Bump github.com/netresearch/go-cron from 0.13.1 to 0.13.4 #885

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/go_modules/github.com/netresearch/go-cron-0.13.4
@dependabot dependabot bot commented on behalf of github Apr 6, 2026

Bumps github.com/netresearch/go-cron from 0.13.1 to 0.13.4.

Release notes

Sourced from github.com/netresearch/go-cron's releases.

v0.13.4

Bug Fixes

  • DST fall-back duplicate execution (#349, #350): Jobs scheduled during DST fall-back transitions (when wall-clock time repeats) no longer fire twice. The scheduler now detects when Next() returns the second occurrence of the same wall-clock time and skips it, consistent with ISC cron behavior and ADR-016. Per-schedule TZ= overrides are correctly respected.
  • Hash expression false positive on day names (#347): Day-of-week names containing "H" (e.g., THU for Thursday) no longer incorrectly trigger hash expression validation, which previously caused valid expressions like 0 0 * * THU to fail.
  • SLSA provenance format (#345): Fixed provenance subject format and flaky example test.

CI/CD & Supply Chain Security

  • Migrate 5 workflows to shared reusable workflows from netresearch/.github (#353): codeql, dependency-review, auto-merge-deps, pr-quality, scorecard
  • Fix broken release attestation by removing actions/attest-build-provenance (unpinned transitive dependency blocked by SHA-pinning ruleset); SLSA provenance handled by separate workflow
  • Harden GitHub Actions against supply chain attacks with SHA-pinned actions and Dependabot (#348)
  • Update trivy-action to v0.35.0

Documentation

  • Rebrand from "maintained fork" to standalone project (#344)
  • Add ofelia to notable dependents
  • Update ADR-016 and DST_HANDLING.md with actual fall-back implementation details
  • Add CLAUDE.md symlink and release workflow rule to AGENTS.md (#352)

Tests

  • Comprehensive DST fall-back test coverage (#350, #351): unit tests (9 cases incl. Europe/London), scheduler-level tests (dedup, per-schedule TZ, ConstantDelaySchedule, schedule exhaustion), integration tests (bulk + minute-by-minute)

Contributors

  • @danielv6987 — DST fall-back duplicate execution report (#349)
  • @CybotTM — bug fixes, tests, CI hardening, documentation, workflow migration

Supply Chain Security

This release includes:

  • SBOM: Software Bill of Materials in CycloneDX and SPDX formats
  • Checksums: SHA256 checksums for all artifacts
  • Signatures: Keyless Sigstore/Cosign signatures for verification
  • SLSA Provenance: Generated by separate workflow after release

Verify with Cosign

# Install cosign: https://docs.sigstore.dev/cosign/installation/
gh release download v0.13.4 -R netresearch/go-cron
cosign verify-blob \
  --certificate checksums.txt.pem \
  --signature checksums.txt.sig \
  --certificate-identity-regexp "https://github.com/netresearch/go-cron/*" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  checksums.txt

... (truncated)

Changelog

Sourced from github.com/netresearch/go-cron's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Originally based on robfig/cron.

[Unreleased]

Planned for v2

  • Context-aware Job interface with graceful shutdown support

Commits

  • 1d32ec6 fix: migrate to shared reusable workflows, fix broken release attestation (#353)
  • dbe204c fix: migrate to shared reusable workflows from netresearch/.github
  • 8f0e23c docs: add release workflow rule to AGENTS.md (#352)
  • 7208b63 docs: clarify release rule — restrict gh release create, not git tag -s
  • 40138c8 docs: add release workflow rule to AGENTS.md
  • e44f8a8 test: cover schedule-exhaustion path after DST fall-back skip (#351)
  • ebf83bb test: cover schedule-exhaustion path after DST fall-back skip
  • 71a366e fix: prevent duplicate job execution during DST fall-back (#350)
  • f68b31f fix: address round-2 review findings
  • cab1c71 test: add unit tests for scheduler-level DST fall-back dedup
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/netresearch/go-cron](https://github.com/netresearch/go-cron) from 0.13.1 to 0.13.4.
- [Release notes](https://github.com/netresearch/go-cron/releases)
- [Changelog](https://github.com/netresearch/go-cron/blob/main/CHANGELOG.md)
- [Commits](netresearch/go-cron@v0.13.1...v0.13.4)

---
updated-dependencies:
- dependency-name: github.com/netresearch/go-cron
  dependency-version: 0.13.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) labels on Apr 6, 2026
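
The DST fall-back duplicate described in the v0.13.4 release notes above, as an added Go example that is not go-cron's own code: `naiveNext`, `sameWallClock`, `dedupNext` and `fallBackDemo` are hypothetical names, and the 2025-10-26 Europe/London fire time is constructed. It shows a minute-stepping Next() returning the repeated 01:30 one hour later, and a guard that skips that second occurrence.

```go
package main

import (
	"fmt"
	"time"
	_ "time/tzdata" // embed the zone database so the example runs offline
)

// naiveNext (hypothetical) steps absolute time by minutes until the wall clock reads hour:minute.
func naiveNext(after time.Time, hour, minute int) time.Time {
	t := after.Truncate(time.Minute).Add(time.Minute)
	for t.Hour() != hour || t.Minute() != minute {
		t = t.Add(time.Minute)
	}
	return t
}

// sameWallClock reports whether b repeats a's wall-clock reading at a different UTC offset.
func sameWallClock(a, b time.Time) bool {
	const layout = "2006-01-02T15:04:05"
	_, offA := a.Zone()
	_, offB := b.Zone()
	return offA != offB && a.Format(layout) == b.Format(layout)
}

// dedupNext skips a result that is the second occurrence of the wall-clock
// time that already fired at prev (the fall-back repeat).
func dedupNext(prev time.Time, hour, minute int) time.Time {
	next := naiveNext(prev, hour, minute)
	if sameWallClock(prev, next) {
		next = naiveNext(next, hour, minute)
	}
	return next
}

// fallBackDemo: a daily 01:30 job that just fired at 01:30 BST (constructed sample date).
func fallBackDemo() (naive, dedup time.Time) {
	loc, err := time.LoadLocation("Europe/London")
	if err != nil {
		panic(err)
	}
	fired := time.Date(2025, 10, 26, 0, 30, 0, 0, time.UTC).In(loc) // 01:30 BST
	return naiveNext(fired, 1, 30), dedupNext(fired, 1, 30)
}

func main() {
	naive, dedup := fallBackDemo()
	fmt.Println("naive:", naive, "dedup:", dedup)
}
```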