From b0eae7ffdb416ff1322fe1b46ef224d38a826e20 Mon Sep 17 00:00:00 2001 From: Mend Renovate Date: Mon, 23 Oct 2023 04:08:27 +0200 Subject: [PATCH] chore(deps): update github-actions (#2850) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | actions/checkout | action | digest | `96f5310` -> `b4ffde6` | | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v4.0.0` -> `v4.1.1` | | [actions/setup-go](https://togithub.com/actions/setup-go) | action | minor | `v4.0.1` -> `v4.1.0` | | [actions/setup-java](https://togithub.com/actions/setup-java) | action | minor | `v3.12.0` -> `v3.13.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | minor | `v3.7.0` -> `v3.8.1` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | digest | `e33196f` -> `5e21ff4` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.2` -> `v2.22.4` | | [gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action) | action | minor | `v2.7.0` -> `v2.9.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer) | action | patch | `v3.1.1` -> `v3.1.2` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes
actions/checkout (actions/checkout) ### [`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@​joshmgross](https://togithub.com/joshmgross) in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - Correct link to GitHub Docs by [@​peterbe](https://togithub.com/peterbe) in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) - Link to release page from what's new section by [@​cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514) ##### New Contributors - [@​joshmgross](https://togithub.com/joshmgross) made their first contribution in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - [@​peterbe](https://togithub.com/peterbe) made their first contribution in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) **Full Changelog**: https://github.com/actions/checkout/compare/v4...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://togithub.com/actions/checkout/pull/1396)
actions/setup-go (actions/setup-go) ### [`v4.1.0`](https://togithub.com/actions/setup-go/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/setup-go/compare/v4.0.1...v4.1.0) #### What's Changed In scope of this release, slow installation on Windows was fixed by [@​dsame](https://togithub.com/dsame) in [https://github.com/actions/setup-go/pull/393](https://togithub.com/actions/setup-go/pull/393) and OS version was added to `primaryKey` for Ubuntu runners to avoid conflicts ([https://github.com/actions/setup-go/pull/383](https://togithub.com/actions/setup-go/pull/383)) This release also includes the following changes: - Remove implicit dependencies by [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-go/pull/378](https://togithub.com/actions/setup-go/pull/378) - Update action.yml by [@​mkelly](https://togithub.com/mkelly) in [https://github.com/actions/setup-go/pull/379](https://togithub.com/actions/setup-go/pull/379) - Added a description that go-version should be specified as a string type by [@​n3xem](https://togithub.com/n3xem) in [https://github.com/actions/setup-go/pull/367](https://togithub.com/actions/setup-go/pull/367) - Add note about YAML parsing versions by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-go/pull/382](https://togithub.com/actions/setup-go/pull/382) - Automatic update of configuration files from 05/23/2023 by [@​github-actions](https://togithub.com/github-actions) in [https://github.com/actions/setup-go/pull/377](https://togithub.com/actions/setup-go/pull/377) - Bump tough-cookie and [@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/392](https://togithub.com/actions/setup-go/pull/392) - Bump word-wrap from 1.2.3 to 1.2.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/397](https://togithub.com/actions/setup-go/pull/397) - Bump semver from 6.3.0 to 6.3.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/396](https://togithub.com/actions/setup-go/pull/396) #### New Contributors - [@​mkelly](https://togithub.com/mkelly) made their first contribution in [https://github.com/actions/setup-go/pull/379](https://togithub.com/actions/setup-go/pull/379) - [@​n3xem](https://togithub.com/n3xem) made their first contribution in [https://github.com/actions/setup-go/pull/367](https://togithub.com/actions/setup-go/pull/367) **Full Changelog**: https://github.com/actions/setup-go/compare/v4...v4.1.0
