chore(deps): update github-actions (major) (#719)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | major | `v3.6.0` -> `v4.1.1` | | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | major | `v3.1.5` -> `v4.2.5` | | [actions/download-artifact](https://togithub.com/actions/download-artifact) | action | major | `v3.0.2` -> `v4.1.4` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | major | `v3` -> `v4` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | major | `v3.8.2` -> `v4.0.2` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | major | `v3.1.3` -> `v4.3.1` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | major | `v2.24.8` -> `v3.24.9` | | [golangci/golangci-lint-action](https://togithub.com/golangci/golangci-lint-action) | action | major | `v3` -> `v4` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@joshmgross](https://togithub.com/joshmgross) in [actions/checkout#1510 - Correct link to GitHub Docs by [@peterbe](https://togithub.com/peterbe) in [actions/checkout#1511 - Link to release page from what's new section by [@cory-miller](https://togithub.com/cory-miller) in [actions/checkout#1514 ##### New Contributors - [@joshmgross](https://togithub.com/joshmgross) made their first contribution in [actions/checkout#1510 - [@peterbe](https://togithub.com/peterbe) made their first contribution in [actions/checkout#1511 **Full Changelog**: actions/checkout@v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://togithub.com/actions/checkout/pull/1396) ### [`v4.0.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v400) [Compare Source](https://togithub.com/actions/checkout/compare/v3.6.0...v4.0.0) - [Support fetching without the --progress option](https://togithub.com/actions/checkout/pull/1067) - [Update to node20](https://togithub.com/actions/checkout/pull/1436) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.2.5`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.5): 4.2.5 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.4...v4.2.5) #### What's Changed - Fixed a bug where some configuration options in external files were not being properly picked up -- [actions/dependency-review-action#722 - Bump eslint from 8.56.0 to 8.57.0 **Full Changelog**: actions/dependency-review-action@v4.2.4...v4.2.5 ### [`v4.2.4`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.4) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.2.3...v4.2.4) #### What's Changed Fixed a bug in the output of OpenSSF cards for GitHub Actions. #### New Contributors - [@sporkmonger](https://togithub.com/sporkmonger) made their first contribution in [actions/dependency-review-action#721 **Full Changelog**: actions/dependency-review-action@v4.2.3...v4.2.4 ### [`v4.2.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.2.3): 4.2.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.3...v4.2.3) #### What's Changed - Set comment as output by [@jsoref](https://togithub.com/jsoref) in [actions/dependency-review-action#698 - Add support for calculating OpenSSF Scorecards by [@jhutchings1](https://togithub.com/jhutchings1) in [actions/dependency-review-action#709 - Add outputs for the changes data by [@laughedelic](https://togithub.com/laughedelic) in [actions/dependency-review-action#707 #### New Contributors - [@jhutchings1](https://togithub.com/jhutchings1) made their first contribution in [actions/dependency-review-action#709 - [@laughedelic](https://togithub.com/laughedelic) made their first contribution in [actions/dependency-review-action#707 **Full Changelog**: actions/dependency-review-action@v4.1.3...v4.2.3 ### [`v4.1.3`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.3): 4.1.3 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.2...v4.1.3) Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see [actions/dependency-review-action#697). **Full Changelog**: actions/dependency-review-action@v4.1.2...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.2): 4.1.2 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.1...v4.1.2) #### What's Changed - Expose dependency comment content by [@jsoref](https://togithub.com/jsoref) in [actions/dependency-review-action#696 **Full Changelog**: actions/dependency-review-action@v4.1.1...v4.1.2 ### [`v4.1.1`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.1): 4.1.1 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.1.0...v4.1.1) #### What's Changed - Bump `undici` to fix [GHSA-wqq4-5wpv-mx2g](https://togithub.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g) - Bump [@types/node](https://togithub.com/types/node) from 20.11.17 to 20.11.19 by [@dependabot](https://togithub.com/dependabot) in [actions/dependency-review-action#693 **Full Changelog**: actions/dependency-review-action@v4.1.0...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.1.0): 4.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v4.0.0...v4.1.0) #### What's Changed - Add `warn-only` by [@tgrall](https://togithub.com/tgrall) in [actions/dependency-review-action#432 Added a new configuration option (`warn-only`, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log. - Create stale.yaml by [@jonjanego](https://togithub.com/jonjanego) in [actions/dependency-review-action#671 - Use manual codeql config by [@juxtin](https://togithub.com/juxtin) in [actions/dependency-review-action#678 - Multiple dependency updates (see the changelog below for more information) #### New Contributors - [@jonjanego](https://togithub.com/jonjanego) made their first contribution in [actions/dependency-review-action#671 - [@tgrall](https://togithub.com/tgrall) made their first contribution in [actions/dependency-review-action#432 **Full Changelog**: actions/dependency-review-action@v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.1.5...v4.0.0) - Update action to Node 20 by [@takost](https://togithub.com/takost) in [actions/dependency-review-action#639 - Dependabot updates, see the full changelog for more details. #### New Contributors - [@takost](https://togithub.com/takost) made their first contribution in [actions/dependency-review-action#639 **Full Changelog**: actions/dependency-review-action@v3.1.5...v4.0.0 </details> <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.4`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.4) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.3...v4.1.4) ##### What's Changed - Update [@actions/artifact](https://togithub.com/actions/artifact) by [@bethanyj28](https://togithub.com/bethanyj28) in [actions/download-artifact#307 **Full Changelog**: actions/download-artifact@v4...v4.1.4 ### [`v4.1.3`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.3) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.2...v4.1.3) ##### What's Changed - Update release-new-action-version.yml by [@konradpabjan](https://togithub.com/konradpabjan) in [actions/download-artifact#292 - Update toolkit dependency with updated unzip logic by [@bethanyj28](https://togithub.com/bethanyj28) in [actions/download-artifact#299 - Update [@actions/artifact](https://togithub.com/actions/artifact) by [@bethanyj28](https://togithub.com/bethanyj28) in [actions/download-artifact#303 ##### New Contributors - [@bethanyj28](https://togithub.com/bethanyj28) made their first contribution in [actions/download-artifact#299 **Full Changelog**: actions/download-artifact@v4...v4.1.3 ### [`v4.1.2`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.2) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.1...v4.1.2) - Bump [@actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648) ### [`v4.1.1`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.0...v4.1.1) - Fix transient request timeouts [actions/download-artifact#249 - Bump `@actions/artifacts` to latest version ### [`v4.1.