy:

@@ -1,7 +1,7 @@
 name: Check for IANA special-purpose address registry updates
 
 on:
-  schedule:
+  schedule: # daily around 16:20 UTC
     - cron: "20 16 * * *"
   workflow_dispatch:
 

@@ -1,11 +1,13 @@
 name: "Code Scanning - Action"
 
 on:
-  pull_request:
-   branches: [ release-branch-*, main]
   push:
-   branches: [ release-branch-*, main]
-
+    branches:
+      - main
+      - v0.*
+  pull_request:
+    branches:
+      - '**'
 
 jobs:
   CodeQL-Build:

@@ -0,0 +1,73 @@
+# Workflow to regularly check boulder's dependencies for vulnerabilities
+# and updates.
+
+name: Dependency checks
+
+on:
+  schedule: # daily around 16:20 UTC
+    - cron: "20 16 * * *"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          # We want to run with the latest version of Go, just like we'll be
+          # running with the latest version of all of our dependencies.
+          go-version: "stable"
+
+      - name: Update Go dependencies
+        run: go get -u -t ./...
+
+      - name: Install crane
+        # This is the sole external dependency of update-container-versions.sh
+        run: go install github.com/google/go-containerregistry/cmd/crane@latest
+
+      - name: Update Docker dependencies
+        run: ./tools/update-container-versions.sh
+
+      - name: Build Docker images
+        # We do this locally, rather than pulling BOULDER_TOOLS_TAG like the
+        # CI job does, to also get the latest versions of everything in the
+        # DOCKERFILE.
+        run: docker compose build
+
+      - name: Run tests
+        run: ./tn.sh -lui
+
+  govulncheck:
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
+        with:
+          # When Go produces a security release, we want govulncheck to run
+          # against the most recently released Go version.
+          check-latest: true
+          go-version: "stable"
+          cache: false
+
+      - name: Run govulncheck
+        run: go run golang.org/x/vuln/cmd/govulncheck@latest ./...
@@ -7,9 +7,8 @@ on:
     - 'test/config-next/*.json'
     - 'test/config-next/*.yaml'
     - 'test/config-next/*.yml'
-    - 'sa/db-users/*.sql'
-    - 'sa/db-next/**/*.sql'
-    - 'sa/db/**/*.sql'
+    - 'sa/db/*.sql'
+    - 'sa/vtschema/*/.json'
 
 jobs:
   check-changes:

@@ -2,17 +2,20 @@
 # be used by tag protection rules to ensure that tags may only be pushed if
 # their corresponding commit was first pushed to one of those branches.
 name: Merged to main (or hotfix)
-permissions:
-  contents: read
+
 on:
   push:
     branches:
       - main
-      - release-branch-*
+      - v0.*
+
+permissions:
+  contents: read
+
 jobs:
   merged-to-main:
     name: Merged to main (or hotfix)
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:

@@ -4,6 +4,7 @@
 # Keep the GO_VERSION matrix and the container-building steps in sync with
 # try-release.yml.
 name: Build release
+
 on:
   push:
     tags:

@@ -4,11 +4,15 @@
 # Keep the GO_VERSION matrix and the container-building steps in sync with
 # release.yml.
 name: Try release
+
 on:
   push:
-    branches: [main]
+    branches:
+      - main
+      - v0.
   pull_request:
-    branches: [main]
+    branches:
+      - '**'
   workflow_dispatch:
 
 permissions:

@@ -4,7 +4,7 @@ on:
   push:
     branches:
       - main
-      - release-branch-*
+      - v0.*
   pull_request:
     branches:
       - '**'
@@ -14,7 +14,7 @@ permissions: {}
 
 jobs:
   zizmor:
-    runs-on: ubuntu-24.04
+    runs-on: ubuntu-latest
 
     env:
       ZIZMOR_IMAGE: ghcr.io/zizmorcore/zizmor:1.25.2@sha256:14ea7f5cc7c67933394a35b5a38a277397818d232602635edb2010b313afb110
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,7 @@ @@
     # Keep the GO_VERSION matrix and the container-building steps in sync with
     # try-release.yml.
     name: Build release
     on:
       push:
         tags:
@@ Expand Down @@