actions/setup-java (actions/setup-java) ### [`v3.13.0`](https://togithub.com/actions/setup-java/releases/tag/v3.13.0) [Compare Source](https://togithub.com/actions/setup-java/compare/v3.12.0...v3.13.0) ##### What's changed In the scope of this release, support for Dragonwell JDK was added by [@​Accelerator1996](https://togithub.com/Accelerator1996) in [https://github.com/actions/setup-java/pull/532](https://togithub.com/actions/setup-java/pull/532) ```yaml steps: - name: Checkout uses: actions/checkout@v3 - name: Setup-java uses: actions/setup-java@v3 with: distribution: 'dragonwell' java-version: '17' ``` Several inaccuracies were also fixed: - Fix XML namespaces wrongly using https by [@​gnodet](https://togithub.com/gnodet) in [https://github.com/actions/setup-java/pull/503](https://togithub.com/actions/setup-java/pull/503) - Fix typo and remove unintentional(?) word by [@​CyberFlameGO](https://togithub.com/CyberFlameGO) in [https://github.com/actions/setup-java/pull/518](https://togithub.com/actions/setup-java/pull/518) - Fix usage link within the README.md file by [@​dassiorleando](https://togithub.com/dassiorleando) in [https://github.com/actions/setup-java/pull/525](https://togithub.com/actions/setup-java/pull/525) ##### New Contributors - [@​CyberFlameGO](https://togithub.com/CyberFlameGO) made their first contribution in [https://github.com/actions/setup-java/pull/518](https://togithub.com/actions/setup-java/pull/518) - [@​dassiorleando](https://togithub.com/dassiorleando) made their first contribution in [https://github.com/actions/setup-java/pull/525](https://togithub.com/actions/setup-java/pull/525) - [@​gnodet](https://togithub.com/gnodet) made their first contribution in [https://github.com/actions/setup-java/pull/503](https://togithub.com/actions/setup-java/pull/503) - [@​Accelerator1996](https://togithub.com/Accelerator1996) made their first contribution in [https://github.com/actions/setup-java/pull/532](https://togithub.com/actions/setup-java/pull/532) **Full Changelog**: https://github.com/actions/setup-java/compare/v3...v3.13.0
actions/setup-node (actions/setup-node) ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library. **Full Changelog**: https://github.com/actions/setup-node/compare/v3...v3.8.1 ### [`v3.8.0`](https://togithub.com/actions/setup-node/releases/tag/v3.8.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.7.0...v3.8.0) ##### What's Changed ##### Bug fixes: - Add check for existing paths by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/803](https://togithub.com/actions/setup-node/pull/803) - Resolve SymbolicLink by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/809](https://togithub.com/actions/setup-node/pull/809) - Change passing logic for cache input by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/816](https://togithub.com/actions/setup-node/pull/816) - Fix armv7 cache issue by [@​louislam](https://togithub.com/louislam) in [https://github.com/actions/setup-node/pull/794](https://togithub.com/actions/setup-node/pull/794) - Update check-dist workflow name by [@​sinchang](https://togithub.com/sinchang) in [https://github.com/actions/setup-node/pull/710](https://togithub.com/actions/setup-node/pull/710) ##### Feature implementations: - feat: handling the case where "node" is used for tool-versions file. by [@​xytis](https://togithub.com/xytis) in [https://github.com/actions/setup-node/pull/812](https://togithub.com/actions/setup-node/pull/812) ##### Documentation changes: - Refer to semver package name in README.md by [@​olleolleolle](https://togithub.com/olleolleolle) in [https://github.com/actions/setup-node/pull/808](https://togithub.com/actions/setup-node/pull/808) ##### Update dependencies: - Update toolkit cache to fix zstd by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/804](https://togithub.com/actions/setup-node/pull/804) - Bump tough-cookie and [@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/802](https://togithub.com/actions/setup-node/pull/802) - Bump semver from 6.1.2 to 6.3.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/807](https://togithub.com/actions/setup-node/pull/807) - Bump word-wrap from 1.2.3 to 1.2.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/815](https://togithub.com/actions/setup-node/pull/815) ##### New Contributors - [@​olleolleolle](https://togithub.com/olleolleolle) made their first contribution in [https://github.com/actions/setup-node/pull/808](https://togithub.com/actions/setup-node/pull/808) - [@​louislam](https://togithub.com/louislam) made their first contribution in [https://github.com/actions/setup-node/pull/794](https://togithub.com/actions/setup-node/pull/794) - [@​sinchang](https://togithub.com/sinchang) made their first contribution in [https://github.com/actions/setup-node/pull/710](https://togithub.com/actions/setup-node/pull/710) - [@​xytis](https://togithub.com/xytis) made their first contribution in [https://github.com/actions/setup-node/pull/812](https://togithub.com/actions/setup-node/pull/812) **Full Changelog**: https://github.com/actions/setup-node/compare/v3...v3.8.0