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.0.0...v4.1.0) #### What's Changed - Some cleanup by [@robherley](https://togithub.com/robherley) in [actions/download-artifact#247 - Fix default for run-id by [@stchr](https://togithub.com/stchr) in [actions/download-artifact#252 - Support pattern matching to filter artifacts & merge to same directory by [@robherley](https://togithub.com/robherley) in [actions/download-artifact#259 #### New Contributors - [@stchr](https://togithub.com/stchr) made their first contribution in [actions/download-artifact#252 **Full Changelog**: actions/download-artifact@v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/download-artifact/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/download-artifact/compare/v3.0.2...v4.0.0) #### What's Changed The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements. ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads *must* use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows. For more information, please see: 1. The [changelog](https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/) post. 2. The [README](https://togithub.com/actions/download-artifact/blob/main/README.md). 3. The [migration documentation](https://togithub.com/actions/upload-artifact/blob/main/docs/MIGRATION.md). 4. As well as the underlying npm package, [@actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact) documentation. #### New Contributors - [@bflad](https://togithub.com/bflad) made their first contribution in [actions/download-artifact#194 **Full Changelog**: actions/download-artifact@v3...v4.0.0 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v4`](https://togithub.com/actions/setup-node/compare/v3...v4) [Compare Source](https://togithub.com/actions/setup-node/compare/v3...v4) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.1`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.1) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.0...v4.3.1) - Bump [@actions/artifacts](https://togithub.com/actions/artifacts) to latest version to include [updated GHES host check](https://togithub.com/actions/toolkit/pull/1648) ### [`v4.3.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.2.0...v4.3.0) ##### What's Changed - Reorganize upload code in prep for merge logic & add more tests by [@robherley](https://togithub.com/robherley) in [actions/upload-artifact#504 - Add sub-action to merge artifacts by [@robherley](https://togithub.com/robherley) in [actions/upload-artifact#505 **Full Changelog**: actions/upload-artifact@v4...v4.3.0 ### [`v4.2.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.2.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.1.0...v4.2.0) ##### What's Changed - Ability to overwrite an Artifact by [@robherley](https://togithub.com/robherley) in [actions/upload-artifact#501 **Full Changelog**: actions/upload-artifact@v4...v4.2.0 ### [`v4.1.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.0.0...v4.1.0) #### What's Changed - Add migrations docs by [@robherley](https://togithub.com/robherley) in [actions/upload-artifact#482 - Update README.md by [@samuelwine](https://togithub.com/samuelwine) in [actions/upload-artifact#492 - Support artifact-url output by [@konradpabjan](https://togithub.com/konradpabjan) in [actions/upload-artifact#496 - Update readme to reflect new 500 artifact per job limit by [@robherley](https://togithub.com/robherley) in [actions/upload-artifact#497 #### New Contributors - [@samuelwine](https://togithub.com/samuelwine) made their first contribution in [actions/upload-artifact#492 **Full Changelog**: actions/upload-artifact@v4...v4.1.0 ### [`v4.0.0`](https://togithub.com/actions/upload-artifact/releases/tag/v4.0.0) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.3...v4.0.0) #### What's Changed The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements. For more information, see the [@actions/artifact](https://togithub.com/actions/toolkit/tree/main/packages/artifact) documentation. #### New Contributors - [@vmjoseph](https://togithub.com/vmjoseph) made their first contribution in [actions/upload-artifact#464 **Full Changelog**: actions/upload-artifact@v3...v4.0.0 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.24.9`](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.8...v3.24.9) ### [`v3.24.8`](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.7...v3.24.8) ### [`v3.24.7`](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.6...v3.24.7) ### [`v3.24.6`](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.5...v3.24.6) ### [`v3.24.5`](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.4...v3.24.5) ### [`v3.24.4`](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.3...v3.24.4) ### [`v3.24.3`](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.2...v3.24.3) ### [`v3.24.2`](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.1...v3.24.2) ### [`v3.24.1`](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.24.0...v3.24.1) ### [`v3.24.0`](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.2...v3.24.0) ### [`v3.23.2`](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.1...v3.23.2) ### [`v3.23.1`](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.23.0...v3.23.1) ### [`v3.23.0`](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.22.12...v3.23.0) ### [`v3.22.12`](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.22.11...v3.22.12) ### [`v3.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.11...v3.22.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.9...v3.22.11) ### [`v2.24.9`](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.8...v2.24.9) </details> <details> <summary>golangci/golangci-lint-action (golangci/golangci-lint-action)</summary> ### [`v4`](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4) [Compare Source](https://togithub.com/golangci/golangci-lint-action/compare/v3...v4) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).  Signed-off-by: Mend Renovate <bot@renovateapp.com>
slsa-framework · Apr 1, 2024 · a8e21d5 · a8e21d5
1 parent 363e8da
commit a8e21d5
Show file tree

