slsa-verifier

mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-05-09 10:06:37 +00:00

Author	SHA1	Message	Date
Mend Renovate	1049da4841	chore(deps): update github-actions (#786 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/checkout](https://togithub.com/actions/checkout) \| action \| patch \| `v4.1.1` -> `v4.1.7` \| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| minor \| `v4.2.5` -> `v4.3.3` \| \| [actions/download-artifact](https://togithub.com/actions/download-artifact) \| action \| patch \| `v4.1.4` -> `v4.1.7` \| \| [actions/setup-go](https://togithub.com/actions/setup-go) \| action \| patch \| `v5.0.0` -> `v5.0.1` \| \| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) \| action \| patch \| `v4.3.1` -> `v4.3.3` \| \| [actionsdesk/lfs-warning](https://togithub.com/actionsdesk/lfs-warning) \| action \| minor \| `v3.2` -> `v3.3` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v3.24.9` -> `v3.25.11` \| \| [golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action) \| action \| pinDigest \| -> `d6238b0` \| \| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) \| action \| patch \| `v2.3.1` -> `v2.3.3` \| \| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) \| action \| pinDigest \| -> `c747fe7` \| \| [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) \| action \| minor \| `v2.4.1` -> `v2.5.1` \| --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.7`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.6...v4.1.7) - Bump the minor-npm-dependencies group across 1 directory with 4 updates by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1739](https://togithub.com/actions/checkout/pull/1739) - Bump actions/checkout from 3 to 4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1697](https://togithub.com/actions/checkout/pull/1697) - Check out other refs/\* by commit by [@orhantoy](https://togithub.com/orhantoy) in [https://github.com/actions/checkout/pull/1774](https://togithub.com/actions/checkout/pull/1774) - Pin actions/checkout's own workflows to a known, good, stable version. by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1776](https://togithub.com/actions/checkout/pull/1776) ### [`v4.1.6`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.5...v4.1.6) - Check platform to set archive extension appropriately by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1732](https://togithub.com/actions/checkout/pull/1732) ### [`v4.1.5`](https://togithub.com/actions/checkout/releases/tag/v4.1.5) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.4...v4.1.5) #### What's Changed - Update NPM dependencies by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1703](https://togithub.com/actions/checkout/pull/1703) - Bump github/codeql-action from 2 to 3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1694](https://togithub.com/actions/checkout/pull/1694) - Bump actions/setup-node from 1 to 4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1696](https://togithub.com/actions/checkout/pull/1696) - Bump actions/upload-artifact from 2 to 4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1695](https://togithub.com/actions/checkout/pull/1695) - README: Suggest `user.email` to be `41898282+github-actions[bot]@users.noreply.github.com` by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1707](https://togithub.com/actions/checkout/pull/1707) Full Changelog: https://github.com/actions/checkout/compare/v4.1.4...v4.1.5 ### [`v4.1.4`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.3...v4.1.4) - Disable `extensions.worktreeConfig` when disabling `sparse-checkout` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1692](https://togithub.com/actions/checkout/pull/1692) - Add dependabot config by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1688](https://togithub.com/actions/checkout/pull/1688) - Bump the minor-actions-dependencies group with 2 updates by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1693](https://togithub.com/actions/checkout/pull/1693) - Bump word-wrap from 1.2.3 to 1.2.5 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/checkout/pull/1643](https://togithub.com/actions/checkout/pull/1643) ### [`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3) #### What's Changed - Update `actions/checkout` version in `update-main-version.yml` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650) - Check git version before attempting to disable `sparse-checkout` by [@jww3](https://togithub.com/jww3) in [https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656) - Add SSH user parameter by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685) Full Changelog: https://github.com/actions/checkout/compare/v4.1.2...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2) - Fix: Disable sparse checkout whenever `sparse-checkout` option is not present [@dscho](https://togithub.com/dscho) in [https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.3.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.3): Notes for v4.3.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3) #### What's Changed - Allow slashes in purl package names by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/765](https://togithub.com/actions/dependency-review-action/pull/765) - use the v3 version of the deps.dev API by [@josieang](https://togithub.com/josieang) in [https://github.com/actions/dependency-review-action/pull/741](https://togithub.com/actions/dependency-review-action/pull/741) - PR with suggestions - \[Improvement]: Help streamline / simplify dependency review action README by [@am-stead](https://togithub.com/am-stead) in [https://github.com/actions/dependency-review-action/pull/773](https://togithub.com/actions/dependency-review-action/pull/773) - fix show-openssf-scorecard-levels input by [@ramann](https://togithub.com/ramann) in [https://github.com/actions/dependency-review-action/pull/776](https://togithub.com/actions/dependency-review-action/pull/776) - Updates to the contribution guidelines by [@jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/778](https://togithub.com/actions/dependency-review-action/pull/778) - Create issue templates by [@jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/777](https://togithub.com/actions/dependency-review-action/pull/777) - Fix the max comment length issue by [@jhutchings1](https://togithub.com/jhutchings1) and [@elireisman](https://togithub.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/767](https://togithub.com/actions/dependency-review-action/pull/767) - Bump project version to 4.3.3 in prep for a release by [@elireisman](https://togithub.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/781](https://togithub.com/actions/dependency-review-action/pull/781) #### New Contributors - [@josieang](https://togithub.com/josieang) made their first contribution in [https://github.com/actions/dependency-review-action/pull/741](https://togithub.com/actions/dependency-review-action/pull/741) - [@am-stead](https://togithub.com/am-stead) made their first contribution in [https://github.com/actions/dependency-review-action/pull/773](https://togithub.com/actions/dependency-review-action/pull/773) - [@ramann](https://togithub.com/ramann) made their first contribution in [https://github.com/actions/dependency-review-action/pull/776](https://togithub.com/actions/dependency-review-action/pull/776) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3 ### [`v4.3.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.2) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2) #### What's Changed - Fix package-url parsing for allow-dependencies-licenses by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/761](https://togithub.com/actions/dependency-review-action/pull/761) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2 ### [`v4.3.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.1) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.3.0...v4.3.1) #### What's Changed This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See [https://github.com/actions/dependency-review-action/pull/753](https://togithub.com/actions/dependency-review-action/pull/753). Full Changelog: https://github.com/actions/dependency-review-action/compare/V4.3.0...v4.3.1 ### [`v4.3.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.3.0) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.5...v4.3.0) #### New Features - The `deny-packages` option can now be used without a version number to exclude all versions of a package. #### What's Changed - Fix action variable name for scorecard by [@lukehinds](https://togithub.com/lukehinds) in [https://github.com/actions/dependency-review-action/pull/735](https://togithub.com/actions/dependency-review-action/pull/735) - Fix extra https:// in summary by [@jhutchings1](https://togithub.com/jhutchings1) in [https://github.com/actions/dependency-review-action/pull/748](https://togithub.com/actions/dependency-review-action/pull/748) - Bump typescript from 5.3.3 to 5.4.5 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/744](https://togithub.com/actions/dependency-review-action/pull/744) - Bump eslint-plugin-github from 4.10.1 to 4.10.