actions/upload-artifact (actions/upload-artifact) ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@​ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313) - Bump [@​actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436) **Full Changelog**: https://github.com/actions/upload-artifact/compare/v3...v3.1.3
github/codeql-action (github/codeql-action) ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) ### [`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) ### [`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3)
gradle/gradle-build-action (gradle/gradle-build-action) ### [`v2.9.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.9.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.8.1...v2.9.0) The GitHub [dependency-review-action](https://togithub.com/actions/dependency-review-action) helps you understand dependency changes (and the security impact of these changes) for a pull request. This release updates the GItHub Dependency Graph support to be compatible with the `dependency-review-action`. See [the documentation](https://togithub.com/gradle/gradle-build-action#integrating-the-dependency-review-action) for detailed examples. ##### Changelog - \[FIX] Use correct SHA for `pull-request` events [#​882](https://togithub.com/gradle/gradle-build-action/issues/882) - \[FIX] Avoid generating dependency graph during cache cleanup [#​905](https://togithub.com/gradle/gradle-build-action/issues/905) - \[NEW] Improve warning on failure to submit dependency graph - \[NEW] Compatibility with GitHub `dependency-review-action` [#​879](https://togithub.com/gradle/gradle-build-action/issues/879) **Full-changelog**: https://github.com/gradle/gradle-build-action/compare/v2.8.1...v2.9.0 ### [`v2.8.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.8.1) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.8.0...v2.8.1) Fixes an issue that prevented Dependency Graph submission when running on GitHub Enterprise Server. ##### Fixes - Incorrect endpoint used to submit Dependency Graph on GitHub Enterprise [#​885](https://togithub.com/gradle/gradle-build-action/issues/885) ##### Changelog ### [`v2.8.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.8.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.7.1...v2.8.0) The `v2.8.0` release of the `gradle-build-action` introduces an easy mechanism to connect to Gradle Enterprise, as well improved support for self-hosted GitHub Actions runners. ##### Automatic injection of Gradle Enterprise connectivity It is now possible to connect a Gradle build to Gradle Enterprise without changing any of the Gradle project sources. This is achieved through Gradle Enterprise injection, where an init-script will apply the Gradle Enterprise plugin and associated configuration. This feature can be useful to easily trial Gradle Enterprise on a project, or to centralize Gradle Enterprise configuration for all GitHub Actions workflows in an organization. See [Gradle Enterprise injection in the README](https://togithub.com/gradle/gradle-build-action/blob/v2.8.0/README.md#gradle-enterprise-plugin-injection) for more info. ##### Restore Gradle User Home when directory already exists Previously, the Gradle User Home would not be restored if the directory already exists. This wasn't normally an issue with GitHub-hosted runners, but limited the usefulness of the action for persistent, self-hosted runners. This behaviour has been improved in this release: - The Job Summary now includes a useful error message when Gradle User Home was not restored because the directory already exists. - The action can now be configured to restore the Gradle User Home when the directory already exists, overwriting existing content with content from the GitHub Actions cache. See https://github.com/gradle/gradle-build-action#overwriting-an-existing-gradle-user-home for more details. ##### Changes **Issues fixed**: https://github.com/gradle/gradle-build-action/issues?q=milestone%3A2.8.0+is%3Aclosed **Full changelog**: https://github.com/gradle/gradle-build-action/compare/v2.7.1...v2.8.0 ### [`v2.7.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.7.1) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.7.0...v2.7.1) This release contains no code changes, only dependency updates and documentation improvements. ##### Changelog
ossf/scorecard-action (ossf/scorecard-action) ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - :seedling: Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - :sparkles: Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - :bug: Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - :book: Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - :book: Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - :book: Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - :book: Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0
