mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-06 00:26:39 +00:00
417bde6e6f
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.1.0` -> `v5.3.0` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.4.3` -> `v4.6.0` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.27.6` -> `v3.28.1` | | [golangci/golangci-lint-action](https://redirect.github.com/golangci/golangci-lint-action) | action | minor | `v6.1.1` -> `v6.2.0` | --- ### Release Notes <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.3.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.3.0) [Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.2.0...v5.3.0) ##### What's Changed - Use the new cache service: upgrade `@actions/cache` to `^4.0.0` by [@​Link-](https://redirect.github.com/Link-) in [https://github.com/actions/setup-go/pull/531](https://redirect.github.com/actions/setup-go/pull/531) - Configure Dependabot settings by [@​HarithaVattikuti](https://redirect.github.com/HarithaVattikuti) in [https://github.com/actions/setup-go/pull/530](https://redirect.github.com/actions/setup-go/pull/530) - Document update - permission section by [@​HarithaVattikuti](https://redirect.github.com/HarithaVattikuti) in [https://github.com/actions/setup-go/pull/533](https://redirect.github.com/actions/setup-go/pull/533) - Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/setup-go/pull/534](https://redirect.github.com/actions/setup-go/pull/534) ##### New Contributors - [@​Link-](https://redirect.github.com/Link-) made their first contribution in [https://github.com/actions/setup-go/pull/531](https://redirect.github.com/actions/setup-go/pull/531) **Full Changelog**: https://github.com/actions/setup-go/compare/v5...v5.3.0 ### [`v5.2.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.2.0) [Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.1.0...v5.2.0) #### What's Changed - Leveraging the raw API to retrieve the version-manifest, as it does not impose a rate limit and hence facilitates unrestricted consumption without the need for a token for Github Enterprise Servers by [@​Shegox](https://redirect.github.com/Shegox) in [https://github.com/actions/setup-go/pull/496](https://redirect.github.com/actions/setup-go/pull/496) #### New Contributors - [@​Shegox](https://redirect.github.com/Shegox) made their first contribution in [https://github.com/actions/setup-go/pull/496](https://redirect.github.com/actions/setup-go/pull/496) **Full Changelog**: https://github.com/actions/setup-go/compare/v5...v5.2.0 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.6.0`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.6.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.5.0...v4.6.0) #### What's Changed - Expose env vars to control concurrency and timeout by [@​yacaovsnc](https://redirect.github.com/yacaovsnc) in [https://github.com/actions/upload-artifact/pull/662](https://redirect.github.com/actions/upload-artifact/pull/662) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v4...v4.6.0 ### [`v4.5.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.4.3...v4.5.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.3...v4.5.0) </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.28.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.28.0...v3.28.1) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 3.28.1 - 10 Jan 2025 - CodeQL Action v2 is now deprecated, and is no longer updated or supported. For better performance, improved security, and new features, upgrade to v3. For more information, see [this changelog post](https://github.blog/changelog/2025-01-10-code-scanning-codeql-action-v2-is-now-deprecated/). [#​2677](https://redirect.github.com/github/codeql-action/pull/2677) - Update default CodeQL bundle version to 2.20.1. [#​2678](https://redirect.github.com/github/codeql-action/pull/2678) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.1/CHANGELOG.md) for more information. ### [`v3.28.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.9...v3.28.0) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.28.0 - 20 Dec 2024 - Bump the minimum CodeQL bundle version to 2.15.5. [#​2655](https://redirect.github.com/github/codeql-action/pull/2655) - Don't fail in the unusual case that a file is on the search path. [#​2660](https://redirect.github.com/github/codeql-action/pull/2660). See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.0/CHANGELOG.md) for more information. ### [`v3.27.9`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.9) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.8...v3.27.9) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.9 - 12 Dec 2024 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.9/CHANGELOG.md) for more