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/737](https://togithub.com/actions/dependency-review-action/pull/737) - Show denied packages with red X by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/750](https://togithub.com/actions/dependency-review-action/pull/750) - deny-packages configuration option can deny specified version or all packages by [@febuiles](https://togithub.com/febuiles) and [@bteng22](https://togithub.com/bteng22) in [https://github.com/actions/dependency-review-action/pull/733](https://togithub.com/actions/dependency-review-action/pull/733) #### New Contributors - [@bteng22](https://togithub.com/bteng22) made their first contribution in [https://github.com/actions/dependency-review-action/pull/733](https://togithub.com/actions/dependency-review-action/pull/733) - [@lukehinds](https://togithub.com/lukehinds) made their first contribution in [https://github.com/actions/dependency-review-action/pull/735](https://togithub.com/actions/dependency-review-action/pull/735) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.2.5...V4.3.0 </details> <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.7`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.7) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.6...v4.1.7) #### What's Changed - Update [@actions/artifact](https://togithub.com/actions/artifact) dependency by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/325](https://togithub.com/actions/download-artifact/pull/325) Full Changelog: https://github.com/actions/download-artifact/compare/v4.1.6...v4.1.7 ### [`v4.1.6`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.6) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.5...v4.1.6) #### What's Changed - updating `@actions/artifact` dependency to v2.1.6 by [@eggyhead](https://togithub.com/eggyhead) in [https://github.com/actions/download-artifact/pull/324](https://togithub.com/actions/download-artifact/pull/324) Full Changelog: https://github.com/actions/download-artifact/compare/v4.1.5...v4.1.6 ### [`v4.1.5`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.5) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.4...v4.1.5) #### What's Changed - Update readme with v3/v2/v1 deprecation notice by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/download-artifact/pull/322](https://togithub.com/actions/download-artifact/pull/322) - Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact` to v2.1.5 Full Changelog: https://github.com/actions/download-artifact/compare/v4.1.4...v4.1.5 </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.0.1`](https://togithub.com/actions/setup-go/releases/tag/v5.0.1) [Compare Source](https://togithub.com/actions/setup-go/compare/v5.0.0...v5.0.1) #### What's Changed - Bump undici from 5.28.2 to 5.28.3 and dependencies upgrade by [@dependabot](https://togithub.com/dependabot) , [@HarithaVattikuti](https://togithub.com/HarithaVattikuti) in [https://github.com/actions/setup-go/pull/465](https://togithub.com/actions/setup-go/pull/465) - Update documentation with latest V5 release notes by [@ab](https://togithub.com/ab) in [https://github.com/actions/setup-go/pull/459](https://togithub.com/actions/setup-go/pull/459) - Update version documentation by [@178inaba](https://togithub.com/178inaba) in [https://github.com/actions/setup-go/pull/458](https://togithub.com/actions/setup-go/pull/458) - Documentation update of `actions/setup-go` to v5 by [@chenrui333](https://togithub.com/chenrui333) in [https://github.com/actions/setup-go/pull/449](https://togithub.com/actions/setup-go/pull/449) #### New Contributors - [@ab](https://togithub.com/ab) made their first contribution in [https://github.com/actions/setup-go/pull/459](https://togithub.com/actions/setup-go/pull/459) Full Changelog: https://github.com/actions/setup-go/compare/v5.0.0...v5.0.1 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.3`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.2...v4.3.3) ##### What's Changed - updating `@actions/artifact` dependency to v2.1.6 by [@eggyhead](https://togithub.com/eggyhead) in [https://github.com/actions/upload-artifact/pull/565](https://togithub.com/actions/upload-artifact/pull/565) Full Changelog: https://github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3 ### [`v4.3.2`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.2) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.1...v4.3.2) #### What's Changed - Update release-new-action-version.yml by [@konradpabjan](https://togithub.com/konradpabjan) in [https://github.com/actions/upload-artifact/pull/516](https://togithub.com/actions/upload-artifact/pull/516) - Minor fix to the migration readme by [@andrewakim](https://togithub.com/andrewakim) in [https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523) - Update readme with v3/v2/v1 deprecation notice by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/561](https://togithub.com/actions/upload-artifact/pull/561) - updating `@actions/artifact` dependency to v2.1.5 and `@actions/core` to v1.0.1 by [@eggyhead](https://togithub.com/eggyhead) in [https://github.com/actions/upload-artifact/pull/562](https://togithub.com/actions/upload-artifact/pull/562) #### New Contributors - [@andrewakim](https://togithub.com/andrewakim) made their first contribution in [https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523) Full Changelog: https://github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2 </details> <details> <summary>actionsdesk/lfs-warning (actionsdesk/lfs-warning)</summary> ### [`v3.3`](https://togithub.com/ppremk/lfs-warning/releases/tag/v3.3) [Compare Source](https://togithub.com/actionsdesk/lfs-warning/compare/v3.2...v3.3) #### What's Changed - update node js to 16 by [@GlazerMann](https://togithub.com/GlazerMann) in [https://github.com/ppremk/lfs-warning/pull/148](https://togithub.com/ppremk/lfs-warning/pull/148) - Fixing README to match repo move by [@samthebest](https://togithub.com/samthebest) in [https://github.com/ppremk/lfs-warning/pull/153](https://togithub.com/ppremk/lfs-warning/pull/153) - Update CODEOWNERS by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/158](https://togithub.com/ppremk/lfs-warning/pull/158) - Bump http-cache-semantics from 4.1.0 to 4.1.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/151](https://togithub.com/ppremk/lfs-warning/pull/151) - Bump [@babel/traverse](https://togithub.com/babel/traverse) from 7.15.4 to 7.23.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/159](https://togithub.com/ppremk/lfs-warning/pull/159) - Bump tough-cookie from 4.0.0 to 4.1.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/160](https://togithub.com/ppremk/lfs-warning/pull/160) - Bump cacheable-request and gts by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/152](https://togithub.com/ppremk/lfs-warning/pull/152) - Update emoji and convert file list to markdown list by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/161](https://togithub.com/ppremk/lfs-warning/pull/161) - Bump got and gts by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/155](https://togithub.com/ppremk/lfs-warning/pull/155) - Exclude files without blob_url when getting PR blobs by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/162](https://togithub.com/ppremk/lfs-warning/pull/162) - Support pull_request_target by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/164](https://togithub.com/ppremk/lfs-warning/pull/164) - Update-node by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/163](https://togithub.com/ppremk/lfs-warning/pull/163) - Fix text setup for the issue comment by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/166](https://togithub.com/ppremk/lfs-warning/pull/166) - Validate PR changes to make sure there are no changes missing by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/165](https://togithub.com/ppremk/lfs-warning/pull/165) - Fix emoji by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ppremk/lfs-warning/pull/167](https://togithub.com/ppremk/lfs-warning/pull/167) - Bump undici from 5.28.2 to 5.28.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ppremk/lfs-warning/pull/171](https://togithub.com/ppremk/lfs-warning/pull/171) #### New Contributors - [@GlazerMann](https://togithub.com/GlazerMann) made their first contribution in [https://github.com/ppremk/lfs-warning/pull/148](https://togithub.com/ppremk/lfs-warning/pull/148) - [@samthebest](https://togithub.com/samthebest) made their first contribution in [https://github.com/ppremk/lfs-warning/pull/153](https://togithub.com/ppremk/lfs-warning/pull/153) - [@rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/ppremk/lfs-warning/pull/158](https://togithub.com/ppremk/lfs-warning/pull/158) Full Changelog: https://github.com/ppremk/lfs-warning/compare/v3.2...v3.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.25.11`](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11) ### [`v3.25.10`](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10) ### [`v3.25.9`](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9) ### [`v3.25.8`](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8) ### [`v3.25.7`](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.6...v3.25.7) ### [`v3.25.6`](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.5...v3.25.6) ### [`v3.25.5`](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.4...v3.25.5) ### [`v3.25.4`](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.3...v3.25.4) ### [`v3.25.3`](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.2...v3.25.3) ### [`v3.25.2`](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.1...v3.25.2) ### [`v3.25.1`](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.0...v3.25.1) ### [`v3.25.0`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.25.