chore(deps): update github-actions (#817)

mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-06 08:37:00 +00:00

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | minor | `v4.1.7` -> `v4.2.2` |
|
[actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action)
| action | minor | `v4.3.3` -> `v4.5.0` |
|
[actions/download-artifact](https://redirect.github.com/actions/download-artifact)
| action | patch | `v4.1.7` -> `v4.1.8` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) |
action | minor | `v5.0.2` -> `v5.1.0` |
| [actions/setup-go](https://redirect.github.com/actions/setup-go) |
action | minor | `v5.0.1` -> `v5.1.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) |
action | minor | `v4.0.2` -> `v4.1.0` |
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | minor | `v4.3.3` -> `v4.4.3` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | minor | `v3.25.11` -> `v3.27.6` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | minor | `v2.3.3` -> `v2.4.0` |
|
[slsa-framework/slsa-verifier](https://redirect.github.com/slsa-framework/slsa-verifier)
| action | minor | `v2.5.1` -> `v2.6.0` |
|
[thehanimo/pr-title-checker](https://redirect.github.com/thehanimo/pr-title-checker)
| action | patch | `v1.4.2` -> `v1.4.3` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2)

- `url-helper.ts` now leverages well-known environment variables by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/checkout/pull/1941](https://redirect.github.com/actions/checkout/pull/1941)
- Expand unit test coverage for `isGhes` by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/checkout/pull/1946](https://redirect.github.com/actions/checkout/pull/1946)

###
[`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1)

- Check out other refs/\* by commit if provided, fall back to ref by
[@&#8203;orhantoy](https://redirect.github.com/orhantoy) in
[https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924)

###
[`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420)

[Compare
Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0)

- Add Ref and Commit outputs by
[@&#8203;lucacome](https://redirect.github.com/lucacome) in
[https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180)
- Dependency updates by
[@&#8203;dependabot-](https://redirect.github.com/dependabot-)
[https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777),
[https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872)

</details>

<details>
<summary>actions/dependency-review-action
(actions/dependency-review-action)</summary>

###
[`v4.5.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.5.0)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.4.0...v4.5.0)

#### What's Changed

- Bump got from 14.4.2 to 14.4.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/844](https://redirect.github.com/actions/dependency-review-action/pull/844)
- Bump nodemon from 3.1.0 to 3.1.7 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/847](https://redirect.github.com/actions/dependency-review-action/pull/847)
- Bump [@&#8203;vercel/ncc](https://redirect.github.com/vercel/ncc) from
0.38.1 to 0.38.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/849](https://redirect.github.com/actions/dependency-review-action/pull/849)
- Overriding the cross-spawn dependency to use a safe version by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/850](https://redirect.github.com/actions/dependency-review-action/pull/850)
- fix: add summary comment on failure when warn-only: true by
[@&#8203;ebickle](https://redirect.github.com/ebickle) in
[https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827)
- Prepare for 4.5.0 release by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/851](https://redirect.github.com/actions/dependency-review-action/pull/851)

#### New Contributors

- [@&#8203;ebickle](https://redirect.github.com/ebickle) made their
first contribution in
[https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4...v4.5.0

###
[`v4.4.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.4.0)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0)

#### What's Changed

- Fix for merge_group event bug by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/846](https://redirect.github.com/actions/dependency-review-action/pull/846)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0

###
[`v4.3.5`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.5)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5)

#### What's Changed

- fix: getRefs function to handle merge_group events by
[@&#8203;louis-bompart](https://redirect.github.com/louis-bompart) in
[https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766)
- Create pull_request_template.md by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/794](https://redirect.github.com/actions/dependency-review-action/pull/794)
- Update CONTRIBUTING.md by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/793](https://redirect.github.com/actions/dependency-review-action/pull/793)
- Bump [@&#8203;types/node](https://redirect.github.com/types/node) from
20.11.28 to 20.16.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/815](https://redirect.github.com/actions/dependency-review-action/pull/815)
- Upgrade transitive micromatch library by
[@&#8203;elireisman](https://redirect.github.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/829](https://redirect.github.com/actions/dependency-review-action/pull/829)
- Do not list changed dependencies in summary by
[@&#8203;hmaurer](https://redirect.github.com/hmaurer) in
[https://github.com/actions/dependency-review-action/pull/828](https://redirect.github.com/actions/dependency-review-action/pull/828)
- Update stale.yaml by
[@&#8203;jonjanego](https://redirect.github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/832](https://redirect.github.com/actions/dependency-review-action/pull/832)
- Bump got from 14.4.1 to 14.4.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/822](https://redirect.github.com/actions/dependency-review-action/pull/822)
- Bump eslint-plugin-jest and ts-jest by
[@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in
[https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840)

#### New Contributors

- [@&#8203;louis-bompart](https://redirect.github.com/louis-bompart)
made their first contribution in
[https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766)
- [@&#8203;Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah)
made their first contribution in
[https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840)

