From c8e000bb3249a31d325bb63ba6bb924236a9bdaf Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Wed, 12 Jul 2023 09:21:52 +0200 Subject: [PATCH] chore(deps): update github-actions (#2352) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | actions/setup-java | action | digest | `1f2faad` -> `75c6561` | | [actions/setup-java](https://togithub.com/actions/setup-java) | action | pinDigest | -> `5ffc13f` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | minor | `v3.6.0` -> `v3.7.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | digest | `64ed1c7` -> `e33196f` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v2.20.1` -> `v2.20.3` | | [gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action) | action | minor | `v2.4.2` -> `v2.6.0` | | [sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer) | action | patch | `v3.1.0` -> `v3.1.1` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes
actions/setup-node (actions/setup-node) ### [`v3.7.0`](https://togithub.com/actions/setup-node/releases/tag/v3.7.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.6.0...v3.7.0) ##### What's Changed In scope of this release we added a logic to save an additional cache path for yarn 3 ([related pull request](https://togithub.com/actions/setup-node/pull/744) and [feature request](https://togithub.com/actions/setup-node/issues/325)). Moreover, we added functionality to use all the sub directories derived from `cache-dependency-path` input and add detect all dependencies directories to cache (related [pull request](https://togithub.com/actions/setup-node/pull/735) and [feature request](https://togithub.com/actions/setup-node/issues/488)). ##### Besides, we made such changes as: - Replace workflow badge with new badge by [@​jongwooo](https://togithub.com/jongwooo) in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - Fix a minor typo by [@​phanan](https://togithub.com/phanan) in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - docs: fix typo in advanced-usage.md by [@​remarkablemark](https://togithub.com/remarkablemark) in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by [@​domdomegg](https://togithub.com/domdomegg) in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - Update to node 18.x by [@​feelepxyz](https://togithub.com/feelepxyz) in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - Remove implicit dependencies by [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - Fix description about ensuring workflow access to private package by [@​x86chi](https://togithub.com/x86chi) in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) ##### New Contributors - [@​jongwooo](https://togithub.com/jongwooo) made their first contribution in [https://github.com/actions/setup-node/pull/653](https://togithub.com/actions/setup-node/pull/653) - [@​phanan](https://togithub.com/phanan) made their first contribution in [https://github.com/actions/setup-node/pull/662](https://togithub.com/actions/setup-node/pull/662) - [@​remarkablemark](https://togithub.com/remarkablemark) made their first contribution in [https://github.com/actions/setup-node/pull/697](https://togithub.com/actions/setup-node/pull/697) - [@​domdomegg](https://togithub.com/domdomegg) made their first contribution in [https://github.com/actions/setup-node/pull/718](https://togithub.com/actions/setup-node/pull/718) - [@​feelepxyz](https://togithub.com/feelepxyz) made their first contribution in [https://github.com/actions/setup-node/pull/751](https://togithub.com/actions/setup-node/pull/751) - [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii) made their first contribution in [https://github.com/actions/setup-node/pull/758](https://togithub.com/actions/setup-node/pull/758) - [@​x86chi](https://togithub.com/x86chi) made their first contribution in [https://github.com/actions/setup-node/pull/704](https://togithub.com/actions/setup-node/pull/704) **Full Changelog**: https://github.com/actions/setup-node/compare/v3...v3.7.0
github/codeql-action (github/codeql-action) ### [`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) ### [`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2)
