From 19535f392fbd8807b27b09f24fd5db5b00f9133e Mon Sep 17 00:00:00 2001
From: Mend Renovate
Date: Fri, 13 Dec 2024 12:19:32 +0100
Subject: [PATCH 1/2] chore(deps): update github-actions (#3991)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | digest | `9a9194f` -> `cbb7224` |
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | minor | `v4.1.7` -> `v4.2.2` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.0.2` -> `v5.2.0` |
| [actions/setup-java](https://redirect.github.com/actions/setup-java) | action | minor | `v4.2.1` -> `v4.5.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | minor | `v4.0.3` -> `v4.1.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | digest | `1e60f62` -> `39370e3` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.3.5` -> `v4.4.3` |
| [geekyeggo/delete-artifact](https://redirect.github.com/geekyeggo/delete-artifact) | action | minor | `v5.0.0` -> `v5.1.0` |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.25.15` -> `v3.27.9` |
| [google-github-actions/auth](https://redirect.github.com/google-github-actions/auth) | action | patch | `v2.1.3` -> `v2.1.7` |
| [ianlewis/todo-issue-reopener](https://redirect.github.com/ianlewis/todo-issue-reopener) | action | minor | `v1.2.1` -> `v1.4.0` |
| [sigstore/cosign-installer](https://redirect.github.com/sigstore/cosign-installer) | action | minor | `v3.5.0` -> `v3.7.0` |
| [softprops/action-gh-release](https://redirect.github.com/softprops/action-gh-release) | action | minor | `v2.0.8` -> `v2.2.0` |
| [thehanimo/pr-title-checker](https://redirect.github.com/thehanimo/pr-title-checker) | action | patch | `v1.4.2` -> `v1.4.3` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Release Notes

actions/checkout (actions/checkout)

### [`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2)

- `url-helper.ts` now leverages well-known environment variables by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1941](https://redirect.github.com/actions/checkout/pull/1941)
- Expand unit test coverage for `isGhes` by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1946](https://redirect.github.com/actions/checkout/pull/1946)

### [`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1)

- Check out other refs/\* by commit if provided, fall back to ref by [@​orhantoy](https://redirect.github.com/orhantoy) in [https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924)

### [`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0)

- Add Ref and Commit outputs by [@​lucacome](https://redirect.github.com/lucacome) in [https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180)
- Dependency updates by [@​dependabot-](https://redirect.github.com/dependabot-) [https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777), [https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872)

actions/setup-go (actions/setup-go)

### [`v5.2.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.2.0)

[Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.1.0...v5.2.0)

#### What's Changed

- Leveraging the raw API to retrieve the version-manifest, as it does not impose a rate limit and hence facilitates unrestricted consumption without the need for a token for Github Enterprise Servers by [@​Shegox](https://redirect.github.com/Shegox) in [https://github.com/actions/setup-go/pull/496](https://redirect.github.com/actions/setup-go/pull/496)

#### New Contributors

- [@​Shegox](https://redirect.github.com/Shegox) made their first contribution in [https://github.com/actions/setup-go/pull/496](https://redirect.github.com/actions/setup-go/pull/496)

**Full Changelog**: https://github.com/actions/setup-go/compare/v5...v5.2.0

### [`v5.1.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.1.0)

[Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.0.2...v5.1.0)

##### What's Changed

- Add workflow file for publishing releases to immutable action package by [@​Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- Upgrade IA Publish by [@​Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-go/pull/502](https://redirect.github.com/actions/setup-go/pull/502)
- Add architecture to cache key by [@​Zxilly](https://redirect.github.com/Zxilly) in [https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
  This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts.
  Note: This change may break previous cache keys as they will no longer be compatible with the new format.
- Enhance workflows and Upgrade micromatch Dependency by [@​priyagupta108](https://redirect.github.com/priyagupta108) in [https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Bug Fixes**

- Revise `isGhes` logic by [@​jww3](https://redirect.github.com/jww3) in [https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)

##### New Contributors

- [@​Zxilly](https://redirect.github.com/Zxilly) made their first contribution in [https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
- [@​Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- [@​jww3](https://redirect.github.com/jww3) made their first contribution in [https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)
- [@​priyagupta108](https://redirect.github.com/priyagupta108) made their first contribution in [https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Full Changelog**: https://github.com/actions/setup-go/compare/v5...v5.1.0

actions/setup-java (actions/setup-java)

### [`v4.5.0`](https://redirect.github.com/actions/setup-java/releases/tag/v4.5.0)

[Compare Source](https://redirect.github.com/actions/setup-java/compare/v4.4.0...v4.5.0)

#### What's Changed

- Upgrade IA Publish by [@​Jcambass](https://redirect.github.com/Jcambass) in [#​686](https://redirect.github.com/actions/setup-java/issues/686)

##### Bug fixes:

- Improve archive extraction on windows runners without powershell core and Update micromatch dependency by [@​priyagupta108](https://redirect.github.com/priyagupta108) in [#​689](https://redirect.github.com/actions/setup-java/issues/689)
- Update workflows for GraalVM and Version Enhancements by [@​mahabaleshwars](https://redirect.github.com/mahabaleshwars) in [#​699](https://redirect.github.com/actions/setup-java/issues/699)
- Refine `isGhes` logic by [@​jww3](https://redirect.github.com/jww3) in [#​697](https://redirect.github.com/actions/setup-java/issues/697)

##### New Contributors:

- [@​priyagupta108](https://redirect.github.com/priyagupta108) made their first contribution in [https://github.com/actions/setup-java/pull/689](https://redirect.github.com/actions/setup-java/pull/689)
- [@​jww3](https://redirect.github.com/jww3) made their first contribution in [https://github.com/actions/setup-java/pull/697](https://redirect.github.com/actions/setup-java/pull/697)

**Full Changelog**: https://github.com/actions/setup-java/compare/v4...v4.5.0

### [`v4.4.0`](https://redirect.github.com/actions/setup-java/releases/tag/v4.4.0)

[Compare Source](https://redirect.github.com/actions/setup-java/compare/v4.3.0...v4.4.0)

##### What's Changed

**Add-ons :**

- Add support for Oracle GraalVM by [@​fniephaus](https://redirect.github.com/fniephaus) in [https://github.com/actions/setup-java/pull/501](https://redirect.github.com/actions/setup-java/pull/501)

```yaml
steps:
  - name: Checkout
    uses: actions/checkout@v4
  - name: Setup-java
    uses: actions/setup-java@v4
    with:
      distribution: 'graalvm'
      java-version: '21'
```

- Add workflow file for publishing releases to immutable action package by [@​Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-java/pull/684](https://redirect.github.com/actions/setup-java/pull/684)

**Bug fixes :**

- Add architecture to cache key by [@​Zxilly](https://redirect.github.com/Zxilly) in [https://github.com/actions/setup-java/pull/664](https://redirect.github.com/actions/setup-java/pull/664)
  This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts.
  Note: This change may break previous cache keys as they will no longer be compatible with the new format.
- Resolve check failures by [@​aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in [https://github.com/actions/setup-java/pull/687](https://redirect.github.com/actions/setup-java/pull/687)

##### New Contributors

- [@​Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/setup-java/pull/684](https://redirect.github.com/actions/setup-java/pull/684)
- [@​Zxilly](https://redirect.github.com/Zxilly) made their first contribution in [https://github.com/actions/setup-java/pull/664](https://redirect.github.com/actions/setup-java/pull/664)

**Full Changelog**: https://github.com/actions/setup-java/compare/v4...v4.4.0

### [`v4.3.0`](https://redirect.github.com/actions/setup-java/compare/v4.2.2...v4.3.0)

[Compare Source](https://redirect.github.com/actions/setup-java/compare/v4.2.2...v4.3.0)

### [`v4.2.2`](https://redirect.github.com/actions/setup-java/releases/tag/v4.2.2)

[Compare Source](https://redirect.github.com/actions/setup-java/compare/v4.2.1...v4.2.2)

##### What's Changed

##### Bug fixes:

- Fix macos latest check failures by [@​HarithaVattikuti](https://redirect.github.com/HarithaVattikuti) in [https://github.com/actions/setup-java/pull/634](https://redirect.github.com/actions/setup-java/pull/634)
- Fix dragonwell distribution parsing issues by [@​Accelerator1996](https://redirect.github.com/Accelerator1996) in [https://github.com/actions/setup-java/pull/643](https://redirect.github.com/actions/setup-java/pull/643)

##### Documentation changes

- Update advanced documentation for java-version-file by [@​mahabaleshwars](https://redirect.github.com/mahabaleshwars) in [https://github.com/actions/setup-java/pull/622](https://redirect.github.com/actions/setup-java/pull/622)

##### Dependency updates:

- Bump undici from 5.28.3 to 5.28.4 and other dependency updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/setup-java/pull/616](https://redirect.github.com/actions/setup-java/pull/616)

**Full Changelog**: https://github.com/actions/setup-java/compare/v4...v4.2.2

actions/setup-node (actions/setup-node)

### [`v4.1.0`](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

### [`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

actions/upload-artifact (actions/upload-artifact)

### [`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3)

##### What's Changed

- Undo indirect dependency updates from [#​627](https://redirect.github.com/actions/upload-artifact/issues/627) by [@​joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632)

**Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3

### [`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2)

##### What's Changed

- Bump `@actions/artifact` to 2.1.11 by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627)
  - Includes fix for relative symlinks not resolving properly

**Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2

### [`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1)

##### What's Changed

- Add a section about hidden files by [@​joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607)
- Add workflow file for publishing releases to immutable action package by [@​Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)
- Update [@​actions/artifact](https://redirect.github.com/actions/artifact) to latest version, includes symlink and timeout fixes by [@​robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625)

##### New Contributors

- [@​Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)

**Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1

### [`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

### [`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

geekyeggo/delete-artifact (geekyeggo/delete-artifact)

### [`v5.1.0`](https://redirect.github.com/GeekyEggo/delete-artifact/releases/tag/v5.1.0)

[Compare Source](https://redirect.github.com/geekyeggo/delete-artifact/compare/v5.0.0...v5.1.0)

- Mark deprecated token parameter as optional.
- Bump undici dependency.

github/codeql-action (github/codeql-action)

### [`v3.27.9`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.9)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.8...v3.27.9)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.9 - 12 Dec 2024

No user facing changes.

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.9/CHANGELOG.md) for more information.

### [`v3.27.8`](https://redirect.github.com/github/codeql-action/compare/v3.27.7...v3.27.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.7...v3.27.8)

### [`v3.27.7`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.6...v3.27.7)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.7 - 10 Dec 2024

- We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. [#​2631](https://redirect.github.com/github/codeql-action/pull/2631)
- Update default CodeQL bundle version to 2.20.0. [#​2636](https://redirect.github.com/github/codeql-action/pull/2636)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.7/CHANGELOG.md) for more information.

### [`v3.27.6`](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

### [`v3.27.5`](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

### [`v3.27.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.3...v3.27.4)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.4 - 14 Nov 2024

No user facing changes.

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md) for more information.

### [`v3.27.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.2...v3.27.3)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.3 - 12 Nov 2024

No user facing changes.

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md) for more information.

### [`v3.27.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.1...v3.27.2)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.2 - 12 Nov 2024

- Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". [#​2590](https://redirect.github.com/github/codeql-action/pull/2590)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md) for more information.

### [`v3.27.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.0...v3.27.1)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.1 - 08 Nov 2024

- The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. [#​2573](https://redirect.github.com/github/codeql-action/pull/2573)
- Update default CodeQL bundle version to 2.19.3. [#​2576](https://redirect.github.com/github/codeql-action/pull/2576)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.1/CHANGELOG.md) for more information.

### [`v3.27.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.13...v3.27.0)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.0 - 22 Oct 2024

- Bump the minimum CodeQL bundle version to 2.14.6. [#​2549](https://redirect.github.com/github/codeql-action/pull/2549)
- Fix an issue where the `upload-sarif` Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the `upload-sarif` Action. [#​2557](https://redirect.github.com/github/codeql-action/pull/2557)
- Update default CodeQL bundle version to 2.19.2. [#​2552](https://redirect.github.com/github/codeql-action/pull/2552)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.0/CHANGELOG.md) for more information.

### [`v3.26.13`](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

### [`v3.26.12`](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

### [`v3.26.11`](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

### [`v3.26.10`](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

### [`v3.26.9`](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

### [`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

### [`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

### [`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

### [`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

### [`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

### [`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

### [`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

### [`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

### [`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

google-github-actions/auth (google-github-actions/auth)

### [`v2.1.7`](https://redirect.github.com/google-github-actions/auth/releases/tag/v2.1.7)

[Compare Source](https://redirect.github.com/google-github-actions/auth/compare/v2.1.6...v2.1.7)

#### What's Changed

- fix: update relase workflows by [@​verbanicm](https://redirect.github.com/verbanicm) in [https://github.com/google-github-actions/auth/pull/452](https://redirect.github.com/google-github-actions/auth/pull/452)
- Release: v2.1.7 by [@​google-github-actions-bot](https://redirect.github.com/google-github-actions-bot) in [https://github.com/google-github-actions/auth/pull/453](https://redirect.github.com/google-github-actions/auth/pull/453)

**Full Changelog**: https://github.com/google-github-actions/auth/compare/v2.1.6...v2.1.7

### [`v2.1.6`](https://redirect.github.com/google-github-actions/auth/releases/tag/v2.1.6)

[Compare Source](https://redirect.github.com/google-github-actions/auth/compare/v2.1.5...v2.1.6)

##### What's Changed

- Recommend `gcloud storage` over `gsutil` by [@​sethvargo](https://redirect.github.com/sethvargo) in [https://github.com/google-github-actions/auth/pull/438](https://redirect.github.com/google-github-actions/auth/pull/438)
- Add missing log line by [@​sethvargo](https://redirect.github.com/sethvargo) in [https://github.com/google-github-actions/auth/pull/448](https://redirect.github.com/google-github-actions/auth/pull/448)
- Release: v2.1.6 by [@​google-github-actions-bot](https://redirect.github.com/google-github-actions-bot) in [https://github.com/google-github-actions/auth/pull/449](https://redirect.github.com/google-github-actions/auth/pull/449)

**Full Changelog**: https://github.com/google-github-actions/auth/compare/v2.1.5...v2.1.6

### [`v2.1.5`](https://redirect.github.com/google-github-actions/auth/releases/tag/v2.1.5)

[Compare Source](https://redirect.github.com/google-github-actions/auth/compare/v2.1.4...v2.1.5)

##### What's Changed

- Document ID Token lifetimes by [@​sethvargo](https://redirect.github.com/sethvargo) in [https://github.com/google-github-actions/auth/pull/433](https://redirect.github.com/google-github-actions/auth/pull/433)
- fix !project_id error message typo by [@​seth-acuitymd](https://redirect.github.com/seth-acuitymd) in [https://github.com/google-github-actions/auth/pull/435](https://redirect.github.com/google-github-actions/auth/pull/435)
- Update deps by [@​sethvargo](https://redirect.github.com/sethvargo) in [https://github.com/google-github-actions/auth/pull/436](https://redirect.github.com/google-github-actions/auth/pull/436)
- Release: v2.1.5 by [@​google-github-actions-bot](https://redirect.github.com/google-github-actions-bot) in [https://github.com/google-github-actions/auth/pull/437](https://redirect.github.com/google-github-actions/auth/pull/437)

##### New Contributors

- [@​seth-acuitymd](https://redirect.github.com/seth-acuitymd) made their first contribution in [https://github.com/google-github-actions/auth/pull/435](https://redirect.github.com/google-github-actions/auth/pull/435)

**Full Changelog**: https://github.com/google-github-actions/auth/compare/v2.1.4...v2.1.5

### [`v2.1.4`](https://redirect.github.com/google-github-actions/auth/releases/tag/v2.1.4)

[Compare Source](https://redirect.github.com/google-github-actions/auth/compare/v2.1.3...v2.1.4)

#### What's Changed

- security: bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/google-github-actions/auth/pull/420](https://redirect.github.com/google-github-actions/auth/pull/420)
- Update spelling and workflow versions by [@​sethvargo](https://redirect.github.com/sethvargo) in [https://github.com/google-github-actions/auth/pull/422](https://redirect.github.com/google-github-actions/auth/pull/422)
- Update deps by [@​sethvargo](https://redirect.github.com/sethvargo) in [https://github.com/google-github-actions/auth/pull/430](https://redirect.github.com/google-github-actions/auth/pull/430)
- Release: v2.1.4 by [@​google-github-actions-bot](https://redirect.github.com/google-github-actions-bot) in [https://github.com/google-github-actions/auth/pull/431](https://redirect.github.com/google-github-actions/auth/pull/431)

**Full Changelog**: https://github.com/google-github-actions/auth/compare/v2.1.3...v2.1.4

ianlewis/todo-issue-reopener (ianlewis/todo-issue-reopener)

### [`v1.4.0`](https://redirect.github.com/ianlewis/todo-issue-reopener/releases/tag/v1.4.0)

[Compare Source](https://redirect.github.com/ianlewis/todo-issue-reopener/compare/v1.3.0...v1.4.0)

#### Updated in 1.4.0

- Updated the version of `todos` used to v0.10.0.

#### All Changes Since v1.3.0

- chore(deps-dev): Bump eslint-plugin-prettier from 5.1.3 to 5.2.1 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1141](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1141)
- chore(deps): Bump uuid from 7.0.3 to 10.0.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1148](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1148)
- chore(deps): Bump actions/upload-artifact from 4.3.6 to 4.4.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1170](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1170)
- chore(deps-dev): Bump [@typescript-eslint/eslint-plugin](https://redirect.github.com/typescript-eslint/eslint-plugin) from 8.0.1 to 8.8.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1194](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1194)
- chore(deps): Bump actions/setup-node from 4.0.2 to 4.0.4 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1208](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1208)
- chore(deps): Bump github/codeql-action from 3.26.0 to 3.26.13 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1267](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1267)
- chore(deps-dev): Bump [@typescript-eslint/eslint-plugin](https://redirect.github.com/typescript-eslint/eslint-plugin) from 8.8.0 to 8.10.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1241](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1241)
- chore(deps): Bump codecov/codecov-action from 4.5.0 to 4.6.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1206](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1206)
- chore(deps-dev): Bump [@typescript-eslint/parser](https://redirect.github.com/typescript-eslint/parser) from 8.0.1 to 8.10.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1240](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1240)
- chore(deps): Bump yaml from 2.4.0 to 2.6.0 by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/ianlewis/todo-issue-reopener/pull/1319](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1319)
- chore(deps): Update todos version to v0.10.0 by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/ianlewis/todo-issue-reopener/pull/1330](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1330)
- chore(release): v1.4.0 by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/ianlewis/todo-issue-reopener/pull/1341](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1341)

**Full Changelog**: https://github.com/ianlewis/todo-issue-reopener/compare/v1.3.0...v1.4.0

### [`v1.3.0`](https://redirect.github.com/ianlewis/todo-issue-reopener/releases/tag/v1.3.0)

[Compare Source](https://redirect.github.com/ianlewis/todo-issue-reopener/compare/v1.2.1...v1.3.0)

#### Updated in 1.3.0

- Updated the version of `todos` used to v0.9.0.

#### All Changes

- chore(deps): Bump codecov/codecov-action from 4.4.0 to 4.5.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/922](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/922)
- chore(deps): Bump actions/checkout from 4.1.1 to 4.1.7 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/923](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/923)
- chore(deps-dev): Bump ts-jest from 29.1.2 to 29.2.4 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/940](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/940)
- chore(deps-dev): Bump [@types/node](https://redirect.github.com/types/node) from 20.11.15 to 22.0.2 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/959](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/959)
- chore: Update todos version by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/ianlewis/todo-issue-reopener/pull/988](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/988)
- chore(deps-dev): Bump prettier from 3.0.1 to 3.3.3 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/952](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/952)
- chore(deps): Bump ossf/scorecard-action from 2.3.1 to 2.4.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/970](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/970)
- chore(deps): Bump actions/upload-artifact from 4.3.3 to 4.3.6 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1016](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1016)
- chore(deps): Bump github/codeql-action from 3.25.5 to 3.26.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1020](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1020)
- chore(deps-dev): Bump [@types/node](https://redirect.github.com/types/node) from 22.0.2 to 22.1.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ianlewis/todo-issue-reopener/pull/1022](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1022)
- chore(deps): Update typescript by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/ianlewis/todo-issue-reopener/pull/1108](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1108)
- chore(release): v1.3.0 by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/ianlewis/todo-issue-reopener/pull/1129](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1129)

**Full Changelog**: https://github.com/ianlewis/todo-issue-reopener/compare/v1.2.1...v1.3.0

sigstore/cosign-installer (sigstore/cosign-installer)

### [`v3.7.0`](https://redirect.github.com/sigstore/cosign-installer/releases/tag/v3.7.0)

[Compare Source](https://redirect.github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0)

#### What's Changed

- Bump actions/checkout from 4.1.7 to 4.2.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/172](https://redirect.github.com/sigstore/cosign-installer/pull/172)
- bump for latest cosign v2.4.1 release by [@bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/173](https://redirect.github.com/sigstore/cosign-installer/pull/173)

**Full Changelog**: https://github.com/sigstore/cosign-installer/compare/v3.6.0...v3.7.0

### [`v3.6.0`](https://redirect.github.com/sigstore/cosign-installer/releases/tag/v3.6.0)

[Compare Source](https://redirect.github.com/sigstore/cosign-installer/compare/v3.5.0...v3.6.0)

#### What's Changed

- Bump actions/checkout from 4.1.2 to 4.1.3 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/161](https://redirect.github.com/sigstore/cosign-installer/pull/161)
- Bump actions/checkout from 4.1.3 to 4.1.4 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/162](https://redirect.github.com/sigstore/cosign-installer/pull/162)
- Bump actions/setup-go from 5.0.0 to 5.0.1 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/163](https://redirect.github.com/sigstore/cosign-installer/pull/163)
- Bump actions/checkout from 4.1.4 to 4.1.5 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/164](https://redirect.github.com/sigstore/cosign-installer/pull/164)
- Bump actions/checkout from 4.1.5 to 4.1.6 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/165](https://redirect.github.com/sigstore/cosign-installer/pull/165)
- Bump actions/checkout from 4.1.6 to 4.1.7 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/166](https://redirect.github.com/sigstore/cosign-installer/pull/166)
- Bump actions/setup-go from 5.0.1 to 5.0.2 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/sigstore/cosign-installer/pull/167](https://redirect.github.com/sigstore/cosign-installer/pull/167)
- pin public key used for verification by [@bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/169](https://redirect.github.com/sigstore/cosign-installer/pull/169)
- bump default version to v2.4.0 release by [@bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/168](https://redirect.github.com/sigstore/cosign-installer/pull/168)
- update readme for new release by [@bobcallaway](https://redirect.github.com/bobcallaway) in [https://github.com/sigstore/cosign-installer/pull/170](https://redirect.github.com/sigstore/cosign-installer/pull/170)

**Full Changelog**: https://github.com/sigstore/cosign-installer/compare/v3...v3.6.0

softprops/action-gh-release (softprops/action-gh-release)

### [`v2.2.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.2.0)

[Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.1.0...v2.2.0)

##### What's Changed

##### Exciting New Features 🎉

- feat: read the release assets asynchronously by [@xen0n](https://redirect.github.com/xen0n) in [https://github.com/softprops/action-gh-release/pull/552](https://redirect.github.com/softprops/action-gh-release/pull/552)

##### Bug fixes 🐛

- fix(docs): clarify the default for tag_name by [@alexeagle](https://redirect.github.com/alexeagle) in [https://github.com/softprops/action-gh-release/pull/544](https://redirect.github.com/softprops/action-gh-release/pull/544)

##### Other Changes 🔄

- chore(deps): bump typescript from 5.6.3 to 5.7.2 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/548](https://redirect.github.com/softprops/action-gh-release/pull/548)
- chore(deps): bump [@types/node](https://redirect.github.com/types/node) from 22.9.0 to 22.9.4 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/547](https://redirect.github.com/softprops/action-gh-release/pull/547)
- chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/545](https://redirect.github.com/softprops/action-gh-release/pull/545)
- chore(deps): bump [@vercel/ncc](https://redirect.github.com/vercel/ncc) from 0.38.2 to 0.38.3 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/543](https://redirect.github.com/softprops/action-gh-release/pull/543)
- chore(deps): bump prettier from 3.3.3 to 3.4.1 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/550](https://redirect.github.com/softprops/action-gh-release/pull/550)
- chore(deps): bump [@types/node](https://redirect.github.com/types/node) from 22.9.4 to 22.10.1 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/551](https://redirect.github.com/softprops/action-gh-release/pull/551)
- chore(deps): bump prettier from 3.4.1 to 3.4.2 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/554](https://redirect.github.com/softprops/action-gh-release/pull/554)

##### New Contributors

- [@alexeagle](https://redirect.github.com/alexeagle) made their first contribution in [https://github.com/softprops/action-gh-release/pull/544](https://redirect.github.com/softprops/action-gh-release/pull/544)
- [@xen0n](https://redirect.github.com/xen0n) made their first contribution in [https://github.com/softprops/action-gh-release/pull/552](https://redirect.github.com/softprops/action-gh-release/pull/552)

**Full Changelog**: https://github.com/softprops/action-gh-release/compare/v2.1.0...v2.2.0

### [`v2.1.0`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.1.0)

[Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.0.9...v2.1.0)

#### What's Changed

##### Exciting New Features 🎉

- feat: add support for release assets with multiple spaces within the name by [@dukhine](https://redirect.github.com/dukhine) in [https://github.com/softprops/action-gh-release/pull/518](https://redirect.github.com/softprops/action-gh-release/pull/518)
- feat: preserve upload order by [@richarddd](https://redirect.github.com/richarddd) in [https://github.com/softprops/action-gh-release/pull/500](https://redirect.github.com/softprops/action-gh-release/pull/500)

##### Other Changes 🔄

- chore(deps): bump [@types/node](https://redirect.github.com/types/node) from 22.8.2 to 22.8.7 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/539](https://redirect.github.com/softprops/action-gh-release/pull/539)

#### New Contributors

- [@dukhine](https://redirect.github.com/dukhine) made their first contribution in [https://github.com/softprops/action-gh-release/pull/518](https://redirect.github.com/softprops/action-gh-release/pull/518)
- [@richarddd](https://redirect.github.com/richarddd) made their first contribution in [https://github.com/softprops/action-gh-release/pull/500](https://redirect.github.com/softprops/action-gh-release/pull/500)

**Full Changelog**: https://github.com/softprops/action-gh-release/compare/v2...v2.1.0

### [`v2.0.9`](https://redirect.github.com/softprops/action-gh-release/releases/tag/v2.0.9)

[Compare Source](https://redirect.github.com/softprops/action-gh-release/compare/v2.0.8...v2.0.9)

#### What's Changed

- maintenance release with updated dependencies

#### New Contributors

- [@kbakdev](https://redirect.github.com/kbakdev) made their first contribution in [https://github.com/softprops/action-gh-release/pull/521](https://redirect.github.com/softprops/action-gh-release/pull/521)

**Full Changelog**: https://github.com/softprops/action-gh-release/compare/v2...v2.0.9

thehanimo/pr-title-checker (thehanimo/pr-title-checker)

### [`v1.4.3`](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

[Compare Source](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

Signed-off-by: Mend Renovate --- .github/actions/generate-builder/action.yml | 2 +- .../secure-builder-checkout/action.yaml | 2 +- .../secure-project-checkout-go/action.yml | 2 +- .../secure-project-checkout-node/action.yml | 2 +- .../secure-project-checkout/action.yaml | 2 +- .../actions/secure-upload-artifact/action.yml | 2 +- .../builder_container-based_slsa3.yml | 24 ++++++------ .github/workflows/builder_go_slsa3.yml | 6 +-- .github/workflows/codeql-analysis.yml | 8 ++-- .github/workflows/delegator_generic_slsa3.yml | 4 +- .../delegator_lowperms-generic_slsa3.yml | 4 +- ...ate-container_based-predicate.schedule.yml | 6 +-- .../e2e.detect-workflow-js.schedule.yml | 6 +-- .../e2e.sign-attestations.schedule.yml | 8 ++-- .../workflows/e2e.upload-folder.schedule.yml | 8 ++-- .../workflows/generator_container_slsa3.yml | 4 +- .github/workflows/generator_generic_slsa3.yml | 4 +- .github/workflows/pre-submit.actions.yml | 38 +++++++++---------- .github/workflows/pre-submit.apis.yml | 2 +- .github/workflows/pre-submit.delegators.yml | 2 +- ...pre-submit.e2e.container-based.default.yml | 2 +- .../pre-submit.e2e.generic.default.yml | 6 +-- ...-submit.e2e.go.config-ldflags-main-dir.yml | 2 +- .github/workflows/pre-submit.lint.yml | 24 ++++++------ .github/workflows/pre-submit.pr-title.yml | 2 +- .github/workflows/pre-submit.units.yml | 10 ++--- .github/workflows/release.yml | 4 +- .github/workflows/schedule.issue-reopener.yml | 4 +- .github/workflows/scorecards.yml | 6 +-- .../update-actions-dist-post-commit.yml | 6 +-- actions/gradle/publish/action.yml | 4 +- actions/maven/publish/action.yml | 2 +- internal/builders/bazel/action.yml | 2 +- internal/builders/gradle/action.yml | 4 +- internal/builders/maven/action.yml | 4 +- internal/builders/nodejs/action.yml | 2 +- 36 files changed, 110 insertions(+), 110 deletions(-) diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml index 250ea483bd..c19f7d5995 100644 
--- a/.github/actions/generate-builder/action.yml +++ b/.github/actions/generate-builder/action.yml @@ -76,7 +76,7 @@ runs: token: ${{ inputs.token }} - name: Set up Go environment - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ inputs.go-version }} diff --git a/.github/actions/secure-builder-checkout/action.yaml b/.github/actions/secure-builder-checkout/action.yaml index 576e20fb94..2ebdc3c318 100644 --- a/.github/actions/secure-builder-checkout/action.yaml +++ b/.github/actions/secure-builder-checkout/action.yaml @@ -37,7 +37,7 @@ runs: # and has an associated release. This will require exceptions # for e2e tests. - name: Checkout the repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} diff --git a/.github/actions/secure-project-checkout-go/action.yml b/.github/actions/secure-project-checkout-go/action.yml index 0a9518dc12..a76410cfa9 100644 --- a/.github/actions/secure-project-checkout-go/action.yml +++ b/.github/actions/secure-project-checkout-go/action.yml @@ -65,7 +65,7 @@ runs: fi - name: Set up Go environment - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: ${{ steps.validate.outputs.go_version }} go-version-file: ${{ steps.validate.outputs.go_version_file }} diff --git a/.github/actions/secure-project-checkout-node/action.yml b/.github/actions/secure-project-checkout-node/action.yml index a458e426a8..a1df329adc 100644 --- a/.github/actions/secure-project-checkout-node/action.yml +++ b/.github/actions/secure-project-checkout-node/action.yml 
@@ -41,6 +41,6 @@ runs: path: ${{ inputs.path }} - name: Set up Node environment - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ inputs.node-version }} diff --git a/.github/actions/secure-project-checkout/action.yaml b/.github/actions/secure-project-checkout/action.yaml index ab12781cd7..2daea036e5 100644 --- a/.github/actions/secure-project-checkout/action.yaml +++ b/.github/actions/secure-project-checkout/action.yaml @@ -40,7 +40,7 @@ runs: using: "composite" steps: - name: Checkout the repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: ${{ inputs.fetch-depth }} ref: ${{ inputs.checkout-sha1 }} diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml index 22e7d9f728..2fdd43c2b0 100644 --- a/.github/actions/secure-upload-artifact/action.yml +++ b/.github/actions/secure-upload-artifact/action.yml @@ -37,7 +37,7 @@ runs: path: "${{ inputs.path }}" - name: Upload the artifact - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ inputs.name }}" path: "${{ inputs.path }}" diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml index 6fc2fd3190..32d07cf025 100644 --- a/.github/workflows/builder_container-based_slsa3.yml +++ b/.github/workflows/builder_container-based_slsa3.yml 
@@ -209,7 +209,7 @@ jobs: allow-private-repository: ${{ inputs.rekor-log-public }} - name: Upload builder - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -228,7 +228,7 @@ jobs: runs-on: ubuntu-latest needs: [rng, detect-env, generate-builder] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Checkout builder repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: @@ -306,7 +306,7 @@ jobs: - id: auth name: Authenticate to Google Cloud if: inputs.gcp-workload-identity-provider != '' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 with: token_format: "access_token" workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }} @@ -372,7 +372,7 @@ jobs: set-executable: true - name: Checkout the source repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 1 persist-credentials: false @@ -462,7 +462,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a # secure upload or verify this against the SLSA layout file. id: upload-artifacts - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: ${{ steps.build.outputs.build-outputs-name }} path: /tmp/build-outputs-${{ needs.rng.outputs.value }} 
@@ -535,7 +535,7 @@ jobs: - name: Upload unsigned intoto attestations file for pull request if: ${{ github.event_name == 'pull_request' }} id: upload-unsigned - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "attestations-${{ needs.rng.outputs.value }}" @@ -556,7 +556,7 @@ jobs: - name: Upload the signed attestations id: upload-signed if: ${{ github.event_name != 'pull_request' }} - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" @@ -598,7 +598,7 @@ jobs: path: "${{ needs.provenance.outputs.provenance-name }}" - name: Upload provenance new tag - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0 if: startsWith(github.ref, 'refs/tags/') && inputs.upload-tag-name == '' id: release-new-tags with: @@ -609,7 +609,7 @@ jobs: draft: ${{ inputs.draft-release }} - name: Upload provenance tag name - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0 if: inputs.upload-tag-name != '' with: prerelease: ${{ inputs.prerelease }} 
@@ -633,13 +633,13 @@ jobs: SLSA_OUTPUTS_NAME: ${{ needs.build.outputs.slsa-outputs-name }} RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.BUILD_DEFINITION_NAME }}-${{ env.RNG }}" useGlob: true - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.SLSA_OUTPUTS_NAME }}-${{ env.RNG }}" - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.BUILDER_BINARY }}-${{ env.RNG }}" diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index b24a603122..f1b6e0bfa8 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -169,7 +169,7 @@ jobs: allow-private-repository: ${{ inputs.private-repository }} - name: Upload builder - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -358,7 +358,7 @@ jobs: --workingDir "$UNTRUSTED_WORKING_DIR" - name: Upload the signed provenance - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ steps.sign-prov.outputs.signed-provenance-name }}" path: "${{ steps.sign-prov.outputs.signed-provenance-name }}" 
@@ -399,7 +399,7 @@ jobs: sha256: "${{ needs.provenance.outputs.go-provenance-sha256 }}" - name: Upload provenance - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0 with: tag_name: ${{ inputs.upload-tag-name }} prerelease: ${{ inputs.prerelease }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3c2f537533..5d7da2596e 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -55,11 +55,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/init@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -72,7 +72,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/autobuild@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 # Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun 
@@ -85,7 +85,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/analyze@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 # NOTE: Checks that the matrix job above completes successfully. # This is necessary because the matrix strategy generates new jobs with diff --git a/.github/workflows/delegator_generic_slsa3.yml b/.github/workflows/delegator_generic_slsa3.yml index 3935e2ca0b..e225aa52b1 100644 --- a/.github/workflows/delegator_generic_slsa3.yml +++ b/.github/workflows/delegator_generic_slsa3.yml @@ -294,9 +294,9 @@ jobs: env: RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.RNG }}-${{ env.SLSA_PREDICATE_FILE }}" - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.RNG }}-${{ env.SLSA_ARTIFACTS_FILE }}" diff --git a/.github/workflows/delegator_lowperms-generic_slsa3.yml b/.github/workflows/delegator_lowperms-generic_slsa3.yml index bfee2d7e95..dee83b5d93 100644 --- a/.github/workflows/delegator_lowperms-generic_slsa3.yml +++ b/.github/workflows/delegator_lowperms-generic_slsa3.yml 
@@ -297,9 +297,9 @@ jobs: env: RNG: ${{ needs.rng.outputs.value }} steps: - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.RNG }}-${{ env.SLSA_PREDICATE_FILE }}" - - uses: geekyeggo/delete-artifact@24928e75e6e6590170563b8ddae9fac674508aa1 # v5.0.0 + - uses: geekyeggo/delete-artifact@f275313e70c08f6120db482d7a6b98377786765b # v5.1.0 with: name: "${{ env.RNG }}-${{ env.SLSA_ARTIFACTS_FILE }}" diff --git a/.github/workflows/e2e.create-container_based-predicate.schedule.yml b/.github/workflows/e2e.create-container_based-predicate.schedule.yml index cf98d6c223..df19967065 100644 --- a/.github/workflows/e2e.create-container_based-predicate.schedule.yml +++ b/.github/workflows/e2e.create-container_based-predicate.schedule.yml @@ -39,7 +39,7 @@ jobs: permissions: id-token: write # Needed to detect the current reusable repository and ref. steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Detect the builder ref id: detect uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main @@ -71,7 +71,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -85,7 +85,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.detect-workflow-js.schedule.yml b/.github/workflows/e2e.detect-workflow-js.schedule.yml index cb803f447c..f440f52842 100644 
--- a/.github/workflows/e2e.detect-workflow-js.schedule.yml +++ b/.github/workflows/e2e.detect-workflow-js.schedule.yml @@ -33,7 +33,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: detect uses: ./.github/actions/detect-workflow-js - id: verify @@ -70,7 +70,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -84,7 +84,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml index b3d279e770..946e74538a 100644 --- a/.github/workflows/e2e.sign-attestations.schedule.yml +++ b/.github/workflows/e2e.sign-attestations.schedule.yml @@ -33,14 +33,14 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - id: setup uses: ./.github/actions/sign-attestations with: attestations: .github/actions/sign-attestations/testdata/attestations output-folder: outputs - name: Setup node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4 with: node-version: 20 - name: install sigstore-js 
@@ -62,7 +62,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -76,7 +76,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.upload-folder.schedule.yml b/.github/workflows/e2e.upload-folder.schedule.yml index cce2a8847e..382b1ba23d 100644 --- a/.github/workflows/e2e.upload-folder.schedule.yml +++ b/.github/workflows/e2e.upload-folder.schedule.yml @@ -37,7 +37,7 @@ jobs: sha256: ${{ steps.upload.outputs.sha256 }} sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Create folder run: | set -euo pipefail @@ -100,7 +100,7 @@ jobs: needs: [secure-upload-folder] runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Download in new folder uses: ./.github/actions/secure-download-folder @@ -180,7 +180,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main 
@@ -194,7 +194,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml index 5ef7bcb1a3..348ee0d459 100644 --- a/.github/workflows/generator_container_slsa3.yml +++ b/.github/workflows/generator_container_slsa3.yml @@ -158,14 +158,14 @@ jobs: - id: auth name: Authenticate to Google Cloud if: inputs.gcp-workload-identity-provider != '' - uses: google-github-actions/auth@71fee32a0bb7e97b4d33d548e7d957010649d8fa # v2.1.3 + uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 with: token_format: "access_token" workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }} service_account: ${{ inputs.gcp-service-account }} - id: cosign-install - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0 + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 with: cosign-release: v2.2.3 continue-on-error: true diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index 3b3d58fb17..32a5e9322f 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml @@ -239,7 +239,7 @@ jobs: - name: Upload the signed provenance id: upload-prov continue-on-error: true - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: "${{ steps.sign-prov.outputs.provenance-name }}" path: "${{ steps.sign-prov.outputs.provenance-name }}" 
@@ -285,7 +285,7 @@ jobs: sha256: "${{ needs.generator.outputs.provenance-sha256 }}" - name: Upload provenance - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 + uses: softprops/action-gh-release@7b4da11513bf3f43f9999e90eabced41ab8bb048 # v2.2.0 id: release with: draft: ${{ inputs.draft-release }} diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index 6ead6c089f..eba9f47fc2 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -27,13 +27,13 @@ jobs: name: verify no checkout in Actions runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh check-tscommon-tarball: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Untar the package tarball working-directory: .github/actions/tscommon @@ -75,10 +75,10 @@ jobs: - .github/actions/verify-token - .github/actions/detect-workflow-js steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set Node.js 18 - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 18 @@ -98,7 +98,7 @@ jobs: fi # If index.js was different from expected, upload the expected version as an artifact - - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist 
@@ -121,7 +121,7 @@ jobs: compute-sha256: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | echo "foo" > artifact - id: compute-sha256 @@ -136,7 +136,7 @@ jobs: rng: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | echo "foo" > artifact - id: rng @@ -150,10 +150,10 @@ jobs: references: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __THIS_REPO__ - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -176,7 +176,7 @@ jobs: secure-project-checkout-go: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -189,7 +189,7 @@ jobs: secure-project-checkout-node: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -209,7 +209,7 @@ jobs: UPLOAD_FOLDER_NO_ROOT_NAME: "upload-root/upload-folder" DOWNLOAD_FOLDER_NO_ROOT_NAME: "download-root/download-folder" steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Create folder run: | set -euo pipefail 
@@ -366,7 +366,7 @@ jobs: secure-download-artifact: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -393,7 +393,7 @@ jobs: secure-download-artifact-builder-name: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -426,7 +426,7 @@ jobs: secure-download-artifact-builder-repo-folder: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -460,7 +460,7 @@ jobs: secure-download-artifact-builder-repo-file: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __BUILDER_CHECKOUT_DIR__ @@ -494,7 +494,7 @@ jobs: generate-builder-generic-compile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: ./.github/actions/generate-builder with: repository: "slsa-framework/slsa-github-generator" @@ -508,7 +508,7 @@ jobs: generate-builder-generic-no-compile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Detect the builder ref id: detect uses: ./.github/actions/detect-workflow-js 
@@ -526,7 +526,7 @@ jobs: generate-attestations: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Test generate attestations id: generate uses: ./.github/actions/generate-attestations diff --git a/.github/workflows/pre-submit.apis.yml b/.github/workflows/pre-submit.apis.yml index f97a3c3899..f67be755fc 100644 --- a/.github/workflows/pre-submit.apis.yml +++ b/.github/workflows/pre-submit.apis.yml @@ -31,6 +31,6 @@ jobs: name: verify safe APIs runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Check safe file systems APIs run: ./.github/workflows/scripts/pre-submit.apis/verify-safefs.sh diff --git a/.github/workflows/pre-submit.delegators.yml b/.github/workflows/pre-submit.delegators.yml index bfe1c4f075..07b6d2818b 100644 --- a/.github/workflows/pre-submit.delegators.yml +++ b/.github/workflows/pre-submit.delegators.yml @@ -27,6 +27,6 @@ jobs: name: verify identical delegators runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Compare diff between the delegator workflows run: ./.github/workflows/scripts/pre-submit.delegators/compare-diff.sh diff --git a/.github/workflows/pre-submit.e2e.container-based.default.yml b/.github/workflows/pre-submit.e2e.container-based.default.yml index 699a17b28b..5dc9d90c73 100644 --- a/.github/workflows/pre-submit.e2e.container-based.default.yml +++ b/.github/workflows/pre-submit.e2e.container-based.default.yml 
@@ -45,7 +45,7 @@ jobs: HEAD_SHA: ${{ github.event.pull_request.head.sha }} GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build-container-based.outputs.build-outputs-name }} diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml index b2c10a899c..f140535513 100644 --- a/.github/workflows/pre-submit.e2e.generic.default.yml +++ b/.github/workflows/pre-submit.e2e.generic.default.yml @@ -47,7 +47,7 @@ jobs: needs: [build] if: ${{ always() }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build.outputs.provenance-name }} @@ -77,7 +77,7 @@ jobs: runs-on: ubuntu-latest needs: [build-continue-no-error] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build-continue-no-error.outputs.provenance-name }} @@ -108,7 +108,7 @@ jobs: runs-on: ubuntu-latest needs: [build, build-continue-invalid-subjects] steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build.outputs.provenance-name }} 
diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml index 904c028df5..31cafd407d 100644 --- a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml +++ b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml @@ -64,7 +64,7 @@ jobs: needs: [build] if: ${{ always() }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: ${{ needs.build.outputs.go-binary-name }} diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index 76eca508ae..5a5e397879 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -31,8 +31,8 @@ jobs: formatting: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version: "1.22.3" - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2 @@ -73,8 +73,8 @@ jobs: markdownlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - run: make markdownlint 
@@ -82,8 +82,8 @@ jobs: golangci-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version-file: "go.mod" - env: @@ -106,7 +106,7 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: shellcheck env: SHELLCHECK_VERSION: "0.10.0" @@ -146,7 +146,7 @@ jobs: yamllint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | set -euo pipefail @@ -159,8 +159,8 @@ jobs: eslint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - run: make eslint @@ -168,8 +168,8 @@ jobs: renovate-config-validator: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - run: make renovate-config-validator diff --git a/.github/workflows/pre-submit.pr-title.yml b/.github/workflows/pre-submit.pr-title.yml index 5e29b17658..589ae366be 100644 --- a/.github/workflows/pre-submit.pr-title.yml 
+++ b/.github/workflows/pre-submit.pr-title.yml @@ -26,7 +26,7 @@ jobs: name: Validate PR Title runs-on: ubuntu-latest steps: - - uses: thehanimo/pr-title-checker@1d8cd483a2b73118406a187f54dca8a9415f1375 # v1.4.2 + - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration_path: ".github/pr-title-checker-config.json" diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml index 049b39ea17..a018fbe6d6 100644 --- a/.github/workflows/pre-submit.units.yml +++ b/.github/workflows/pre-submit.units.yml @@ -35,15 +35,15 @@ jobs: if: ${{ always() }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: setup-go - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 with: go-version-file: "go.mod" - name: Set Node.js 16 - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 16 @@ -58,12 +58,12 @@ jobs: if: ${{ always() }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: generator - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: verifier repository: slsa-framework/slsa-verifier diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index dd3ccfc980..4e4b5fcce7 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -34,10 +34,10 @@ jobs: name: pre release refs verification runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __THIS_REPO__ - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/schedule.issue-reopener.yml b/.github/workflows/schedule.issue-reopener.yml index c47edfe355..c68a38c99b 100644 --- a/.github/workflows/schedule.issue-reopener.yml +++ b/.github/workflows/schedule.issue-reopener.yml @@ -27,6 +27,6 @@ jobs: permissions: issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Issue Reopener - uses: ianlewis/todo-issue-reopener@339a05bfcc934adf6aa425b968a2d2f2af4f12ad # v1.2.1 + uses: ianlewis/todo-issue-reopener@1a99cfd93fb95eb4f212a1ebaf3e9ef8ba4c46f8 # v1.4.0 diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 627da1a154..dc47550615 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -39,7 +39,7 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false @@ -63,7 +63,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif 
@@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15 + uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9 with: sarif_file: results.sarif diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml index c5debf276c..b64909ad22 100644 --- a/.github/workflows/update-actions-dist-post-commit.yml +++ b/.github/workflows/update-actions-dist-post-commit.yml @@ -46,7 +46,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ github.repository }} persist-credentials: false @@ -75,7 +75,7 @@ jobs: [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT" - name: upload - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: changes.patch path: changes.patch @@ -90,7 +90,7 @@ jobs: contents: write steps: - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: checkout-pr env: GH_TOKEN: ${{ github.token }} diff --git a/actions/gradle/publish/action.yml b/actions/gradle/publish/action.yml index 842b5d4532..a3cc41ea03 100644 --- a/actions/gradle/publish/action.yml +++ b/actions/gradle/publish/action.yml 
@@ -50,9 +50,9 @@ inputs: runs: using: "composite" steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 env: MAVEN_USERNAME: ${{ inputs.maven-username }} MAVEN_PASSWORD: ${{ inputs.maven-password }} diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 34775f3fb0..6ce598c7d5 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -47,7 +47,7 @@ runs: - name: Checkout the project repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources. - name: Set up Java for publishing to Maven Central Repository - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 env: MAVEN_USERNAME: ${{ inputs.maven-username }} MAVEN_PASSWORD: ${{ inputs.maven-password }} diff --git a/internal/builders/bazel/action.yml b/internal/builders/bazel/action.yml index d5388162f5..ad53f1f6bc 100644 --- a/internal/builders/bazel/action.yml +++ b/internal/builders/bazel/action.yml @@ -53,7 +53,7 @@ runs: - name: Setup Java id: java - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-distribution }}" java-version: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-version }}" diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml index 52674ae484..756e1e20ce 100644 --- a/internal/builders/gradle/action.yml +++ b/internal/builders/gradle/action.yml 
@@ -56,9 +56,9 @@ on: runs: using: "composite" steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 5aafd4f22b..9ee7012dd2 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -56,9 +56,9 @@ on: runs: using: "composite" steps: - - uses: actions/checkout@9a9194f87191a7e9055e3e9b95b8cfb13023bb08 # v 3.5.2 + - uses: actions/checkout@cbb722410c2e876e24abbe8de2cc27693e501dcb # v 3.5.2 - name: Set up JDK - uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1 + uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4.5.0 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} diff --git a/internal/builders/nodejs/action.yml b/internal/builders/nodejs/action.yml index f7bfd7564d..de5f72a1d6 100644 --- a/internal/builders/nodejs/action.yml +++ b/internal/builders/nodejs/action.yml @@ -65,7 +65,7 @@ runs: # checkout ourselves. - name: Setup Node - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: ${{ fromJson(inputs.slsa-workflow-inputs).node-version }} node-version-file: ${{ fromJson(inputs.slsa-workflow-inputs).node-version-file }} From 491ff0a601aedcb13a7e6c45335bc7f6c9ec2dc7 Mon Sep 17 00:00:00 2001 
From: Mend Renovate
Date: Fri, 13 Dec 2024 12:24:22 +0100
Subject: [PATCH 2/2] chore(deps): update dependency org.apache.maven.plugins:maven-plugin-plugin to v3.15.1 (#3821)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [org.apache.maven.plugins:maven-plugin-plugin](https://maven.apache.org/plugin-tools) | `3.6.0` -> `3.15.1` | [![age](https://developer.mend.io/api/mc/badges/age/maven/org.apache.maven.plugins:maven-plugin-plugin/3.15.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/maven/org.apache.maven.plugins:maven-plugin-plugin/3.15.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/maven/org.apache.maven.plugins:maven-plugin-plugin/3.6.0/3.15.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/maven/org.apache.maven.plugins:maven-plugin-plugin/3.6.0/3.15.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-github-generator).
Signed-off-by: Mend Renovate --- actions/maven/publish/slsa-hashing-plugin/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/actions/maven/publish/slsa-hashing-plugin/pom.xml b/actions/maven/publish/slsa-hashing-plugin/pom.xml index 2746d79345..feef30fe5f 100644 --- a/actions/maven/publish/slsa-hashing-plugin/pom.xml +++ b/actions/maven/publish/slsa-hashing-plugin/pom.xml @@ -48,7 +48,7 @@ org.apache.maven.plugins maven-plugin-plugin - 3.6.0 + 3.15.1 true
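Review bot: In .github/workflows/e2e.sign-attestations.schedule.yml (hunk @@ -33,14 +33,14 @@, step "Setup node"), the new pin `actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af` carries the comment `# v4`, while the same digest is annotated `# v4.1.0` in every other workflow this patch touches. Suggest changing the comment to `# v4.1.0` so the version behind the digest can be read off the line and matches the rest of the repository.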
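Review bot: In .github/workflows/generator_container_slsa3.yml (hunk @@ -158,14 +158,14 @@, step `cosign-install`), `sigstore/cosign-installer` moves to v3.7.0 while `cosign-release: v2.2.3` stays fixed and the step keeps `continue-on-error: true`, so an install failure under the new installer would not fail the job at this step. Please confirm from a test run that `cosign-install` succeeds with this installer and release pairing, unless a later step already checks its outcome. The `google-github-actions/auth` bump in the same hunk handles the workload identity exchange, so that run should exercise the authenticated path too.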
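Review bot: In .github/workflows/pre-submit.lint.yml (hunk @@ -31,8 +31,8 @@, job `formatting`), the context line `actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2` is left on the v3 major while the `markdownlint`, `eslint` and `renovate-config-validator` jobs in the same file move to `# v4.1.0`. If the v3 pin is intentional, add a comment on that step saying why; otherwise align it with the `39370e3970a6d050c480ffad4ff0ed4d3fdee5af` pin used elsewhere so the file does not run two majors of the same action.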
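Review bot: In internal/builders/maven/action.yml (hunk @@ -56,9 +56,9 @@), the checkout pin changes to `cbb722410c2e876e24abbe8de2cc27693e501dcb` but the comment stays `# v 3.5.2`, whereas every other `actions/checkout` reference in this patch, including the sibling Gradle builder, moves to `11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2`. The update table lists this one as a digest-only change, so the Maven builder ends up on a different commit from the rest of the repository with a comment that does not identify it. Suggest pinning this step to the same v4.2.2 digest, or at least correcting the comment to the version the new digest actually corresponds to.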
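Review bot: In actions/maven/publish/slsa-hashing-plugin/pom.xml (hunk @@ -48,7 +48,7 @@), `maven-plugin-plugin` jumps from 3.6.0 to 3.15.1 in one step, and the commit message carries no release notes or build result for the versions in between. Because this plugin is part of the build of the slsa-hashing-plugin module used by the Maven publish action, please attach a successful build of that module against 3.15.1 before merging; the PR text itself says automerge is disabled and the merge is manual.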