Merge cb5463e5d88b42b17d233c7314daca4cbe0861b5 into 5f4f9643258dc2a65e684b63f12c8d543c936c67

Bumps the actions group with 2 updates in the / directory: [codecov/codecov-action](https://github.com/codecov/codecov-action) and [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action).


Updates `codecov/codecov-action` from 5 to 6
- [Release notes](https://github.com/codecov/codecov-action/releases)
- [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/codecov/codecov-action/compare/v5...v6)

Updates `aquasecurity/trivy-action` from 0.35.0 to 0.36.0
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](https://github.com/aquasecurity/trivy-action/compare/0.35.0...v0.36.0)

---
updated-dependencies:
- dependency-name: codecov/codecov-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: aquasecurity/trivy-action
  dependency-version: 0.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/gin.yml

@@ -78,6 +78,6 @@ jobs:
         run: make test
 
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         with:
           flags: ${{ matrix.os }},go-${{ matrix.go }},${{ matrix.test-tags }}

.github/workflows/trivy-scan.yml

@@ -27,7 +27,7 @@ jobs:
           fetch-depth: 0
 
       - name: Run Trivy vulnerability scanner (source code)
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@v0.36.0
         with:
           scan-type: "fs"
           scan-ref: "."
@@ -44,7 +44,7 @@ jobs:
           sarif_file: "trivy-results.sarif"
 
       - name: Run Trivy scanner (table output for logs)
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@v0.36.0
         if: always()
         with:
           scan-type: "fs"

gin_test.go

@@ -743,6 +743,78 @@ func TestEngineHandleContextPreventsMiddlewareReEntry(t *testing.T) {
 	assert.Equal(t, int64(1), handlerCounterV2)
 }
 
+func TestEngineHandleContextNoRouteWithGroupMiddleware(t *testing.T) {
+	// Scenario from issue #1848:
+	// - Engine with no global middleware (gin.New())
+	// - A group with middleware
+	// - A route in that group
+	// - NoRoute handler that redirects via HandleContext
+	// The group middleware should run exactly once per HandleContext call,
+	// not accumulate across redirects.
+
+	var middlewareCount, handlerCount int64
+
+	r := New()
+	grp := r.Group("", func(c *Context) {
+		atomic.AddInt64(&middlewareCount, 1)
+		c.Next()
+	})
+	grp.GET("/target", func(c *Context) {
+		atomic.AddInt64(&handlerCount, 1)
+		c.String(http.StatusOK, "ok")
+	})
+
+	r.NoRoute(func(c *Context) {
+		c.Request.URL.Path = "/target"
+		r.HandleContext(c)
+	})
+
+	// Access a non-existent route to trigger NoRoute -> HandleContext
+	w := PerformRequest(r, "GET", "/nonexistent")
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Equal(t, "ok", w.Body.String())
+	// Middleware and handler should each run exactly once
+	assert.Equal(t, int64(1), atomic.LoadInt64(&middlewareCount))
+	assert.Equal(t, int64(1), atomic.LoadInt64(&handlerCount))
+}
+
+func TestEngineHandleContextNoRouteWithEngineMiddleware(t *testing.T) {
+	// When engine middleware exists and NoRoute redirects via HandleContext,
+	// verify the handlers run the expected number of times.
+
+	var engineMwCount, groupMwCount, handlerCount int64
+
+	r := New()
+	r.Use(func(c *Context) {
+		atomic.AddInt64(&engineMwCount, 1)
+		c.Next()
+	})
+
+	grp := r.Group("", func(c *Context) {
+		atomic.AddInt64(&groupMwCount, 1)
+		c.Next()
+	})
+	grp.GET("/target", func(c *Context) {
+		atomic.AddInt64(&handlerCount, 1)
+		c.String(http.StatusOK, "ok")
+	})
+
+	r.NoRoute(func(c *Context) {
+		c.Request.URL.Path = "/target"
+		r.HandleContext(c)
+	})
+
+	w := PerformRequest(r, "GET", "/nonexistent")
+	assert.Equal(t, http.StatusOK, w.Code)
+	assert.Equal(t, "ok", w.Body.String())
+	// Handler and group middleware should each run once (from HandleContext)
+	assert.Equal(t, int64(1), atomic.LoadInt64(&handlerCount))
+	assert.Equal(t, int64(1), atomic.LoadInt64(&groupMwCount))
+	// Engine middleware runs twice: once for the NoRoute chain, once for the HandleContext chain
+	// This is expected behavior since HandleContext re-enters the full handler chain
+	assert.Equal(t, int64(2), atomic.LoadInt64(&engineMwCount))
+}
+
 func TestEngineHandleContextUseEscapedPathPercentEncoded(t *testing.T) {
 	r := New()
 	r.UseEscapedPath = true