chore(deps): update github-actions (slsa-framework#695)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` |
| [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` |
| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` |
| [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` |
| [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` |
| [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360)

[Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0)

- [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579)

</details>

<details>
<summary>actions/dependency-review-action (actions/dependency-review-action)</summary>

### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0

[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0)

#### What's New

Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`.

#### What's Changed

- Fix(docs): Correct action input name by [@oerd](https://togithub.com/oerd) in actions/dependency-review-action#551

#### New Contributors

- [@oerd](https://togithub.com/oerd) made their first contribution in actions/dependency-review-action#551

**Full Changelog**: actions/dependency-review-action@v3...v3.1.0

### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8

[Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8)

#### What's Changed

Added `on-failure` option to `comment-summary-in-pr` setting by [@sgmurphy](https://togithub.com/sgmurphy) in actions/dependency-review-action#540

Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`.

#### New Contributors

- [@sgmurphy](https://togithub.com/sgmurphy) made their first contribution in actions/dependency-review-action#540

**Full Changelog**: actions/dependency-review-action@v3...v3.0.8

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1)

[Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1)

#### What's Changed

In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in actions/setup-node#831. It is filtered and checked in the toolkit/cache library.

**Full Changelog**: actions/setup-node@v3...v3.8.1

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3)

[Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)

#### What's Changed

- chore(github): remove trailing whitespaces by [@ljmf00](https://togithub.com/ljmf00) in actions/upload-artifact#313
- Bump [@actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@bethanyj28](https://togithub.com/bethanyj28) in actions/upload-artifact#436

**Full Changelog**: actions/upload-artifact@v3...v3.1.3

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1)

### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0)

### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9)

### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8)

### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7)

### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6)

### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)

[Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in ossf/scorecard-action#1270
  - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes
- ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in ossf/scorecard-action#1169
- 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in ossf/scorecard-action#1225

##### Documentation

- 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in ossf/scorecard-action#1229
- 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in ossf/scorecard-action#1221
- 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in ossf/scorecard-action#1250
- 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in ossf/scorecard-action#1258

#### New Contributors

- [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in ossf/scorecard-action#1250
- [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in ossf/scorecard-action#1258

**Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0

</details>

<details>
<summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary>

### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190)

[Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0)

Release v1.9.0 includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0).

##### v1.9.0: BYOB framework (beta)

- **New**: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders.

##### v1.9.0: Maven builder (beta)

- **New**: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central.

##### v1.9.0: Gradle builder (beta)

- **New**: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central.

##### v1.9.0: JReleaser builder

- **New**: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java).

</details>

<details>
<summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary>

### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0)

[Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0)

#### Summary

Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0

#### What's Changed

- chore: Update SHA256SUM.md for v2.3.0 by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#592
- docs: Make npm package version and name non-optional by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#591
- docs: npm provenance verification from GitHub runner by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#595
- chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v18.16.9 by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#596
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#597
- chore(deps): update dependency jasmine to v5 by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#598
- feat: BYOB verification support by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#604
- feat: Support for v1.0 verification in BYOB by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#609
- feat: Use env variable to retrieve trigger workflow by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#615
- test: Add test data for v1.6.0 by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#612
- fix: Verify the TRW tag is a semver tag by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#619
- chore: Don't be verbose with tests locally by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#620
- fix: use ExternalParameters["source"] for the Source URI for SLSA v1.0 provenance by [@asraa](https://togithub.com/asraa) in slsa-framework#621
- test: re-generate container-based tests by [@asraa](https://togithub.com/asraa) in slsa-framework#627
- fix: revert to using resolvedDepdendencies for source verification by [@asraa](https://togithub.com/asraa) in slsa-framework#629
- refactor: Provenance tests by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#628
- fix(deps): update module github.com/sigstore/rekor to v1.2.0 [security] by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#622
- fix: only allow hashes of 256 bits or more by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#633
- fix: builder ID verification for testing by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#635
- feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@asraa](https://togithub.com/asraa) in slsa-framework#634
- chore: update toc in README.md by [@asraa](https://togithub.com/asraa) in slsa-framework#636
- fix: allow workflow_dispatch to trigger release.yml by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#637
- test: add tests for v1.7.0 builders by [@asraa](https://togithub.com/asraa) in slsa-framework#638
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#607
- chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#567
- fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#606
- chore(deps): update npm dev by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#608
- chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#583
- feat: Verify provenance by build type by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#632
- refactor: Use Go 1.20 by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#643
- test: Add more ProvenanceFromEnvelope tests by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#640
- fix: pre-submit: e2e-cli.sh artifact download by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#646
- refactor: Add more git utils by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#645
- refactor: Use full builder id by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#648
- feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#644
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#651
- feat: move maven-plugin from slsa-github-generator by [@AdamKorcz](https://togithub.com/AdamKorcz) in slsa-framework#664
- docs: Fix maven-plugin README by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#671
- feat: Verification for when sha1 is specified in BYOB TRW by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#641
- docs: Add example for maven verification plugin by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#676
- chore: Add Kris to codeowners by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#678
- feat: Print byob builder by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#677
- test: Add test data for v1.8.0 by [@ianlewis](https://togithub.com/ianlewis) in slsa-framework#681
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#666
- feat: Non-compulsory BuilderID for BYOB Builders by [@enteraga6](https://togithub.com/enteraga6) in slsa-framework#674
- chore(deps): update golang docker tag to v1.21 by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#687
- chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in slsa-framework#686
- feat: GCB refactor for v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#682
- feat: Allow byob builders ref at main for e2e tests by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#689
- feat: Update doc and code for Maven plugin by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#680
- feat: gcb v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#691
- feat: v1.9.0 regression tests by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#696
- fix: release failure by [@laurentsimon](https://togithub.com/laurentsimon) in slsa-framework#697

#### New Contributors

- [@AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in slsa-framework#664
- [@enteraga6](https://togithub.com/enteraga6) made their first contribution in slsa-framework#674

**Full Changelog**: slsa-framework/slsa-verifier@v2.3.0...v2.4.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/).
View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

Signed-off-by: Mend Renovate <bot@renovateapp.com>
Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>