Skip to content

Release v1.18.7#852

Merged
tphoney merged 14 commits into
mainfrom
copybara/v1.18.7
Jul 7, 2026
Merged

Release v1.18.7#852
tphoney merged 14 commits into
mainfrom
copybara/v1.18.7

Conversation

@github-actions

@github-actions github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

Copybara Sync - Release v1.18.7

This PR was automatically created by Copybara, syncing changes from the overmindtech/workspace monorepo.

Original author: renovate[bot] (29139614+renovate[bot]@users.noreply.github.com)

What happens when this PR is merged?

  1. The tag-on-merge workflow will automatically create the v1.18.7 tag on main
  2. This tag will trigger the release workflow, which will:
    • Run tests
    • Build and publish release binaries via GoReleaser
    • Upload packages to Cloudsmith

Review Checklist

  • Changes look correct and match the expected monorepo sync
  • Tests pass (see CI checks below)

jameslaneovermind and others added 14 commits July 6, 2026 15:48
Co-authored-by: Cursor <cursoragent@cursor.com>

# Conflicts:
#	.cursor/skills/blog-writing/SKILL.md

GitOrigin-RevId: 055ac2e8ac6d3f73abaa32b6e916794271c6d153
<img width="1266" height="490" alt="image"
src="https://github.com/user-attachments/assets/4e4be35b-6d0e-4314-9758-76b09e06d550"
/>

## Summary

- Add observe-only MCP middleware that resolves grant-key workspace
bindings on every `/brent/mcp` request, classifies anomalies using the
same taxonomy as the Connect workspace interceptor, and reports
telemetry without changing tenancy or rejecting requests.
- Add the `whoami` MCP tool (`account:read`) so users and support can
inspect binding health: subject, bound workspace, legacy claim, and
`binding_status`.
- Document observe mode in the Auth0 runbook and Brent backend README.

## Linear Ticket

Fixes:
[ENG-5319](https://linear.app/overmind/issue/ENG-5319/brent-workspaces-mcp-observe-middleware-whoami)
— Brent Workspaces — MCP observe middleware + whoami

- **Purpose**: Resolve MCP grant-key bindings on every request in
observe mode, report binding-health anomalies, and expose a `whoami`
tool for support — without enforcing tenancy or changing existing MCP
tool behaviour.
- **Blocks**: [ENG-5341](https://linear.app/overmind/issue/ENG-5341)
(enforcement flip) depends on this landing first.

## Changes

- `go/auth`: `ExtractMCPGrantKey`, `WithMCPGrantKey`, and unit tests.
- `services/brent-backend/service`: shared `mcpGrantObserver` resolver,
`newMCPObserveMiddleware` wired after JWT auth in `server_wire.go`,
`whoami` MCP tool registered from `mcp.go`.
- Integration tests for classify paths, middleware pass-through, and
whoami scenarios (healthy, unbound, claim mismatch, missing grant key).
- Docs: MCP grant binding observe-mode section in
`docs/runbooks/brent-auth0-tenants.md`; README pointer under MCP Server.

## Brent Plan

- **Plan ID**: BRENT-466
- **Plan**: [ENG-5319 MCP
Observe](https://brent-dev.overmind-demo.com/open/plans/b59bcae8-65b5-4315-8eb8-29ab6cdef08c?intent=plan_review)
- **Approved by**: Elliot Waddington

> Deviation analysis and reviewer assignment are handled automatically
by the
> pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md).

## Test plan

- [ ] `go test -race ./go/auth/... -run MCPGrantKey -count=1`
- [ ] `go test -race ./services/brent-backend/service/... -run
'MCPObserve|Whoami' -count=1`
- [ ] `golangci-lint run ./services/brent-backend/service/...
./go/auth/...`

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Touches the authenticated MCP request path and auth claim handling on
every call, but observe-only (no rejections); DB binding lookups run
when a grant key is present.
>
> **Overview**
> Adds **observe-only** MCP grant-key → workspace binding checks on
every authenticated `/brent/mcp` request, without changing tenancy
(still `account-name` via `auth.ExtractAccount`) or rejecting traffic.
>
> **`go/auth`** gains `ExtractMCPGrantKey` / `WithMCPGrantKey` so JWT
context can carry `https://api.overmind.tech/mcp-grant-key` (empty claim
is normal until ENG-5343).
>
> **`brent-backend`** wires `newMCPObserveMiddleware` after JWT auth in
`server_wire.go`. The shared `mcpGrantObserver` looks up active
bindings, checks workspace membership and claim vs bound workspace, sets
`brent.mcp.observe.*` span attributes, and logs/Sentry-warns on alarming
anomalies (not on `missing_grant_key`). A new **`whoami`** MCP tool
(`account:read`) exposes subject, bound workspace, legacy claim, and
`binding_status` for support.
>
> Runbook and README document observe mode and the expected
`missing_grant_key` state pre–Auth0 grant-key minting; enforcement is
deferred to ENG-5341.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
5b6d91dbbddb237a3c6a182b5d48d188d632f654. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

GitOrigin-RevId: f9eb69ca485883b9c121f42884912573fad8ae02
…ra (#5740)

## Summary

- Admins can set a workspace logo (uploaded, re-encoded to PNG, stored
in a private bucket) and theme colour (`#rrggbb`) via new backend
endpoints.
- Implements the approved BRENT-463 backend/infra slice: image safety
pipeline, object storage seam, branding orchestration, and
Terraform/Kustomize wiring for IRSA + S3.
- `SuggestWorkspaceBranding` prefill and frontend UI remain out of scope
for follow-on plans.

## Linear Ticket

Fixes:
[ENG-5338](https://linear.app/overmind/issue/ENG-5338/brent-workspaces-p3-workspace-branding-backendinfra)
— Brent Workspaces P3 — workspace branding (backend/infra)

- **Purpose**: Backend/infra slice for workspace branding — logo upload
with server-side re-encode, private S3 storage via IRSA, public proxy
serve, and theme colour RPC.
- **Blocks**:
[ENG-5339](https://linear.app/overmind/issue/ENG-5339/brent-workspaces-p3b-workspace-slug-rename-backend)
(workspace slug rename backend)

## Changes

- New packages: `imageproc` (single chokepoint for untrusted image
bytes), `objectstore` (S3/fs/mem backends), `branding`
(`SetLogo`/`SetTheme` with admin gate).
- Workspaces store stores object **keys** (not URLs) and derives public
URLs in `view.go`; `AdminGetMembership` replaces `AdminIsActiveMember`.
- Transport: authed `POST /brent/workspace-logo-upload`, public `GET
/brent/workspace-logo/...` proxy, and `UpdateWorkspaceBranding` theme
RPC.
- Infra: private S3 bucket + IRSA role in Terraform; kustomize SA
annotation and `BRENT_BACKEND_LOGO_S3_BUCKET` ConfigMap per overlay
(prod + dogfood).
- Tests: imageproc units, branding with memstore, upload→proxy
round-trip.

## Brent Plan

- **Plan ID**: BRENT-463
- **Plan**: [Brent Workspaces P3 — workspace branding
(backend/infra)](https://brent-dev.overmind-demo.com/open/plans/d5bb5039-3461-47b4-8aed-28f1bb79a54b?intent=plan_review)
- **Approved by**: Thomas Honey
- **Pending reviews**: Daniel Carabas

> Deviation analysis and reviewer assignment are handled automatically
by the
> pre-approved PR review automation (see docs/PREAPPROVED_CHANGES.md).

Made with [Cursor](https://cursor.com)

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: e52da31d85c23268d5798e09e16cc9adb5ee2490
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github.com/openrdap/rdap](https://redirect.github.com/openrdap/rdap)
| require | digest | `8fa7e50` → `a095c49` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJnb2xhbmciXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 4ec7b7d8c1682a4e95ef7b4f0d87ebf18af99eb7
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) | Type |
Update |
|---|---|---|---|---|---|
|
[cloud.google.com/go/storage](https://redirect.github.com/googleapis/google-cloud-go)
| `v1.62.3` → `v1.63.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/cloud.google.com%2fgo%2fstorage/v1.63.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/cloud.google.com%2fgo%2fstorage/v1.62.3/v1.63.0?slim=true)
| require | minor |
|
[google.golang.org/api](https://redirect.github.com/googleapis/google-api-go-client)
| `v0.285.0` → `v0.286.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fapi/v0.286.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fapi/v0.285.0/v0.286.0?slim=true)
| require | minor |
|
[google.golang.org/genproto/googleapis/rpc](https://redirect.github.com/googleapis/go-genproto)
| `87f3d3e` → `b703f56` |
![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgenproto%2fgoogleapis%2frpc/v0.0.0-20260622175928-b703f567277d?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgenproto%2fgoogleapis%2frpc/v0.0.0-20260618152121-87f3d3e198d3/v0.0.0-20260622175928-b703f567277d?slim=true)
| require | digest |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>googleapis/google-api-go-client
(google.golang.org/api)</summary>

###
[`v0.286.0`](https://redirect.github.com/googleapis/google-api-go-client/releases/tag/v0.286.0)

[Compare
Source](https://redirect.github.com/googleapis/google-api-go-client/compare/v0.285.0...v0.286.0)

##### Features

- **all:** Auto-regenerate discovery clients
([#&#8203;3629](https://redirect.github.com/googleapis/google-api-go-client/issues/3629))
([f25a08b](https://redirect.github.com/googleapis/google-api-go-client/commit/f25a08b7bd916e0719cc9e0d003454a8aaa8caf9))
- **all:** Auto-regenerate discovery clients
([#&#8203;3631](https://redirect.github.com/googleapis/google-api-go-client/issues/3631))
([b3bb97f](https://redirect.github.com/googleapis/google-api-go-client/commit/b3bb97ff046401ce738b4e6830642b2e6c712536))
- **all:** Auto-regenerate discovery clients
([#&#8203;3632](https://redirect.github.com/googleapis/google-api-go-client/issues/3632))
([7332dd7](https://redirect.github.com/googleapis/google-api-go-client/commit/7332dd74f142bba59a27778f115eac98cc254bfb))
- **all:** Auto-regenerate discovery clients
([#&#8203;3634](https://redirect.github.com/googleapis/google-api-go-client/issues/3634))
([36081a0](https://redirect.github.com/googleapis/google-api-go-client/commit/36081a00df42df1ca3e3228067737839aa905c9e))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJnb2xhbmciXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 5b2d027af0019683371bc679551b85317408f001
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/aws/aws-sdk-go-v2/service/directconnect](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.40.0` → `v1.41.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdirectconnect/v1.41.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdirectconnect/v1.40.0/v1.41.0?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/ec2](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.307.1` → `v1.308.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.308.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.307.1/v1.308.0?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>aws/aws-sdk-go-v2
(github.com/aws/aws-sdk-go-v2/service/directconnect)</summary>