gradle/gradle-build-action (gradle/gradle-build-action) ### [`v2.6.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.6.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.5.1...v2.6.0) ##### GitHub Dependency Graph support (Experimental) This release brings experimental support for submitting a [GitHub Dependency Graph](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-the-dependency-graph) snapshot via the [GitHub Dependency Submission API](https://docs.github.com/en/rest/dependency-graph/dependency-submission?apiVersion=2022-11-28). The dependency graph snapshot is generated via integration with the [GitHub Dependency Graph Gradle Plugin](https://plugins.gradle.org/plugin/org.gradle.github-dependency-graph-gradle-plugin), and saved as a workflow artifact. The generated snapshot files can be submitted either in the same job, or in a subsequent job (in the same or a dependent workflow). The generated dependency graph snapshot reports all of the dependencies that were resolved during a bulid execution, and is used by GitHub to generate [Dependabot Alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) for vulnerable dependencies, as well as to populate the [Dependency Graph insights view](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/exploring-the-dependencies-of-a-repository#viewing-the-dependency-graph). Check out the README chapter for more details on how this works and how to configure a workflow that submits a dependency graph. ##### Changelog ### [`v2.5.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.5.1) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.5.0...v2.5.1) Fixes a regression in v2.5.0 that resulted in failure when running a workflow that has a name containing a comma. ##### Fixes - Cache key Validation Error when workflow name contains a comma [#​756](https://togithub.com/gradle/gradle-build-action/issues/756) ##### Changelog ### [`v2.5.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.5.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.4.2...v2.5.0) This minor release fixes a couple of issues that affected the action in particular scenarios, and updates all dependencies to recent versions. ##### Fixes - Parallel workflows containing jobs with the same name use the same cache key [#​699](https://togithub.com/gradle/gradle-build-action/issues/699) - Build scans are not captured when GE plugin is applied within `settingsEvaluated` [#​626](https://togithub.com/gradle/gradle-build-action/issues/626) **Full changelog**: https://github.com/gradle/gradle-build-action/compare/v2.4.2...v2.5.0
sigstore/cosign-installer (sigstore/cosign-installer) ### [`v3.1.1`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.1) [Compare Source](https://togithub.com/sigstore/cosign-installer/compare/v3.1.0...v3.1.1) #### What's Changed - default cosign to v2.1.1 by [@​cpanato](https://togithub.com/cpanato) in [https://github.com/sigstore/cosign-installer/pull/137](https://togithub.com/sigstore/cosign-installer/pull/137) **Full Changelog**: https://github.com/sigstore/cosign-installer/compare/v3.1.0...v3.1.1
--- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-github-generator). Signed-off-by: Mend Renovate Signed-off-by: Noah Elzner --- .github/actions/secure-project-checkout-node/action.yml | 2 +- .github/workflows/codeql-analysis.yml | 6 +++--- .github/workflows/e2e.sign-attestations.schedule.yml | 2 +- .github/workflows/generator_container_slsa3.yml | 2 +- .github/workflows/pre-submit.actions.yml | 2 +- .github/workflows/pre-submit.lint.yml | 6 +++--- .github/workflows/pre-submit.units.yml | 2 +- .github/workflows/publish_maven.yml | 2 +- .github/workflows/scorecards.yml | 2 +- actions/nodejs/publish/action.yml | 2 +- internal/builders/gradle/action.yml | 2 +- internal/builders/maven/action.yml | 2 +- internal/builders/nodejs/action.yml | 2 +- 13 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/actions/secure-project-checkout-node/action.yml b/.github/actions/secure-project-checkout-node/action.yml index 34bdcde275..3cfdd3dd8f 100644 --- a/.github/actions/secure-project-checkout-node/action.yml +++ b/.github/actions/secure-project-checkout-node/action.yml @@ -41,6 +41,6 @@ runs: path: ${{ inputs.path }} - name: Set up Node environment - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: ${{ inputs.node-version }} diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index e4ac40edd6..0040bafd98 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -59,7 +59,7 @@ jobs: # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 + uses: github/codeql-action/init@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -72,7 +72,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 + uses: github/codeql-action/autobuild@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3 # Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -85,7 +85,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 + uses: github/codeql-action/analyze@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3 # NOTE: Checks that the matrix job above completes successfully. # This is necessary because the matrix strategy generates new jobs with diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml index 40c7db21a2..8d6f38a8f6 100644 --- a/.github/workflows/e2e.sign-attestations.schedule.yml +++ b/.github/workflows/e2e.sign-attestations.schedule.yml @@ -40,7 +40,7 @@ jobs: attestations: .github/actions/sign-attestations/testdata/attestations output-folder: outputs - name: Setup node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3 with: node-version: 16 - name: install sigstore-js diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml index cbcc715820..371c33c89c 100644 --- a/.github/workflows/generator_container_slsa3.yml +++ b/.github/workflows/generator_container_slsa3.yml @@ -147,7 +147,7 @@ jobs: service_account: ${{ inputs.gcp-service-account }} - id: cosign-install - uses: sigstore/cosign-installer@d13028333d784fcc802b67ec924bcebe75aa0a5f # v3.1.0 + uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1 with: cosign-release: v2.0.0 continue-on-error: true diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index 8cb47768f3..4d26570a4f 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -78,7 +78,7 @@ jobs: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - name: Set Node.js 18 - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: 18 diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index 2f5cf40a17..4c321763ab 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -32,7 +32,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: 16 - run: make markdownlint @@ -42,7 +42,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Setup Node.js 16 - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: 16 - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 @@ -133,7 +133,7 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 - - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: 16 - run: make eslint diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml index ff25093a4c..7371643271 100644 --- a/.github/workflows/pre-submit.units.yml +++ b/.github/workflows/pre-submit.units.yml @@ -42,7 +42,7 @@ jobs: go-version-file: "go.mod" - name: Set Node.js 16 - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: 16 diff --git a/.github/workflows/publish_maven.yml b/.github/workflows/publish_maven.yml index 102937b86b..d4b3cafd17 100644 --- a/.github/workflows/publish_maven.yml +++ b/.github/workflows/publish_maven.yml @@ -48,7 +48,7 @@ jobs: - name: Checkout the project repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main - name: Set up Java for publishing to Maven Central Repository - uses: actions/setup-java@v3 + uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3 env: MAVEN_USERNAME: ${{ secrets.maven-username }} MAVEN_PASSWORD: ${{ secrets.maven-password }} diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index e59be7dce2..4486f8d2c0 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@f6e388ebf0efc915c6c5b165b019ee61a6746a38 # v2.20.1 + uses: github/codeql-action/upload-sarif@46ed16ded91731b2df79a2893d3aea8e9f03b5c4 # v2.20.3 with: sarif_file: results.sarif diff --git a/actions/nodejs/publish/action.yml b/actions/nodejs/publish/action.yml index a5356766b6..cd1c40e84a 100644 --- a/actions/nodejs/publish/action.yml +++ b/actions/nodejs/publish/action.yml @@ -56,7 +56,7 @@ runs: using: "composite" steps: - name: Setup Node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: ${{ inputs.node-version }} node-version-file: ${{ inputs.node-version-file }} diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml index 589aa456b9..deb3124c42 100644 --- a/internal/builders/gradle/action.yml +++ b/internal/builders/gradle/action.yml @@ -52,7 +52,7 @@ runs: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} - name: Setup Gradle - uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629 # v2.4.2 + uses: gradle/gradle-build-action@bd5760595778326ba7f1441bcf7e88b49de61a25 # v2.6.0 with: arguments: build -x test - name: Put release artifacts in one directory diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 95a00ae9c0..9fa3d2668d 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -54,7 +54,7 @@ runs: steps: - uses: actions/checkout@96f53100ba2a5449eb71d2e6604bbcd94b9449b5 # v 3.5.2 - name: Set up JDK - uses: actions/setup-java@1f2faad7e0bc7efd1f6da4ca0a0f2b23b03a3a7d # v 3.11.0 + uses: actions/setup-java@75c6561172d237e514a15dfd831cb331e5506d5e # v 3.11.0 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} diff --git a/internal/builders/nodejs/action.yml b/internal/builders/nodejs/action.yml index e3f8efb6cd..1328dfb4be 100644 --- a/internal/builders/nodejs/action.yml +++ b/internal/builders/nodejs/action.yml @@ -65,7 +65,7 @@ runs: # checkout ourselves. - name: Setup Node - uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 + uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 with: node-version: ${{ fromJson(inputs.slsa-workflow-inputs).node-version }} node-version-file: ${{ fromJson(inputs.slsa-workflow-inputs).node-version-file }}