From 5062dc566ccb042bdaa703240ac612f12e9a7b79 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 20 Sep 2024 08:54:46 -0600
Subject: [PATCH] chore(deps): update maru support dependencies (#128)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/create-github-app-token](https://redirect.github.com/actions/create-github-app-token)
| action | minor | `v1.10.3` -> `v1.11.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) |
action | patch | `v4.0.3` -> `v4.0.4` |
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | minor | `v4.3.4` -> `v4.4.0` |
| [anchore/sbom-action](https://redirect.github.com/anchore/sbom-action)
| action | minor | `v0.16.1` -> `v0.17.2` |
|
[docker/setup-buildx-action](https://redirect.github.com/docker/setup-buildx-action)
| action | minor | `v3.4.0` -> `n/a` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | minor | `v3.25.12` -> `v3.26.8` |
| morphy/revive-action | docker | digest | `087d4e6` -> `540bffd` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | minor | `v2.3.3` -> `v2.4.0` |
|
[sigstore/cosign-installer](https://redirect.github.com/sigstore/cosign-installer)
| action | minor | `v3.5.0` -> `n/a` |
| [zarf-dev/zarf](https://redirect.github.com/zarf-dev/zarf) | | minor |
`v0.39.0` -> `v0.40.1` |
---
### Release Notes
actions/create-github-app-token
(actions/create-github-app-token)
###
[`v1.11.0`](https://redirect.github.com/actions/create-github-app-token/releases/tag/v1.11.0)
[Compare
Source](https://redirect.github.com/actions/create-github-app-token/compare/v1.10.4...v1.11.0)
##### What's Changed
##### Features
- Allow repositories input to be comma or newline-separated by
[@peter-evans](https://redirect.github.com/peter-evans) in
[https://github.com/actions/create-github-app-token/pull/169](https://redirect.github.com/actions/create-github-app-token/pull/169)
##### New Contributors
- [@peter-evans](https://redirect.github.com/peter-evans) made
their first contribution in
[https://github.com/actions/create-github-app-token/pull/169](https://redirect.github.com/actions/create-github-app-token/pull/169)
**Full Changelog**:
https://github.com/actions/create-github-app-token/compare/v1.10.4...v1.11.0
###
[`v1.10.4`](https://redirect.github.com/actions/create-github-app-token/releases/tag/v1.10.4)
[Compare
Source](https://redirect.github.com/actions/create-github-app-token/compare/v1.10.3...v1.10.4)
##### Bug Fixes
- **deps:** bump the production-dependencies group across 1 directory
with 3 updates
([#166](https://redirect.github.com/actions/create-github-app-token/issues/166))
([e177c20](https://redirect.github.com/actions/create-github-app-token/commit/e177c20e0f736e68f4a37ffee6aa32c73da13988)),
closes
[#641](https://redirect.github.com/actions/create-github-app-token/issues/641)
[#641](https://redirect.github.com/actions/create-github-app-token/issues/641)
[#639](https://redirect.github.com/actions/create-github-app-token/issues/639)
[#638](https://redirect.github.com/actions/create-github-app-token/issues/638)
[#637](https://redirect.github.com/actions/create-github-app-token/issues/637)
[#636](https://redirect.github.com/actions/create-github-app-token/issues/636)
[#633](https://redirect.github.com/actions/create-github-app-token/issues/633)
[#632](https://redirect.github.com/actions/create-github-app-token/issues/632)
[#631](https://redirect.github.com/actions/create-github-app-token/issues/631)
[#630](https://redirect.github.com/actions/create-github-app-token/issues/630)
[#629](https://redirect.github.com/actions/create-github-app-token/issues/629)
[#714](https://redirect.github.com/actions/create-github-app-token/issues/714)
[#711](https://redirect.github.com/actions/create-github-app-token/issues/711)
[#714](https://redirect.github.com/actions/create-github-app-token/issues/714)
[#716](https://redirect.github.com/actions/create-github-app-token/issues/716)
[#711](https://redirect.github.com/actions/create-github-app-token/issues/711)
[#712](https://redirect.github.com/actions/create-github-app-token/issues/712)
[#710](https://redirect.github.com/actions/create-github-app-token/issues/710)
[#709](https://redirect.github.com/actions/create-github-app-token/issues/709)
[#708](https://redirect.github.com/actions/create-github-app-token/issues/708)
[#702](https://redirect.github.com/actions/create-github-app-token/issues/702)
[#706](https://redirect.github.com/actions/create-github-app-token/issues/706)
[#3458](https://redirect.github.com/actions/create-github-app-token/issues/3458)
[#3461](https://redirect.github.com/actions/create-github-app-token/issues/3461)