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5

###
[`v4.3.4`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.4)

[Compare
Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4)

#### What's Changed

- Include all added dependencies in scorecard entries by
[@&#8203;elireisman](https://redirect.github.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/783](https://redirect.github.com/actions/dependency-review-action/pull/783)
- Update SPDX Expression Parsing by
[@&#8203;febuiles](https://redirect.github.com/febuiles) in
[https://github.com/actions/dependency-review-action/pull/719](https://redirect.github.com/actions/dependency-review-action/pull/719)
- This PR is a significant refactor of SPDX expression parsing that
*may* fix some bugs, but unfortunately there are several related known
issues that remain unresolved as of this version.

**Full Changelog**:
https://github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.8`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.8)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.7...v4.1.8)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/download-artifact/pull/341](https://redirect.github.com/actions/download-artifact/pull/341)

**Full Changelog**:
https://github.com/actions/download-artifact/compare/v4...v4.1.8

</details>

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v5.1.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.1.0)

[Compare
Source](https://redirect.github.com/actions/setup-go/compare/v5.0.2...v5.1.0)

##### What's Changed

- Add workflow file for publishing releases to immutable action package
by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- Upgrade IA Publish by
[@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/setup-go/pull/502](https://redirect.github.com/actions/setup-go/pull/502)
- Add architecture to cache key by
[@&#8203;Zxilly](https://redirect.github.com/Zxilly) in
[https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
This addresses issues with caching by adding the architecture (arch) to
the cache key, ensuring that cache keys are accurate to prevent
conflicts.
Note: This change may break previous cache keys as they will no longer
be compatible with the new format.
- Enhance workflows and Upgrade micromatch Dependency by
[@&#8203;priyagupta108](https://redirect.github.com/priyagupta108) in
[https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Bug Fixes**

- Revise `isGhes` logic by
[@&#8203;jww3](https://redirect.github.com/jww3) in
[https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)

##### New Contributors

- [@&#8203;Zxilly](https://redirect.github.com/Zxilly) made their first
contribution in
[https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493)
- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their
first contribution in
[https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500)
- [@&#8203;jww3](https://redirect.github.com/jww3) made their first
contribution in
[https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511)
- [@&#8203;priyagupta108](https://redirect.github.com/priyagupta108)
made their first contribution in
[https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510)

**Full Changelog**:
https://github.com/actions/setup-go/compare/v5...v5.1.0

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v4.1.0`](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0)

###
[`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)

###
[`v4.0.3`](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3)

##### What's Changed

- Undo indirect dependency updates from
[#&#8203;627](https://redirect.github.com/actions/upload-artifact/issues/627)
by [@&#8203;joshmgross](https://redirect.github.com/joshmgross) in
[https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3

###
[`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2)

##### What's Changed

- Bump `@actions/artifact` to 2.1.11 by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627)
    -   Includes fix for relative symlinks not resolving properly

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2

###
[`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1)

##### What's Changed

- Add a section about hidden files by
[@&#8203;joshmgross](https://redirect.github.com/joshmgross) in
[https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607)
- Add workflow file for publishing releases to immutable action package
by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)
- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
to latest version, includes symlink and timeout fixes by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625)

##### New Contributors

- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their
first contribution in
[https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1

###
[`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)

###
[`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)

###
[`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

###
[`v4.3.4`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.4)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4)

##### What's Changed

- Update
[@&#8203;actions/artifact](https://redirect.github.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://redirect.github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/584](https://redirect.github.com/actions/upload-artifact/pull/584)

**Full Changelog**:
https://github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.27.6`](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6)

###
[`v3.27.5`](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5)

###
[`v3.27.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.3...v3.27.4)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.4 - 14 Nov 2024

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md)
for more information.

###
[`v3.27.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.2...v3.27.3)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.3 - 12 Nov 2024

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md)
for more information.

###
[`v3.27.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.1...v3.27.2)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.2 - 12 Nov 2024

- Fixed an issue where setting up the CodeQL tools would sometimes fail
with the message "Invalid value 'undefined' for header 'authorization'".
[#&#8203;2590](https://redirect.github.com/github/codeql-action/pull/2590)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md)
for more information.

###
[`v3.27.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.27.0...v3.27.1)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.1 - 08 Nov 2024

- The CodeQL Action now downloads bundles compressed using Zstandard on
GitHub Enterprise Server when using Linux or macOS runners. This speeds
up the installation of the CodeQL tools. This feature is already
available to GitHub.com users.
[#&#8203;2573](https://redirect.github.com/github/codeql-action/pull/2573)
- Update default CodeQL bundle version to 2.19.3.
[#&#8203;2576](https://redirect.github.com/github/codeql-action/pull/2576)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.1/CHANGELOG.md)
for more information.

