From b72da83344a90ddc276e19b8bceae876eab379a6 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Fri, 1 Dec 2023 23:18:37 +0100 Subject: [PATCH] chore(deps): update github-actions (#695) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` | | [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes
actions/checkout (actions/checkout) ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579)
actions/dependency-review-action (actions/dependency-review-action) ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. #### What's Changed - Fix(docs): Correct action input name by [@​oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) #### New Contributors - [@​oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@​sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. #### New Contributors - [@​sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) **Full Changelog**: https://github.com/actions/dependency-review-action/compare/v3...v3.0.8
actions/setup-node (actions/setup-node) ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library. **Full Changelog**: https://github.com/actions/setup-node/compare/v3...v3.8.1
actions/upload-artifact (actions/upload-artifact) ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@​ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313) - Bump [@​actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v3...v3.1.3
github/codeql-action (github/codeql-action) ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)
ossf/scorecard-action (ossf/scorecard-action) ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - :seedling: Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - :sparkles: Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - :bug: Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - :book: Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - :book: Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - :book: Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - :book: Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0
slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator) ### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) Release \[v1.9.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0). ##### v1.9.0: BYOB framework (beta) - **New**: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders. ##### v1.9.0: Maven builder (beta) - **New**: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central. ##### v1.9.0: Gradle builder (beta) - **New**: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central. ##### v1.9.0: JReleaser builder - **New**: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java).
slsa-framework/slsa-verifier (slsa-framework/slsa-verifier) ### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0) #### Summary Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0 #### What's Changed - chore: Update SHA256SUM.md for v2.3.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592) - docs: Make npm package version and name non-optional by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591) - docs: npm provenance verification from GitHub runner by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595) - chore(deps): update dependency [@​types/node](https://togithub.com/types/node) to v18.16.9 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597) - chore(deps): update dependency jasmine to v5 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598) - feat: BYOB verification support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604) - feat: Support for v1.0 verification in BYOB by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609) - feat: Use env variable to retrieve trigger workflow by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615) - test: Add test data for v1.6.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612) - fix: Verify the TRW tag is a semver tag by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619) - chore: Don't be verbose with tests locally by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620) - fix: use ExternalParameters\["source"] for the Source URI for SLSA v1.0 provenance by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621) - test: re-generate container-based tests by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627) - fix: revert to using resolvedDepdendencies for source verification by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629) - refactor: Provenance tests by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628) - fix(deps): update module github.com/sigstore/rekor to v1.2.0 \[security] by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622) - fix: only allow hashes of 256 bits or more by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633) - fix: builder ID verification for testing by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635) - feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634) - chore: update toc in README.md by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636) - fix: allow workflow_dispatch to trigger release.yml by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637) - test: add tests for v1.7.0 builders by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567) - fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606) - chore(deps): update npm dev by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608) - chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583) - feat: Verify provenance by build type by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632) - refactor: Use Go 1.20 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643) - test: Add more ProvenanceFromEnvelope tests by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640) - fix: pre-submit: e2e-cli.sh artifact download by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646) - refactor: Add more git utils by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645) - refactor: Use full builder id by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648) - feat: Use tags `vX.Y.Z-` for JReleaser builders by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651) - feat: move maven-plugin from slsa-github-generator by [@​AdamKorcz](https://togithub.com/AdamKorcz) in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - docs: Fix maven-plugin README by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671) - feat: Verification for when sha1 is specified in BYOB TRW by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641) - docs: Add example for maven verification plugin by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676) - chore: Add Kris to codeowners by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678) - feat: Print byob builder by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677) - test: Add test data for v1.8.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666) - feat: Non-compulsory BuilderID for BYOB Builders by [@​enteraga6](https://togithub.com/enteraga6) in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) - chore(deps): update golang docker tag to v1.21 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686) - feat: GCB refactor for v1.0 support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682) - feat: Allow byob builders ref at main for e2e tests by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689) - feat: Update doc and code for Maven plugin by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680) - feat: gcb v1.0 support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691) - feat: v1.9.0 regression tests by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696) - fix: release failure by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697) #### New Contributors - [@​AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - [@​enteraga6](https://togithub.com/enteraga6) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) **Full Changelog**: https://github.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0
--- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). Signed-off-by: Mend Renovate Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- .github/workflows/codeql-analysis.yml | 8 ++++---- .github/workflows/depsreview.yml | 4 ++-- .github/workflows/e2e.schedule.cli.yml | 2 +- .github/workflows/e2e.schedule.installer.yml | 10 +++++----- .github/workflows/pre-submit.actions.yml | 6 +++--- .github/workflows/pre-submit.cli.yml | 4 ++-- .github/workflows/pre-submit.e2e.yml | 4 ++-- .github/workflows/pre-submit.lfs.yml | 2 +- .github/workflows/pre-submit.lint.yml | 6 +++--- .github/workflows/pre-submit.references.yml | 2 +- .github/workflows/release.yml | 10 +++++----- .github/workflows/scorecards.yml | 8 ++++---- 12 files changed, 33 insertions(+), 33 deletions(-) diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 224cae3fb..6c3e987ed 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -40,11 +40,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/init@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -55,7 +55,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/autobuild@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 # Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -68,4 +68,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/analyze@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml index b314bd48a..58c36a2f2 100644 --- a/.github/workflows/depsreview.yml +++ b/.github/workflows/depsreview.yml @@ -9,6 +9,6 @@ jobs: runs-on: ubuntu-latest steps: - name: 'Checkout Repository' - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: 'Dependency Review' - uses: actions/dependency-review-action@7d90b4f05fea31dde1c4a1fb3fa787e197ea93ab # v3.0.7 + uses: actions/dependency-review-action@6c5ccdad469c9f8a2996bfecaec55a631a347034 # v3.1.0 diff --git a/.github/workflows/e2e.schedule.cli.yml b/.github/workflows/e2e.schedule.cli.yml index e1b57ba1d..6732f4858 100644 --- a/.github/workflows/e2e.schedule.cli.yml +++ b/.github/workflows/e2e.schedule.cli.yml @@ -28,7 +28,7 @@ jobs: ctned="true" fi echo "continue=$ctned" >> $GITHUB_OUTPUT - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 if: steps.name.outputs.continue == 'true' with: ref: main diff --git a/.github/workflows/e2e.schedule.installer.yml b/.github/workflows/e2e.schedule.installer.yml index 9124df803..7f93adefd 100644 --- a/.github/workflows/e2e.schedule.installer.yml +++ b/.github/workflows/e2e.schedule.installer.yml @@ -27,14 +27,14 @@ jobs: version: ${{ steps.generate-versions.outputs.version }} steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: # NOTE: the example-package needs to be checked out in the default workspace. repository: slsa-framework/example-package ref: main - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: path: __THIS_REPO__ @@ -77,7 +77,7 @@ jobs: - name: Checkout this repository # Skip release candidates unless specified explicitly. if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }} - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: ref: ${{ matrix.version }} @@ -196,7 +196,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: slsa-framework/example-package ref: main @@ -210,7 +210,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index fb4c518c7..702719bb7 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -11,10 +11,10 @@ jobs: check-dist: runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Set Node.js 16 - uses: actions/setup-node@bea5baf987ba7aa777a8a0b4ace377a21c45c381 # v3.8.0 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 16 @@ -34,7 +34,7 @@ jobs: fi # If index.js was different from expected, upload the expected version as an artifact - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist diff --git a/.github/workflows/pre-submit.cli.yml b/.github/workflows/pre-submit.cli.yml index 04d5c1df8..6767ae307 100644 --- a/.github/workflows/pre-submit.cli.yml +++ b/.github/workflows/pre-submit.cli.yml @@ -15,7 +15,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: setup-go uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 @@ -28,7 +28,7 @@ jobs: run: | echo "$EVENT_NAME" > ./event_name.txt - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: event_name path: ./event_name.txt diff --git a/.github/workflows/pre-submit.e2e.yml b/.github/workflows/pre-submit.e2e.yml index 9551b25c1..e4ba8e396 100644 --- a/.github/workflows/pre-submit.e2e.yml +++ b/.github/workflows/pre-submit.e2e.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: path: __THIS_REPO__ @@ -27,7 +27,7 @@ jobs: go build -o slsa-verifier ./cli/slsa-verifier - name: Checkout e2e verification script - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: path: __EXAMPLE_PACKAGE__ repository: slsa-framework/example-package diff --git a/.github/workflows/pre-submit.lfs.yml b/.github/workflows/pre-submit.lfs.yml index 6efc4060e..52f6158a1 100644 --- a/.github/workflows/pre-submit.lfs.yml +++ b/.github/workflows/pre-submit.lfs.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - uses: actionsdesk/lfs-warning@e5f9a4c21f4bee104db7c0f23954dde59e5df909 # v3.2 with: token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index da06ab044..4a650a9b6 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -10,7 +10,7 @@ jobs: golangci-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version-file: "go.mod" @@ -34,7 +34,7 @@ jobs: yamllint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - env: YAMLLINT_VERSION: "1.26.3" run: | @@ -49,7 +49,7 @@ jobs: eslint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - uses: actions/setup-node@v3 with: node-version: 16 diff --git a/.github/workflows/pre-submit.references.yml b/.github/workflows/pre-submit.references.yml index 4f3f7c1d1..9dd985625 100644 --- a/.github/workflows/pre-submit.references.yml +++ b/.github/workflows/pre-submit.references.yml @@ -13,7 +13,7 @@ jobs: env: BODY: ${{ github.event.pull_request.body }} steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 - name: Check documentation is up-to-date run: | diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5fc6005f4..9983e2513 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -26,7 +26,7 @@ jobs: version: ${{ steps.ldflags.outputs.version }} steps: - id: checkout - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 - id: ldflags @@ -49,7 +49,7 @@ jobs: actions: read # For the detection of GitHub Actions environment. id-token: write # For signing. contents: write # For asset uploads. - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.8.0 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.9.0 with: # TODO(2680): re-enable go-version-file # go-version-file: "go.mod" @@ -65,7 +65,7 @@ jobs: permissions: read-all steps: - name: Install the verifier - uses: slsa-framework/slsa-verifier/actions/installer@v2.3.0 + uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0 - name: Download assets env: @@ -100,7 +100,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: slsa-framework/example-package ref: main @@ -114,7 +114,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 9d4501345..980d39bf3 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -25,12 +25,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 with: results_file: results.sarif results_format: sarif @@ -49,7 +49,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif @@ -57,6 +57,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@a09933a12a80f87b87005513f0abb1494c27a716 # v2.21.4 + uses: github/codeql-action/upload-sarif@fdcae64e1484d349b3366718cdfef3d404390e85 # v2.22.1 with: sarif_file: results.sarif