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.11...v3.25.0) ### [`v3.24.11`](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.10...v3.24.11) ### [`v3.24.10`](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.9...v3.24.10) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.3) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.2...v2.3.3) > \[!NOTE]\ > There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1366](https://togithub.com/ossf/scorecard-action/pull/1366) - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1374](https://togithub.com/ossf/scorecard-action/pull/1374) - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1377](https://togithub.com/ossf/scorecard-action/pull/1377) For a full changelist of what these include, see the [v5.0.0-rc1](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc1) and [v5.0.0-rc2](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc2) release notes. ##### Documentation - 📖 Move token discussion out of main README. by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1279](https://togithub.com/ossf/scorecard-action/pull/1279) - 📖 link to `ossf/scorecard` workflow instead of maintaining an example by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1352](https://togithub.com/ossf/scorecard-action/pull/1352) - 📖 update api links to new scorecard.dev site by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1376](https://togithub.com/ossf/scorecard-action/pull/1376) Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.3 ### [`v2.3.2`](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2) </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.5.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.5.1) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1) #### What's Changed - feat: Add cosign registry opts for provenance registry by [@saisatishkarra](https://togithub.com/saisatishkarra) in [https://github.com/slsa-framework/slsa-verifier/pull/729](https://togithub.com/slsa-framework/slsa-verifier/pull/729) and [https://github.com/slsa-framework/slsa-verifier/pull/736](https://togithub.com/slsa-framework/slsa-verifier/pull/736) - feat: Add support for DSSE Rekor type by [@haydentherapper](https://togithub.com/haydentherapper) in [https://github.com/slsa-framework/slsa-verifier/pull/742](https://togithub.com/slsa-framework/slsa-verifier/pull/742) #### New Contributors - [@saisatishkarra](https://togithub.com/saisatishkarra) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/729](https://togithub.com/slsa-framework/slsa-verifier/pull/729) - [@ramonpetgrave64](https://togithub.com/ramonpetgrave64) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/737](https://togithub.com/slsa-framework/slsa-verifier/pull/737) - [@haydentherapper](https://togithub.com/haydentherapper) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/742](https://togithub.com/slsa-framework/slsa-verifier/pull/742) Full Changelog: https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1 </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-07-01 17:21:38 +00:00
Mend Renovate	a8e21d5a83	chore(deps): update github-actions (major) (#719 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/checkout](https://togithub.com/actions/checkout) \| action \| major \| `v3.6.0` -> `v4.1.1` \| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| major \| `v3.1.5` -> `v4.2.5` \| \| [actions/download-artifact](https://togithub.com/actions/download-artifact) \| action \| major \| `v3.0.2` -> `v4.1.4` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| major \| `v3` -> `v4` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| major \| `v3.8.2` -> `v4.0.2` \| \| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) \| action \| major \| `v3.1.3` -> `v4.3.1` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| major \| `v2.24.8` -> `v3.24.9` \| \| [golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action) \| action \| major \| `v3` -> `v4` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@joshmgross](https://togithub.com/joshmgross) in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - Correct link to GitHub Docs by [@peterbe](https://togithub.com/peterbe) in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) - Link to release page from what's new section by [@cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514) ##### New Contributors - [@joshmgross](https://togithub.com/joshmgross) made their first contribution in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - [@peterbe](https://togithub.com/peterbe) made their first contribution in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) Full Changelog: https://github.com/actions/checkout/compare/v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://togithub.com/actions/checkout/pull/1396) ### [`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400) [Compare Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0) - [Support fetching without the --progress option](https://togithub.com/actions/checkout/pull/1067) - [Update to node20](https://togithub.com/actions/checkout/pull/1436) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.2.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.5): 4.2.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5) #### What's Changed - Fixed a bug where some configuration options in external files were not being properly picked up -- [https://github.com/actions/dependency-review-action/pull/722](https://togithub.com/actions/dependency-review-action/pull/722) - Bump eslint from 8.56.0 to 8.57.0 Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5 ### [`v4.2.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.4) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4) #### What's Changed Fixed a bug in the output of OpenSSF cards for GitHub Actions. #### New Contributors - [@sporkmonger](https://togithub.com/sporkmonger) made their first contribution in [https://github.com/actions/dependency-review-action/pull/721](https://togithub.com/actions/dependency-review-action/pull/721) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4 ### [`v4.2.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.3): 4.2.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3) #### What's Changed - Set comment as output by [@jsoref](https://togithub.com/jsoref) in [https://github.com/actions/dependency-review-action/pull/698](https://togithub.com/actions/dependency-review-action/pull/698) - Add support for calculating OpenSSF Scorecards by [@jhutchings1](https://togithub.com/jhutchings1) in [https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709) - Add outputs for the changes data by [@laughedelic](https://togithub.com/laughedelic) in [https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707) #### New Contributors - [@jhutchings1](https://togithub.com/jhutchings1) made their first contribution in [https://github.com/actions/dependency-review-action/pull/709](https://togithub.com/actions/dependency-review-action/pull/709) - [@laughedelic](https://togithub.com/laughedelic) made their first contribution in [https://github.com/actions/dependency-review-action/pull/707](https://togithub.com/actions/dependency-review-action/pull/707) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3 ### [`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3): 4.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3) Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see [https://github.com/actions/dependency-review-action/issues/697](https://togithub.com/actions/dependency-review-action/issues/697)). Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2): 4.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2) #### What's Changed - Expose dependency comment content by [@jsoref](https://togithub.com/jsoref) in [https://github.com/actions/dependency-review-action/pull/696](https://togithub.com/actions/dependency-review-action/pull/696) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2 ### [`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1): 4.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1) #### What's Changed - Bump `undici` to fix [GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g) - Bump [@types/node](https://togithub.com/types/node) from 20.11.17 to 20.11.19 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/693](https://togithub.com/actions/dependency-review-action/pull/693) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0): 4.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0) #### What's Changed - Add `warn-only` by [@tgrall](https://togithub.com/tgrall) in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) Added a new configuration option (`warn-only`, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log. - Create stale.yaml by [@jonjanego](https://togithub.