###
[`v1.41.0`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2025-06-12)

[Compare
Source](https://redirect.github.com/aws/aws-sdk-go-v2/compare/v1.40.0...v1.41.0)

#### Module Highlights

- `github.com/aws/aws-sdk-go-v2/service/apigateway`:
[v1.31.3](service/apigateway/CHANGELOG.md#v1313-2025-06-12)
  - **Documentation**: Documentation updates for Amazon API Gateway
- `github.com/aws/aws-sdk-go-v2/service/apigatewayv2`:
[v1.28.3](service/apigatewayv2/CHANGELOG.md#v1283-2025-06-12)
  - **Documentation**: Documentation updates for Amazon API Gateway
- `github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2`:
[v1.3.0](service/connectcampaignsv2/CHANGELOG.md#v130-2025-06-12)
- **Feature**: Added PutInstanceCommunicationLimits and
GetInstanceCommunicationLimits APIs
- `github.com/aws/aws-sdk-go-v2/service/ecs`:
[v1.57.5](service/ecs/CHANGELOG.md#v1575-2025-06-12)
- **Documentation**: This Amazon ECS release supports updating the
capacityProviderStrategy parameter in update-service.
- `github.com/aws/aws-sdk-go-v2/service/emrserverless`:
[v1.31.0](service/emrserverless/CHANGELOG.md#v1310-2025-06-12)
- **Feature**: This release adds support for retrieval of the optional
executionIamPolicy field in the GetJobRun API response.
- `github.com/aws/aws-sdk-go-v2/service/iotfleetwise`:
[v1.27.0](service/iotfleetwise/CHANGELOG.md#v1270-2025-06-12)
- **Feature**: Add new status READY\_FOR\_CHECKIN used for vehicle
synchronisation
- `github.com/aws/aws-sdk-go-v2/service/kms`:
[v1.41.0](service/kms/CHANGELOG.md#v1410-2025-06-12)
- **Feature**: AWS KMS announces the support of ML-DSA key pairs that
creates post-quantum safe digital signatures.

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJnb2xhbmciXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 8e8d94504972b836e5172559c27efd79af65be5b
This PR contains the following updates:

| Update | Change |
|---|---|
| lockFileMaintenance | All locks refreshed |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

🔧 This Pull Request updates lock files to use the latest dependency
versions.

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "before 4am on monday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Patch provider bumps affect all Terraform init/apply paths that use
these locks (including production deploy workflows); behavior can shift
slightly even without HCL changes.
>
> **Overview**
> Renovate **lock file maintenance** bumps pinned Terraform provider
versions and checksums across `cli`, `deploy`, `deploy/meta`, and
`razorpay-deploy`. No `.tf` or module code changes.
>
> **hashicorp/aws** moves from **6.51.0** to **6.52.0** wherever that
provider is locked. **hashicorp/google** moves from **7.37.0** to
**7.38.0** in stacks that use it (e.g. `cli`, `deploy`, `deploy/meta`).
Provider **constraints** in the lock files are unchanged; only the
resolved version and `h1`/`zh` hashes are updated so `terraform init`
pulls the newer binaries.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
487cdd491eafce2a9eb200ae7f6d1b8834fa38f5. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 649b05733ce83f1d0bd864919129c6776dce54db
…ntity (ENG-5418) (#5796)

<!-- CURSOR_AGENT_PR_BODY_BEGIN -->
## Summary

This PR implements the core GitLab integration infrastructure for
ENG-5418, providing:
- **Per-install opaque URL path token** for secure webhook routing
- **Per-install secret token** (X-Gitlab-Token) for webhook
authentication
- **Client factory** for authenticated outbound GitLab API calls
- **Connect endpoint** for GitLab installation setup

## Changes

### Schema Migration
- Added `webhook_route_token` to `organisation_app_installations` for
per-install URL token routing
- Added `webhook_secret_ciphertext` and `webhook_secret_version` to
`organisation_app_config` for encrypted webhook secrets
- Added `account_integration_id` to `pull_requests` for multi-instance
PR attribution (absorbs ENG-5423)
- Added partial unique index for GitLab webhook tokens
- **Fixed:** Added `'gitlab'` to
`organisation_app_tokens_provider_check` constraint (was missing from
original migration)

### Client Factory (`client_factory.go`)
- Implements `ClientFactory` interface for creating authenticated
`go-gitlab` clients
- Loads install credentials via `GetGitLabInstallWithTokenByID` query
- Decrypts access tokens via `fieldcrypto`
- Wraps HTTP client with `otelhttp` for distributed tracing
- Provides `IsAuthError`/`WrapAuthError` helpers for 401/403 detection →
`ErrGitLabTokenInvalid`
- **Fixed:** Maps `pgx.ErrNoRows` to `ErrGitLabNotConfigured` (Bugbot
`755b75a7`)

### Connect Endpoint (`connect.go`)
- Validates GitLab access token against customer's instance via `GET
/user`
- Generates per-install webhook URL token (SHA-256 hashed in DB,
plaintext shown once)
- Generates per-install webhook secret (encrypted via `fieldcrypto`)
- Transactional upsert of installation/config/token rows
- Returns fully-formed webhook URL and secret for customer to paste into
GitLab
- **Fixed:** Uses `webhook_route_token` hash as `external_principal_id`
to prevent cross-tenant secret sharing (Bugbot `ebcc756e`)

### Webhook Lookup (`webhook_lookup.go`)
- Implements `WebhookTokenLookup` interface for `ByWebhookToken`
resolution
- Hashes incoming URL token and looks up via
`AdminGetGitLabInstallByWebhookToken`
- Returns install details + decrypted secret for per-install
verification
- `VerifyPerInstallSecret` uses constant-time comparison and **fails
closed** when secret is empty

### Token-Routed Webhook Handler (`webhook_handler_token.go`)
- New handler for `POST /webhooks/gitlab/{token}` route
- Extracts token from URL path (not payload) — key spoofing defense
- Verifies per-install secret via X-Gitlab-Token header
- Deduplication via Idempotency-Key header
- Writes `Event_GitlabWebhook` to event store with install context

### Store Validation (`store.go`)
- **Fixed:** `Validate()` now checks both legacy (webhookSecret) and
per-install (codec+orgQueries) configurations (Bugbot `814b6060`)
- Fails fast at boot if partial config is detected

### GitLab Disconnect (`disconnect_workspace.go`, `store.go`)
- **Fixed:** `DisconnectAllIntegrationsForWorkspace` now properly
deletes GitLab installs (Bugbot `c0d5c2e5`)
- New `DeleteGitLabInstallationByID` method deletes install, tokens, and
config atomically

### Wiring
- Added `ProviderGitLab` to Provider enum
- Wired `gitlabStore` with `Codec` and `OrganisationQueries`
- Constructed `GitLab ClientFactory` in `server_construct.go` (held for
ENG-5417/5419/5420/5424)
- Updated `HTTPRoutes` to include token-routed handler alongside legacy
handler
- Added exhaustive switch cases for `ProviderGitLab` across
`organisations` package

## Security Model

This implementation adopts the **industry-standard answer** for webhook
identity:

1. **Routing = per-install URL path token** (Brent-generated,
high-entropy)
- Identity comes from an unguessable URL token, never from payload
fields
- Prevents spoofing: attacker can't claim victim's workspace regardless
of payload
   - Solves gitlab.com tenant collapse and namespace collision issues

2. **Authentication = per-install secret token** (X-Gitlab-Token)
   - Defense in depth (URLs can leak into logs/proxies)
   - Encrypted at rest via `fieldcrypto`
   - Constant-time comparison prevents timing attacks
   - **Fails closed** when secret is missing

3. **Per-install identity isolation**
- `external_principal_id` = `webhook_route_token` hash (not GitLab user
ID)
- Same GitLab user connecting to different Brent workspaces get isolated
credentials
   - Prevents cross-tenant secret sharing

## Tests

- Unit tests for client factory, connect endpoint, webhook lookup
- Token webhook handler tests including **spoofing defense**
verification
- Integration with existing webhook handler tests

## Bugbot Fixes

All 5 Bugbot findings have been addressed:

| Severity | Finding | Fix |
|----------|---------|-----|
| **High** | `814b6060` Store.Validate() skips per-install wiring |
Validate now checks codec+orgQueries config |
| **High** | `ebcc756e` Cross-tenant secret sharing | Use
webhook_token_hash as external_principal_id |
| **High** | GitLab tokens blocked by DB provider check | Add 'gitlab'
to organisation_app_tokens_provider_check |
| **Medium** | `755b75a7` ClientFactory ErrNotConfigured mapping | Map
pgx.ErrNoRows correctly |
| **Medium** | `c0d5c2e5` GitLab disconnect leaves orphans | Implement
DeleteGitLabInstallationByID |

## Out of Scope

- OAuth-app connect flow + token refresh (ENG-5421)
- Factory consumers: commit fetch (ENG-5417), status (ENG-5419), note
(ENG-5420), tool bundle (ENG-5424)
- Frontend GitLab connect page (ENG-5421)
- v19 HMAC signing path (future enhancement)

---

## Deviation Explanations

### `missing-gitlab-connect-rpc-endpoint`

The plan called for a Connect-RPC endpoint `GitLabConnect({ base_url,
token })`. This PR implements the core `Connect()` logic, storage, and
validation, but defers the Connect-RPC handler registration to
**ENG-5421** (Frontend GitLab connect page). The plan itself notes "This
is the endpoint ENG-5421's frontend posts to" — the RPC wiring belongs
with the frontend work that will call it. The internal
`Store.ConnectGitLab()` method is ready for that wiring.