sigstore/cosign-installer (sigstore/cosign-installer) ### [`v3.1.2`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.2) [Compare Source](https://togithub.com/sigstore/cosign-installer/compare/v3.1.1...v3.1.2) #### What's Changed - Fix build and push step Readme missing id by [@​hbenali](https://togithub.com/hbenali) in [https://github.com/sigstore/cosign-installer/pull/138](https://togithub.com/sigstore/cosign-installer/pull/138) - bump cosign to v2.2.0 by [@​cpanato](https://togithub.com/cpanato) in [https://github.com/sigstore/cosign-installer/pull/142](https://togithub.com/sigstore/cosign-installer/pull/142) #### New Contributors - [@​hbenali](https://togithub.com/hbenali) made their first contribution in [https://github.com/sigstore/cosign-installer/pull/138](https://togithub.com/sigstore/cosign-installer/pull/138) **Full Changelog**: https://github.com/sigstore/cosign-installer/compare/v3...v3.1.2
--- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-github-generator). Signed-off-by: Mend Renovate --- .github/actions/generate-builder/action.yml | 2 +- .../secure-builder-checkout/action.yaml | 2 +- .../secure-project-checkout-go/action.yml | 2 +- .../secure-project-checkout-node/action.yml | 2 +- .../secure-project-checkout/action.yaml | 2 +- .../actions/secure-upload-artifact/action.yml | 2 +- .../builder_container-based_slsa3.yml | 12 +++--- .github/workflows/builder_go_slsa3.yml | 4 +- .github/workflows/codeql-analysis.yml | 8 ++-- ...ate-container_based-predicate.schedule.yml | 6 +-- .../e2e.detect-workflow-js.schedule.yml | 6 +-- .../e2e.sign-attestations.schedule.yml | 8 ++-- .../workflows/e2e.upload-folder.schedule.yml | 8 ++-- .../workflows/generator_container_slsa3.yml | 2 +- .github/workflows/generator_generic_slsa3.yml | 2 +- .github/workflows/pre-submit.actions.yml | 38 +++++++++---------- .github/workflows/pre-submit.apis.yml | 2 +- .github/workflows/pre-submit.delegators.yml | 2 +- ...pre-submit.e2e.container-based.default.yml | 2 +- .../pre-submit.e2e.generic.default.yml | 6 +-- ...-submit.e2e.go.config-ldflags-main-dir.yml | 2 +- .github/workflows/pre-submit.lint.yml | 24 ++++++------ .github/workflows/pre-submit.units.yml | 10 ++--- .github/workflows/release.yml | 4 +- .github/workflows/scorecards.yml | 8 ++-- actions/gradle/publish/action.yml | 4 +- actions/maven/publish/action.yml | 2 +- internal/builders/bazel/action.yml | 2 +- internal/builders/gradle/action.yml | 6 +-- internal/builders/maven/action.yml | 4 +- internal/builders/nodejs/action.yml | 2 +- 31 files changed, 93 insertions(+), 93 deletions(-) diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml index 54f8d4d42c..42e718678e 100644 --- a/.github/actions/generate-builder/action.yml +++ b/.github/actions/generate-builder/action.yml @@ -76,7 +76,7 @@ runs: token: ${{ inputs.token }} - name: Set up Go environment - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ inputs.go-version }} diff --git a/.github/actions/secure-builder-checkout/action.yaml b/.github/actions/secure-builder-checkout/action.yaml index 064f12fa8d..71de1f5350 100644 --- a/.github/actions/secure-builder-checkout/action.yaml +++ b/.github/actions/secure-builder-checkout/action.yaml @@ -37,7 +37,7 @@ runs: # and has an associated release. This will require exceptions # for e2e tests. - name: Checkout the repository - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: ${{ inputs.repository }} ref: ${{ inputs.ref }} diff --git a/.github/actions/secure-project-checkout-go/action.yml b/.github/actions/secure-project-checkout-go/action.yml index 3d7d885a16..69680e3e79 100644 --- a/.github/actions/secure-project-checkout-go/action.yml +++ b/.github/actions/secure-project-checkout-go/action.yml @@ -65,7 +65,7 @@ runs: fi - name: Set up Go environment - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version: ${{ steps.validate.outputs.go_version }} go-version-file: ${{ steps.validate.outputs.go_version_file }} diff --git a/.github/actions/secure-project-checkout-node/action.yml b/.github/actions/secure-project-checkout-node/action.yml index 3cfdd3dd8f..5c9726e514 100644 --- a/.github/actions/secure-project-checkout-node/action.yml +++ b/.github/actions/secure-project-checkout-node/action.yml @@ -41,6 +41,6 @@ runs: path: ${{ inputs.path }} - name: Set up Node environment - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: ${{ inputs.node-version }} diff --git a/.github/actions/secure-project-checkout/action.yaml b/.github/actions/secure-project-checkout/action.yaml index 9bd09b7591..b592687178 100644 --- a/.github/actions/secure-project-checkout/action.yaml +++ b/.github/actions/secure-project-checkout/action.yaml @@ -40,7 +40,7 @@ runs: using: "composite" steps: - name: Checkout the repository - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: ${{ inputs.fetch-depth }} ref: ${{ inputs.checkout-sha1 }} diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml index c4d54ad604..984b39a614 100644 --- a/.github/actions/secure-upload-artifact/action.yml +++ b/.github/actions/secure-upload-artifact/action.yml @@ -37,7 +37,7 @@ runs: path: "${{ inputs.path }}" - name: Upload the artifact - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "${{ inputs.name }}" path: "${{ inputs.path }}" diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml index 063b7ee0f7..e560a0a73d 100644 --- a/.github/workflows/builder_container-based_slsa3.yml +++ b/.github/workflows/builder_container-based_slsa3.yml @@ -209,7 +209,7 @@ jobs: allow-private-repository: ${{ inputs.rekor-log-public }} - name: Upload builder - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -228,7 +228,7 @@ jobs: runs-on: ubuntu-latest needs: [rng, detect-env, generate-builder] steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Checkout builder repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main with: @@ -372,7 +372,7 @@ jobs: set-executable: true - name: Checkout the source repository - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: fetch-depth: 1 persist-credentials: false @@ -462,7 +462,7 @@ jobs: # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a # secure upload or verify this against the SLSA layout file. id: upload-artifacts - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: ${{ steps.build.outputs.build-outputs-name }} path: /tmp/build-outputs-${{ needs.rng.outputs.value }} @@ -535,7 +535,7 @@ jobs: - name: Upload unsigned intoto attestations file for pull request if: ${{ github.event_name == 'pull_request' }} id: upload-unsigned - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "attestations-${{ needs.rng.outputs.value }}" @@ -556,7 +556,7 @@ jobs: - name: Upload the signed attestations id: upload-signed if: ${{ github.event_name != 'pull_request' }} - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}" diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml index 095a938218..75ee9ddee7 100644 --- a/.github/workflows/builder_go_slsa3.yml +++ b/.github/workflows/builder_go_slsa3.yml @@ -169,7 +169,7 @@ jobs: allow-private-repository: ${{ inputs.private-repository }} - name: Upload builder - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}" path: "${{ env.BUILDER_BINARY }}" @@ -358,7 +358,7 @@ jobs: --workingDir "$UNTRUSTED_WORKING_DIR" - name: Upload the signed provenance - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "${{ steps.sign-prov.outputs.signed-provenance-name }}" path: "${{ steps.sign-prov.outputs.signed-provenance-name }}" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 47a2343434..6dc5e5fecc 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -55,11 +55,11 @@ jobs: steps: - name: Checkout repository - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2 + uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 with: languages: ${{ matrix.language }} # If you wish to specify custom queries, you can do so here or in a config file. @@ -72,7 +72,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2 + uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 # Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun @@ -85,7 +85,7 @@ jobs: # ./location_of_script_within_repo/buildscript.sh - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2 + uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 # NOTE: Checks that the matrix job above completes successfully. # This is necessary because the matrix strategy generates new jobs with diff --git a/.github/workflows/e2e.create-container_based-predicate.schedule.yml b/.github/workflows/e2e.create-container_based-predicate.schedule.yml index 149ef224c6..f6bb413983 100644 --- a/.github/workflows/e2e.create-container_based-predicate.schedule.yml +++ b/.github/workflows/e2e.create-container_based-predicate.schedule.yml @@ -39,7 +39,7 @@ jobs: permissions: id-token: write # Needed to detect the current reusable repository and ref. steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Detect the builder ref id: detect uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main @@ -71,7 +71,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main @@ -85,7 +85,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.detect-workflow-js.schedule.yml b/.github/workflows/e2e.detect-workflow-js.schedule.yml index 27c10de907..c261b75e29 100644 --- a/.github/workflows/e2e.detect-workflow-js.schedule.yml +++ b/.github/workflows/e2e.detect-workflow-js.schedule.yml @@ -33,7 +33,7 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - id: detect uses: ./.github/actions/detect-workflow-js - id: verify @@ -70,7 +70,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main @@ -84,7 +84,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml index 8babbb6df2..ba488e8d22 100644 --- a/.github/workflows/e2e.sign-attestations.schedule.yml +++ b/.github/workflows/e2e.sign-attestations.schedule.yml @@ -33,14 +33,14 @@ jobs: id-token: write runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - id: setup uses: ./.github/actions/sign-attestations with: attestations: .github/actions/sign-attestations/testdata/attestations output-folder: outputs - name: Setup node - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3 with: node-version: 16 - name: install sigstore-js @@ -62,7 +62,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main @@ -76,7 +76,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/e2e.upload-folder.schedule.yml b/.github/workflows/e2e.upload-folder.schedule.yml index 573c655de7..98c182ca2b 100644 --- a/.github/workflows/e2e.upload-folder.schedule.yml +++ b/.github/workflows/e2e.upload-folder.schedule.yml @@ -37,7 +37,7 @@ jobs: sha256: ${{ steps.upload.outputs.sha256 }} sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }} steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Create folder run: | set -euo pipefail @@ -100,7 +100,7 @@ jobs: needs: [secure-upload-folder] runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Download in new folder uses: ./.github/actions/secure-download-folder @@ -180,7 +180,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main @@ -194,7 +194,7 @@ jobs: contents: read issues: write steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml index 371c33c89c..f9983d061d 100644 --- a/.github/workflows/generator_container_slsa3.yml +++ b/.github/workflows/generator_container_slsa3.yml @@ -147,7 +147,7 @@ jobs: service_account: ${{ inputs.gcp-service-account }} - id: cosign-install - uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1 + uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2 with: cosign-release: v2.0.0 continue-on-error: true diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml index 49182c4ad9..cf787e07ed 100644 --- a/.github/workflows/generator_generic_slsa3.yml +++ b/.github/workflows/generator_generic_slsa3.yml @@ -251,7 +251,7 @@ jobs: - name: Upload the signed provenance id: upload-prov continue-on-error: true - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: "${{ steps.sign-prov.outputs.provenance-name }}" path: "${{ steps.sign-prov.outputs.provenance-name }}" diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml index cfb3e743dc..e93bf7c39e 100644 --- a/.github/workflows/pre-submit.actions.yml +++ b/.github/workflows/pre-submit.actions.yml @@ -27,13 +27,13 @@ jobs: name: verify no checkout in Actions runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: ./.github/workflows/scripts/pre-submit.actions/checkout.sh check-tscommon-tarball: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Untar the package tarball working-directory: .github/actions/tscommon @@ -75,10 +75,10 @@ jobs: - .github/actions/verify-token - .github/actions/detect-workflow-js steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set Node.js 18 - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 18 @@ -98,7 +98,7 @@ jobs: fi # If index.js was different from expected, upload the expected version as an artifact - - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 if: ${{ failure() && steps.diff.conclusion == 'failure' }} with: name: dist @@ -121,7 +121,7 @@ jobs: compute-sha256: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: | echo "foo" > artifact - id: compute-sha256 @@ -136,7 +136,7 @@ jobs: rng: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: | echo "foo" > artifact - id: rng @@ -150,10 +150,10 @@ jobs: references: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: __THIS_REPO__ - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main @@ -175,7 +175,7 @@ jobs: secure-project-checkout-go: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: __BUILDER_CHECKOUT_DIR__ @@ -188,7 +188,7 @@ jobs: secure-project-checkout-node: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: __BUILDER_CHECKOUT_DIR__ @@ -208,7 +208,7 @@ jobs: UPLOAD_FOLDER_NO_ROOT_NAME: "upload-root/upload-folder" DOWNLOAD_FOLDER_NO_ROOT_NAME: "download-root/download-folder" steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Create folder run: | set -euo pipefail @@ -365,7 +365,7 @@ jobs: secure-download-artifact: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: __BUILDER_CHECKOUT_DIR__ @@ -392,7 +392,7 @@ jobs: secure-download-artifact-builder-name: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: __BUILDER_CHECKOUT_DIR__ @@ -425,7 +425,7 @@ jobs: secure-download-artifact-builder-repo-folder: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: __BUILDER_CHECKOUT_DIR__ @@ -459,7 +459,7 @@ jobs: secure-download-artifact-builder-repo-file: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: __BUILDER_CHECKOUT_DIR__ @@ -493,7 +493,7 @@ jobs: generate-builder-generic-compile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: ./.github/actions/generate-builder with: repository: "slsa-framework/slsa-github-generator" @@ -507,7 +507,7 @@ jobs: generate-builder-generic-no-compile: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Detect the builder ref id: detect uses: ./.github/actions/detect-workflow-js @@ -525,7 +525,7 @@ jobs: generate-attestations: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Test generate attestations id: generate uses: ./.github/actions/generate-attestations diff --git a/.github/workflows/pre-submit.apis.yml b/.github/workflows/pre-submit.apis.yml index 5bb7c25afb..81ee7c2d64 100644 --- a/.github/workflows/pre-submit.apis.yml +++ b/.github/workflows/pre-submit.apis.yml @@ -31,6 +31,6 @@ jobs: name: verify safe APIs runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Check safe file systems APIs run: ./.github/workflows/scripts/pre-submit.apis/verify-safefs.sh diff --git a/.github/workflows/pre-submit.delegators.yml b/.github/workflows/pre-submit.delegators.yml index e3e815f54f..8bb86549eb 100644 --- a/.github/workflows/pre-submit.delegators.yml +++ b/.github/workflows/pre-submit.delegators.yml @@ -27,6 +27,6 @@ jobs: name: verify identical delegators runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Compare diff between the delegator workflows run: ./.github/workflows/scripts/pre-submit.delegators/compare-diff.sh diff --git a/.github/workflows/pre-submit.e2e.container-based.default.yml b/.github/workflows/pre-submit.e2e.container-based.default.yml index 445b9cc054..4aad66f266 100644 --- a/.github/workflows/pre-submit.e2e.container-based.default.yml +++ b/.github/workflows/pre-submit.e2e.container-based.default.yml @@ -45,7 +45,7 @@ jobs: HEAD_SHA: ${{ github.event.pull_request.head.sha }} GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }} steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/download-artifact@e9ef242655d12993efdcda9058dee2db83a2cb9b with: name: ${{ needs.build-container-based.outputs.build-outputs-name }} diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml index 2c0ba0be4c..716d472720 100644 --- a/.github/workflows/pre-submit.e2e.generic.default.yml +++ b/.github/workflows/pre-submit.e2e.generic.default.yml @@ -46,7 +46,7 @@ jobs: needs: [build] if: ${{ always() }} steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ needs.build.outputs.provenance-name }} @@ -75,7 +75,7 @@ jobs: runs-on: ubuntu-latest needs: [build-continue-no-error] steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ needs.build-continue-no-error.outputs.provenance-name }} @@ -105,7 +105,7 @@ jobs: runs-on: ubuntu-latest needs: [build, build-continue-invalid-subjects] steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ needs.build.outputs.provenance-name }} diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml index 287fa91042..f64fde5710 100644 --- a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml +++ b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml @@ -64,7 +64,7 @@ jobs: needs: [build] if: ${{ always() }} steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2 with: name: ${{ needs.build.outputs.go-binary-name }} diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml index 00ea428c85..d63e7ad7f5 100644 --- a/.github/workflows/pre-submit.lint.yml +++ b/.github/workflows/pre-submit.lint.yml @@ -31,8 +31,8 @@ jobs: markdownlint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 16 - run: make markdownlint @@ -42,10 +42,10 @@ jobs: runs-on: ubuntu-latest steps: - name: Setup Node.js 16 - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 16 - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - run: make markdown-toc - name: markdown-toc run: ./.github/workflows/scripts/pre-submit.markdown/markdown-toc.sh @@ -53,8 +53,8 @@ jobs: golangci-lint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version-file: "go.mod" - env: @@ -77,7 +77,7 @@ jobs: shellcheck: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: shellcheck env: SHELLCHECK_VERSION: "0.8.0" @@ -117,7 +117,7 @@ jobs: yamllint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - env: YAMLLINT_VERSION: "1.26.3" run: | @@ -132,8 +132,8 @@ jobs: eslint: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 16 - run: make eslint @@ -141,8 +141,8 @@ jobs: autogen: runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: mbrukman/autogen ref: 9026b78e17573b5dda4bff79033c352443551dc5 diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml index c77bf180b5..69f8b1054d 100644 --- a/.github/workflows/pre-submit.units.yml +++ b/.github/workflows/pre-submit.units.yml @@ -35,15 +35,15 @@ jobs: if: ${{ always() }} steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: setup-go - uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 