mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-09 18:16:35 +00:00
59f6ba3e00
[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/setup-node](https://togithub.com/actions/setup-node) | action | minor | `v3.6.0` -> `v3.7.0` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.3.6` -> `v2.20.4` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.1.3` -> `v2.2.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0) ##### What's Changed In scope of this release we added a logic to save an additional cache path for yarn 3 ([related pull request](https://togithub.com/actions/setup-node/pull/744) and [feature request](https://togithub.com/actions/setup-node/issues/325)). Moreover, we added functionality to use all the sub directories derived from `cache-dependency-path` input and add detect all dependencies directories to cache (related [pull request](https://togithub.com/actions/setup-node/pull/735) and [feature request](https://togithub.com/actions/setup-node/issues/488)). ##### Besides, we made such changes as: - Replace workflow badge with new badge by [@​jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - Fix a minor typo by [@​phanan](https://togithub.com/phanan) in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - docs: fix typo in advanced-usage.md by [@​remarkablemark](https://togithub.com/remarkablemark) in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by [@​domdomegg](https://togithub.com/domdomegg) in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - Update to node 18.x by [@​feelepxyz](https://togithub.com/feelepxyz) in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - Remove implicit dependencies by [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - Fix description about ensuring workflow access to private package by [@​x86chi](https://togithub.com/x86chi) in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) ##### New Contributors - [@​jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - [@​phanan](https://togithub.com/phanan) made their first contribution in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - [@​remarkablemark](https://togithub.com/remarkablemark) made their first contribution in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - [@​domdomegg](https://togithub.com/domdomegg) made their first contribution in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - [@​feelepxyz](https://togithub.com/feelepxyz) made their first contribution in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii) made their first contribution in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - [@​x86chi](https://togithub.com/x86chi) made their first contribution in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) **Full Changelog**: https://github.com/actions/setup-node/compare/v3...v3.7.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.20.4`](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) ### [`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) ### [`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) ### [`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) ### [`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192) #### Scorecard Result Viewer Thanks to contributions from [@​cynthia-sg](https://togithub.com/cynthia-sg) and [@​tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406) - [https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422) As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](08b4669551/README.md (scorecard-badge)) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](08b4669551/README.md (workflow-restrictions)) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156), resolved [https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150)) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191)) #### Docs - 📖 Update README to accept fine-grained tokens by [@​pnacht](https://togithub.com/pnacht) in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) - 📖 Update installation instructions to match current GitHub UI by [@​joycebrum](https://togithub.com/joycebrum) in [https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153) - 📖 Document the GitHub action workflow restrictions when publishing results. by [@​spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@​bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140) - [@​pnacht](https://togithub.com/pnacht) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) **Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Signed-off-by: Mend Renovate <bot@renovateapp.com>
72 lines
2.5 KiB
YAML
72 lines
2.5 KiB
YAML
# For most projects, this workflow file will not need changing; you simply need
|
|
# to commit it to your repository.
|
|
#
|
|
# You may wish to alter this file to override the set of languages analyzed,
|
|
# or to provide custom queries or build logic.
|
|
#
|
|
# ******** NOTE ********
|
|
# We have attempted to detect the languages in your repository. Please check
|
|
# the `language` matrix defined below to confirm you have the correct set of
|
|
# supported CodeQL languages.
|
|
#
|
|
name: "CodeQL"
|
|
|
|
on:
|
|
push:
|
|
branches: [main, "*"]
|
|
pull_request:
|
|
# The branches below must be a subset of the branches above
|
|
branches: [main]
|
|
schedule:
|
|
- cron: "30 0 * * 2"
|
|
|
|
permissions: read-all
|
|
|
|
jobs:
|
|
analyze:
|
|
name: Analyze
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
actions: read
|
|
contents: read
|
|
security-events: write
|
|
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
language: ["go", "javascript"]
|
|
# CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
|
|
# Learn more about CodeQL language support at https://git.io/codeql-language-support
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
|
|
|
|
# Initializes the CodeQL tools for scanning.
|
|
- name: Initialize CodeQL
|
|
uses: github/codeql-action/init@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
|
|
with:
|
|
languages: ${{ matrix.language }}
|
|
# If you wish to specify custom queries, you can do so here or in a config file.
|
|
# By default, queries listed here will override any specified in a config file.
|
|
# Prefix the list here with "+" to use these queries and those in the config file.
|
|
# queries: ./path/to/local/query, your-org/your-repo/queries@main
|
|
|
|
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
|
# If this step fails, then you should remove it and run the build manually (see below)
|
|
- name: Autobuild
|
|
uses: github/codeql-action/autobuild@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
|
|
# Command-line programs to run using the OS shell.
|
|
# 📚 https://git.io/JvXDl
|
|
|
|
# ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
|
|
# and modify them (or add more) to build your code if your project
|
|
# uses a compiled language
|
|
|
|
# - run: |
|
|
# make bootstrap
|
|
# make release
|
|
|
|
- name: Perform CodeQL Analysis
|
|
uses: github/codeql-action/analyze@489225d82a57396c6f426a40e66d461b16b3461d # v2.20.4
|