### `missing-pull-request-account-integration-write-path`

The `account_integration_id` column is added to the schema as planned,
but the `CreatePullRequest`/`UpdatePullRequest` queries are
intentionally not modified in this PR. The plan notes this column is
"populated by the translator (ENG-5417)" — the GitLab MR translator will
write this field when it creates PRs. GitHub PRs remain NULL pending a
separate backfill. Modifying write queries here would be premature since
no caller exists yet.

### `missing-review-eng-5423-absorbed-pr-install-write-path`

Same rationale as `missing-pull-request-account-integration-write-path`:
ENG-5423 absorption means the schema is ready for multi-instance
attribution. The write path belongs in ENG-5417 (GitLab MR translator)
which will actually create GitLab PRs and populate the field. Adding the
column now + write path later is the correct sequencing — the translator
needs the column to exist before it can write to it.

### `scope-token-routed-webhook-ingress`

The plan assigned webhook ingress to ENG-5416, but ENG-5416 already
merged with a stub `noopWebhookAccountResolver`. This PR provides the
**real resolver** (`WebhookTokenLookup`) that ENG-5416's plan promised
ENG-5418 would supply. The token-routed handler is the natural home for
the lookup integration — it cannot be tested or validated without the
handler that calls it. Splitting them would require artificial seams.
The legacy global-secret handler from ENG-5416 remains available during
migration.

### `changed-account-integration-id-without-fk`

The plan called for "validate index/FK choice at implementation." Per
the `sql-schema-design` skill: nullable FKs to high-cardinality tables
(like `organisation_app_installations`) typically omit the constraint to
avoid cascading deletes and lock contention on the referenced table. The
comment documents the semantic relationship; enforcement happens at the
application layer. This matches the existing pattern for
`plans.linked_pr_id` → `pull_requests`.

### `changed-gitlab-auth-error-mapping-left-manual`

The plan wanted the factory to automatically map 401/403 to
`ErrGitLabTokenInvalid`. The implementation provides `IsAuthError()` and
`WrapAuthError()` helpers that callers use explicitly. This is
intentional: automatic wrapping in the factory would require the factory
to make API calls (it only builds clients), and different callers may
want different error handling (e.g., retry vs. fail). The helpers are
used in `Connect()` and documented for downstream consumers
(ENG-5417/5419/5420).

### `changed-gitlab-external-principal-id-rekeyed-to-webhook-hash`

The plan stored GitLab user ID as `external_principal_id`. However,
Bugbot correctly identified (finding `ebcc756e`) that this creates a
**cross-tenant security vulnerability**: if the same GitLab user
connects to two different Brent workspaces, the second connection
overwrites the first workspace's secrets because
`organisation_app_config` and `organisation_app_tokens` are keyed on
`(provider, external_principal_id)`.

The fix uses the `webhook_route_token` hash as `external_principal_id`
instead. This ensures each Brent installation has a unique key,
preventing cross-tenant credential collisions. The GitLab user ID was
only used for display/audit purposes and is not needed for the core
routing/auth flow.

### `beyond-gitlab-disconnect-cleanup-landed`

This fix addresses Bugbot finding `c0d5c2e5` (medium severity): "GitLab
disconnect leaves installs and tokens." Without this fix, deleted
workspaces would retain GitLab install rows, encrypted tokens, and
config — and webhooks could still hit Brent for orphaned installs.
Proper cleanup is a security and hygiene requirement that cannot wait
for a separate ticket.

### `beyond-gitlab-store-validate-hardening-landed`

This fix addresses Bugbot finding `814b6060` (high severity):
"Store.Validate() skips per-install wiring." Without this fix,
misconfigured per-install GitLab wiring (missing codec, orgQueries, or
eventsStore) would pass boot-time validation and fail at runtime with
nil-pointer panics or cryptic errors. Fail-fast validation is a
reliability requirement that cannot be deferred.

### `beyond-gitlab-tokens-provider-check-fix`

This fix addresses an additional Bugbot finding (high severity): "GitLab
tokens blocked by DB provider check." The original migration added
`'gitlab'` to the provider CHECK constraints for
`organisation_app_installations` and `organisation_app_config`, but
missed `organisation_app_tokens`. This caused `Connect` and
`UpsertOrganisationAppAccessToken` to fail at the database level when
inserting GitLab token rows. The fix adds a follow-up migration to
include `'gitlab'` in the tokens constraint.

Brent-Plan: BRENT-511
<!-- CURSOR_AGENT_PR_BODY_END -->

<div><a
href="https://cursor.com/agents/bc-1941f19f-7cfa-4a75-9632-6bd5b7b05ab0"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/assets/images/open-in-web-dark.png"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/assets/images/open-in-web-light.png"><img
alt="Open in Web" width="114" height="28"
src="https://cursor.com/assets/images/open-in-web-dark.png"></picture></a>&nbsp;<a
href="https://cursor.com/background-agent?bcId=bc-1941f19f-7cfa-4a75-9632-6bd5b7b05ab0"><picture><source
media="(prefers-color-scheme: dark)"
srcset="https://cursor.com/assets/images/open-in-cursor-dark.png"><source
media="(prefers-color-scheme: light)"
srcset="https://cursor.com/assets/images/open-in-cursor-light.png"><img
alt="Open in Cursor" width="131" height="28"
src="https://cursor.com/assets/images/open-in-cursor-dark.png"></picture></a>&nbsp;</div>

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>
Co-authored-by: jameslaneovermind <jameslaneovermind@users.noreply.github.com>
GitOrigin-RevId: ecc2551f2b602242b724cfcbfa95e23c1df2f64a
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/cache](https://redirect.github.com/actions/cache) | action |
major | `v5` → `v6` |
| [actions/cache](https://redirect.github.com/actions/cache) | action |
major | `v5.0.5` → `v6.1.0` |
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | major | `v6` → `v7` |
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | major | `v6.0.3` → `v7.0.0` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>actions/cache (actions/cache)</summary>

###
[`v6.1.0`](https://redirect.github.com/actions/cache/releases/tag/v6.1.0)

[Compare
Source](https://redirect.github.com/actions/cache/compare/v6.0.0...v6.1.0)

##### What's Changed

- Bump
[@&#8203;actions/cache](https://redirect.github.com/actions/cache) to
v6.1.0 - handle read-only cache access by
[@&#8203;jasongin](https://redirect.github.com/jasongin) in
[#&#8203;1768](https://redirect.github.com/actions/cache/pull/1768)

**Full Changelog**:
<actions/cache@v6...v6.1.0>

###
[`v6.0.0`](https://redirect.github.com/actions/cache/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/actions/cache/compare/v6.0.0...v6.0.0)

#### What's Changed

- Update packages, migrate to ESM by
[@&#8203;Samirat](https://redirect.github.com/Samirat) in
[#&#8203;1760](https://redirect.github.com/actions/cache/pull/1760)

**Full Changelog**:
<actions/cache@v5...v6.0.0>

###
[`v6`](https://redirect.github.com/actions/cache/compare/v5.0.5...v6.0.0)

[Compare
Source](https://redirect.github.com/actions/cache/compare/v5.1.0...v6.0.0)

</details>

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v7.0.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v700)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v7.0.0...v7.0.0)

- Block checking out fork PR for pull\_request\_target and workflow\_run
by [@&#8203;aiqiaoy](https://redirect.github.com/aiqiaoy) in
[#&#8203;2454](https://redirect.github.com/actions/checkout/pull/2454)
- Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2458](https://redirect.github.com/actions/checkout/pull/2458)
- Bump flatted from 3.3.1 to 3.4.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2460](https://redirect.github.com/actions/checkout/pull/2460)
- Bump js-yaml from 4.1.0 to 4.2.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2461](https://redirect.github.com/actions/checkout/pull/2461)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
and
[@&#8203;actions/tool-cache](https://redirect.github.com/actions/tool-cache)
and Remove uuid by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2459](https://redirect.github.com/actions/checkout/pull/2459)
- upgrade module to esm and update dependencies by
[@&#8203;aiqiaoy](https://redirect.github.com/aiqiaoy) in
[#&#8203;2463](https://redirect.github.com/actions/checkout/pull/2463)
- Bump the minor-npm-dependencies group across 1 directory with 3
updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2462](https://redirect.github.com/actions/checkout/pull/2462)

###
[`v7`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v700)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v6.0.3...v7.0.0)

- Block checking out fork PR for pull\_request\_target and workflow\_run
by [@&#8203;aiqiaoy](https://redirect.github.com/aiqiaoy) in
[#&#8203;2454](https://redirect.github.com/actions/checkout/pull/2454)
- Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2458](https://redirect.github.com/actions/checkout/pull/2458)
- Bump flatted from 3.3.1 to 3.4.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2460](https://redirect.github.com/actions/checkout/pull/2460)
- Bump js-yaml from 4.1.0 to 4.2.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2461](https://redirect.github.com/actions/checkout/pull/2461)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
and
[@&#8203;actions/tool-cache](https://redirect.github.com/actions/tool-cache)
and Remove uuid by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2459](https://redirect.github.com/actions/checkout/pull/2459)
- upgrade module to esm and update dependencies by
[@&#8203;aiqiaoy](https://redirect.github.com/aiqiaoy) in
[#&#8203;2463](https://redirect.github.com/actions/checkout/pull/2463)
- Bump the minor-npm-dependencies group across 1 directory with 3
updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot)\[bot] in
[#&#8203;2462](https://redirect.github.com/actions/checkout/pull/2462)