with: go-version-file: "go.mod" - name: Set Node.js 16 - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: 16 @@ -58,12 +58,12 @@ jobs: if: ${{ always() }} steps: - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: generator - name: Checkout - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: verifier repository: slsa-framework/slsa-verifier diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 47ad17eec2..5e5e6b49b2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,10 +34,10 @@ jobs: name: pre release refs verification runs-on: ubuntu-latest steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: path: __THIS_REPO__ - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: repository: slsa-framework/example-package ref: main diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 3dadbc293d..b6a72e6374 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml @@ -39,12 +39,12 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0 + uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0 with: results_file: results.sarif results_format: sarif @@ -63,7 +63,7 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 + uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 with: name: SARIF file path: results.sarif @@ -71,6 +71,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2 + uses: github/codeql-action/upload-sarif@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4 with: sarif_file: results.sarif diff --git a/actions/gradle/publish/action.yml b/actions/gradle/publish/action.yml index d2475f9cb5..5fef2d7b46 100644 --- a/actions/gradle/publish/action.yml +++ b/actions/gradle/publish/action.yml @@ -50,9 +50,9 @@ inputs: runs: using: "composite" steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up JDK - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 env: MAVEN_USERNAME: ${{ inputs.maven-username }} MAVEN_PASSWORD: ${{ inputs.maven-password }} diff --git a/actions/maven/publish/action.yml b/actions/maven/publish/action.yml index 9a3c77e458..e7e24fd0ad 100644 --- a/actions/maven/publish/action.yml +++ b/actions/maven/publish/action.yml @@ -47,7 +47,7 @@ runs: - name: Checkout the project repository uses: slsa-framework/slsa-github-generator/.github/actions/secure-project-checkout@main # needed because we run javadoc and sources. - name: Set up Java for publishing to Maven Central Repository - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 env: MAVEN_USERNAME: ${{ inputs.maven-username }} MAVEN_PASSWORD: ${{ inputs.maven-password }} diff --git a/internal/builders/bazel/action.yml b/internal/builders/bazel/action.yml index f98ee51898..191ec0fa8f 100644 --- a/internal/builders/bazel/action.yml +++ b/internal/builders/bazel/action.yml @@ -53,7 +53,7 @@ runs: - name: Setup Java id: java - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 with: distribution: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-distribution }}" java-version: "${{ fromJson(inputs.slsa-workflow-inputs).user-java-version }}" diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml index ef41da1690..1d7c29a31d 100644 --- a/internal/builders/gradle/action.yml +++ b/internal/builders/gradle/action.yml @@ -56,14 +56,14 @@ on: runs: using: "composite" steps: - - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - name: Set up JDK - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} - name: Setup Gradle - uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c # v2.7.0 + uses: gradle/gradle-build-action@842c587ad8aa4c68eeba24c396e15af4c2e9f30a # v2.9.0 - name: Run gradle builder id: run_gradle_builder shell: bash diff --git a/internal/builders/maven/action.yml b/internal/builders/maven/action.yml index 2d7697d8d2..bc3ad649ed 100644 --- a/internal/builders/maven/action.yml +++ b/internal/builders/maven/action.yml @@ -56,9 +56,9 @@ on: runs: using: "composite" steps: - - uses: actions/checkout@96f53100ba2a5449eb71d2e6604bbcd94b9449b5 # v 3.5.2 + - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v 3.5.2 - name: Set up JDK - uses: actions/setup-java@cd89f46ac9d01407894225f350157564c9c7cee2 # v3.12.0 + uses: actions/setup-java@0ab4596768b603586c0de567f2430c30f5b0d2b0 # v3.13.0 with: distribution: temurin java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }} diff --git a/internal/builders/nodejs/action.yml b/internal/builders/nodejs/action.yml index 1328dfb4be..f605d6207b 100644 --- a/internal/builders/nodejs/action.yml +++ b/internal/builders/nodejs/action.yml @@ -65,7 +65,7 @@ runs: # checkout ourselves. - name: Setup Node - uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0 + uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 with: node-version: ${{ fromJson(inputs.slsa-workflow-inputs).node-version }} node-version-file: ${{ fromJson(inputs.slsa-workflow-inputs).node-version-file }}