chore(deps): bump the dependencies group with 3 updates

[dependabot]

Bumps the dependencies group with 3 updates: Songmu/tagpr, goreleaser/goreleaser-action and aquasecurity/trivy-action.

Updates Songmu/tagpr from 1.18.2 to 1.18.3

Release notes

Sourced from Songmu/tagpr's releases.

v1.18.3

What's Changed

• Fix previous tag detection after switching from semver to calver by @​katutoshi in Songmu/tagpr#342
• build(deps): bump Songmu/tagpr from 1.17.1 to 1.18.2 by @​dependabot[bot] in Songmu/tagpr#343
• build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in Songmu/tagpr#344

New Contributors

• @​katutoshi made their first contribution in Songmu/tagpr#342

Full Changelog: Songmu/tagpr@v1.18.2...v1.18.3

Changelog

Sourced from Songmu/tagpr's changelog.

Changelog

v1.18.3 - 2026-04-17

• Fix previous tag detection after switching from semver to calver by @​katutoshi in Songmu/tagpr#342
• build(deps): bump Songmu/tagpr from 1.17.1 to 1.18.2 by @​dependabot[bot] in Songmu/tagpr#343
• build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1 by @​dependabot[bot] in Songmu/tagpr#344

v1.18.2 - 2026-04-12

• fix: respect version labels in monorepo using --first-parent by @​Ito-Ryu in Songmu/tagpr#340

v1.18.1 - 2026-04-05

• Clear PR Base before Edit to avoid duplicate synchronize webhooks by @​178inaba in Songmu/tagpr#336

v1.18.0 - 2026-04-05

• build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] in Songmu/tagpr#322
• build(deps): bump Songmu/tagpr from 1.17.0 to 1.17.1 by @​dependabot[bot] in Songmu/tagpr#323
• build(deps): bump golang.org/x/oauth2 from 0.35.0 to 0.36.0 by @​dependabot[bot] in Songmu/tagpr#325
• build(deps): bump actions/create-github-app-token from 2.2.1 to 3.0.0 by @​dependabot[bot] in Songmu/tagpr#327
• Add retry to latestPullRequest for commit-to-PR index race condition by @​babarot in Songmu/tagpr#333
• fix: CalVer not working correctly with zero-padded formats (fixes #320) by @​oharo3109 in Songmu/tagpr#321
• Ignore labels from Dependabot PRs in version determination by @​Songmu in Songmu/tagpr#334
• build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] in Songmu/tagpr#331
• build(deps): bump codecov/codecov-action from 5.5.2 to 6.0.0 by @​dependabot[bot] in Songmu/tagpr#332

v1.17.1 - 2026-02-25

• add gh2changelog/LICENSE by @​Songmu in Songmu/tagpr#313
• Fix PR description including already shipped PRs when using fixedMajorVersion by @​Konboi in Songmu/tagpr#317
• build(deps): bump Songmu/tagpr from 1.15.0 to 1.17.0 by @​dependabot[bot] in Songmu/tagpr#316
• update google/go-github from v82 to v83 by @​Songmu in Songmu/tagpr#319

v1.17.0 - 2026-02-14

• Add fixedMajorVersion option for multiple major version support by @​Konboi in Songmu/tagpr#296

v1.16.0 - 2026-02-14

• docs: improve README for labels and env vars by @​tokuhirom in Songmu/tagpr#300
• Use scoped release yaml path in github releases by @​wreulicke in Songmu/tagpr#304
• fix: latestSemverTag returns empty for zero-padded calver tags by @​k1LoW in Songmu/tagpr#303
• build(deps): bump golang.org/x/oauth2 from 0.34.0 to 0.35.0 by @​dependabot[bot] in Songmu/tagpr#305
• build(deps): bump github.com/Songmu/gitconfig from 0.2.1 to 0.2.2 by @​dependabot[bot] in Songmu/tagpr#299
• Migrate gh2changelog to monorepo as local submodule by @​Copilot in Songmu/tagpr#307
• Fix: validate tagPrefix in isTagPR for monorepo isolation by @​Copilot in Songmu/tagpr#311

v1.15.0 - 2026-02-01

• feat: allow tagpr.calendarVersioning to accept format string directly by @​k1LoW in Songmu/tagpr#295

v1.14.0 - 2026-01-29

• feat: scoped release configuration by @​wreulicke in Songmu/tagpr#291
• [fix] care nil ReleaseYAML by @​Songmu in Songmu/tagpr#293

v1.13.0 - 2026-01-29

... (truncated)

Commits

• 9bbb945 Merge pull request #347 from Songmu/tagpr-from-v1.18.2
• be7142b [tagpr] update CHANGELOG.md
• 5bc7cf2 [tagpr] prepare for the next release
• 40a60a0 Merge pull request #346 from Songmu/tagpr-from-gh2changelog-v0.7.2
• e0cba8a Merge pull request #344 from Songmu/dependabot/github_actions/actions/create-...
• 18b8a7f Merge pull request #343 from Songmu/dependabot/github_actions/Songmu/tagpr-1....
• 734f50c [tagpr] update CHANGELOG.md
• a4812cf [tagpr] prepare for the next release
• b11c1e3 Merge pull request #342 from katutoshi/fix/calver-previous-tag-detection
• f61e3fd build(deps): bump actions/create-github-app-token from 3.0.0 to 3.1.1
• Additional commits viewable in compare view