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - Use manual codeql config by [@juxtin](https://togithub.com/juxtin) in [https://github.com/actions/dependency-review-action/pull/678](https://togithub.com/actions/dependency-review-action/pull/678) - Multiple dependency updates (see the changelog below for more information) #### New Contributors - [@jonjanego](https://togithub.com/jonjanego) made their first contribution in [https://github.com/actions/dependency-review-action/pull/671](https://togithub.com/actions/dependency-review-action/pull/671) - [@tgrall](https://togithub.com/tgrall) made their first contribution in [https://github.com/actions/dependency-review-action/pull/432](https://togithub.com/actions/dependency-review-action/pull/432) Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0) - Update action to Node 20 by [@takost](https://togithub.com/takost) in [https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639) - Dependabot updates, see the full changelog for more details. #### New Contributors - [@takost](https://togithub.com/takost) made their first contribution in [https://github.com/actions/dependency-review-action/pull/639](https://togithub.com/actions/dependency-review-action/pull/639) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0 </details> <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.4`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.4) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.3...v4.1.4) ##### What's Changed - Update [@actions/artifact](https://togithub.com/actions/artifact) by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/307](https://togithub.com/actions/download-artifact/pull/307) Full Changelog: https://github.com/actions/download-artifact/compare/v4...v4.1.4 ### [`v4.1.3`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.3) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.2...v4.1.3) ##### What's Changed - Update release-new-action-version.yml by [@konradpabjan](https://togithub.com/konradpabjan) in [https://github.com/actions/download-artifact/pull/292](https://togithub.com/actions/download-artifact/pull/292) - Update toolkit dependency with updated unzip logic by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299) - Update [@actions/artifact](https://togithub.com/actions/artifact) by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/download-artifact/pull/303](https://togithub.com/actions/download-artifact/pull/303) ##### New Contributors - [@bethanyj28](https://togithub.com/bethanyj28) made their first contribution in [https://github.com/actions/download-artifact/pull/299](https://togithub.com/actions/download-artifact/pull/299) Full Changelog: https://github.com/actions/download-artifact/compare/v4...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.2) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.1...v4.1.2) - Bump [@actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648) ### [`v4.1.1`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.0...v4.1.1) - Fix transient request timeouts [https://github.com/actions/download-artifact/issues/249](https://togithub.com/actions/download-artifact/issues/249) - Bump `@actions/artifacts` to latest version ### [`v4.1.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.0.0...v4.1.0) #### What's Changed - Some cleanup by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/download-artifact/pull/247](https://togithub.com/actions/download-artifact/pull/247) - Fix default for run-id by [@stchr](https://togithub.com/stchr) in [https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252) - Support pattern matching to filter artifacts & merge to same directory by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/download-artifact/pull/259](https://togithub.com/actions/download-artifact/pull/259) #### New Contributors - [@stchr](https://togithub.com/stchr) made their first contribution in [https://github.com/actions/download-artifact/pull/252](https://togithub.com/actions/download-artifact/pull/252) Full Changelog: https://github.com/actions/download-artifact/compare/v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/download-artifact/compare/v3.0.2...v4.0.0) #### What's Changed The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements. ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads must use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows. For more information, please see: 1. The [changelog](https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/) post. 2. The [README](https://togithub.com/actions/download-artifact/blob/main/README.md). 3. The [migration documentation](https://togithub.com/actions/upload-artifact/blob/main/docs/MIGRATION.md). 4. As well as the underlying npm package, [@actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact) documentation. #### New Contributors - [@bflad](https://togithub.com/bflad) made their first contribution in [https://github.com/actions/download-artifact/pull/194](https://togithub.com/actions/download-artifact/pull/194) Full Changelog: https://github.com/actions/download-artifact/compare/v3...v4.0.0 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v4`](https://togithub.com/actions/setup-node/compare/v3...v4) [Compare Source](https://togithub.com/actions/setup-node/compare/v3...v4) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1) - Bump [@actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648) ### [`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0) ##### What's Changed - Reorganize upload code in prep for merge logic & add more tests by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/504](https://togithub.com/actions/upload-artifact/pull/504) - Add sub-action to merge artifacts by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/505](https://togithub.com/actions/upload-artifact/pull/505) Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.3.0 ### [`v4.2.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.2.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.1.0...v4.2.0) ##### What's Changed - Ability to overwrite an Artifact by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/501](https://togithub.com/actions/upload-artifact/pull/501) Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.2.0 ### [`v4.1.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.0.0...v4.1.0) #### What's Changed - Add migrations docs by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/482](https://togithub.com/actions/upload-artifact/pull/482) - Update README.md by [@samuelwine](https://togithub.com/samuelwine) in [https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492) - Support artifact-url output by [@konradpabjan](https://togithub.com/konradpabjan) in [https://github.com/actions/upload-artifact/pull/496](https://togithub.com/actions/upload-artifact/pull/496) - Update readme to reflect new 500 artifact per job limit by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/497](https://togithub.com/actions/upload-artifact/pull/497) #### New Contributors - [@samuelwine](https://togithub.com/samuelwine) made their first contribution in [https://github.com/actions/upload-artifact/pull/492](https://togithub.com/actions/upload-artifact/pull/492) Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.3...v4.0.0) #### What's Changed The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements. For more information, see the [@actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact) documentation. #### New Contributors - [@vmjoseph](https://togithub.com/vmjoseph) made their first contribution in [https://github.com/actions/upload-artifact/pull/464](https://togithub.com/actions/upload-artifact/pull/464) Full Changelog: https://github.com/actions/upload-artifact/compare/v3...v4.0.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.24.9`](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9) ### [`v3.24.8`](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8) ### [`v3.24.7`](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7) ### [`v3.24.6`](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6) ### [`v3.24.5`](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5) ### [`v3.24.4`](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4) ### [`v3.24.3`](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3) ### [`v3.24.2`](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2) ### [`v3.24.1`](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1) ### [`v3.24.0`](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0) ### [`v3.23.2`](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2) ### [`v3.23.1`](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1) ### [`v3.23.0`](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0) ### [`v3.22.12`](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12) ### [`v3.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.11...v3.22.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.9...v3.22.11) ### [`v2.24.9`](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9) </details> <details> <summary>golangci/golangci-lint-action (golangci/golangci-lint-action)</summary> ### [`v4`](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4) [Compare Source](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4) </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2024-04-01 15:26:46 +00:00