###
[`v3.27.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.13...v3.27.0)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action
is the node version they support, with `v3` running on node 20 while we
continue to release `v2` to support running on node 16. For example
`3.22.11` was the first `v3` release and is functionally identical to
`2.22.11`. This approach ensures an easy way to track exactly which
features are included in different versions, indicated by the minor and
patch version numbers.

##### 3.27.0 - 22 Oct 2024

- Bump the minimum CodeQL bundle version to 2.14.6.
[#&#8203;2549](https://redirect.github.com/github/codeql-action/pull/2549)
- Fix an issue where the `upload-sarif` Action would fail with
"upload-sarif post-action step failed: Input required and not supplied:
token" when called in a composite Action that had a different set of
inputs to the ones expected by the `upload-sarif` Action.
[#&#8203;2557](https://redirect.github.com/github/codeql-action/pull/2557)
- Update default CodeQL bundle version to 2.19.2.
[#&#8203;2552](https://redirect.github.com/github/codeql-action/pull/2552)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.0/CHANGELOG.md)
for more information.

###
[`v3.26.13`](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13)

###
[`v3.26.12`](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12)

###
[`v3.26.11`](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11)

###
[`v3.26.10`](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10)

###
[`v3.26.9`](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9)

###
[`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)

###
[`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)

###
[`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)

###
[`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)

###
[`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)

###
[`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)

###
[`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)

###
[`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)

###
[`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)

###
[`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)

###
[`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)

###
[`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)

###
[`v3.25.12`](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0).
Of special note to Scorecard Action is the Maintainer Annotation
feature, which can be used to suppress some Code Scanning false
positives. Alerts will not be generated for any Scorecard Check with an
annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@&#8203;spencerschrock](https://redirect.github.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by
[@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@&#8203;jkowalleck](https://redirect.github.com/jkowalleck) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)

**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0

</details>

<details>
<summary>slsa-framework/slsa-verifier
(slsa-framework/slsa-verifier)</summary>

###
[`v2.6.0`](https://redirect.github.com/slsa-framework/slsa-verifier/releases/tag/v2.6.0)

[Compare
Source](https://redirect.github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0)

#### What's Changed

- chore: Update doc and digests for v2.5.1 by
[@&#8203;laurentsimon](https://redirect.github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/748](https://redirect.github.com/slsa-framework/slsa-verifier/pull/748)
- fix(deps): update module google.golang.org/protobuf to v1.33.0
\[security] by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/743](https://redirect.github.com/slsa-framework/slsa-verifier/pull/743)
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/718](https://redirect.github.com/slsa-framework/slsa-verifier/pull/718)
- chore: Update
[@&#8203;actions/github](https://redirect.github.com/actions/github) v6
by [@&#8203;laurentsimon](https://redirect.github.com/laurentsimon) in
[https://github.com/slsa-framework/slsa-verifier/pull/749](https://redirect.github.com/slsa-framework/slsa-verifier/pull/749)
- fix: use sigstore/pkg/fulcioroots to lessen deps by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/746](https://redirect.github.com/slsa-framework/slsa-verifier/pull/746)
- feat: add ramonpetgrave64 as CODEOWNER by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/750](https://redirect.github.com/slsa-framework/slsa-verifier/pull/750)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`1a8ece8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/1a8ece8)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/701](https://redirect.github.com/slsa-framework/slsa-verifier/pull/701)
- chore(deps): update github-actions (major) by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/719](https://redirect.github.com/slsa-framework/slsa-verifier/pull/719)
- fix(deps): update dependency org.apache.maven:maven-plugin-api to
v3.9.6 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/751](https://redirect.github.com/slsa-framework/slsa-verifier/pull/751)
- chore(deps): update npm dev (major) by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/753](https://redirect.github.com/slsa-framework/slsa-verifier/pull/753)
- fix(deps): update dependency
org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/752](https://redirect.github.com/slsa-framework/slsa-verifier/pull/752)
- feat: fixes
[#&#8203;547](https://redirect.github.com/slsa-framework/slsa-verifier/issues/547):
add npm sigstore-tuf suport by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/731](https://redirect.github.com/slsa-framework/slsa-verifier/pull/731)
- fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4
\[security] by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/723](https://redirect.github.com/slsa-framework/slsa-verifier/pull/723)
- chore(deps): update golang:1.21 docker digest to
[`81811f8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/81811f8)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/693](https://redirect.github.com/slsa-framework/slsa-verifier/pull/693)
- chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/758](https://redirect.github.com/slsa-framework/slsa-verifier/pull/758)
- chore(deps): update golang:1.21 docker digest to
[`d83472f`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/d83472f)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/764](https://redirect.github.com/slsa-framework/slsa-verifier/pull/764)
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to
[`53745e9`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/53745e9)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/763](https://redirect.github.com/slsa-framework/slsa-verifier/pull/763)
- feat: workflow to update actions dist by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/760](https://redirect.github.com/slsa-framework/slsa-verifier/pull/760)
- fix(deps): update dependency
[@&#8203;actions/core](https://redirect.github.com/actions/core) to
v1.10.1 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/717](https://redirect.github.com/slsa-framework/slsa-verifier/pull/717)
- chore: fix pr-title-checker by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/770](https://redirect.github.com/slsa-framework/slsa-verifier/pull/770)
- chore: Update Renovate config by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/slsa-framework/slsa-verifier/pull/769](https://redirect.github.com/slsa-framework/slsa-verifier/pull/769)
- fix: use pr_number as env variable by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/771](https://redirect.github.com/slsa-framework/slsa-verifier/pull/771)
- fix: signoff commit by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/767](https://redirect.github.com/slsa-framework/slsa-verifier/pull/767)
- chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/781](https://redirect.github.com/slsa-framework/slsa-verifier/pull/781)
- chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to
0.7.7 by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/782](https://redirect.github.com/slsa-framework/slsa-verifier/pull/782)
- chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/779](https://redirect.github.com/slsa-framework/slsa-verifier/pull/779)
- chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/slsa-framework/slsa-verifier/pull/780](https://redirect.github.com/slsa-framework/slsa-verifier/pull/780)
- chore(deps): bump the npm_and_yarn group across 2 directories with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/slsa-framework/slsa-verifier/pull/784](https://redirect.github.com/slsa-framework/slsa-verifier/pull/784)
- fix(deps): update golang.org/x/exp digest to
[`7f521ea`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/7f521ea)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/775](https://redirect.github.com/slsa-framework/slsa-verifier/pull/775)
- fix: make download-artifacts.sh more flexible by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/761](https://redirect.github.com/slsa-framework/slsa-verifier/pull/761)
- chore(deps): update golang:1.21 docker digest to
[`b405b62`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/b405b62)
by [@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/774](https://redirect.github.com/slsa-framework/slsa-verifier/pull/774)
- chore(deps): update npm dev by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/650](https://redirect.github.com/slsa-framework/slsa-verifier/pull/650)
- fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/787](https://redirect.github.com/slsa-framework/slsa-verifier/pull/787)
- chore(deps): update github-actions by
[@&#8203;renovate-bot](https://redirect.github.com/renovate-bot) in
[https://github.com/slsa-framework/slsa-verifier/pull/786](https://redirect.github.com/slsa-framework/slsa-verifier/pull/786)
- feat: vsa support by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/777](https://redirect.github.com/slsa-framework/slsa-verifier/pull/777)
- fix: use tag for the builder in the release workflow by
[@&#8203;ramonpetgrave64](https://redirect.github.com/ramonpetgrave64)
in
[https://github.com/slsa-framework/slsa-verifier/pull/788](https://redirect.github.com/slsa-framework/slsa-verifier/pull/788)

**Full Changelog**:
https://github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0

</details>

<details>
<summary>thehanimo/pr-title-checker
(thehanimo/pr-title-checker)</summary>

###
[`v1.4.3`](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

[Compare
Source](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xOS4wIiwidXBkYXRlZEluVmVyIjoiMzkuNDIuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->

This commit is contained in:

Mend Renovate

2024-12-04 19:00:06 +01:00

committed by

GitHub

parent 17f79583c5

commit 190fddac0e

14 changed files with 45 additions and 45 deletions

									
										10

.github/workflows/codeql-analysis.yml
									
										vendored
									
												View File
												
				@@ -40,11 +40,11 @@ jobs:

				    steps:

				      - name: Checkout repository

				        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

				        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

				      # TODO(#740): Workaround for go1.21 compatibility. Remove when GHA runners have Go 1.21+.

				      - name: setup-go

				        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1

				        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0

				        with:

				          go-version-file: "go.mod"

				          # not needed but gets rid of warnings

				@@ -52,7 +52,7 @@ jobs:

				      # Initializes the CodeQL tools for scanning.

				      - name: Initialize CodeQL

				        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11

				        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6

				        with:

				          languages: ${{ matrix.language }}

				          # If you wish to specify custom queries, you can do so here or in a config file.

				@@ -63,7 +63,7 @@ jobs:

				      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).

				      # If this step fails, then you should remove it and run the build manually (see below)

				      - name: Autobuild

				        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11

				        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6

				      # Command-line programs to run using the OS shell.

				      # 📚 https://git.io/JvXDl

				@@ -76,4 +76,4 @@ jobs:

				      #     make release

				      - name: Perform CodeQL Analysis

				        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11

				        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6

chore(deps): update github-actions (#817)

10 .github/workflows/codeql-analysis.yml vendored Unescape Escape View File

10

.github/workflows/codeql-analysis.yml vendored

View File