From 95ee1bc369a592583304e606f5f00f0e79024b26 Mon Sep 17 00:00:00 2001
From: Mend Renovate
Date: Thu, 5 Jan 2023 01:31:20 +0100
Subject: [PATCH] Update workflows (#898)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.1.0` -> `v3.2.0` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.0.6` -> `v2.1.2` |
| [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | patch | `v1.6.1` -> `v1.6.4` |

---

### Release Notes

actions/checkout

### [`v3.2.0`](https://togithub.com/actions/checkout/releases/tag/v3.2.0)

[Compare Source](https://togithub.com/actions/checkout/compare/v3.1.0...v3.2.0)

#### What's Changed

- Add GitHub Action to perform release by [@​rentziass](https://togithub.com/rentziass) in [https://github.com/actions/checkout/pull/942](https://togithub.com/actions/checkout/pull/942)
- Fix status badge by [@​ScottBrenner](https://togithub.com/ScottBrenner) in [https://github.com/actions/checkout/pull/967](https://togithub.com/actions/checkout/pull/967)
- Replace datadog/squid with ubuntu/squid Docker image by [@​cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1002](https://togithub.com/actions/checkout/pull/1002)
- Wrap pipeline commands for submoduleForeach in quotes by [@​jokreliable](https://togithub.com/jokreliable) in [https://github.com/actions/checkout/pull/964](https://togithub.com/actions/checkout/pull/964)
- Update [@​actions/io](https://togithub.com/actions/io) to 1.1.2 by [@​cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1029](https://togithub.com/actions/checkout/pull/1029)
- Upgrading version to 3.2.0 by [@​vmjoseph](https://togithub.com/vmjoseph) in [https://github.com/actions/checkout/pull/1039](https://togithub.com/actions/checkout/pull/1039)

#### New Contributors

- [@​ScottBrenner](https://togithub.com/ScottBrenner) made their first contribution in [https://github.com/actions/checkout/pull/967](https://togithub.com/actions/checkout/pull/967)
- [@​cory-miller](https://togithub.com/cory-miller) made their first contribution in [https://github.com/actions/checkout/pull/1002](https://togithub.com/actions/checkout/pull/1002)
- [@​jokreliable](https://togithub.com/jokreliable) made their first contribution in [https://github.com/actions/checkout/pull/964](https://togithub.com/actions/checkout/pull/964)
- [@​vmjoseph](https://togithub.com/vmjoseph) made their first contribution in [https://github.com/actions/checkout/pull/1039](https://togithub.com/actions/checkout/pull/1039)

**Full Changelog**: https://github.com/actions/checkout/compare/v3...v3.2.0

ossf/scorecard-action

### [`v2.1.2`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.2)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.1...v2.1.2)

#### What's Changed

##### Fixes

- 🌱 Bump scorecard dependency to v4.10.2 to remove a CODEOWNERS printf statement. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1054](https://togithub.com/ossf/scorecard-action/pull/1054)

**Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.1.1...v2.1.2

### [`v2.1.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.1)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.0...v2.1.1)

#### Scorecard version

This release uses [Scorecard's v4.10.1](https://togithub.com/ossf/scorecard/releases/tag/v4.10.1)

**Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.1.0...v2.1.1

### [`v2.1.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.0)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.6...v2.1.0)

#### What's Changed

##### Scorecard version

This release uses [scorecard v4.10.0](https://togithub.com/ossf/scorecard/releases/tag/v4.10.0).

##### Improvements

- Docker build workflow by [@​naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/ossf/scorecard-action/pull/981](https://togithub.com/ossf/scorecard-action/pull/981)
- Use root user in distroless to support GitHub Actions by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/994](https://togithub.com/ossf/scorecard-action/pull/994)
- Disable pull_request_target by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/ossf/scorecard-action/pull/1031](https://togithub.com/ossf/scorecard-action/pull/1031)

##### Documentation

- Add PAT section explaining risks by [@​olivekl](https://togithub.com/olivekl) in [https://github.com/ossf/scorecard-action/pull/1024](https://togithub.com/ossf/scorecard-action/pull/1024)
- Make the badge text easier to copy by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1026](https://togithub.com/ossf/scorecard-action/pull/1026)

#### New Contributors

- [@​joycebrum](https://togithub.com/joycebrum) made their first contribution in [https://github.com/ossf/scorecard-action/pull/984](https://togithub.com/ossf/scorecard-action/pull/984)
- [@​rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1026](https://togithub.com/ossf/scorecard-action/pull/1026)

**Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.0.6...v2.1.0

pypa/gh-action-pypi-publish

### [`v1.6.4`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.4)

[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.3...v1.6.4)

#### oh, boi! again?

This is the last one tonight, promise! It fixes this embarrassing bug that was actually caught by the CI but got overlooked due to the lack of sleep. TL;DR GH passed `$HOME` from the external env into the container and that tricked Python's `site` module into thinking that the home directory is elsewhere, adding non-existent paths to the env vars. See [#​115](https://togithub.com/pypa/gh-action-pypi-publish/issues/115).

**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.6.3...v1.6.4

### [`v1.6.3`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.3)

[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.2...v1.6.3)

#### Another Release!? Why?

In [https://github.com/pypa/gh-action-pypi-publish/issues/112#issuecomment-1340133013](https://togithub.com/pypa/gh-action-pypi-publish/issues/112#issuecomment-1340133013), it was discovered that passing a `$PATH` variable even breaks the shebang. So this version adds more safeguards to make sure it keeps working with a fully broken `$PATH`.

**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.6.2...v1.6.3

### [`v1.6.2`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.2)

[Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.1...v1.6.2)

#### What's Fixed

- Made the `$PATH` and `$PYTHONPATH` environment variables resilient to broken values passed from the host runner environment, which previously allowed the users to accidentally break the container's internal runtime as reported in [https://github.com/pypa/gh-action-pypi-publish/issues/112](https://togithub.com/pypa/gh-action-pypi-publish/issues/112)

#### Internal Maintenance Improvements

- Added a devpi-based smoke-test GitHub Actions CI/CD workflow by [@​sesdaile-varmour](https://togithub.com/sesdaile-varmour) in [https://github.com/pypa/gh-action-pypi-publish/pull/111](https://togithub.com/pypa/gh-action-pypi-publish/pull/111)

#### New Contributors

- [@​sesdaile-varmour](https://togithub.com/sesdaile-varmour) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/111](https://togithub.com/pypa/gh-action-pypi-publish/pull/111)

**Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.6.1...v1.6.2
---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

--- .github/workflows/publish-to-pypi.yaml | 2 +- .github/workflows/scorecards.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish-to-pypi.yaml b/.github/workflows/publish-to-pypi.yaml index 42bab19ac29..107304ff992 100644 --- a/.github/workflows/publish-to-pypi.yaml +++ b/.github/workflows/publish-to-pypi.yaml @@ -43,7 +43,7 @@ jobs: build --sdist --wheel --outdir dist/ . - name: Publish distribution to PyPI - uses: pypa/gh-action-pypi-publish@5d1679fa6b895587c6eb10c3fe82205b440a580e # v1.6.1 + uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc # v1.6.4 with: password: ${{ secrets.PYPI_API_TOKEN }} packages_dir: dist/ diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 2ffc0ff06be..21be5e02d90 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -22,12 +22,12 @@ jobs: id-token: write steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6-alpha.2 + uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2-alpha.2 with: results_file: results.sarif results_format: sarif
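Review bot: on the publish-to-pypi.yaml hunk, the `# v1.6.4` comment on the `uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc # v1.6.4` line is never checked at run time, only the SHA is, so before merging confirm that the commit is the one behind the upstream tag, for example with `git ls-remote https://github.com/pypa/gh-action-pypi-publish refs/tags/v1.6.4` (use the peeled `^{}` entry if the tag is annotated) and compare it with `c7f29f7a…`. The v1.6.2 to v1.6.4 changes in the notes above alter how `$PATH`, `$PYTHONPATH` and `$HOME` from the runner are handled inside the action container, so if this job sets any of those in `env:` (not visible in the hunk), run the workflow against a test index before the next real release. The step still authenticates with `password: ${{ secrets.PYPI_API_TOKEN }}`; that token should remain scoped to this single project on PyPI.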
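Review bot: on the scorecards.yml hunk, the version comment on the `uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2-alpha.2` line does not match the `v2.0.6` -> `v2.1.2` row in the update table: Renovate rewrote only the version number and carried the stale `-alpha.2` suffix over from the old `# v2.0.6-alpha.2` comment. After confirming that `e38b1902…` is the commit behind the `v2.1.2` tag, correct the comment to `# v2.1.2`, since that comment is what both the next reader and the next Renovate run treat as the currently pinned version. The `actions/checkout` bump keeps `persist-credentials: false`, which is the right setting in a job that also holds `id-token: write`.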
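The v1.6.2 to v1.6.4 release notes quoted above describe the runner's `$PATH`, `$PYTHONPATH` and `$HOME` being passed into the action's container and breaking its Python runtime, with v1.6.3 noting that a broken `$PATH` even defeats the shebang. As an added illustration, not code from pypa/gh-action-pypi-publish or from this repository, the POSIX sh fragment below shows the shape of a defensive entrypoint for a Docker-based action: it rebuilds `PATH` from directories the image controls, drops inherited entries that are empty, relative or missing, applies the same filter to `PYTHONPATH`, resets `HOME` when it does not exist in the container, and calls the interpreter by absolute path. The helper names, the `/opt/action/bin` directory and the commented-out `exec` line are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's own code): guards for a Docker action
# entrypoint whose container inherits the host runner's environment.
# /opt/action/bin and the exec line at the bottom are assumptions.

# sanitize_path INHERITED_PATH REQUIRED_DIR...
# Prints a PATH made of the REQUIRED_DIRs first (kept even if absent on the
# build host, because the image owns them), followed by those inherited
# entries that are absolute paths to directories that exist in the
# container. Empty entries, relative entries such as "." or "bin",
# non-existent paths and duplicates are dropped.
sanitize_path() {
  inherited=$1
  shift
  out=''
  for d in "$@"; do
    out="${out:+$out:}$d"
  done
  # Split on ':' with parameter expansion; no IFS or globbing surprises.
  rest="$inherited:"
  while [ -n "$rest" ]; do
    d=${rest%%:*}
    rest=${rest#*:}
    case $d in
      /*) ;;                 # keep only absolute entries
      *)  continue ;;
    esac
    [ -d "$d" ] || continue  # drop paths that do not exist here
    case ":$out:" in
      *":$d:"*) continue ;;  # already present
    esac
    out="${out:+$out:}$d"
  done
  printf '%s\n' "$out"
}

# sanitize_home INHERITED_HOME FALLBACK_HOME
# Python's site module derives the user site-packages location from $HOME;
# a $HOME that does not exist inside the container produces bogus sys.path
# entries. Keep the inherited value only if it is an existing absolute dir.
sanitize_home() {
  case $1 in
    /*) if [ -d "$1" ]; then printf '%s\n' "$1"; return 0; fi ;;
  esac
  printf '%s\n' "$2"
}

# Apply the guards, then hand over to the interpreter by absolute path so a
# '#!/usr/bin/env python' shebang cannot fail on a still-broken PATH.
main() {
  PATH=$(sanitize_path "${PATH-}" /opt/action/bin /usr/local/bin /usr/bin /bin)
  HOME=$(sanitize_home "${HOME-}" /root)
  PYTHONPATH=$(sanitize_path "${PYTHONPATH-}")
  export PATH HOME
  if [ -n "$PYTHONPATH" ]; then export PYTHONPATH; else unset PYTHONPATH; fi
  printf 'PATH=%s\nHOME=%s\nPYTHONPATH=%s\n' "$PATH" "$HOME" "${PYTHONPATH-}"
  # exec /usr/local/bin/python /opt/action/upload.py "$@"   # hypothetical
}

main "$@"
```

Run it with a deliberately broken environment, for example `PATH=/nonexistent:.:bin HOME=/no/such/home sh entrypoint.sh`, and the printed `PATH` contains only the image's own directories plus whatever inherited entries really exist, while `HOME` falls back to `/root`.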