Mend Renovate	594b179564	chore(deps): update github-actions (#741 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| patch \| `v3.1.0` -> `v3.1.5` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| patch \| `v3.8.1` -> `v3.8.2` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.22.1` -> `v2.24.8` \| \| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) \| action \| patch \| `v2.3.0` -> `v2.3.1` \| \| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) \| action \| minor \| `v1.9.0` -> `v1.10.0` \| \| [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) \| action \| patch \| `v2.4.0` -> `v2.4.1` \| --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.1.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.5): 3.1.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5) #### What's Changed - Smaller `per_page` when requesting diff by [@hmaurer](https://togithub.com/hmaurer) in [https://github.com/actions/dependency-review-action/pull/649](https://togithub.com/actions/dependency-review-action/pull/649) - Update dependencies: - Bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.10.0 to 6.13.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/630](https://togithub.com/actions/dependency-review-action/pull/630) - Bump prettier from 3.0.3 to 3.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/629](https://togithub.com/actions/dependency-review-action/pull/629) - Bump [@types/jest](https://togithub.com/types/jest) from 29.5.8 to 29.5.11 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/637](https://togithub.com/actions/dependency-review-action/pull/637) - Bump nodemon from 3.0.1 to 3.0.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/636](https://togithub.com/actions/dependency-review-action/pull/636) - Replace pip -> pypi in PURL examples by [@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/638](https://togithub.com/actions/dependency-review-action/pull/638) - Bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.12.0 to 6.15.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/644](https://togithub.com/actions/dependency-review-action/pull/644) - Bump eslint from 8.53.0 to 8.56.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/640](https://togithub.com/actions/dependency-review-action/pull/640) - Bump [@typescript-eslint/parser](https://togithub.com/typescript-eslint/parser) from 6.13.1 to 6.16.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/645](https://togithub.com/actions/dependency-review-action/pull/645) - Bump prettier from 3.1.0 to 3.1.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/646](https://togithub.com/actions/dependency-review-action/pull/646) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3.1.4...v3.1.5 ### [`v3.1.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.4): 3.1.4 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.3...v3.1.4) #### What's Changed - Fixed a [bug](https://togithub.com/actions/dependency-review-action/issues/618) with severity filtering when using the `allow_ghsas` option: [https://github.com/actions/dependency-review-action/pull/623](https://togithub.com/actions/dependency-review-action/pull/623). - Updates dependencies: - Bump [@types/node](https://togithub.com/types/node) from 16.18.61 to 16.18.62 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/619](https://togithub.com/actions/dependency-review-action/pull/619) action/pull/620 - Bump [@typescript-eslint/eslint-plugin](https://togithub.com/typescript-eslint/eslint-plugin) from 6.11.0 to 6.12.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/625](https://togithub.com/actions/dependency-review-action/pull/625) - Bump typescript from 5.2.2 to 5.3.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/624](https://togithub.com/actions/dependency-review-action/pull/624) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.1.4 ### [`v3.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.3): 3.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.2...v3.1.3) #### What's Changed - Fixes purl "version must be percent-encoded" by [@theztefan](https://togithub.com/theztefan) in [https://github.com/actions/dependency-review-action/pull/617](https://togithub.com/actions/dependency-review-action/pull/617) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.1.3 ### [`v3.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.2): 3.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.1...v3.1.2) #### What's Changed - Fix a regression for setups using self-hosted runners behind HTTP proxies:[@febuiles](https://togithub.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/611](https://togithub.com/actions/dependency-review-action/pull/611) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.1.2 ### [`v3.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.1): 3.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1) #### What's Changed - Update a bunch of dependencies, including major version upgrades for `octokit`, `@actions/github` and `typescript`. Full Changelog: https://github.com/actions/dependency-review-action/compare/v3.1.0...v3.1.1 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.2`](https://togithub.com/actions/setup-node/releases/tag/v3.8.2) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.1...v3.8.2) ##### What's Changed - Update semver by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/861](https://togithub.com/actions/setup-node/pull/861) - Update temp directory creation by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/859](https://togithub.com/actions/setup-node/pull/859) - Bump [@babel/traverse](https://togithub.com/babel/traverse) from 7.15.4 to 7.23.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/870](https://togithub.com/actions/setup-node/pull/870) - Add notice about binaries not being updated yet by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/872](https://togithub.com/actions/setup-node/pull/872) - Update toolkit cache and core by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) and [@seongwon-privatenote](https://togithub.com/seongwon-privatenote) in [https://github.com/actions/setup-node/pull/875](https://togithub.com/actions/setup-node/pull/875) Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.8.2 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.24.8`](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.7...v2.24.8) ### [`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) ### [`v2.24.6`](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.5...v2.24.6) ### [`v2.24.5`](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.4...v2.24.5) ### [`v2.24.4`](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.3...v2.24.4) ### [`v2.24.3`](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.2...v2.24.3) ### [`v2.24.2`](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.1...v2.24.2) ### [`v2.24.1`](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.0...v2.24.1) ### [`v2.24.0`](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.2...v2.24.0) ### [`v2.23.2`](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2) ### [`v2.23.1`](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1) ### [`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) ### [`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) ### [`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) ### [`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) ### [`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) ### [`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) ### [`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) ### [`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) ### [`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282) - Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1) release notes Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1 </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.10.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v1100) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.1...v1.10.0) Release \[v1.10.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.10.0). ##### v1.10.0: TUF fix - The cosign TUF roots were fixed ([#3350](https://togithub.com/slsa-framework/slsa-github-generator/issues/3350)). More details [here](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.10.0/README.md#error-updating-to-tuf-remote-mirror-invalid). ##### v1.10.0: Gradle Builder - The Gradle Builder was fixed when the project root is the same as the repository root ([#2727](https://togithub.com/slsa-framework/slsa-github-generator/issues/2727)) ##### v1.10.0: Go Builder - The `go-version-file` input was fixed so that it can find the `go.mod` file ([#2661](https://togithub.com/slsa-framework/slsa-github-generator/issues/2661)) ##### v1.10.0: Container Generator - A new `provenance-repository` input was added to allow reading provenance from a different container repository than the image itself ([#2956](https://togithub.com/slsa-framework/slsa-github-generator/issues/2956)) ### [`v1.9.1`](https://togithub.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.1) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.9.0...v1.9.1) This is an un-finalized release. See the [CHANGELOG](./CHANGELOG.md) for details. </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.4.1`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.1) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1) #### What's Changed - Fix a verification issue when verifying npm's publish attestations - Low severity https://github.com/slsa-framework/slsa-verifier/security/advisories/GHSA-r2xv-vpr2-42m9. This part of the code remains experimental. #### New Contributors - [@trishankatdatadog](https://togithub.com/trishankatdatadog) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/702](https://togithub.com/slsa-framework/slsa-verifier/pull/702) Full Changelog: https://github.com/slsa-framework/slsa-verifier/compare/v2.4.0...v2.4.1 </details> --- ### Configuration 📅 Schedule: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2MS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2024-03-22 00:59:31 -07:00