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Workflow-only dependency bumps with no application or deploy logic
changes; main behavioral note is checkout v7’s stricter handling of fork
PRs on `pull_request_target` / `workflow_run`, which may matter only if
those triggers check out untrusted refs.
>
> **Overview**
> Renovate-style **major version bumps** for two first-party GitHub
Actions across the monorepo’s workflow YAML: **`actions/checkout`**
moves from v6 (`v6.0.3` or `@v6`) to **v7.0.0** (or `@v7` in nested
`actions/` / `cli/` workflows), and **`actions/cache`** moves from v5
(`v5.0.5` or `@v5`) to **v6.1.0** (or `@v6`).
>
> The changes are **version reference swaps only**—no new steps, inputs,
or job logic. They touch the main **`ci.yml`** matrix (checkout on every
job; cache on pnpm, Terraform, lychee, and Next.js restore steps) plus
sync/release, Terraform, bundle analysis, e2e, Copilot setup,
devcontainer build, and Copybara-related workflows under **`actions/`**,
**`cli/`**, and **`aws-source/module/`**.
>
> **`azure-integration-tests-weekly.yml`** updates checkout to a **full
commit SHA** for v7.0.0 instead of a floating `@v6.0.3` tag, matching
existing pinning style elsewhere.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
99a080349ecb15d32597085b8809c3daf922ca4c. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: e52399b7eb5b2e7231484767d4e789f26c3cdbe5
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/nats-io/nats-server/v2](https://redirect.github.com/nats-io/nats-server)
| `v2.14.2` → `v2.14.3` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fnats-io%2fnats-server%2fv2/v2.14.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fnats-io%2fnats-server%2fv2/v2.14.2/v2.14.3?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>nats-io/nats-server
(github.com/nats-io/nats-server/v2)</summary>

###
[`v2.14.3`](https://redirect.github.com/nats-io/nats-server/releases/tag/v2.14.3)

[Compare
Source](https://redirect.github.com/nats-io/nats-server/compare/v2.14.2...v2.14.3)

#### Changelog

Refer to the [2.14 Upgrade
Guide](https://docs.nats.io/release-notes/whats_new/whats_new_214) for
backwards compatibility notes with 2.12.x. Please note that the 2.13.x
version was skipped.

##### Go Version

- 1.26.4
([#&#8203;8281](https://redirect.github.com/nats-io/nats-server/issues/8281))

##### Dependencies

- golang.org/x/crypto v0.53.0
([#&#8203;8297](https://redirect.github.com/nats-io/nats-server/issues/8297))
- golang.org/x/sys v0.46.0
([#&#8203;8297](https://redirect.github.com/nats-io/nats-server/issues/8297))
- github.com/nats-io/jwt/v2 v2.8.2
- github.com/nats-io/nkeys v0.4.16

##### Improved

General

- Per-connection log lines that could be noisy in normal operation have
been demoted to debug level
([#&#8203;8289](https://redirect.github.com/nats-io/nats-server/issues/8289))
- Writer options are now applied consistently when using the `s2_fast`
compression mode
([#&#8203;8047](https://redirect.github.com/nats-io/nats-server/issues/8047))

JetStream

- Stream and consumer assignment handling has been refactored for more
consistent migration and info behavior
([#&#8203;8262](https://redirect.github.com/nats-io/nats-server/issues/8262))
- Meta, stream and consumer write errors are now registered more
consistently for health and recovery handling
([#&#8203;8293](https://redirect.github.com/nats-io/nats-server/issues/8293))

##### Removed

Monitoring

- JSONP callback support has been removed from monitoring endpoints

##### Fixed

General

- Long-running reconnect and OCSP loops no longer retain unused timers,
reducing memory pressure over time
([#&#8203;8204](https://redirect.github.com/nats-io/nats-server/issues/8204))
- Inherited JWT default permissions are now refreshed when account
claims are updated
([#&#8203;8276](https://redirect.github.com/nats-io/nats-server/issues/8276))
- External auth configuration is now cleared correctly when account
claims are updated
([#&#8203;8275](https://redirect.github.com/nats-io/nats-server/issues/8275))
- PROXY protocol detection, TLS sniffing with `allow_non_tls` and PROXY
v1 address-family parsing have been fixed
([#&#8203;8302](https://redirect.github.com/nats-io/nats-server/issues/8302))
- A race in gateway `CONNECT` handling has been fixed
([#&#8203;8306](https://redirect.github.com/nats-io/nats-server/issues/8306))
- Trusted proxy tracking no longer leaks closed clients during
concurrent updates
([#&#8203;8307](https://redirect.github.com/nats-io/nats-server/issues/8307))
- Service import replies can now be delivered across cluster routes
([#&#8203;8317](https://redirect.github.com/nats-io/nats-server/issues/8317))
- Message tracing now works correctly with service imports and exports
- Several panic, fatal and data race conditions in authentication,
routing, monitoring and clustered request handling have been fixed
- `NoAuthUser` now checks connection restrictions
- Leaf connections no longer bypass `Nats-Trace-Dest` publish permission
checks
- `CONNZ` and `SUBSZ` pagination now guard against `Offset` and `Limit`
integer overflow panics
- Fixed a nil pointer panic when starting up when the resolver parent
directory is missing
([#&#8203;8329](https://redirect.github.com/nats-io/nats-server/issues/8329))

MQTT

- Partial `CONNECT` packets can no longer exhaust pre-authentication
memory
- `PUBLISH` remaining-length underflow no longer causes a server panic
- Subscriptions to internal `$MQTT.deliver.pubrel` subjects are now
rejected
- Subscribe deny rules are now enforced on retained message and QoS
replay paths
- WebSocket `/mqtt` upgrades no longer panic when MQTT is disabled

Monitoring

- JetStream remote usage updates no longer panic on length integer
overflow

JetStream

- A data race on the cluster meta node during JetStream shutdown has
been fixed
([#&#8203;8260](https://redirect.github.com/nats-io/nats-server/issues/8260))
- Meta proposal inflight tracking is now kept consistent during stream
moves and related operations
([#&#8203;8261](https://redirect.github.com/nats-io/nats-server/issues/8261))
- Stream catchup is no longer skipped when limits are exceeded,
preventing possible stream desync
([#&#8203;8265](https://redirect.github.com/nats-io/nats-server/issues/8265))
- Malformed TTL and schedule state is now rejected during decode
([#&#8203;8269](https://redirect.github.com/nats-io/nats-server/issues/8269))
- Zero consumer limits are now treated as unlimited during stream
updates
([#&#8203;8286](https://redirect.github.com/nats-io/nats-server/issues/8286))
- Raft nodes no longer participate in voting or candidacy after write
errors
([#&#8203;8290](https://redirect.github.com/nats-io/nats-server/issues/8290))
- Raft checkpoint handling now aborts if the node is closed
([#&#8203;8296](https://redirect.github.com/nats-io/nats-server/issues/8296))
- Raft `ApplyCommit` now handles the post-snapshot index correctly
([#&#8203;8321](https://redirect.github.com/nats-io/nats-server/issues/8321))
- Consumer ack subscriptions now match correctly when consumer names
contain `%`
([#&#8203;8301](https://redirect.github.com/nats-io/nats-server/issues/8301))
- Observer state is now cleared correctly during `js_cluster_migrate`
when a leaf remote is removed
([#&#8203;8304](https://redirect.github.com/nats-io/nats-server/issues/8304))
- Atomic batch end-of-batch max-size checks and R1 message rewrites have
been fixed
([#&#8203;8305](https://redirect.github.com/nats-io/nats-server/issues/8305))
- Schedule drift, failed fast batch commits with `gapOk` and stale
`/varz` leaf remote state have been fixed
([#&#8203;8308](https://redirect.github.com/nats-io/nats-server/issues/8308))
- Peer state decoding now bounds peer ID reads to the buffer length
([#&#8203;8310](https://redirect.github.com/nats-io/nats-server/issues/8310))
- Counter stream staging no longer corrupts the committed running total
([#&#8203;8311](https://redirect.github.com/nats-io/nats-server/issues/8311))
- Filestore compaction no longer corrupts compressed or encrypted blocks
([#&#8203;8312](https://redirect.github.com/nats-io/nats-server/issues/8312))
- Memory store `NumPending` no longer overcounts for
`DeliverLastPerSubject` consumers
([#&#8203;8313](https://redirect.github.com/nats-io/nats-server/issues/8313))
- Consumer inactive-delete grace period handling and pull request
`MaxBytes` budgeting have been fixed
([#&#8203;8314](https://redirect.github.com/nats-io/nats-server/issues/8314))
- `MultiLastSeqs` no longer reorders stream config subjects through
`filterIsAll` handling
([#&#8203;8315](https://redirect.github.com/nats-io/nats-server/issues/8315))
- Meta recovery snapshots no longer leave phantom streams or consumers
behind
([#&#8203;8324](https://redirect.github.com/nats-io/nats-server/issues/8324))
- Skipped messages last time no longer violates ordering that could lead
to issues with starting by time
([#&#8203;8237](https://redirect.github.com/nats-io/nats-server/issues/8237))
- Raft now reverts uncommitted membership changes correctly when
truncating or snapshotting
([#&#8203;8332](https://redirect.github.com/nats-io/nats-server/issues/8332))

##### Credits

While CVE advisory notices are credited individually, a number of fixes
in this release were the result of non-CVE reports from the following
contributors:

- Koda Reef
- [@&#8203;Emin-ACIKGOZ](https://redirect.github.com/Emin-ACIKGOZ)
- [@&#8203;0xVijay](https://redirect.github.com/0xVijay)
- Yaohui Wang
- [@&#8203;alanturing881](https://redirect.github.com/alanturing881)

