From 190fddac0ef7fcc481d43c2c2fa714031f34c700 Mon Sep 17 00:00:00 2001
From: Mend Renovate
Date: Wed, 4 Dec 2024 19:00:06 +0100
Subject: [PATCH] chore(deps): update github-actions (#817)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | minor | `v4.1.7` -> `v4.2.2` |
| [actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action) | action | minor | `v4.3.3` -> `v4.5.0` |
| [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | patch | `v4.1.7` -> `v4.1.8` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.0.2` -> `v5.1.0` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.0.1` -> `v5.1.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | minor | `v4.0.2` -> `v4.1.0` |
| [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.3.3` -> `v4.4.3` |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.25.11` -> `v3.27.6` |
| [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` |
| [slsa-framework/slsa-verifier](https://redirect.github.com/slsa-framework/slsa-verifier) | action | minor | `v2.5.1` -> `v2.6.0` |
| [thehanimo/pr-title-checker](https://redirect.github.com/thehanimo/pr-title-checker) | action | patch | `v1.4.2` -> `v1.4.3` |

---

### Release Notes
**actions/checkout (actions/checkout)**

### [`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2)

- `url-helper.ts` now leverages well-known environment variables by [@jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1941](https://redirect.github.com/actions/checkout/pull/1941)
- Expand unit test coverage for `isGhes` by [@jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1946](https://redirect.github.com/actions/checkout/pull/1946)

### [`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1)

- Check out other `refs/*` by commit if provided, fall back to ref by [@orhantoy](https://redirect.github.com/orhantoy) in [https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924)

### [`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420)

[Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0)

- Add Ref and Commit outputs by [@lucacome](https://redirect.github.com/lucacome) in [https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180)
- Dependency updates by [@dependabot](https://redirect.github.com/dependabot-) in [https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777), [https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872)
**actions/dependency-review-action (actions/dependency-review-action)**

### [`v4.5.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.5.0)

[Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.4.0...v4.5.0)

#### What's Changed

- Bump got from 14.4.2 to 14.4.3 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/844](https://redirect.github.com/actions/dependency-review-action/pull/844)
- Bump nodemon from 3.1.0 to 3.1.7 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/847](https://redirect.github.com/actions/dependency-review-action/pull/847)
- Bump [@vercel/ncc](https://redirect.github.com/vercel/ncc) from 0.38.1 to 0.38.3 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/849](https://redirect.github.com/actions/dependency-review-action/pull/849)
- Overriding the cross-spawn dependency to use a safe version by [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/850](https://redirect.github.com/actions/dependency-review-action/pull/850)
- fix: add summary comment on failure when warn-only: true by [@ebickle](https://redirect.github.com/ebickle) in [https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827)
- Prepare for 4.5.0 release by [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/851](https://redirect.github.com/actions/dependency-review-action/pull/851)

#### New Contributors

- [@ebickle](https://redirect.github.com/ebickle) made their first contribution in [https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827)

**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4...v4.5.0

### [`v4.4.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.4.0)

[Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0)

#### What's Changed

- Fix for merge_group event bug by [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/846](https://redirect.github.com/actions/dependency-review-action/pull/846)

**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0

### [`v4.3.5`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.5)

[Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5)

#### What's Changed

- fix: getRefs function to handle merge_group events by [@louis-bompart](https://redirect.github.com/louis-bompart) in [https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766)
- Create pull_request_template.md by [@jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/794](https://redirect.github.com/actions/dependency-review-action/pull/794)
- Update CONTRIBUTING.md by [@jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/793](https://redirect.github.com/actions/dependency-review-action/pull/793)
- Bump [@types/node](https://redirect.github.com/types/node) from 20.11.28 to 20.16.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/815](https://redirect.github.com/actions/dependency-review-action/pull/815)
- Upgrade transitive micromatch library by [@elireisman](https://redirect.github.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/829](https://redirect.github.com/actions/dependency-review-action/pull/829)
- Do not list changed dependencies in summary by [@hmaurer](https://redirect.github.com/hmaurer) in [https://github.com/actions/dependency-review-action/pull/828](https://redirect.github.com/actions/dependency-review-action/pull/828)
- Update stale.yaml by [@jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/832](https://redirect.github.com/actions/dependency-review-action/pull/832)
- Bump got from 14.4.1 to 14.4.2 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/822](https://redirect.github.com/actions/dependency-review-action/pull/822)
- Bump eslint-plugin-jest and ts-jest by [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840)

#### New Contributors

- [@louis-bompart](https://redirect.github.com/louis-bompart) made their first contribution in [https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766)
- [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) made their first contribution in [https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840)

**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5

### [`v4.3.4`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.4)

[Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4)

#### What's Changed

- Include all added dependencies in scorecard entries by [@elireisman](https://redirect.github.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/783](https://redirect.github.com/actions/dependency-review-action/pull/783)
- Update SPDX Expression Parsing by [@febuiles](https://redirect.github.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/719](https://redirect.github.com/actions/dependency-review-action/pull/719)
  - This PR is a significant refactor of SPDX expression parsing that *may* fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version.

**Full Changelog**: https://github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4
**actions/download-artifact (actions/download-artifact)**

### [`v4.1.8`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.8)

[Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.7...v4.1.8)

#### What's Changed

- Update [@actions/artifact](https://redirect.github.com/actions/artifact) version, bump dependencies by [@robherley](https://redirect.github.com/robherley) in [https://github.com/actions/download-artifact/pull/341](https://redirect.github.com/actions/download-artifact/pull/341)

**Full Changelog**: https://github.com/actions/download-artifact/compare/v4...v4.1.8
**actions/setup-go (actions/setup-go)**

### [`v5.1.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.1.0)

[Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.0.2...v5.1.0)

##### What's Changed

- Add workflow file for publishing releases to immutable action package by [@Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- Upgrade IA Publish by [@Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-go/pull/502](https://redirect.github.com/actions/setup-go/pull/502)
- Add architecture to cache key by [@Zxilly](https://redirect.github.com/Zxilly) in [https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)

  This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts.

  Note: This change may break previous cache keys as they will no longer be compatible with the new format.

- Enhance workflows and Upgrade micromatch Dependency by [@priyagupta108](https://redirect.github.com/priyagupta108) in [https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Bug Fixes**

- Revise `isGhes` logic by [@jww3](https://redirect.github.com/jww3) in [https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)

##### New Contributors

- [@Zxilly](https://redirect.github.com/Zxilly) made their first contribution in [https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
- [@Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- [@jww3](https://redirect.github.com/jww3) made their first contribution in [https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)
- [@priyagupta108](https://redirect.github.com/priyagupta108) made their first contribution in [https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Full Changelog**: https://github.com/actions/setup-go/compare/v5...v5.1.0
**actions/setup-node (actions/setup-node)**

### [`v4.1.0`](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

### [`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

### [`v4.0.3`](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3)

[Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3)
**actions/upload-artifact (actions/upload-artifact)**

### [`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3)

##### What's Changed

- Undo indirect dependency updates from [#627](https://redirect.github.com/actions/upload-artifact/issues/627) by [@joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632)

**Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3

### [`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2)

##### What's Changed

- Bump `@actions/artifact` to 2.1.11 by [@robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627)
  - Includes fix for relative symlinks not resolving properly

**Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2

### [`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1)

##### What's Changed

- Add a section about hidden files by [@joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607)
- Add workflow file for publishing releases to immutable action package by [@Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)
- Update [@actions/artifact](https://redirect.github.com/actions/artifact) to latest version, includes symlink and timeout fixes by [@robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625)

##### New Contributors

- [@Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)

**Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1

### [`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

### [`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

### [`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

### [`v4.3.4`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.4)

[Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4)

##### What's Changed

- Update [@actions/artifact](https://redirect.github.com/actions/artifact) version, bump dependencies by [@robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/584](https://redirect.github.com/actions/upload-artifact/pull/584)

**Full Changelog**: https://github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4
**github/codeql-action (github/codeql-action)**

### [`v3.27.6`](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

### [`v3.27.5`](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

### [`v3.27.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.3...v3.27.4)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.4 - 14 Nov 2024

No user facing changes.

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md) for more information.

### [`v3.27.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.2...v3.27.3)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.3 - 12 Nov 2024

No user facing changes.

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md) for more information.

### [`v3.27.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.1...v3.27.2)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.2 - 12 Nov 2024

- Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". [#2590](https://redirect.github.com/github/codeql-action/pull/2590)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md) for more information.

### [`v3.27.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.0...v3.27.1)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.1 - 08 Nov 2024

- The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. [#2573](https://redirect.github.com/github/codeql-action/pull/2573)
- Update default CodeQL bundle version to 2.19.3. [#2576](https://redirect.github.com/github/codeql-action/pull/2576)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.1/CHANGELOG.md) for more information.

### [`v3.27.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.13...v3.27.0)

##### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

##### 3.27.0 - 22 Oct 2024

- Bump the minimum CodeQL bundle version to 2.14.6. [#2549](https://redirect.github.com/github/codeql-action/pull/2549)
- Fix an issue where the `upload-sarif` Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the `upload-sarif` Action. [#2557](https://redirect.github.com/github/codeql-action/pull/2557)
- Update default CodeQL bundle version to 2.19.2. [#2552](https://redirect.github.com/github/codeql-action/pull/2552)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.0/CHANGELOG.md) for more information.

### [`v3.26.13`](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

### [`v3.26.12`](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

### [`v3.26.11`](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

### [`v3.26.10`](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

### [`v3.26.9`](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

### [`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

### [`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

### [`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

### [`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

### [`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

### [`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

### [`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

### [`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

### [`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

### [`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

### [`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

### [`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

### [`v3.25.12`](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12)
**ossf/scorecard-action (ossf/scorecard-action)**

### [`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0).

Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.

- :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- :bug: lower license sarif alert threshold to 9 by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by [@jkowalleck](https://redirect.github.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@jkowalleck](https://redirect.github.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

**Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0
**slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)**

### [`v2.6.0`](https://redirect.github.com/slsa-framework/slsa-verifier/releases/tag/v2.6.0)

[Compare Source](https://redirect.github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0)

#### What's Changed

- chore: Update doc and digests for v2.5.1 by [@laurentsimon](https://redirect.github.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/748](https://redirect.github.com/slsa-framework/slsa-verifier/pull/748)
- fix(deps): update module google.golang.org/protobuf to v1.33.0 [security] by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/743](https://redirect.github.com/slsa-framework/slsa-verifier/pull/743)
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/718](https://redirect.github.com/slsa-framework/slsa-verifier/pull/718)
- chore: Update [@actions/github](https://redirect.github.com/actions/github) v6 by [@laurentsimon](https://redirect.github.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/749](https://redirect.github.com/slsa-framework/slsa-verifier/pull/749)
- fix: use sigstore/pkg/fulcioroots to lessen deps by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/746](https://redirect.github.com/slsa-framework/slsa-verifier/pull/746)
- feat: add ramonpetgrave64 as CODEOWNER by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/750](https://redirect.github.com/slsa-framework/slsa-verifier/pull/750)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`1a8ece8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/1a8ece8) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/701](https://redirect.github.com/slsa-framework/slsa-verifier/pull/701)
- chore(deps): update github-actions (major) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/719](https://redirect.github.com/slsa-framework/slsa-verifier/pull/719)
- fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/751](https://redirect.github.com/slsa-framework/slsa-verifier/pull/751)
- chore(deps): update npm dev (major) by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/753](https://redirect.github.com/slsa-framework/slsa-verifier/pull/753)
- fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/752](https://redirect.github.com/slsa-framework/slsa-verifier/pull/752)
- feat: fixes [#547](https://redirect.github.com/slsa-framework/slsa-verifier/issues/547): add npm sigstore-tuf support by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/731](https://redirect.github.com/slsa-framework/slsa-verifier/pull/731)
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/723](https://redirect.github.com/slsa-framework/slsa-verifier/pull/723)
- chore(deps): update golang:1.21 docker digest to [`81811f8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/81811f8) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/693](https://redirect.github.com/slsa-framework/slsa-verifier/pull/693)
- chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/758](https://redirect.github.com/slsa-framework/slsa-verifier/pull/758)
- chore(deps): update golang:1.21 docker digest to [`d83472f`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/d83472f) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/764](https://redirect.github.com/slsa-framework/slsa-verifier/pull/764)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`53745e9`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/53745e9) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/763](https://redirect.github.com/slsa-framework/slsa-verifier/pull/763)
- feat: workflow to update actions dist by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/760](https://redirect.github.com/slsa-framework/slsa-verifier/pull/760)
- fix(deps): update dependency [@actions/core](https://redirect.github.com/actions/core) to v1.10.1 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/717](https://redirect.github.com/slsa-framework/slsa-verifier/pull/717)
- chore: fix pr-title-checker by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/770](https://redirect.github.com/slsa-framework/slsa-verifier/pull/770)
- chore: Update Renovate config by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/769](https://redirect.github.com/slsa-framework/slsa-verifier/pull/769)
- fix: use pr_number as env variable by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/771](https://redirect.github.com/slsa-framework/slsa-verifier/pull/771)
- fix: signoff commit by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/767](https://redirect.github.com/slsa-framework/slsa-verifier/pull/767)
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/781](https://redirect.github.com/slsa-framework/slsa-verifier/pull/781)
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/782](https://redirect.github.com/slsa-framework/slsa-verifier/pull/782)
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/779](https://redirect.github.com/slsa-framework/slsa-verifier/pull/779)
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/780](https://redirect.github.com/slsa-framework/slsa-verifier/pull/780)
- chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/784](https://redirect.github.com/slsa-framework/slsa-verifier/pull/784)
- fix(deps): update golang.org/x/exp digest to
[`7f521ea`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/7f521ea) by [@​renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/775](https://redirect.github.com/slsa-framework/slsa-verifier/pull/775) - fix: make download-artifacts.sh more flexible by [@​ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/761](https://redirect.github.com/slsa-framework/slsa-verifier/pull/761) - chore(deps): update golang:1.21 docker digest to [`b405b62`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/b405b62) by [@​renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/774](https://redirect.github.com/slsa-framework/slsa-verifier/pull/774) - chore(deps): update npm dev by [@​renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/650](https://redirect.github.com/slsa-framework/slsa-verifier/pull/650) - fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by [@​renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/787](https://redirect.github.com/slsa-framework/slsa-verifier/pull/787) - chore(deps): update github-actions by [@​renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/786](https://redirect.github.com/slsa-framework/slsa-verifier/pull/786) - feat: vsa support by [@​ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/777](https://redirect.github.com/slsa-framework/slsa-verifier/pull/777) - fix: use tag for the builder in the release workflow by [@​ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in 
[https://github.com/slsa-framework/slsa-verifier/pull/788](https://redirect.github.com/slsa-framework/slsa-verifier/pull/788) **Full Changelog**: https://github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0
thehanimo/pr-title-checker (thehanimo/pr-title-checker)

### [`v1.4.3`](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

[Compare Source](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)
---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

---
 .github/workflows/codeql-analysis.yml             | 10 +++++-----
 .github/workflows/depsreview.yml                  |  4 ++--
 .github/workflows/e2e.schedule.cli.yml            |  4 ++--
 .github/workflows/e2e.schedule.installer.yml      | 10 +++++-----
 .github/workflows/pr-title.yml                    |  2 +-
 .github/workflows/pre-submit.actions.yml          |  6 +++---
 .github/workflows/pre-submit.cli.yml              |  6 +++---
 .github/workflows/pre-submit.e2e.yml              |  6 +++---
 .github/workflows/pre-submit.lfs.yml              |  2 +-
 .github/workflows/pre-submit.lint.yml             | 14 +++++++-------
 .github/workflows/pre-submit.references.yml       |  2 +-
 .github/workflows/release.yml                     |  8 ++++----
 .github/workflows/scorecards.yml                  |  8 ++++----
 .../workflows/update-actions-dist-post-commit.yml |  8 ++++----
 14 files changed, 45 insertions(+), 45 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index adf95ca..1d424b7 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -40,11 +40,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 # TODO(#740): Workaround for go1.21 compatibility. Remove when GHA runners have Go 1.21+. - name: setup-go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version-file: "go.mod" # not needed but gets rid of warnings @@ -52,7 +52,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -63,7 +63,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 # Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -76,4 +76,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml index 5721218..6d7e446 100644 --- a/.github/workflows/depsreview.yml +++ b/.github/workflows/depsreview.yml 
@@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: 'Dependency Review' - uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 + uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0 diff --git a/.github/workflows/e2e.schedule.cli.yml b/.github/workflows/e2e.schedule.cli.yml index 5f174d8..fbdb230 100644 --- a/.github/workflows/e2e.schedule.cli.yml +++ b/.github/workflows/e2e.schedule.cli.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest # See https://github.com/orgs/community/discussions/26238. steps: - - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: event_name - name: Check event name @@ -28,7 +28,7 @@ jobs: ctned="true" fi echo "continue=$ctned" >> $GITHUB_OUTPUT - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 if: steps.name.outputs.continue == 'true' with: ref: main diff --git a/.github/workflows/e2e.schedule.installer.yml b/.github/workflows/e2e.schedule.installer.yml index 5a12cd8..406f9f6 100644 --- a/.github/workflows/e2e.schedule.installer.yml +++ b/.github/workflows/e2e.schedule.installer.yml 
@@ -27,14 +27,14 @@ jobs: version: ${{ steps.generate-versions.outputs.version }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: # NOTE: the example-package needs to be checked out in the default workspace. repository: slsa-framework/example-package ref: main - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __THIS_REPO__ @@ -77,7 +77,7 @@ jobs: - name: Checkout this repository # Skip release candidates unless specified explicitly. if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ matrix.version }} @@ -196,7 +196,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -210,7 +210,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml index 3464adf..d576ffc 100644 --- a/.github/workflows/pr-title.yml +++ b/.github/workflows/pr-title.yml 
@@ -10,7 +10,7 @@ jobs: validate: runs-on: ubuntu-latest steps: - - uses: thehanimo/pr-title-checker@1d8cd483a2b73118406a187f54dca8a9415f1375 # v1.4.2 + - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3 with: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration_path: ".github/pr-title-checker-config.json" diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index 0e1eca1..887c207 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -11,10 +11,10 @@ jobs: check-dist: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Set Node.js 20 - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 @@ -34,7 +34,7 @@ jobs: fi # If index.js was different from expected, upload the expected version as an artifact - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist diff --git a/.github/workflows/pre-submit.cli.yml b/.github/workflows/pre-submit.cli.yml index 4fa79d8..89b8e5e 100644 --- a/.github/workflows/pre-submit.cli.yml +++ b/.github/workflows/pre-submit.cli.yml 
@@ -15,10 +15,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: setup-go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version-file: "go.mod" # not needed but gets rid of warnings @@ -30,7 +30,7 @@ jobs: run: | echo "$EVENT_NAME" > ./event_name.txt - - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: event_name path: ./event_name.txt diff --git a/.github/workflows/pre-submit.e2e.yml b/.github/workflows/pre-submit.e2e.yml index ec1e046..3e9705d 100644 --- a/.github/workflows/pre-submit.e2e.yml +++ b/.github/workflows/pre-submit.e2e.yml @@ -11,12 +11,12 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __THIS_REPO__ - name: setup-go - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1 + uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version-file: "__THIS_REPO__/go.mod" # not needed but gets rid of warnings @@ -29,7 +29,7 @@ jobs: go build -o slsa-verifier ./cli/slsa-verifier - name: Checkout e2e verification script - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: path: __EXAMPLE_PACKAGE__ repository: slsa-framework/example-package diff --git a/.github/workflows/pre-submit.lfs.yml b/.github/workflows/pre-submit.lfs.yml index b0e45b5..43277bc 100644 --- a/.github/workflows/pre-submit.lfs.yml +++ b/.github/workflows/pre-submit.lfs.yml 
@@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - uses: actionsdesk/lfs-warning@4b98a8a5e6c429c23c34eee02d71553bca216425 # v3.3 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index 4b84ba1..6b60cab 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -10,8 +10,8 @@ jobs: golangci-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 with: go-version-file: "go.mod" # not needed but gets rid of warnings @@ -27,7 +27,7 @@ jobs: yamllint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - run: | set -euo pipefail @@ -40,8 +40,8 @@ jobs: eslint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - run: make eslint 
@@ -49,8 +49,8 @@ jobs: renovate-config-validator: runs-on: ubuntu-latest steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: node-version: 20 - run: make renovate-config-validator diff --git a/.github/workflows/pre-submit.references.yml b/.github/workflows/pre-submit.references.yml index d9f1d6f..3402c06 100644 --- a/.github/workflows/pre-submit.references.yml +++ b/.github/workflows/pre-submit.references.yml @@ -13,7 +13,7 @@ jobs: env: BODY: ${{ github.event.pull_request.body }} steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Check documentation is up-to-date run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d9ae73e..62c2342 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,7 +26,7 @@ jobs: version: ${{ steps.ldflags.outputs.version }} steps: - id: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: fetch-depth: 0 - id: ldflags @@ -63,7 +63,7 @@ jobs: permissions: read-all steps: - name: Install the verifier - uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1 + uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0 - name: Download assets env: 
@@ -98,7 +98,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main @@ -112,7 +112,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 34e5f86..27a5eb5 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -25,12 +25,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 + uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0 with: results_file: results.sarif results_format: sarif @@ -49,7 +49,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: SARIF file path: results.sarif @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 + uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6 with: sarif_file: results.sarif 
diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml index a3f7772..39a15df 100644 --- a/.github/workflows/update-actions-dist-post-commit.yml +++ b/.github/workflows/update-actions-dist-post-commit.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: repository: ${{ github.repository }} persist-credentials: false @@ -57,7 +57,7 @@ jobs: [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT" - name: upload - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: changes.patch path: changes.patch @@ -72,14 +72,14 @@ jobs: contents: write steps: - name: checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: checkout-pr env: GH_TOKEN: ${{ github.token }} PR_NUMBER: ${{ inputs.pr_number }} run: gh pr checkout "$PR_NUMBER" - name: download-patch - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7 + uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 with: name: changes.patch - id: apply
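Review bot: every `uses:` line in this patch keeps the full-SHA pin with a trailing `# vX.Y.Z` comment, which is the right shape (Scorecard's Pinned-Dependencies check looks for exactly this), but the comment is only a label that Renovate wrote; before merging, confirm each new SHA is the commit the named tag resolves to, e.g. `gh api repos/actions/checkout/commits/v4.2.2 --jq .sha` should print `11bd71901bbe5b1630ceea73d27597364c9af683`, and likewise for each of the other updated actions. A pin whose comment says one version while the SHA is another is the failure mode this review step exists to catch, and a bot-authored PR is where it would most easily slip through.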
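Review bot: in the codeql-analysis.yml hunk the comment `# TODO(#740): Workaround for go1.21 compatibility. Remove when GHA runners have Go 1.21+.` is carried over unchanged above the bumped setup-go step. Since this PR already edits that step, it is the right moment to check whether the runner image now ships Go 1.21+ and, if it does, drop the step and the TODO together rather than keep a workaround whose stated expiry has passed. If the step stays, `go-version-file: "go.mod"` means the toolchain is taken from the module file, so the action version bump itself does not change which Go builds the scan.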
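Review bot: the pre-submit.lint.yml hunk moves setup-go from `# v5.0.2` while codeql-analysis.yml, pre-submit.cli.yml and pre-submit.e2e.yml move it from `# v5.0.1`, so the repository was pinning two different setup-go commits before this change. Converging all of them on `41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0` is the right outcome; consider a pre-submit check that the same action resolves to the same SHA across all workflow files, so this kind of drift is caught when it is introduced rather than repaired by the next batch update.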
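Review bot: in the pr-title.yml hunk, thehanimo/pr-title-checker is handed `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` as an input, and the v1.4.3 entry in the release notes above carries no changelog text, only a compare link. For a third-party action that receives the workflow token, read the upstream v1.4.2...v1.4.3 diff before merging instead of trusting the patch-level label, and since the visible context of the `validate` job shows no `permissions:` block, confirm one exists at workflow or job level so the token is scoped to what the checker needs rather than the repository default.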
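Review bot: scorecards.yml and the first checkout in update-actions-dist-post-commit.yml pass `persist-credentials: false` to actions/checkout, but the checkout steps in codeql-analysis.yml, depsreview.yml, the pre-submit.*.yml files, release.yml and the e2e.*.yml files do not, so after the bump to v4.2.2 (whose default is unchanged) the job token is still written into `.git/config` in those jobs for any later step to read. Not introduced by this PR, but since it touches every checkout line in the repository, adding `persist-credentials: false` wherever the job only builds, lints or scans and never pushes is a cheap follow-up.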
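Review bot: in the update-actions-dist-post-commit.yml hunks the second job runs with `contents: write`, checks out an operator-supplied PR via `gh pr checkout "$PR_NUMBER"` (from `inputs.pr_number`), then downloads `changes.patch` and hands it to the `- id: apply` step that is cut off here. Make sure nothing from that point on executes code taken from the checked-out PR head (build scripts, `make` targets, git hooks) under the write-capable token, because that checkout is of whatever branch the PR author controls. The artifact side is fine as written: actions/download-artifact@v4 without a `run-id` only fetches from the current run, so the patch applied is the one the earlier job produced.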
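Review bot: the e2e.schedule.cli.yml hunk's context line `echo "continue=$ctned" >> $GITHUB_OUTPUT` leaves `$GITHUB_OUTPUT` unquoted, which shellcheck flags and which the update-actions-dist-post-commit.yml hunk already does correctly as `>> "$GITHUB_OUTPUT"`. Harmless today because the runner path contains no whitespace, but it is a one-character fix and worth making consistent with the other workflow while this file is being edited.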