Ramon Petgrave	74119b2a7f	fix(deps): update go to 1.21 (#738 ) Fixing the existing PR https://github.com/slsa-framework/slsa-verifier/pull/498 to also change the github actions to use the go 1.21 sourced directly from `go.mod`. - `07e64b653f/.github/workflows/builder_go_slsa3.yml (L56)` - https://github.com/actions/setup-go?tab=readme-ov-file#getting-go-version-from-the-gomod-file - https://github.com/slsa-framework/slsa-verifier/actions/runs/7559933600/job/20584856777?pr=498 > ... Error: We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.15.5/x64/codeql/go/tools/autobuild.sh". Exit code was 1 and error was: 2024/01/17 18:06:58 Autobuilder was built with go1.21.5, environment has go1.20.12 ... Also fixing some more lint checks about repeated strings --------- Signed-off-by: Mend Renovate <bot@renovateapp.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Co-authored-by: Mend Renovate <bot@renovateapp.com>	2024-01-24 09:29:20 -08:00
Mend Renovate	b72da83344	chore(deps): update github-actions (#695 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/checkout](https://togithub.com/actions/checkout) \| action \| minor \| `v3.5.3` -> `v3.6.0` \| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| minor \| `v3.0.7` -> `v3.1.0` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| patch \| `v3.8.0` -> `v3.8.1` \| \| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) \| action \| patch \| `v3.1.2` -> `v3.1.3` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.21.4` -> `v2.22.1` \| \| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) \| action \| minor \| `v2.2.0` -> `v2.3.0` \| \| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) \| action \| minor \| `v1.8.0` -> `v1.9.0` \| \| [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) \| action \| minor \| `v2.3.0` -> `v2.4.0` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. #### What's Changed - Fix(docs): Correct action input name by [@oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) #### New Contributors - [@oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. #### New Contributors - [@sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.0.8 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library. Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.8.1 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313) - Bump [@actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436) Full Changelog: https://github.com/actions/upload-artifact/compare/v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0 </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) Release \[v1.9.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0). ##### v1.9.0: BYOB framework (beta) - New: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders. ##### v1.9.0: Maven builder (beta) - New: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central. ##### v1.9.0: Gradle builder (beta) - New: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central. ##### v1.9.0: JReleaser builder - New: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java). </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0) #### Summary Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0 #### What's Changed - chore: Update SHA256SUM.md for v2.3.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592) - docs: Make npm package version and name non-optional by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591) - docs: npm provenance verification from GitHub runner by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595) - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v18.16.9 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597) - chore(deps): update dependency jasmine to v5 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598) - feat: BYOB verification support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604) - feat: Support for v1.0 verification in BYOB by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609) - feat: Use env variable to retrieve trigger workflow by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615) - test: Add test data for v1.6.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612) - fix: Verify the TRW tag is a semver tag by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619) - chore: Don't be verbose with tests locally by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620) - fix: use ExternalParameters\["source"] for the Source URI for SLSA v1.0 provenance by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621) - test: re-generate container-based tests by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627) - fix: revert to using resolvedDepdendencies for source verification by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629) - refactor: Provenance tests by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628) - fix(deps): update module github.com/sigstore/rekor to v1.2.0 \[security] by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622) - fix: only allow hashes of 256 bits or more by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633) - fix: builder ID verification for testing by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635) - feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634) - chore: update toc in README.md by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636) - fix: allow workflow_dispatch to trigger release.yml by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637) - test: add tests for v1.7.0 builders by [@asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567) - fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606) - chore(deps): update npm dev by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608) - chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583) - feat: Verify provenance by build type by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632) - refactor: Use Go 1.20 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643) - test: Add more ProvenanceFromEnvelope tests by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640) - fix: pre-submit: e2e-cli.sh artifact download by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646) - refactor: Add more git utils by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645) - refactor: Use full builder id by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648) - feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651) - feat: move maven-plugin from slsa-github-generator by [@AdamKorcz](https://togithub.com/AdamKorcz) in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - docs: Fix maven-plugin README by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671) - feat: Verification for when sha1 is specified in BYOB TRW by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641) - docs: Add example for maven verification plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676) - chore: Add Kris to codeowners by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678) - feat: Print byob builder by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677) - test: Add test data for v1.8.0 by [@ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666) - feat: Non-compulsory BuilderID for BYOB Builders by [@enteraga6](https://togithub.com/enteraga6) in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) - chore(deps): update golang docker tag to v1.21 by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687) - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686) - feat: GCB refactor for v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682) - feat: Allow byob builders ref at main for e2e tests by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689) - feat: Update doc and code for Maven plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680) - feat: gcb v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691) - feat: v1.9.0 regression tests by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696) - fix: release failure by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697) #### New Contributors - [@AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - [@enteraga6](https://togithub.com/enteraga6) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) Full Changelog: https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0 </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>	2023-12-01 22:18:37 +00:00
