Bump github.com/netresearch/go-cron from 0.14.0 to 0.15.0

[dependabot]

Bumps github.com/netresearch/go-cron from 0.14.0 to 0.15.0.

Release notes

Sourced from github.com/netresearch/go-cron's releases.

v0.15.0

Added — DrainAndUpsertJob

A windowless variant of UpsertJob for gracefully rescheduling a named entry.

// Two-step: a cron tick can still fire the OLD schedule between these calls.
cr.WaitForJobByName("my-job")
cr.UpsertJob(newSpec, newJob, cron.WithName("my-job"))
// Windowless: no invocation can start under the stale schedule.
cr.DrainAndUpsertJob(newSpec, newJob, cron.WithName("my-job"))

It pauses the entry, drains any in-flight invocation, swaps the schedule and job, then restores the entry's prior paused state. Pausing before the drain guarantees the old schedule cannot fire again between the wait and the replacement — closing the narrow stale-fire window of the two-step WaitForJobByName → UpsertJob sequence. It composes existing serialized methods, so the drain never holds a scheduler lock (no run-loop stall, no deadlock). If the named entry doesn't exist, it creates one.

Motivated by the weaviate object-TTL scheduler. Design rationale and the windowless proof: ADR-022. See #381.

Full Changelog: netresearch/go-cron@v0.14.0...v0.15.0

Supply Chain Security

This release includes:

• SBOM: CycloneDX (sbom-0.15.0.cyclonedx.json) and SPDX (sbom-0.15.0.spdx.json)
• Checksums: checksums.txt
• Signature: keyless Sigstore/Cosign bundle (checksums.txt.sigstore.json)

Verify with Cosign

Signing is performed by the shared netresearch/.github release workflow, so the certificate identity is that workflow (not this repo):

gh release download v0.15.0 -R netresearch/go-cron
cosign verify-blob 
--bundle checksums.txt.sigstore.json 
--certificate-identity-regexp "^https://github\.com/netresearch/\.github/\.github/workflows/golib-create-release\.yml@" 
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" 
checksums.txt
sha256sum -c checksums.txt

Changelog

Sourced from github.com/netresearch/go-cron's changelog.

[0.15.0] - 2026-06-02

Added

• DrainAndUpsertJob ([PR#381]): windowless variant of UpsertJob for graceful reschedule. Pauses the named entry, drains any in-flight invocation, swaps the schedule and job, then restores the entry's prior paused state — closing the narrow window in which the two-step WaitForJobByName → UpsertJob sequence could let the old schedule fire once more between the wait and the replacement. Composes existing serialized methods, so the drain never holds a cron lock. Motivated by the weaviate object-TTL scheduler; see ADR-022.

Commits

• cd4bf69 ci: grant id-token and attestations to release workflow caller (#383)
• d3b58c9 ci: grant id-token and attestations to release workflow caller
• 4bc3552 chore: release v0.15.0 (#382)
• af0eca1 chore: release v0.15.0
• b8c1734 feat: add DrainAndUpsertJob for windowless graceful reschedule (#381)
• d526e2f feat: add DrainAndUpsertJob for windowless graceful reschedule
• 627b18c ci: sync with netresearch/.github templates/go-lib (#380)
• e1beda3 ci: sync with netresearch/.github templates/go-lib
• 4621745 fix(lint): extract repeated cron descriptors into constants (#379)
• c1e6618 refactor(lint): consolidate @​every descriptor and clarify constant docs
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)