information. ### [`v3.27.8`](https://redirect.github.com/github/codeql-action/compare/v3.27.7...v3.27.8) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.7...v3.27.8) ### [`v3.27.7`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.7) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.6...v3.27.7) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.7 - 10 Dec 2024 - We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. [#​2631](https://redirect.github.com/github/codeql-action/pull/2631) - Update default CodeQL bundle version to 2.20.0. [#​2636](https://redirect.github.com/github/codeql-action/pull/2636) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.7/CHANGELOG.md) for more information. </details> <details> <summary>golangci/golangci-lint-action (golangci/golangci-lint-action)</summary> ### [`v6.2.0`](https://redirect.github.com/golangci/golangci-lint-action/releases/tag/v6.2.0) [Compare Source](https://redirect.github.com/golangci/golangci-lint-action/compare/v6.1.1...v6.2.0) <!-- Release notes generated using configuration in .github/release.yml at v6.2.0 --> #### What's Changed ##### Changes - chore: use new build tag syntax by [@​alexandear](https://redirect.github.com/alexandear) in [https://github.com/golangci/golangci-lint-action/pull/1133](https://redirect.github.com/golangci/golangci-lint-action/pull/1133) - feat: support linux arm64 public preview by [@​ldez](https://redirect.github.com/ldez) in [https://github.com/golangci/golangci-lint-action/pull/1144](https://redirect.github.com/golangci/golangci-lint-action/pull/1144) ##### Documentation - docs: update local development instructions by [@​dmitris](https://redirect.github.com/dmitris) in [https://github.com/golangci/golangci-lint-action/pull/1125](https://redirect.github.com/golangci/golangci-lint-action/pull/1125) ##### Dependencies - build(deps-dev): bump the dev-dependencies group with 3 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1112](https://redirect.github.com/golangci/golangci-lint-action/pull/1112) - build(deps): bump the dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1113](https://redirect.github.com/golangci/golangci-lint-action/pull/1113) - build(deps-dev): bump the dev-dependencies group with 3 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1114](https://redirect.github.com/golangci/golangci-lint-action/pull/1114) - build(deps): bump [@​types/node](https://redirect.github.com/types/node) from 22.7.4 to 22.7.5 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1115](https://redirect.github.com/golangci/golangci-lint-action/pull/1115) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1117](https://redirect.github.com/golangci/golangci-lint-action/pull/1117) - build(deps): bump [@​types/node](https://redirect.github.com/types/node) from 22.7.5 to 22.7.7 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1118](https://redirect.github.com/golangci/golangci-lint-action/pull/1118) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1119](https://redirect.github.com/golangci/golangci-lint-action/pull/1119) - build(deps): bump [@​types/node](https://redirect.github.com/types/node) from 22.7.7 to 22.8.1 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1120](https://redirect.github.com/golangci/golangci-lint-action/pull/1120) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1122](https://redirect.github.com/golangci/golangci-lint-action/pull/1122) - build(deps): bump the dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1123](https://redirect.github.com/golangci/golangci-lint-action/pull/1123) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1126](https://redirect.github.com/golangci/golangci-lint-action/pull/1126) - build(deps): bump [@​types/node](https://redirect.github.com/types/node) from 22.8.7 to 22.9.0 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1127](https://redirect.github.com/golangci/golangci-lint-action/pull/1127) - build(deps-dev): bump the dev-dependencies group with 3 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1128](https://redirect.github.com/golangci/golangci-lint-action/pull/1128) - build(deps): bump [@​types/node](https://redirect.github.com/types/node) from 22.9.0 to 22.9.3 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1130](https://redirect.github.com/golangci/golangci-lint-action/pull/1130) - build(deps): bump [@​types/node](https://redirect.github.com/types/node) from 22.9.3 to 22.10.1 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1131](https://redirect.github.com/golangci/golangci-lint-action/pull/1131) - build(deps-dev): bump the dev-dependencies group across 1 directory with 4 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1132](https://redirect.github.com/golangci/golangci-lint-action/pull/1132) - build(deps-dev): bump the dev-dependencies group with 3 