##### Complete Changes

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJnb2xhbmciXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 50d19072cc9745b2fbc97394b597272bd9476150
> ℹ️ **Note**
>
> This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/aws/aws-sdk-go-v2/config](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.32.25` → `v1.32.27` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fconfig/v1.32.27?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fconfig/v1.32.25/v1.32.27?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/credentials](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.19.24` → `v1.19.26` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fcredentials/v1.19.26?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fcredentials/v1.19.24/v1.19.26?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.18.29` → `v1.18.30` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2ffeature%2fec2%2fimds/v1.18.30?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2ffeature%2fec2%2fimds/v1.18.29/v1.18.30?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/apigateway](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.40.6` → `v1.40.8` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fapigateway/v1.40.8?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fapigateway/v1.40.6/v1.40.8?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/autoscaling](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.67.4` → `v1.68.1` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fautoscaling/v1.68.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fautoscaling/v1.67.4/v1.68.1?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/cloudfront](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.65.2` → `v1.65.4` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudfront/v1.65.4?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudfront/v1.65.2/v1.65.4?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/cloudwatch](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.59.0` → `v1.61.1` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudwatch/v1.61.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fcloudwatch/v1.59.0/v1.61.1?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/directconnect](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.41.0` → `v1.41.2` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdirectconnect/v1.41.2?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdirectconnect/v1.41.0/v1.41.2?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/dynamodb](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.59.0` → `v1.59.2` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdynamodb/v1.59.2?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fdynamodb/v1.59.0/v1.59.2?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/ec2](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.308.0` → `v1.311.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.311.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fec2/v1.308.0/v1.311.0?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/ecs](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.85.0` → `v1.86.2` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fecs/v1.86.2?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fecs/v1.85.0/v1.86.2?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/efs](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.42.1` → `v1.42.3` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fefs/v1.42.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fefs/v1.42.1/v1.42.3?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/eks](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.87.0` → `v1.88.1` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2feks/v1.88.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2feks/v1.87.0/v1.88.1?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.34.6` → `v1.34.8` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2felasticloadbalancing/v1.34.8?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2felasticloadbalancing/v1.34.6/v1.34.8?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.55.4` → `v1.55.6` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2felasticloadbalancingv2/v1.55.6?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2felasticloadbalancingv2/v1.55.4/v1.55.6?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/iam](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.54.5` → `v1.54.7` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fiam/v1.54.7?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fiam/v1.54.5/v1.54.7?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/kms](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.53.4` → `v1.53.6` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fkms/v1.53.6?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fkms/v1.53.4/v1.53.6?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/lambda](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.93.0` → `v1.94.1` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2flambda/v1.94.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2flambda/v1.93.0/v1.94.1?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/networkfirewall](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.61.8` → `v1.62.1` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkfirewall/v1.62.1?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkfirewall/v1.61.8/v1.62.1?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/networkmanager](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.42.6` → `v1.42.8` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkmanager/v1.42.8?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fnetworkmanager/v1.42.6/v1.42.8?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/rds](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.119.3` → `v1.119.5` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2frds/v1.119.5?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2frds/v1.119.3/v1.119.5?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/route53](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.63.3` → `v1.63.5` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2froute53/v1.63.5?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2froute53/v1.63.3/v1.63.5?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/s3](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.104.0` → `v1.104.2` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fs3/v1.104.2?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fs3/v1.104.0/v1.104.2?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/sesv2](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.62.4` → `v1.62.6` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsesv2/v1.62.6?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsesv2/v1.62.4/v1.62.6?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/sns](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.40.1` → `v1.40.3` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsns/v1.40.3?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsns/v1.40.1/v1.40.3?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/sqs](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.44.0` → `v1.44.2` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsqs/v1.44.2?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsqs/v1.44.0/v1.44.2?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/ssm](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.69.3` → `v1.69.5` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fssm/v1.69.5?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fssm/v1.69.3/v1.69.5?slim=true)
|
|
[github.com/aws/aws-sdk-go-v2/service/sts](https://redirect.github.com/aws/aws-sdk-go-v2)
| `v1.43.3` → `v1.43.5` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsts/v1.43.5?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2faws%2faws-sdk-go-v2%2fservice%2fsts/v1.43.3/v1.43.5?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>aws/aws-sdk-go-v2
(github.com/aws/aws-sdk-go-v2/service/autoscaling)</summary>