[#3460](https://redirect.github.com/actions/create-github-app-token/issues/3460)
[#3454](https://redirect.github.com/actions/create-github-app-token/issues/3454)
[#3450](https://redirect.github.com/actions/create-github-app-token/issues/3450)
[#3445](https://redirect.github.com/actions/create-github-app-token/issues/3445)
actions/setup-node (actions/setup-node)
###
[`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)
[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4)
actions/upload-artifact (actions/upload-artifact)
###
[`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)
[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0)
###
[`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)
[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6)
###
[`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)
[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)
anchore/sbom-action (anchore/sbom-action)
###
[`v0.17.2`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.2)
[Compare
Source](https://redirect.github.com/anchore/sbom-action/compare/v0.17.1...v0.17.2)
#### Changes in v0.17.2
- Update Syft to v1.11.1
([#485](https://redirect.github.com/anchore/sbom-action/issues/485))
\[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]
###
[`v0.17.1`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.1)
[Compare
Source](https://redirect.github.com/anchore/sbom-action/compare/v0.17.0...v0.17.1)
#### Changes in v0.17.1
- chore(deps): update Syft to v1.11.0
([#483](https://redirect.github.com/anchore/sbom-action/issues/483))
\[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]
###
[`v0.17.0`](https://redirect.github.com/anchore/sbom-action/releases/tag/v0.17.0)
[Compare
Source](https://redirect.github.com/anchore/sbom-action/compare/v0.16.1...v0.17.0)
#### Changes in v0.17.0
- chore(deps): update Syft to v1.9.0
([#479](https://redirect.github.com/anchore/sbom-action/issues/479))
\[[anchore-actions-token-generator](https://redirect.github.com/anchore-actions-token-generator)]
docker/setup-buildx-action
(docker/setup-buildx-action)
###
[`v3.6.1`](https://redirect.github.com/docker/setup-buildx-action/releases/tag/v3.6.1)
[Compare
Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.6.0...v3.6.1)
- Check for malformed docker context by
[@crazy-max](https://redirect.github.com/crazy-max) in
[https://github.com/docker/setup-buildx-action/pull/347](https://redirect.github.com/docker/setup-buildx-action/pull/347)
**Full Changelog**:
https://github.com/docker/setup-buildx-action/compare/v3.6.0...v3.6.1
###
[`v3.6.0`](https://redirect.github.com/docker/setup-buildx-action/releases/tag/v3.6.0)
[Compare
Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.5.0...v3.6.0)
- Create temp docker context if default one has TLS data loaded before
creating a container builder by
[@crazy-max](https://redirect.github.com/crazy-max) in
[https://github.com/docker/setup-buildx-action/pull/341](https://redirect.github.com/docker/setup-buildx-action/pull/341)
**Full Changelog**:
https://github.com/docker/setup-buildx-action/compare/v3.5.0...v3.6.0
###
[`v3.5.0`](https://redirect.github.com/docker/setup-buildx-action/compare/v3.4.0...v3.5.0)
[Compare
Source](https://redirect.github.com/docker/setup-buildx-action/compare/v3.4.0...v3.5.0)
github/codeql-action (github/codeql-action)
###
[`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8)
###
[`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7)
###
[`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6)
###
[`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5)
###
[`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4)
###
[`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3)
###
[`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2)
###
[`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1)
###
[`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0)
###
[`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15)
###
[`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14)
###
[`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13)
ossf/scorecard-action (ossf/scorecard-action)
###
[`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0)
[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)
#### What's Changed
This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0).
Of special note to Scorecard Action is the Maintainer Annotation
feature, which can be used to suppress some Code Scanning false
positives. Alerts will not be generated for any Scorecard Check with an
annotation.
