From be755aef88b03aa1a2906ae7064790de8ed38132 Mon Sep 17 00:00:00 2001 From: "L. Bedatty" <79675696+bedatty@users.noreply.github.com> Date: Thu, 14 May 2026 15:26:30 -0300 Subject: [PATCH 1/3] chore(deployment-matrix): register lerian-notification on firmino (#371) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit lerian-notification is the new Core-platform service onboarded in firmino-dev (see LerianStudio/midaz-firmino-gitops#664). Without the matrix entry, the upstream build.yml's update_gitops job — which now relies on this file as the source of truth for cluster routing — resolves to an empty cluster list and skips the gitops bump. Add the app to: - apps.registry under "Core platform" (next to fetcher, matcher, product-console, ...). - clusters.firmino.apps. Only firmino is in scope today; the other cluster manifests stay unchanged. When the app is onboarded to another cluster, that cluster's apps: block adds it (and only it). Co-authored-by: Gabriel Ferreira <39352130+ferr3ira-gabriel@users.noreply.github.com> --- config/deployment-matrix.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/config/deployment-matrix.yml b/config/deployment-matrix.yml index 6edf799..45c1ad4 100644 --- a/config/deployment-matrix.yml +++ b/config/deployment-matrix.yml @@ -41,6 +41,7 @@ apps: - reporter - tracer - product-console + - lerian-notification # firmino-dev only today # Plugins - plugin-access-manager # caller repo may push as plugin-identity / plugin-auth / casdoor @@ -72,6 +73,7 @@ clusters: - reporter - tracer - product-console + - lerian-notification - plugin-access-manager - plugin-fees - plugin-br-pix-direct-jd From b368675b6b18e7a840bface896160a5041210d32 Mon Sep 17 00:00:00 2001 
From: "L. Bedatty" <79675696+bedatty@users.noreply.github.com> Date: Thu, 14 May 2026 15:28:26 -0300 Subject: [PATCH 2/3] fix(self-pr-validation): re-run on PR edited + ready_for_review (#372) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The self pr-validation suite (title check, scope check, source-branch enforcement, etc.) only listened to opened/synchronize/reopened. Editing the PR title or body did not retrigger the check, so a fix applied via the GitHub UI would leave the validation in its previous (possibly failed) state until someone pushed a new commit. Add the two missing event types: - edited: covers title / body / base-ref changes from the GitHub UI. This is what every reusable pr-validation.yml caller listens to (e.g., the standardize-repo template emitted into consumer repos), so the self suite should match. - ready_for_review: covers draft -> ready transitions, which is when reviewers actually need the validation result to be current. No change to the validation logic itself — just broader trigger. --- .github/workflows/self-pr-validation.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/self-pr-validation.yml b/.github/workflows/self-pr-validation.yml index 267bdca..cf55346 100644 --- a/.github/workflows/self-pr-validation.yml +++ b/.github/workflows/self-pr-validation.yml @@ -7,8 +7,10 @@ on: - main types: - opened + - edited - synchronize - reopened + - ready_for_review workflow_dispatch: permissions: From 630b736038c6ad0da660ed75604de65e31c21261 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 14 May 2026 15:30:59 -0300 Subject: [PATCH 3/3] chore(deps): bump trufflesecurity/trufflehog (#367) Bumps the security-scanners group with 1 update: [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog). Updates `trufflesecurity/trufflehog` from 3.95.2 to 3.95.3 - [Release notes](https://github.com/trufflesecurity/trufflehog/releases) - [Commits](https://github.com/trufflesecurity/trufflehog/compare/17456f8c7d042d8c82c9a8ca9e937231f9f42e26...37b77001d0174ebec2fcca2bd83ff83a6d45a3ab) --- updated-dependencies: - dependency-name: trufflesecurity/trufflehog dependency-version: 3.95.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: security-scanners ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/go-security.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/go-security.yml b/.github/workflows/go-security.yml index 6335d10..45d193c 100644 --- a/.github/workflows/go-security.yml +++ b/.github/workflows/go-security.yml @@ -192,7 +192,7 @@ jobs: fetch-depth: 0 - name: TruffleHog OSS - uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2 + uses: trufflesecurity/trufflehog@37b77001d0174ebec2fcca2bd83ff83a6d45a3ab # v3.95.3 with: path: ./ base: ${{ github.event.repository.default_branch }}
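Review bot: in config/deployment-matrix.yml, hunk @@ -41,6 +41,7 @@ (apps registry), the trailing comment `# firmino-dev only today` on the new `- lerian-notification` line repeats cluster scope that the clusters block in the second hunk already records, and it will go stale as soon as another cluster's apps list adds the app. Since the commit message treats this file as the source of truth for cluster routing, suggest dropping the comment or replacing it with a pointer to the onboarding issue, so the clusters section is the only place that says where the app runs.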
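Review bot: in .github/workflows/self-pr-validation.yml, hunk @@ -7,8 +7,10 @@, the new `- edited` entry under `types:` makes the suite run on every title, body or base-ref change, so a few quick edits in the GitHub UI can queue overlapping runs for the same PR and the last one to finish, not the latest edit, decides the reported state. The hunk shows no concurrency setting between `workflow_dispatch:` and `permissions:`; if the workflow has none elsewhere, consider a `concurrency` group keyed on the PR number with `cancel-in-progress: true`.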
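Review bot: in .github/workflows/go-security.yml, hunk @@ -192,7 +192,7 @@, the `# v3.95.3` comment on the new `uses:` line is not enforced by anything, so the pin is only as trustworthy as the SHA `37b77001d0174ebec2fcca2bd83ff83a6d45a3ab` itself. Before merging, confirm in the upstream repository that the v3.95.3 tag resolves to this commit; the step is the secret scanner, and a pin that does not match its label would not be caught by the diff alone.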