###
[`v1.68.1`](https://redirect.github.com/aws/aws-sdk-go-v2/blob/HEAD/CHANGELOG.md#Release-2026-03-26)

#### General Highlights

- **Dependency Update**: Updated to the latest SDK module versions

#### Module Highlights

- `github.com/aws/aws-sdk-go-v2`: v1.41.5
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/accessanalyzer`:
[v1.45.12](service/accessanalyzer/CHANGELOG.md#v14512-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/account`:
[v1.30.5](service/account/CHANGELOG.md#v1305-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/acm`:
[v1.37.23](service/acm/CHANGELOG.md#v13723-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/acmpca`:
[v1.46.12](service/acmpca/CHANGELOG.md#v14612-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/aiops`:
[v1.6.21](service/aiops/CHANGELOG.md#v1621-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/amp`:
[v1.42.9](service/amp/CHANGELOG.md#v1429-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/amplify`:
[v1.38.14](service/amplify/CHANGELOG.md#v13814-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/amplifybackend`:
[v1.32.20](service/amplifybackend/CHANGELOG.md#v13220-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/amplifyuibuilder`:
[v1.28.20](service/amplifyuibuilder/CHANGELOG.md#v12820-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/apigateway`:
[v1.39.1](service/apigateway/CHANGELOG.md#v1391-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/apigatewaymanagementapi`:
[v1.29.14](service/apigatewaymanagementapi/CHANGELOG.md#v12914-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/apigatewayv2`:
[v1.34.1](service/apigatewayv2/CHANGELOG.md#v1341-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/appconfig`:
[v1.43.13](service/appconfig/CHANGELOG.md#v14313-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/appconfigdata`:
[v1.23.22](service/appconfigdata/CHANGELOG.md#v12322-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/appfabric`:
[v1.16.21](service/appfabric/CHANGELOG.md#v11621-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/appflow`:
[v1.51.12](service/appflow/CHANGELOG.md#v15112-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/appintegrations`:
[v1.37.7](service/appintegrations/CHANGELOG.md#v1377-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/applicationautoscaling`:
[v1.41.14](service/applicationautoscaling/CHANGELOG.md#v14114-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/applicationcostprofiler`:
[v1.27.12](service/applicationcostprofiler/CHANGELOG.md#v12712-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/applicationdiscoveryservice`:
[v1.35.13](service/applicationdiscoveryservice/CHANGELOG.md#v13513-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/applicationinsights`:
[v1.34.20](service/applicationinsights/CHANGELOG.md#v13420-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/applicationsignals`:
[v1.19.1](service/applicationsignals/CHANGELOG.md#v1191-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/appmesh`:
[v1.35.12](service/appmesh/CHANGELOG.md#v13512-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/apprunner`:
[v1.39.14](service/apprunner/CHANGELOG.md#v13914-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/appstream`:
[v1.54.4](service/appstream/CHANGELOG.md#v1544-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/appsync`:
[v1.53.5](service/appsync/CHANGELOG.md#v1535-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/arcregionswitch`:
[v1.6.3](service/arcregionswitch/CHANGELOG.md#v163-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/arczonalshift`:
[v1.22.23](service/arczonalshift/CHANGELOG.md#v12223-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/artifact`:
[v1.15.5](service/artifact/CHANGELOG.md#v1155-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/athena`:
[v1.57.4](service/athena/CHANGELOG.md#v1574-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/auditmanager`:
[v1.46.12](service/auditmanager/CHANGELOG.md#v14612-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/autoscaling`:
[v1.64.4](service/autoscaling/CHANGELOG.md#v1644-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/autoscalingplans`:
[v1.30.14](service/autoscalingplans/CHANGELOG.md#v13014-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/b2bi`:
[v1.0.0-preview.100](service/b2bi/CHANGELOG.md#v100-preview100-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/backup`:
[v1.54.11](service/backup/CHANGELOG.md#v15411-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/backupgateway`:
[v1.26.3](service/backupgateway/CHANGELOG.md#v1263-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/backupsearch`:
[v1.6.23](service/backupsearch/CHANGELOG.md#v1623-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/batch`:
[v1.63.2](service/batch/CHANGELOG.md#v1632-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bcmdashboards`:
[v1.1.4](service/bcmdashboards/CHANGELOG.md#v114-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bcmdataexports`:
[v1.14.0](service/bcmdataexports/CHANGELOG.md#v1140-2026-03-26)
- **Feature**: With this release we are providing an option to accounts
to have their export delivered to an S3 bucket that is not owned by the
account.
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bcmpricingcalculator`:
[v1.10.9](service/bcmpricingcalculator/CHANGELOG.md#v1109-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bcmrecommendedactions`:
[v1.1.5](service/bcmrecommendedactions/CHANGELOG.md#v115-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bedrock`:
[v1.57.1](service/bedrock/CHANGELOG.md#v1571-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bedrockagent`:
[v1.52.7](service/bedrockagent/CHANGELOG.md#v1527-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bedrockagentcore`:
[v1.15.2](service/bedrockagentcore/CHANGELOG.md#v1152-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bedrockagentcorecontrol`:
[v1.25.1](service/bedrockagentcorecontrol/CHANGELOG.md#v1251-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bedrockagentruntime`:
[v1.51.8](service/bedrockagentruntime/CHANGELOG.md#v1518-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bedrockdataautomation`:
[v1.13.5](service/bedrockdataautomation/CHANGELOG.md#v1135-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bedrockdataautomationruntime`:
[v1.10.4](service/bedrockdataautomationruntime/CHANGELOG.md#v1104-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/bedrockruntime`:
[v1.50.4](service/bedrockruntime/CHANGELOG.md#v1504-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/billing`:
[v1.10.4](service/billing/CHANGELOG.md#v1104-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/billingconductor`:
[v1.28.5](service/billingconductor/CHANGELOG.md#v1285-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/braket`:
[v1.39.8](service/braket/CHANGELOG.md#v1398-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/budgets`:
[v1.43.4](service/budgets/CHANGELOG.md#v1434-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/chatbot`:
[v1.14.21](service/chatbot/CHANGELOG.md#v11421-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/chime`:
[v1.41.12](service/chime/CHANGELOG.md#v14112-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/chimesdkidentity`:
[v1.27.20](service/chimesdkidentity/CHANGELOG.md#v12720-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/chimesdkmediapipelines`:
[v1.26.21](service/chimesdkmediapipelines/CHANGELOG.md#v12621-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/chimesdkmeetings`:
[v1.33.15](service/chimesdkmeetings/CHANGELOG.md#v13315-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/chimesdkmessaging`:
[v1.32.17](service/chimesdkmessaging/CHANGELOG.md#v13217-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/chimesdkvoice`:
[v1.28.13](service/chimesdkvoice/CHANGELOG.md#v12813-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cleanrooms`:
[v1.42.4](service/cleanrooms/CHANGELOG.md#v1424-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cleanroomsml`:
[v1.22.5](service/cleanroomsml/CHANGELOG.md#v1225-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloud9`:
[v1.33.20](service/cloud9/CHANGELOG.md#v13320-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudcontrol`:
[v1.29.13](service/cloudcontrol/CHANGELOG.md#v12913-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/clouddirectory`:
[v1.30.12](service/clouddirectory/CHANGELOG.md#v13012-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudformation`:
[v1.71.9](service/cloudformation/CHANGELOG.md#v1719-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudfront`:
[v1.60.4](service/cloudfront/CHANGELOG.md#v1604-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudfrontkeyvaluestore`:
[v1.12.24](service/cloudfrontkeyvaluestore/CHANGELOG.md#v11224-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudhsm`:
[v1.29.21](service/cloudhsm/CHANGELOG.md#v12921-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudhsmv2`:
[v1.34.21](service/cloudhsmv2/CHANGELOG.md#v13421-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudsearch`:
[v1.32.12](service/cloudsearch/CHANGELOG.md#v13212-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudsearchdomain`:
[v1.28.20](service/cloudsearchdomain/CHANGELOG.md#v12820-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudtrail`:
[v1.55.9](service/cloudtrail/CHANGELOG.md#v1559-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudtraildata`:
[v1.17.13](service/cloudtraildata/CHANGELOG.md#v11713-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudwatch`:
[v1.55.3](service/cloudwatch/CHANGELOG.md#v1553-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudwatchevents`:
[v1.32.23](service/cloudwatchevents/CHANGELOG.md#v13223-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs`:
[v1.65.0](service/cloudwatchlogs/CHANGELOG.md#v1650-2026-03-26)
- **Feature**: This release adds parameter support to saved queries in
CloudWatch Logs Insights. Define reusable query templates with named
placeholders, invoke them using start query. Available in Console, CLI
and SDK
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codeartifact`:
[v1.38.21](service/codeartifact/CHANGELOG.md#v13821-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codebuild`:
[v1.68.13](service/codebuild/CHANGELOG.md#v16813-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codecatalyst`:
[v1.21.12](service/codecatalyst/CHANGELOG.md#v12112-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codecommit`:
[v1.33.12](service/codecommit/CHANGELOG.md#v13312-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codeconnections`:
[v1.10.20](service/codeconnections/CHANGELOG.md#v11020-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codedeploy`:
[v1.35.13](service/codedeploy/CHANGELOG.md#v13513-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codeguruprofiler`:
[v1.29.20](service/codeguruprofiler/CHANGELOG.md#v12920-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codegurureviewer`:
[v1.34.20](service/codegurureviewer/CHANGELOG.md#v13420-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codegurusecurity`:
[v1.16.24](service/codegurusecurity/CHANGELOG.md#v11624-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codepipeline`:
[v1.46.21](service/codepipeline/CHANGELOG.md#v14621-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codestarconnections`:
[v1.35.13](service/codestarconnections/CHANGELOG.md#v13513-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/codestarnotifications`:
[v1.31.21](service/codestarnotifications/CHANGELOG.md#v13121-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cognitoidentity`:
[v1.33.22](service/cognitoidentity/CHANGELOG.md#v13322-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cognitoidentityprovider`:
[v1.59.3](service/cognitoidentityprovider/CHANGELOG.md#v1593-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/cognitosync`:
[v1.29.12](service/cognitosync/CHANGELOG.md#v12912-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/comprehend`:
[v1.40.21](service/comprehend/CHANGELOG.md#v14021-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/comprehendmedical`:
[v1.31.21](service/comprehendmedical/CHANGELOG.md#v13121-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/computeoptimizer`:
[v1.49.8](service/computeoptimizer/CHANGELOG.md#v1498-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/computeoptimizerautomation`:
[v1.0.8](service/computeoptimizerautomation/CHANGELOG.md#v108-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/configservice`:
[v1.62.1](service/configservice/CHANGELOG.md#v1621-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/connect`:
[v1.166.1](service/connect/CHANGELOG.md#v11661-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/connectcampaigns`:
[v1.20.20](service/connectcampaigns/CHANGELOG.md#v12020-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/connectcampaignsv2`:
[v1.11.4](service/connectcampaignsv2/CHANGELOG.md#v1114-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/connectcases`:
[v1.39.1](service/connectcases/CHANGELOG.md#v1391-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/connectcontactlens`:
[v1.33.13](service/connectcontactlens/CHANGELOG.md#v13313-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/connecthealth`:
[v1.0.3](service/connecthealth/CHANGELOG.md#v103-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/connectparticipant`:
[v1.36.7](service/connectparticipant/CHANGELOG.md#v1367-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/controlcatalog`:
[v1.14.9](service/controlcatalog/CHANGELOG.md#v1149-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/controltower`:
[v1.28.9](service/controltower/CHANGELOG.md#v1289-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/costandusagereportservice`:
[v1.34.13](service/costandusagereportservice/CHANGELOG.md#v13413-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/costexplorer`:
[v1.63.6](service/costexplorer/CHANGELOG.md#v1636-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/costoptimizationhub`:
[v1.22.8](service/costoptimizationhub/CHANGELOG.md#v1228-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/customerprofiles`:
[v1.57.2](service/customerprofiles/CHANGELOG.md#v1572-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/databasemigrationservice`:
[v1.61.10](service/databasemigrationservice/CHANGELOG.md#v16110-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/databrew`:
[v1.39.14](service/databrew/CHANGELOG.md#v13914-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/dataexchange`:
[v1.40.14](service/dataexchange/CHANGELOG.md#v14014-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/datapipeline`:
[v1.30.20](service/datapipeline/CHANGELOG.md#v13020-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/datasync`:
[v1.58.2](service/datasync/CHANGELOG.md#v1582-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/datazone`:
[v1.54.2](service/datazone/CHANGELOG.md#v1542-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/dax`:
[v1.29.16](service/dax/CHANGELOG.md#v12916-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/deadline`:
[v1.26.2](service/deadline/CHANGELOG.md#v1262-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/detective`:
[v1.38.13](service/detective/CHANGELOG.md#v13813-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/devicefarm`:
[v1.38.8](service/devicefarm/CHANGELOG.md#v1388-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/devopsguru`:
[v1.40.12](service/devopsguru/CHANGELOG.md#v14012-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/directconnect`:
[v1.38.15](service/directconnect/CHANGELOG.md#v13815-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/directoryservice`:
[v1.38.16](service/directoryservice/CHANGELOG.md#v13816-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/directoryservicedata`:
[v1.7.21](service/directoryservicedata/CHANGELOG.md#v1721-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/dlm`:
[v1.35.16](service/dlm/CHANGELOG.md#v13516-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/docdb`:
[v1.48.13](service/docdb/CHANGELOG.md#v14813-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/docdbelastic`:
[v1.20.13](service/docdbelastic/CHANGELOG.md#v12013-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/drs`:
[v1.36.13](service/drs/CHANGELOG.md#v13613-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/dsql`:
[v1.12.8](service/dsql/CHANGELOG.md#v1128-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/dynamodb`:
[v1.57.1](service/dynamodb/CHANGELOG.md#v1571-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/dynamodbstreams`:
[v1.32.14](service/dynamodbstreams/CHANGELOG.md#v13214-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/ebs`:
[v1.33.14](service/ebs/CHANGELOG.md#v13314-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/ec2`:
[v1.296.1](service/ec2/CHANGELOG.md#v12961-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/ec2instanceconnect`:
[v1.32.20](service/ec2instanceconnect/CHANGELOG.md#v13220-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/ecr`:
[v1.56.2](service/ecr/CHANGELOG.md#v1562-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/ecrpublic`:
[v1.38.13](service/ecrpublic/CHANGELOG.md#v13813-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/ecs`:
[v1.74.1](service/ecs/CHANGELOG.md#v1741-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/efs`:
[v1.41.14](service/efs/CHANGELOG.md#v14114-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/eks`:
[v1.81.2](service/eks/CHANGELOG.md#v1812-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/eksauth`:
[v1.12.13](service/eksauth/CHANGELOG.md#v11213-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/elasticache`:
[v1.51.13](service/elasticache/CHANGELOG.md#v15113-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/elasticbeanstalk`:
[v1.34.2](service/elasticbeanstalk/CHANGELOG.md#v1342-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/elasticloadbalancing`:
[v1.33.23](service/elasticloadbalancing/CHANGELOG.md#v13323-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/elasticloadbalancingv2`:
[v1.54.10](service/elasticloadbalancingv2/CHANGELOG.md#v15410-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/elasticsearchservice`:
[v1.39.2](service/elasticsearchservice/CHANGELOG.md#v1392-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/elementalinference`:
[v1.0.3](service/elementalinference/CHANGELOG.md#v103-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/emr`:
[v1.59.0](service/emr/CHANGELOG.md#v1590-2026-03-26)
  - **Feature**: Add StepExecutionRoleArn to RunJobFlow API
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/emrcontainers`:
[v1.40.17](service/emrcontainers/CHANGELOG.md#v14017-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/emrserverless`:
[v1.39.6](service/emrserverless/CHANGELOG.md#v1396-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/entityresolution`:
[v1.26.5](service/entityresolution/CHANGELOG.md#v1265-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/eventbridge`:
[v1.45.23](service/eventbridge/CHANGELOG.md#v14523-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/evs`:
[v1.6.4](service/evs/CHANGELOG.md#v164-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/finspace`:
[v1.33.21](service/finspace/CHANGELOG.md#v13321-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/finspacedata`:
[v1.33.21](service/finspacedata/CHANGELOG.md#v13321-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/firehose`:
[v1.42.13](service/firehose/CHANGELOG.md#v14213-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/fis`:
[v1.37.20](service/fis/CHANGELOG.md#v13720-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/fms`:
[v1.44.22](service/fms/CHANGELOG.md#v14422-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/forecast`:
[v1.41.21](service/forecast/CHANGELOG.md#v14121-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/forecastquery`:
[v1.29.21](service/forecastquery/CHANGELOG.md#v12921-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/frauddetector`:
[v1.41.12](service/frauddetector/CHANGELOG.md#v14112-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/freetier`:
[v1.13.14](service/freetier/CHANGELOG.md#v11314-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/fsx`:
[v1.65.7](service/fsx/CHANGELOG.md#v1657-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/gamelift`:
[v1.51.3](service/gamelift/CHANGELOG.md#v1513-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/gameliftstreams`:
[v1.11.1](service/gameliftstreams/CHANGELOG.md#v1111-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/geomaps`:
[v1.9.4](service/geomaps/CHANGELOG.md#v194-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/geoplaces`:
[v1.8.5](service/geoplaces/CHANGELOG.md#v185-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/georoutes`:
[v1.7.14](service/georoutes/CHANGELOG.md#v1714-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/glacier`:
[v1.32.6](service/glacier/CHANGELOG.md#v1326-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/globalaccelerator`:
[v1.35.15](service/globalaccelerator/CHANGELOG.md#v13515-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/glue`:
[v1.139.1](service/glue/CHANGELOG.md#v11391-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/service/grafana`:
[v1.33.4](service/grafana/CHANGELOG.md#v1334-2026-03-26)
- **Bug Fix**: Fix a bug where a recorded clock skew could persist on
the client even if the client and server clock ended up realigning.
- `github.com/aws/aws-sdk-go-v2/serv