- :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@spencerschrock](https://redirect.github.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410)
- :bug: lower license sarif alert threshold to 9 by
[@spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411)
##### Documentation
- docs: dogfooding badge by
[@jkowalleck](https://redirect.github.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)
#### New Contributors
- [@jkowalleck](https://redirect.github.com/jkowalleck) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399)
**Full Changelog**:
https://github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0
sigstore/cosign-installer (sigstore/cosign-installer)
###
[`v3.6.0`](https://redirect.github.com/sigstore/cosign-installer/releases/tag/v3.6.0)
[Compare
Source](https://redirect.github.com/sigstore/cosign-installer/compare/v3.5.0...v3.6.0)
#### What's Changed
- Bump actions/checkout from 4.1.2 to 4.1.3 by
[@dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/161](https://redirect.github.com/sigstore/cosign-installer/pull/161)
- Bump actions/checkout from 4.1.3 to 4.1.4 by
[@dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/162](https://redirect.github.com/sigstore/cosign-installer/pull/162)
- Bump actions/setup-go from 5.0.0 to 5.0.1 by
[@dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/163](https://redirect.github.com/sigstore/cosign-installer/pull/163)
- Bump actions/checkout from 4.1.4 to 4.1.5 by
[@dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/164](https://redirect.github.com/sigstore/cosign-installer/pull/164)
- Bump actions/checkout from 4.1.5 to 4.1.6 by
[@dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/165](https://redirect.github.com/sigstore/cosign-installer/pull/165)
- Bump actions/checkout from 4.1.6 to 4.1.7 by
[@dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/166](https://redirect.github.com/sigstore/cosign-installer/pull/166)
- Bump actions/setup-go from 5.0.1 to 5.0.2 by
[@dependabot](https://redirect.github.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/167](https://redirect.github.com/sigstore/cosign-installer/pull/167)
- pin public key used for verification by
[@bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/169](https://redirect.github.com/sigstore/cosign-installer/pull/169)
- bump default version to v2.4.0 release by
[@bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/168](https://redirect.github.com/sigstore/cosign-installer/pull/168)
- update readme for new release by
[@bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/170](https://redirect.github.com/sigstore/cosign-installer/pull/170)
**Full Changelog**:
https://github.com/sigstore/cosign-installer/compare/v3...v3.6.0
zarf-dev/zarf (zarf-dev/zarf)
###
[`v0.40.1`](https://redirect.github.com/zarf-dev/zarf/compare/v0.40.0...v0.40.1)
[Compare
Source](https://redirect.github.com/zarf-dev/zarf/compare/v0.40.0...v0.40.1)
###
[`v0.40.0`](https://redirect.github.com/zarf-dev/zarf/compare/v0.39.0...v0.40.0)
[Compare
Source](https://redirect.github.com/zarf-dev/zarf/compare/v0.39.0...v0.40.0)
---
### Configuration
📅 **Schedule**: Branch creation - "after 12pm every weekday,before 11am
every weekday" in timezone America/New_York, Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
â™» **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
---
- [ ] If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/defenseunicorns/maru-runner).
---------
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Wayne Starr
---
.github/actions/install-tools/action.yaml | 10 ++--------
.github/actions/save-logs/action.yaml | 2 +-
.github/actions/zarf/action.yaml | 2 +-
.github/workflows/commitlint.yaml | 2 +-
.github/workflows/release.yaml | 4 ++--
.github/workflows/scan-codeql.yaml | 4 ++--
.github/workflows/scan-lint.yaml | 2 +-
.github/workflows/scorecard.yaml | 6 +++---
8 files changed, 13 insertions(+), 19 deletions(-)
diff --git a/.github/actions/install-tools/action.yaml b/.github/actions/install-tools/action.yaml
index 90b4032..c62aa23 100644
--- a/.github/actions/install-tools/action.yaml
+++ b/.github/actions/install-tools/action.yaml
@@ -4,11 +4,5 @@ description: "Install pipeline tools"
runs:
using: composite
steps:
- - uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
-
- - uses: anchore/sbom-action/download-syft@95b086ac308035dc0850b3853be5b7ab108236a8 # v0.16.1
-