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1134](https://redirect.github.com/golangci/golangci-lint-action/pull/1134) - build(deps): bump [@​actions/cache](https://redirect.github.com/actions/cache) from 3.3.0 to 4.0.0 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1135](https://redirect.github.com/golangci/golangci-lint-action/pull/1135) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1136](https://redirect.github.com/golangci/golangci-lint-action/pull/1136) - build(deps): bump [@​types/node](https://redirect.github.com/types/node) from 22.10.1 to 22.10.2 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1137](https://redirect.github.com/golangci/golangci-lint-action/pull/1137) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1138](https://redirect.github.com/golangci/golangci-lint-action/pull/1138) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1139](https://redirect.github.com/golangci/golangci-lint-action/pull/1139) - build(deps-dev): bump the dev-dependencies group with 2 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1141](https://redirect.github.com/golangci/golangci-lint-action/pull/1141) - build(deps): bump [@​types/node](https://redirect.github.com/types/node) from 22.10.2 to 22.10.5 in the dependencies group by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1142](https://redirect.github.com/golangci/golangci-lint-action/pull/1142) - build(deps-dev): bump the dev-dependencies group with 3 updates by [@​dependabot](https://redirect.github.com/dependabot) in [https://github.com/golangci/golangci-lint-action/pull/1143](https://redirect.github.com/golangci/golangci-lint-action/pull/1143) #### New Contributors - [@​dmitris](https://redirect.github.com/dmitris) made their first contribution in [https://github.com/golangci/golangci-lint-action/pull/1125](https://redirect.github.com/golangci/golangci-lint-action/pull/1125) - [@​alexandear](https://redirect.github.com/alexandear) made their first contribution in [https://github.com/golangci/golangci-lint-action/pull/1133](https://redirect.github.com/golangci/golangci-lint-action/pull/1133) **Full Changelog**: https://github.com/golangci/golangci-lint-action/compare/v6.1.1...v6.2.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS44NS4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTA3LjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
80 lines
2.9 KiB
YAML
80 lines
2.9 KiB
YAML
# For most projects, this workflow file will not need changing; you simply need
|
|
# to commit it to your repository.
|
|
#
|
|
# You may wish to alter this file to override the set of languages analyzed,
|
|
# or to provide custom queries or build logic.
|
|
#
|
|
# ******** NOTE ********
|
|
# We have attempted to detect the languages in your repository. Please check
|
|
# the `language` matrix defined below to confirm you have the correct set of
|
|
# supported CodeQL languages.
|
|
#
|
|
name: "CodeQL"
|
|
|
|
on:
|
|
push:
|
|
branches: [main, "*"]
|
|
pull_request:
|
|
# The branches below must be a subset of the branches above
|
|
branches: [main]
|
|
schedule:
|
|
- cron: "30 0 * * 2"
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
security-events: write
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
language: ["go", "javascript"]
|
|
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
|
|
# Learn more about CodeQL language support at https://git.io/codeql-language-support
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
|
|
|
|
# TODO(#740): Workaround for go1.21 compatibility. Remove when GHA runners have Go 1.21+.
|
|
- name: setup-go
|
|
uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
|
|
with:
|
|
go-version-file: "go.mod"
|
|
# not needed but gets rid of warnings
|
|
cache: false
|
|
|
|
# Initializes the CodeQL tools for scanning.
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
# If you wish to specify custom queries, you can do so here or in a config file.
|
|
# By default, queries listed here will override any specified in a config file.
|
|
# Prefix the list here with "+" to use these queries and those in the config file.
|
|
# queries: ./path/to/local/query, your-org/your-repo/queries@main
|
|
|
|
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
|
# If this step fails, then you should remove it and run the build manually (see below)
|
|
- name: Autobuild
|
|
uses: github/codeql-action/autobuild@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
|
|
# Command-line programs to run using the OS shell.
|
|
# 📚 https://git.io/JvXDl
|
|
|
|
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
|
|
# and modify them (or add more) to build your code if your project
|
|
# uses a compiled language
|
|
|
|
# - run: |
|
|
# make bootstrap
|
|
# make release
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@b6a472f63d85b9c78a3ac5e89422239fc15e9b3c # v3.28.1
|