> ✂ **Note**
>
> PR body was truncated to here.

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJnb2xhbmciXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: 567c239e09cecdf26b71f67b331058207ca1ff89
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[charm.land/lipgloss/v2](https://redirect.github.com/charmbracelet/lipgloss)
| `v2.0.4` → `v2.0.5` |
![age](https://developer.mend.io/api/mc/badges/age/go/charm.land%2flipgloss%2fv2/v2.0.5?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/charm.land%2flipgloss%2fv2/v2.0.4/v2.0.5?slim=true)
|
|
[github.com/auth0/go-auth0/v2](https://redirect.github.com/auth0/go-auth0)
| `v2.13.0` → `v2.14.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fauth0%2fgo-auth0%2fv2/v2.14.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fauth0%2fgo-auth0%2fv2/v2.13.0/v2.14.0?slim=true)
|
|
[github.com/harness/harness-go-sdk](https://redirect.github.com/harness/harness-go-sdk)
| `v0.8.3` → `v0.8.7` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fharness%2fharness-go-sdk/v0.8.7?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fharness%2fharness-go-sdk/v0.8.3/v0.8.7?slim=true)
|
|
[github.com/jedib0t/go-pretty/v6](https://redirect.github.com/jedib0t/go-pretty)
| `v6.8.1` → `v6.8.2` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fjedib0t%2fgo-pretty%2fv6/v6.8.2?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fjedib0t%2fgo-pretty%2fv6/v6.8.1/v6.8.2?slim=true)
|
|
[github.com/posthog/posthog-go](https://redirect.github.com/posthog/posthog-go)
| `v1.16.1` → `v1.17.4` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fposthog%2fposthog-go/v1.17.4?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fposthog%2fposthog-go/v1.16.1/v1.17.4?slim=true)
|
|
[github.com/slack-go/slack](https://redirect.github.com/slack-go/slack)
| `v0.26.0` → `v0.27.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fslack-go%2fslack/v0.27.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fslack-go%2fslack/v0.26.0/v0.27.0?slim=true)
|
|
[gitlab.com/gitlab-org/api/client-go/v2](https://gitlab.com/gitlab-org/api/client-go)
| `v2.43.0` → `v2.44.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/gitlab.com%2fgitlab-org%2fapi%2fclient-go%2fv2/v2.44.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/gitlab.com%2fgitlab-org%2fapi%2fclient-go%2fv2/v2.43.0/v2.44.0?slim=true)
|
| [google.golang.org/grpc](https://redirect.github.com/grpc/grpc-go) |
`v1.81.1` → `v1.82.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/google.golang.org%2fgrpc/v1.82.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/google.golang.org%2fgrpc/v1.81.1/v1.82.0?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Release Notes

<details>
<summary>charmbracelet/lipgloss (charm.land/lipgloss/v2)</summary>

###
[`v2.0.5`](https://redirect.github.com/charmbracelet/lipgloss/releases/tag/v2.0.5)

[Compare
Source](https://redirect.github.com/charmbracelet/lipgloss/compare/v2.0.4...v2.0.5)

#### Changelog

***

<a href="https://charm.land/"><img alt="The Charm logo"
src="https://stuff.charm.sh/charm-banner-next.jpg" width="400"></a>

Thoughts? Questions? We love hearing from you. Feel free to reach out on
[X](https://x.com/charmcli), [Discord](https://charm.land/discord),
[Slack](https://charm.land/slack), [The
Fediverse](https://mastodon.social/@&#8203;charmcli),
[Bluesky](https://bsky.app/profile/charm.land).

</details>

<details>
<summary>auth0/go-auth0 (github.com/auth0/go-auth0/v2)</summary>

###
[`v2.14.0`](https://redirect.github.com/auth0/go-auth0/blob/HEAD/CHANGELOG.md#v2140-2026-06-24)

[Compare
Source](https://redirect.github.com/auth0/go-auth0/compare/v2.13.0...v2.14.0)

[Full
Changelog](https://redirect.github.com/auth0/go-auth0/compare/v2.13.0...v2.14.0)

**Breaking Changes**

- Changed user date fields (`CreatedAt`, `UpdatedAt`, `LastLogin`,
`LastPasswordReset`, `MultifactorLastModified`) on
`CreateUserResponseContent`, `GetUserResponseContent`,
`UpdateUserResponseContent`, and `UserResponseSchema` from
`*UserDateSchema` to `*time.Time`, and removed the `UserDateSchema` type
and `UserDateSchemaVisitor` interface
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- Changed identity `UserID` fields on `UserIdentitySchema` and
`DeleteUserIdentityResponseContentItem` to the string-or-integer
`UserID` union (from `*string`/`string`)
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- Changed `UpdateClientRequestContent` `NativeSocialLogin` to
`*NativeSocialLoginPatch` and `FedcmLogin` to `*FedCmLoginPatch`
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))

**Added**

- feat: add phone provider protection API
(`Management.AttackProtection.PhoneProviderProtection`) with `Get` and
`Patch` methods and the `PhoneProviderProtectionBackoffStrategyEnum`
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add native social login configuration types
(`NativeSocialLoginPatch`, `NativeSocialLoginApplePatch`,
`NativeSocialLoginFacebookPatch`, `NativeSocialLoginGooglePatch`) and
FedCM login configuration types (`FedCmLoginPatch`,
`FedCmLoginGooglePatch`)
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add token vault privileged access types
(`ClientTokenVaultPrivilegedAccessWithCredentialID`,
`ClientTokenVaultPrivilegedAccessWithPublicKey`,
`TokenVaultPrivilegedAccessIPAllowlistEntry`)
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add `CrossAppAccessRequestingApp` field and type to
`CreateConnectionResponseContent` and `GetConnectionResponseContent`
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add `PhoneVerified`, `Multifactor`, `MultifactorLastModified`,
`LastIP`, `LastLogin`, and `LastPasswordReset` fields to user response
types [#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- feat: add `auth_email_by_code` value to `EmailTemplateNameEnum`
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))

**Fixed**

- fix: map HTTP `409` responses on self-service profiles to
`ConflictError`
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))
- fix: preserve the raw JSON payload on
`EventStreamSubscribeEventsResponseContent` so unknown union members
round-trip through marshal/unmarshal and validation
[#&#8203;801](https://redirect.github.com/auth0/go-auth0/pull/801)
([fern-api\[bot\]](https://redirect.github.com/apps/fern-api))

</details>

<details>
<summary>harness/harness-go-sdk
(github.com/harness/harness-go-sdk)</summary>

###
[`v0.8.7`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.8.6...v0.8.7)

[Compare
Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.8.6...v0.8.7)

###
[`v0.8.6`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.8.5...v0.8.6)

[Compare
Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.8.5...v0.8.6)

###
[`v0.8.5`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.8.4...v0.8.5)

[Compare
Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.8.4...v0.8.5)

###
[`v0.8.4`](https://redirect.github.com/harness/harness-go-sdk/compare/v0.8.3...v0.8.4)

[Compare
Source](https://redirect.github.com/harness/harness-go-sdk/compare/v0.8.3...v0.8.4)

</details>

<details>
<summary>jedib0t/go-pretty (github.com/jedib0t/go-pretty/v6)</summary>

###
[`v6.8.2`](https://redirect.github.com/jedib0t/go-pretty/releases/tag/v6.8.2)

[Compare
Source](https://redirect.github.com/jedib0t/go-pretty/compare/v6.8.1...v6.8.2)

#### What's Changed

- text: trim to display width so CJK content respects maxLen by
[@&#8203;greymoth-jp](https://redirect.github.com/greymoth-jp) in
[#&#8203;410](https://redirect.github.com/jedib0t/go-pretty/pull/410)

#### New Contributors

- [@&#8203;greymoth-jp](https://redirect.github.com/greymoth-jp) made
their first contribution in
[#&#8203;410](https://redirect.github.com/jedib0t/go-pretty/pull/410)

**Full Changelog**:
<jedib0t/go-pretty@v6.8.1...v6.8.2>

</details>

<details>
<summary>posthog/posthog-go (github.com/posthog/posthog-go)</summary>

###
[`v1.17.4`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.17.4):
1.17.4

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.17.3...v1.17.4)

#### Unreleased

###
[`v1.17.3`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.17.3):
1.17.3

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.17.2...v1.17.3)

#### Unreleased

###
[`v1.17.2`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.17.2):
1.17.2

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.17.1...v1.17.2)

#### Unreleased

###
[`v1.17.1`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.17.1):
1.17.1

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.17.0...v1.17.1)

#### Unreleased

###
[`v1.17.0`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.17.0):
1.17.0

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.16.2...v1.17.0)

#### Unreleased

###
[`v1.16.2`](https://redirect.github.com/PostHog/posthog-go/releases/tag/v1.16.2):
1.16.2

[Compare
Source](https://redirect.github.com/posthog/posthog-go/compare/v1.16.1...v1.16.2)

#### Unreleased

</details>

<details>
<summary>slack-go/slack (github.com/slack-go/slack)</summary>

###
[`v0.27.0`](https://redirect.github.com/slack-go/slack/releases/tag/v0.27.0)

[Compare
Source](https://redirect.github.com/slack-go/slack/compare/v0.26.0...v0.27.0)

#### Added

- Support for
[`data_visualization`](https://docs.slack.dev/reference/block-kit/blocks/data-visualization-block/)
block through `DataVisualizationBlock`.
- Team`now preserves`enterprise\_id`and`enterprise\_name`when Slack
includes Enterprise org details in interaction payload`team\` objects.