- - run: "curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin"
- shell: bash
-
- - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
+ # used by goreleaser to create SBOMs
+ - uses: anchore/sbom-action/download-syft@61119d458adab75f756bc0b9e4bde25725f86a7a # v0.17.2
diff --git a/.github/actions/save-logs/action.yaml b/.github/actions/save-logs/action.yaml
index 23cdef6..69bf4a5 100644
--- a/.github/actions/save-logs/action.yaml
+++ b/.github/actions/save-logs/action.yaml
@@ -4,7 +4,7 @@ description: "Save debug logs"
runs:
using: composite
steps:
- - uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: debug-log
path: /tmp/maru-*.log
diff --git a/.github/actions/zarf/action.yaml b/.github/actions/zarf/action.yaml
index ec7eb84..de33ec4 100644
--- a/.github/actions/zarf/action.yaml
+++ b/.github/actions/zarf/action.yaml
@@ -7,4 +7,4 @@ runs:
- uses: defenseunicorns/setup-zarf@main
with:
# renovate: datasource=github-tags depName=zarf-dev/zarf
- version: v0.39.0
+ version: v0.40.1
diff --git a/.github/workflows/commitlint.yaml b/.github/workflows/commitlint.yaml
index e661cce..19abb9d 100644
--- a/.github/workflows/commitlint.yaml
+++ b/.github/workflows/commitlint.yaml
@@ -21,7 +21,7 @@ jobs:
fetch-depth: 0
- name: Setup Node.js
- uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
+ uses: actions/setup-node@0a44ba7841725637a19e28fa30b79a866c81b0a6 # v4.0.4
- name: Install commitlint
run: npm install --save-dev @commitlint/{config-conventional,cli}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 5f69d41..4cfa529 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -24,7 +24,7 @@ jobs:
# Upload the contents of the build directory for later stages to use
- name: Upload build artifacts
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: build-artifacts
path: build/
@@ -104,7 +104,7 @@ jobs:
- name: Get Brew tap repo token
id: brew-tap-token
- uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
+ uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0
with:
app-id: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_ID }}
private-key: ${{ secrets.HOMEBREW_TAP_WORKFLOW_GITHUB_APP_SECRET }}
diff --git a/.github/workflows/scan-codeql.yaml b/.github/workflows/scan-codeql.yaml
index f13b49a..97ad74c 100644
--- a/.github/workflows/scan-codeql.yaml
+++ b/.github/workflows/scan-codeql.yaml
@@ -45,7 +45,7 @@ jobs:
run: make build-cli-linux-amd
- name: Initialize CodeQL
- uses: github/codeql-action/init@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+ uses: github/codeql-action/init@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
env:
CODEQL_EXTRACTOR_GO_BUILD_TRACING: on
with:
@@ -54,6 +54,6 @@ jobs:
- name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+ uses: github/codeql-action/analyze@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
with:
category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/scan-lint.yaml b/.github/workflows/scan-lint.yaml
index ad9dc13..8467f11 100644
--- a/.github/workflows/scan-lint.yaml
+++ b/.github/workflows/scan-lint.yaml
@@ -26,7 +26,7 @@ jobs:
extra_args: --all-files --verbose # pre-commit run --all-files --verbose
- name: Run Revive Action by pulling pre-built image
- uses: docker://morphy/revive-action:v2@sha256:087d4e61077087755711ab7e9fae3cc899b7bb07ff8f6a30c3dfb240b1620ae8
+ uses: docker://morphy/revive-action:v2@sha256:540bffd78895d1525b034b861d29edcb96577bcb3b187a5199342dc8656034ee
with:
config: revive.toml
# Exclude patterns, separated by semicolons (optional)
diff --git a/.github/workflows/scorecard.yaml b/.github/workflows/scorecard.yaml
index f64b7ec..f5560a5 100644
--- a/.github/workflows/scorecard.yaml
+++ b/.github/workflows/scorecard.yaml
@@ -27,7 +27,7 @@ jobs:
persist-credentials: false
- name: "Run analysis"
- uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+ uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
with:
results_file: results.sarif
results_format: sarif
@@ -37,7 +37,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
- uses: actions/upload-artifact@0b2256b8c012f0828dc542b3febcab082c67f72b # v4.3.4
+ uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: SARIF file
path: results.sarif
@@ -45,6 +45,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@4fa2a7953630fd2f3fb380f21be14ede0169dd4f # v3.25.12
+ uses: github/codeql-action/upload-sarif@294a9d92911152fe08befb9ec03e240add280cb3 # v3.26.8
with:
sarif_file: results.sarif