Mend Renovate	b9a0e6babf	chore(deps): update github-actions (#686 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) \| action \| patch \| `v3.0.6` -> `v3.0.7` \| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| minor \| `v3.7.0` -> `v3.8.0` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| patch \| `v2.21.3` -> `v2.21.4` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.0.7`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.7): 3.0.7 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.6...v3.0.7) #### What's Changed - Make GHES support / setup more clear by [@rajbos](https://togithub.com/rajbos) in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534) - Add an option to deny packages or groups of packages by [@adrienpessu](https://togithub.com/adrienpessu) in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544) #### New Contributors - [@rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/actions/dependency-review-action/pull/534](https://togithub.com/actions/dependency-review-action/pull/534) - [@adrienpessu](https://togithub.com/adrienpessu) made their first contribution in [https://github.com/actions/dependency-review-action/pull/544](https://togithub.com/actions/dependency-review-action/pull/544) Full Changelog: https://github.com/actions/dependency-review-action/compare/v3...v3.0.7 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.0`](https://togithub.com/actions/setup-node/releases/tag/v3.8.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.7.0...v3.8.0) #### What's Changed ##### Bug fixes: - Add check for existing paths by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/803](https://togithub.com/actions/setup-node/pull/803) - Resolve SymbolicLink by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/809](https://togithub.com/actions/setup-node/pull/809) - Change passing logic for cache input by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/816](https://togithub.com/actions/setup-node/pull/816) - Fix armv7 cache issue by [@louislam](https://togithub.com/louislam) in [https://github.com/actions/setup-node/pull/794](https://togithub.com/actions/setup-node/pull/794) - Update check-dist workflow name by [@sinchang](https://togithub.com/sinchang) in [https://github.com/actions/setup-node/pull/710](https://togithub.com/actions/setup-node/pull/710) ##### Feature implementations: - feat: handling the case where "node" is used for tool-versions file. by [@xytis](https://togithub.com/xytis) in [https://github.com/actions/setup-node/pull/812](https://togithub.com/actions/setup-node/pull/812) ##### Documentation changes: - Refer to semver package name in README.md by [@olleolleolle](https://togithub.com/olleolleolle) in [https://github.com/actions/setup-node/pull/808](https://togithub.com/actions/setup-node/pull/808) ##### Update dependencies: - Update toolkit cache to fix zstd by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/804](https://togithub.com/actions/setup-node/pull/804) - Bump tough-cookie and [@azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/802](https://togithub.com/actions/setup-node/pull/802) - Bump semver from 6.1.2 to 6.3.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/807](https://togithub.com/actions/setup-node/pull/807) - Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/815](https://togithub.com/actions/setup-node/pull/815) #### New Contributors - [@olleolleolle](https://togithub.com/olleolleolle) made their first contribution in [https://github.com/actions/setup-node/pull/808](https://togithub.com/actions/setup-node/pull/808) - [@louislam](https://togithub.com/louislam) made their first contribution in [https://github.com/actions/setup-node/pull/794](https://togithub.com/actions/setup-node/pull/794) - [@sinchang](https://togithub.com/sinchang) made their first contribution in [https://github.com/actions/setup-node/pull/710](https://togithub.com/actions/setup-node/pull/710) - [@xytis](https://togithub.com/xytis) made their first contribution in [https://github.com/actions/setup-node/pull/812](https://togithub.com/actions/setup-node/pull/812) Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.8.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40MC4zIiwidXBkYXRlZEluVmVyIjoiMzYuNDAuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2023-08-14 22:44:36 +00:00
Mend Renovate	57e3f65b43	chore(deps): update github-actions (#666 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/setup-go](https://togithub.com/actions/setup-go) \| action \| minor \| `v4.0.1` -> `v4.1.0` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.20.4` -> `v2.21.3` \| \| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) \| action \| minor \| `v1.7.0` -> `v1.8.0` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v4.1.0`](https://togithub.com/actions/setup-go/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/setup-go/compare/v4.0.1...v4.1.0) ##### What's Changed In scope of this release, slow installation on Windows was fixed by [@dsame](https://togithub.com/dsame) in [https://github.com/actions/setup-go/pull/393](https://togithub.com/actions/setup-go/pull/393) and OS version was added to `primaryKey` for Ubuntu runners to avoid conflicts ([https://github.com/actions/setup-go/pull/383](https://togithub.com/actions/setup-go/pull/383)) This release also includes the following changes: - Remove implicit dependencies by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-go/pull/378](https://togithub.com/actions/setup-go/pull/378) - Update action.yml by [@mkelly](https://togithub.com/mkelly) in [https://github.com/actions/setup-go/pull/379](https://togithub.com/actions/setup-go/pull/379) - Added a description that go-version should be specified as a string type by [@n3xem](https://togithub.com/n3xem) in [https://github.com/actions/setup-go/pull/367](https://togithub.com/actions/setup-go/pull/367) - Add note about YAML parsing versions by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-go/pull/382](https://togithub.com/actions/setup-go/pull/382) - Automatic update of configuration files from 05/23/2023 by [@github-actions](https://togithub.com/github-actions) in [https://github.com/actions/setup-go/pull/377](https://togithub.com/actions/setup-go/pull/377) - Bump tough-cookie and [@azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/392](https://togithub.com/actions/setup-go/pull/392) - Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/397](https://togithub.com/actions/setup-go/pull/397) - Bump semver from 6.3.0 to 6.3.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/396](https://togithub.com/actions/setup-go/pull/396) ##### New Contributors - [@mkelly](https://togithub.com/mkelly) made their first contribution in [https://github.com/actions/setup-go/pull/379](https://togithub.com/actions/setup-go/pull/379) - [@n3xem](https://togithub.com/n3xem) made their first contribution in [https://github.com/actions/setup-go/pull/367](https://togithub.com/actions/setup-go/pull/367) Full Changelog: https://github.com/actions/setup-go/compare/v4...v4.1.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) ### [`v2.21.2`](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2) ### [`v2.21.1`](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1) ### [`v2.21.0`](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0) </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.8.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v180) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0) Release \[v1.8.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.7.0...v1.8.0). ##### v1.8.0: Generic Generator - Added: A new [`base64-subjects-as-file`](https://togithub.com/slsa-framework/slsa-github-generator/blob/v1.8.0/internal/builders/generic/README.md#workflow-inputs) was added to allow for specifying a large subject list. ##### v1.8.0: Node.js Builder (beta) - Fixed: Publishing for non-scoped packages was fixed (See [#2359](https://togithub.com/slsa-framework/slsa-github-generator/issues/2359)) - Fixed: Documentation was updated to clarify that the GitHub Actions `deployment` event is not supported. - Changed: The file extension for the generated provenance file was changed from `.sigstore` to `.build.slsa` in order to make it easier to identify provenance files regardless of file format. - Fixed: The publish action was fixed to address an issue with the package name when using Node 16. </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4xMS4wIiwidXBkYXRlZEluVmVyIjoiMzYuMjcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2023-08-09 08:24:24 +09:00
Mend Renovate	59f6ba3e00	chore(deps): update github-actions (#651 ) [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [actions/setup-node](https://togithub.com/actions/setup-node) \| action \| minor \| `v3.6.0` -> `v3.7.0` \| \| [github/codeql-action](https://togithub.com/github/codeql-action) \| action \| minor \| `v2.3.6` -> `v2.20.4` \| \| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) \| action \| minor \| `v2.1.3` -> `v2.2.0` \| --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0) ##### What's Changed In scope of this release we added a logic to save an additional cache path for yarn 3 ([related pull request](https://togithub.com/actions/setup-node/pull/744) and [feature request](https://togithub.com/actions/setup-node/issues/325)). Moreover, we added functionality to use all the sub directories derived from `cache-dependency-path` input and add detect all dependencies directories to cache (related [pull request](https://togithub.com/actions/setup-node/pull/735) and [feature request](https://togithub.com/actions/setup-node/issues/488)). ##### Besides, we made such changes as: - Replace workflow badge with new badge by [@jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - Fix a minor typo by [@phanan](https://togithub.com/phanan) in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - docs: fix typo in advanced-usage.md by [@remarkablemark](https://togithub.com/remarkablemark) in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by [@domdomegg](https://togithub.com/domdomegg) in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - Update to node 18.x by [@feelepxyz](https://togithub.com/feelepxyz) in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - Remove implicit dependencies by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - Fix description about ensuring workflow access to private package by [@x86chi](https://togithub.com/x86chi) in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) ##### New Contributors - [@jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - [@phanan](https://togithub.com/phanan) made their first contribution in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - [@remarkablemark](https://togithub.com/remarkablemark) made their first contribution in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - [@domdomegg](https://togithub.com/domdomegg) made their first contribution in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - [@feelepxyz](https://togithub.com/feelepxyz) made their first contribution in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) made their first contribution in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - [@x86chi](https://togithub.com/x86chi) made their first contribution in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) Full Changelog: https://github.com/actions/setup-node/compare/v3...v3.7.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.20.4`](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) ### [`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) ### [`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) ### [`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) ### [`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192) #### Scorecard Result Viewer Thanks to contributions from [@cynthia-sg](https://togithub.com/cynthia-sg) and [@tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406) - [https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422) As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](`08b4669551/README.md (scorecard-badge)`) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](`08b4669551/README.md (workflow-restrictions)`) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156), resolved [https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150)) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191)) #### Docs - 📖 Update README to accept fine-grained tokens by [@pnacht](https://togithub.com/pnacht) in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) - 📖 Update installation instructions to match current GitHub UI by [@joycebrum](https://togithub.com/joycebrum) in [https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153) - 📖 Document the GitHub action workflow restrictions when publishing results. by [@spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140) - [@pnacht](https://togithub.com/pnacht) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0 </details> --- ### Configuration 📅 Schedule: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 Immortal: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>	2023-07-18 10:51:23 +09:00
Mend Renovate	3ee6cee147	chore(deps): update github-actions (#607 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-06-12 09:44:31 +09:00
Mend Renovate	8da58c6c6d	chore(deps): update github/codeql-action action to v2.3.3 (#585 ) Signed-off-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: asraa <asraa@google.com>	2023-05-08 16:30:17 +00:00
Mend Renovate	515b41ca3f	chore(deps): update github/codeql-action action to v2.3.2 (#569 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-05-01 09:48:55 +09:00
Mend Renovate	e1ea1da472	chore(deps): update github-actions (#560 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-04-18 10:52:54 +09:00
Mend Renovate	9c3152fe9f	chore(deps): update github-actions (#544 ) Signed-off-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-04-11 02:09:29 +00:00
Mend Renovate	ed7976a0d4	chore(deps): update github-actions (#529 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-03-24 14:36:38 +00:00
Mend Renovate	9f57e6add9	chore(deps): update github-actions (#502 ) Signed-off-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: Ian Lewis <ianlewis@google.com>	2023-03-06 00:48:50 +00:00
Mend Renovate	13b4c3e75b	chore(deps): update github/codeql-action action to v2.2.4 (#480 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-02-13 14:36:07 +00:00
Mend Renovate	9578b3838e	chore(deps): update github-actions (#460 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-01-30 05:33:14 -08:00
Mend Renovate	5eea7c5537	chore(deps): update github/codeql-action action to v2.1.39 (#452 ) Signed-off-by: Renovate Bot <bot@renovateapp.com> Signed-off-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: asraa <asraa@google.com>	2023-01-25 15:59:45 +00:00
Mend Renovate	71e72f0a1f	chore(deps): update github/codeql-action action to v2.1.38 (#444 ) Signed-off-by: Renovate Bot <bot@renovateapp.com>	2023-01-16 10:37:41 +09:00
Ian Lewis	1da39d7e06	ci: Add javascript to CodeQL analysis (#413 ) Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com>	2023-01-11 10:21:11 -06:00
Mend Renovate	b06fbf5b04	chore(deps): update github-actions (#436 ) * chore(deps): update github-actions Signed-off-by: Renovate Bot <bot@renovateapp.com> * Use tag for actions/upload-artifact Signed-off-by: Renovate Bot <bot@renovateapp.com> Co-authored-by: asraa <asraa@google.com>	2023-01-09 15:28:47 +00:00
Mend Renovate	b40d88c1e7	chore(deps): update github-actions (#384 ) Co-authored-by: Ian Lewis <ianlewis@google.com>	2022-12-15 01:59:36 +00:00
Mend Renovate	0ef57a2b08	chore(deps): update github-actions (#359 ) * chore(deps): update github-actions * Update release.yml Co-authored-by: asraa <asraa@google.com>	2022-11-28 18:02:24 +00:00
Ian Lewis	28b554f525	Add golangci-lint and yamllint (#365 ) * Add Makefile and yamllint config Signed-off-by: Ian Lewis <ianmlewis@gmail.com> * Add golangci-lint config Signed-off-by: Ian Lewis <ianmlewis@gmail.com> * Add golangci-lint config Signed-off-by: Ian Lewis <ianmlewis@gmail.com> * add linters to pre-submit Signed-off-by: Ian Lewis <ianmlewis@gmail.com> * add issue link to todos Signed-off-by: Ian Lewis <ianmlewis@gmail.com> * Fix whitespace issue Signed-off-by: Ian Lewis <ianmlewis@gmail.com> Signed-off-by: Ian Lewis <ianmlewis@gmail.com>	2022-11-28 10:19:59 +09:00
Mend Renovate	6cd5d4ac68	chore(deps): update github-actions (#351 ) Co-authored-by: Ian Lewis <ianlewis@google.com>	2022-11-14 22:55:08 +00:00
WhiteSource Renovate	1dfd8ba693	chore(deps): update github-actions (#342 )	2022-10-31 18:13:42 +00:00
WhiteSource Renovate	b7b67c6740	chore(deps): update github-actions (#295 )	2022-10-12 09:15:59 -05:00
WhiteSource Renovate	35fd91f381	chore(deps): update github-actions (#284 )	2022-10-03 09:46:34 +09:00
WhiteSource Renovate	3ee3cca59d	chore(deps): update github-actions (#274 ) Co-authored-by: asraa <asraa@google.com>	2022-09-26 11:22:46 +00:00
WhiteSource Renovate	aa75f1b7bb	chore(deps): update github/codeql-action action to v2.1.24 (#262 )	2022-09-21 16:48:34 +00:00
WhiteSource Renovate	a040702c4e	chore(deps): update github/codeql-action action to v2.1.22 (#249 )	2022-09-06 08:40:16 -05:00
WhiteSource Renovate	2adefa0e01	chore(deps): update github-actions (#240 ) Co-authored-by: asraa <asraa@google.com>	2022-09-02 16:01:16 +00:00
WhiteSource Renovate	ab70a51d20	chore(deps): update github-actions (#222 )	2022-08-22 14:47:52 -07:00
WhiteSource Renovate	691fbbe75b	chore(deps): update github/codeql-action action to v2.1.18 (#195 ) Co-authored-by: asraa <asraa@google.com>	2022-08-08 16:51:08 +00:00
WhiteSource Renovate	ab278de311	chore(deps): update github-actions (#175 ) Co-authored-by: asraa <asraa@google.com>	2022-08-02 19:28:36 +00:00
WhiteSource Renovate	6dc5a273c7	chore(deps): update github-actions (#165 )	2022-07-25 20:31:40 +00:00
laurentsimon	05def419b2	update (#170 )	2022-07-25 20:14:00 +00:00
laurentsimon	6a2f070bf8	feat: Group GHA removatebot updates (#153 ) * update * update	2022-07-18 16:32:46 +00:00
dependabot[bot]	54a8196e78	🌱 Bump github/codeql-action from 1 to 2 (#39 ) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1 to 2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/v1...v2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2022-04-27 17:44:31 -07:00
dependabot[bot]	32e4468647	🌱 Bump actions/checkout from 2 to 3 (#15 ) * 🌱 Bump actions/checkout from 2 to 3 Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * update version comment Signed-off-by: Asra Ali <asraa@google.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Asra Ali <asraa@google.com>	2022-03-31 11:37:16 -05:00
Joshua Lock	25528e0083	fix(codeql): fix branch wildcard (#11 ) * is a special character in YAML, so we must use quotes https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#filter-pattern-cheat-sheet Signed-off-by: Joshua Lock <jlock@vmware.com>	2022-03-29 18:02:06 +01:00
laurentsimon	6cdcbf9a66	Transffer from github.com/gossts/slsa-provenance (#1 )	2022-03-28 08:46:38 -07:00

42 Commits