**Full Changelog**:
<slack-go/slack@v0.26.0...v0.27.0>

</details>

<details>
<summary>gitlab-org/api/client-go
(gitlab.com/gitlab-org/api/client-go/v2)</summary>

###
[`v2.44.0`](https://gitlab.com/gitlab-org/api/client-go/tags/v2.44.0)

[Compare
Source](https://gitlab.com/gitlab-org/api/client-go/compare/v2.43.0...v2.44.0)

##### 2.44.0

##### 🚀 Features

- feat: support renew application secret api endpoint
([!2934](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2934))
by [BoxBoxJason](https://gitlab.com/BoxBoxJason)

##### 🔄 Other Changes

- chore(deps): update docker docker tag to v29.6.0
([!2930](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2930))
by [GitLab Dependency
Bot](https://gitlab.com/gitlab-dependency-update-bot)
- test(workitems): split t.Run() sub-tests into individual parent test
functions
([!2929](https://gitlab.com/gitlab-org/api/client-go/-/merge_requests/2929))
by [Patrick Rice](https://gitlab.com/PatrickRice)

#####
[2.44.0](https://gitlab.com/gitlab-org/api/client-go/compare/v2.43.0...v2.44.0)
(2026-06-29)
##### Features

* support renew application secret api endpoint
([576fa15](https://gitlab.com/gitlab-org/api/client-go/commit/576fa15ec5d4e26a21e7d5a006f2afcc6e3d59ac))

</details>

<details>
<summary>grpc/grpc-go (google.golang.org/grpc)</summary>

###
[`v1.82.0`](https://redirect.github.com/grpc/grpc-go/releases/tag/v1.82.0):
Release 1.82.0

[Compare
Source](https://redirect.github.com/grpc/grpc-go/compare/v1.81.1...v1.82.0)

### Behavior Changes

- server: Remove support for
`GRPC_GO_EXPERIMENTAL_DISABLE_STRICT_PATH_CHECKING` environment
varibale. Strict incoming RPC path validation (which has been the
default since `v1.79.3`) can no longer be disabled.
([#&#8203;9112](https://redirect.github.com/grpc/grpc-go/issues/9112))
- transport: Add environment variable to change the default max header
list size from `16MB` to `8KB`. This may be enabled by setting
`GRPC_GO_EXPERIMENTAL_ENABLE_8KB_DEFAULT_HEADER_LIST_SIZE=true`. This
will be enabled by default in a subsequent release.
([#&#8203;9019](https://redirect.github.com/grpc/grpc-go/issues/9019))
- balancer: Load Balancing policy registry is now case-sensitive. Set
`GRPC_GO_EXPERIMENTAL_CASE_SENSITIVE_BALANCER_REGISTRIES=false` (and
file an issue) to revert to case-insensitive behavior.
([#&#8203;9017](https://redirect.github.com/grpc/grpc-go/issues/9017))

### New Features

- experimental/stats: Expose a new API, `NewContextWithLabelCallback`,
to register a callback that is invoked when telemetry labels are added.
([#&#8203;8877](https://redirect.github.com/grpc/grpc-go/issues/8877))
- Special Thanks:
[@&#8203;seth-epps](https://redirect.github.com/seth-epps)
- client: Return a portion of the response body in the error message,
when the client receives an unexpected non-gRPC HTTP response, to make
debugging easier.
([#&#8203;8929](https://redirect.github.com/grpc/grpc-go/issues/8929))
- Special Thanks:
[@&#8203;chengxilo](https://redirect.github.com/chengxilo)
- server: Add environment variable `GRPC_GO_SERVER_GOROUTINE_LABELS`
that controls setting `runtime/pprof.Labels` on goroutines spawned by
the server. Set `GRPC_GO_SERVER_GOROUTINE_LABELS=grpc.method=true` to
add the `grpc.method` label on goroutines spawned to handle incoming
requests.
([#&#8203;9082](https://redirect.github.com/grpc/grpc-go/issues/9082))
- Special Thanks: [@&#8203;dfinkel](https://redirect.github.com/dfinkel)

### Bug Fixes

- xds/server: Fix a memory leak of HTTP filter instances occurring when
route configurations are updated in-place during a Route Discovery
Service (RDS) update.
([#&#8203;9138](https://redirect.github.com/grpc/grpc-go/issues/9138))
- grpc: In the deprecated `gzip` Compressor (used via the deprecated
`WithCompressor` dial option), enforce the `MaxRecvMsgSize` limit on the
decompressed message buffer, preventing excessive memory allocation from
highly compressed payloads.
([#&#8203;9114](https://redirect.github.com/grpc/grpc-go/issues/9114))
- Special Thanks:
[@&#8203;evilgensec](https://redirect.github.com/evilgensec)
- stats/opentelemetry: Record retry attempts,
`grpc.previous-rpc-attempts`, at the call level and not the attempt
level.
([#&#8203;8923](https://redirect.github.com/grpc/grpc-go/issues/8923))
- encoding: Ensure `Close()` is always called on readers returned from
`Compressor.Decompress` if possible.
([#&#8203;9135](https://redirect.github.com/grpc/grpc-go/issues/9135))
- channelz: Fix the `LastMessageSentTimestamp` and
`LastMessageReceivedTimestamp` fields in `SocketMetrics` to ensure they
contain correct timestamp values.
([#&#8203;9109](https://redirect.github.com/grpc/grpc-go/issues/9109))

</details>

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJnb2xhbmciXX0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
GitOrigin-RevId: f097c0715860637c064084b9ac5781a3bb8b413f
This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v7](https://redirect.github.com/Azure/azure-sdk-for-go)
| `v7.3.0` → `v8.1.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fcompute%2farmcompute%2fv7/v8.1.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fcompute%2farmcompute%2fv7/v7.3.0/v8.1.0?slim=true)
|
|
[github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/operationalinsights/armoperationalinsights](https://redirect.github.com/Azure/azure-sdk-for-go)
| `v1.2.0` → `v3.0.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2foperationalinsights%2farmoperationalinsights/v3.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2foperationalinsights%2farmoperationalinsights/v1.2.0/v3.0.0?slim=true)
|
|
[github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/privatedns/armprivatedns](https://redirect.github.com/Azure/azure-sdk-for-go)
| `v1.3.0` → `v2.0.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fprivatedns%2farmprivatedns/v2.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fprivatedns%2farmprivatedns/v1.3.0/v2.0.0?slim=true)
|
|
[github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources/v2](https://redirect.github.com/Azure/azure-sdk-for-go)
| `v2.1.0` → `v4.0.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fresources%2farmresources%2fv2/v4.0.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fresources%2farmresources%2fv2/v2.1.0/v4.0.0?slim=true)
|
|
[github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage/v3](https://redirect.github.com/Azure/azure-sdk-for-go)
| `v3.0.0` → `v4.1.0` |
![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fstorage%2farmstorage%2fv3/v4.1.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2fAzure%2fazure-sdk-for-go%2fsdk%2fresourcemanager%2fstorage%2farmstorage%2fv3/v3.0.0/v4.1.0?slim=true)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/370) for more information.

---

### Configuration

📅 **Schedule**: (in timezone Europe/London)

- Branch creation
  - "after 6pm on thursday,before 10am on friday"
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/overmindtech/workspace).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDIuMiIsInVwZGF0ZWRJblZlciI6IjQzLjI0Mi4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJnb2xhbmciXX0=-->

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Wide blast radius across Azure discovery (compute, storage, networking
DNS, Log Analytics) on major SDK bumps; behavior risk is mostly
compile-time compatibility and any subtle API differences not covered by
tests.
>
> **Overview**
> Bumps several **Azure Resource Manager** Go SDK modules to new major
versions and rewires imports across the Azure source (`go.mod`/`go.sum`,
clients, manual adapters, mocks, integration tests, and `adapters.go`).
>
> **Dependency moves:** `armcompute` v7→v8, `armstorage` v3→v4,
`armresources` v2→v4, `armprivatedns` v1→v2 (versioned import), and
`armoperationalinsights` v1→v3. The adapter template example now points
at `armcompute/v8`.
>
> Aside from path churn, the only visible API adjustment in the diff is
**`TableClient.Create`** in the storage table integration helper: it now
passes the table body as a direct `armstorage.Table` argument instead of
wrapping it in `TableClientCreateOptions`.
>
> No adapter logic changes are shown beyond staying on the new SDK
types.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
416eb42878cad24ea1fac7c01ebca3f9baee441a. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: lionel.wilson <lionel.wilson@overmind.tech>
Co-authored-by: Cursor <cursoragent@cursor.com>
GitOrigin-RevId: 515e3ec91d344cc7b0c13757a30547c243e6f80f
@tphoney tphoney merged commit a12f77b into main Jul 7, 2026
@tphoney tphoney deleted the copybara/v1.18.7 branch July 7, 2026 08:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants