Bump github.com/netresearch/go-cron from 0.13.0 to 0.13.1

[dependabot]

Bumps github.com/netresearch/go-cron from 0.13.0 to 0.13.1.

Release notes

Sourced from github.com/netresearch/go-cron's releases.

v0.13.1

Bug Fixes

• Race condition in Entry/EntryByName and ScheduleJob (#336): When the scheduler is running, Entry/EntryByName now route lookups through the run loop channel, preventing concurrent map access. ScheduleJob now routes through the add channel when running, ensuring heap/map modifications happen atomically.
• Entry copies are now mutation-safe: Entry(), EntryByName(), and Entries() return struct copies with cloned Tags slices, preventing callers from mutating internal scheduler state.

Internal

• Convert flaky timing-based tests to FakeClock for deterministic execution
• Add tests for Tags deep copy isolation and ScheduleJob-while-running behavior
• Remove CodSpeed benchmarking integration
• Remove gosec from golangci-lint (runs as separate CI job)
• Add SPDX headers and DCO enforcement
• Fix SLSA provenance race condition in release workflow
• Fix CHANGELOG with missing version sections (v0.10.0, v0.12.0, v0.13.0)

Contributors

• @​jrouzierinverse — race condition fix and Tags deep copy (#336)
• @​CybotTM — tests, CI fixes, documentation, release

Supply Chain Security

This release includes:

• SBOM: Software Bill of Materials in CycloneDX and SPDX formats
• Checksums: SHA256 checksums for all artifacts
• Signatures: Keyless Sigstore/Cosign signatures for verification
• Attestations: GitHub artifact attestations with SLSA provenance

Verify with GitHub CLI (Recommended)

gh attestation verify sbom.cyclonedx.json -R netresearch/go-cron
gh attestation verify checksums.txt -R netresearch/go-cron

Verify with Cosign

gh release download v0.13.1 -R netresearch/go-cron
cosign verify-blob 
--certificate checksums.txt.pem 
--signature checksums.txt.sig 
--certificate-identity-regexp "https://github.com/netresearch/go-cron/*" 
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" 
checksums.txt
sha256sum -c checksums.txt

... (truncated)

Changelog

Sourced from github.com/netresearch/go-cron's changelog.

[0.13.1] - 2026-03-08

Fixed

• Race condition in Entry/EntryByName and ScheduleJob (PR#336): When the scheduler is running, Entry/EntryByName now route lookups through the run loop channel while holding runningMu, preventing concurrent map access. ScheduleJob now routes through the c.add channel when running, ensuring all heap/map modifications happen atomically in the run loop. Entry, EntryByName, and Entries now return struct copies with cloned Tags slices, preventing callers from mutating internal scheduler state.

Commits

• c95a63f chore: release v0.13.1 (#343)
• f6856f3 chore: prepare v0.13.1 release
• 0d7a26d docs: fix CHANGELOG with missing v0.10.0, v0.12.0, v0.13.0 sections (#342)
• 01ce791 docs: remove orphaned PR#341 link from CHANGELOG
• a3b23bb docs: fix CHANGELOG with missing v0.10.0, v0.12.0, v0.13.0 sections
• 3af2db7 test: add tests for PR #336 and fix pre-existing lint/flaky issues (#341)
• 9e6bfb4 test: assert no duplicate job invocation in TestAddWhileRunningWithDelay
• bac5aeb fix(lint): remove gosec from golangci-lint config
• 795076c fix(lint): exclude gosec G118 in golangci-lint config
• 4f035e0 fix: address review comments, remove CodSpeed, fix CI lint
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)