Updates goreleaser/goreleaser-action from 7.0.0 to 7.1.0

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v7.1.0

What's Changed

• feat: verify release checksum and cosign signature by @​caarlos0 in goreleaser/goreleaser-action#550
• docs: document cosign verification in README by @​caarlos0 in goreleaser/goreleaser-action#553
• docs: Upgrade import GPG action version by @​flecno in goreleaser/goreleaser-action#547
• ci: drop docker-bake in favor of plain npm by @​caarlos0 in goreleaser/goreleaser-action#551
• ci: add release-major-tag workflow by @​caarlos0 in goreleaser/goreleaser-action#552
• ci: drop pre-cosign-v3 goreleaser versions from tests by @​caarlos0 in goreleaser/goreleaser-action#554
• ci(deps): bump the actions group with 2 updates by @​dependabot[bot] in goreleaser/goreleaser-action#543
• ci(deps): bump the actions group with 5 updates by @​dependabot[bot] in goreleaser/goreleaser-action#546
• chore(deps): bump undici from 6.23.0 to 6.24.1 by @​dependabot[bot] in goreleaser/goreleaser-action#545

New Contributors

• @​flecno made their first contribution in goreleaser/goreleaser-action#547

Full Changelog: goreleaser/goreleaser-action@v7...v7.1.0

Commits

• e24998b ci: drop pre-cosign-v3 goreleaser versions from tests (#554)
• be2e8a3 docs: document cosign verification in README (#553)
• 5e53f8e ci: add release-major-tag workflow (#552)
• 4068afa build: drop docker-bake in favor of plain npm (#551)
• 213ec80 docs: add CONTRIBUTING with pre-commit workflow
• 4b462d3 feat: verify release checksum and cosign signature (#550)
• 01cbe07 docs: Upgrade import GPG action version (#547)
• 2a473d7 ci(deps): bump the actions group with 5 updates (#546)
• fdcf0b9 clean: leftover files from node 22(?)
• 9881cc5 fix: use new static URL
• Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.35.0 to 0.36.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.36.0

What's Changed

• chore(ci): update bump-trivy workflow by @​DmitriyLewen in aquasecurity/trivy-action#546
• ci: use action.yaml as single source of truth for Trivy version by @​nikpivkin in aquasecurity/trivy-action#552
• ci: replace peter-evans/create-pull-request with gh CLI by @​nikpivkin in aquasecurity/trivy-action#550
• test: use pinned digests for trivy-db, trivy-java-db and trivy-checks by @​nikpivkin in aquasecurity/trivy-action#555
• ci: add dependabot config by @​nikpivkin in aquasecurity/trivy-action#556
• chore: add zizmor config by @​nikpivkin in aquasecurity/trivy-action#557
• chore(deps): bump the actions group with 5 updates by @​dependabot[bot] in aquasecurity/trivy-action#558
• fix: use portable shebang in entrypoint.sh by @​Hayao0819 in aquasecurity/trivy-action#545
• Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name by @​patrik-csak in aquasecurity/trivy-action#547
• Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #549 by @​Aditya09-cse in aquasecurity/trivy-action#548
• chore: use GitHub Actions as git commit author in bump-trivy workflow by @​nikpivkin in aquasecurity/trivy-action#561
• chore(deps): Update trivy to v0.70.0 by @​Argon-DevOps-Mgt in aquasecurity/trivy-action#559
• chore: update action version to v0.36.0 in examples by @​nikpivkin in aquasecurity/trivy-action#563

New Contributors

• @​dependabot[bot] made their first contribution in aquasecurity/trivy-action#558
• @​Hayao0819 made their first contribution in aquasecurity/trivy-action#545
• @​patrik-csak made their first contribution in aquasecurity/trivy-action#547
• @​Aditya09-cse made their first contribution in aquasecurity/trivy-action#548
• @​Argon-DevOps-Mgt made their first contribution in aquasecurity/trivy-action#559

Full Changelog: aquasecurity/trivy-action@v0.35.0...v0.36.0

Commits

• ed142fd chore: update action version to v0.36.0 in examples (#563)
• dea62cf chore(deps): Update trivy to v0.70.0 (#559)
• 128d9a8 chore: use GitHub Actions as git commit author in bump-trivy workflow (#561)
• 876cf04 Upgrade Trivy action version from 0.33.1 to 0.35.0 fixes #549 (#548)
• dada784 Fix typo in GOOGLE_APPLICATION_CREDENTIALS env var name (#547)
• 4a2deec fix: use portable shebang in entrypoint.sh (#545)
• 1994662 chore(deps): bump the actions group with 5 updates (#558)
• 6b36659 chore: add zizmor config (#557)
• 316aa5a ci: add dependabot config (#556)
• 264c9c5 test: use pinned digests for trivy-db, trivy-java-db and trivy-checks (#555)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Code Metrics Report

	main (93bab0c)	#180 (e819cd3)	+/-
Coverage	38.3%	38.3%	0.0%
Code to Test Ratio	1:2.2	1:2.2	0.0
Test Execution Time	19s	19s	0s

Details

  |                     | main (93bab0c) | #180 (e819cd3) | +/-  |
  |---------------------|----------------|----------------|------|
  | Coverage            |          38.3% |          38.3% | 0.0% |
  |   Files             |             13 |             13 |    0 |
  |   Lines             |           1173 |           1173 |    0 |
  |   Covered           |            450 |            450 |    0 |
  | Code to Test Ratio  |          1:2.2 |          1:2.2 |  0.0 |
  |   Code              |           2488 |           2488 |    0 |
  |   Test              |           5664 |           5664 |    0 |
  | Test Execution Time |            19s |            19s |   0s |

---

Reported by octocov

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.