Hide file tree

Showing 12 changed files with 33 additions and 33 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -40,7 +40,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # TODO(#740): Workaround for go1.21 compatibility. Remove when GHA runners have Go 1.21+.
       - name: setup-go
@@ -52,7 +52,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@c2dc67199a2e650d535d7de586a07597aea4d9c7 # v2.24.8
+        uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,7 +63,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@c2dc67199a2e650d535d7de586a07597aea4d9c7 # v2.24.8
+        uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
       # Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
 
@@ -76,4 +76,4 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@c2dc67199a2e650d535d7de586a07597aea4d9c7 # v2.24.8
+        uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@c74b580d73376b7750d3d2a50bfb8adc2c937507 # v3.1.5
+        uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
diff --git a/.github/workflows/e2e.schedule.cli.yml b/.github/workflows/e2e.schedule.cli.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     # See https://github.com/orgs/community/discussions/26238.
     steps:
-      - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
+      - uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
         with:
           name: event_name
       - name: Check event name
@@ -28,7 +28,7 @@ jobs:
             ctned="true"
           fi
           echo "continue=$ctned" >> $GITHUB_OUTPUT
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         if: steps.name.outputs.continue == 'true'
         with:
           ref: main

diff --git a/.github/workflows/e2e.schedule.installer.yml b/.github/workflows/e2e.schedule.installer.yml
@@ -27,14 +27,14 @@ jobs:
       version: ${{ steps.generate-versions.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           # NOTE: the example-package needs to be checked out in the default workspace.
           repository: slsa-framework/example-package
           ref: main
 
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           path: __THIS_REPO__
 
@@ -77,7 +77,7 @@ jobs:
       - name: Checkout this repository
         # Skip release candidates unless specified explicitly.
         if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           ref: ${{ matrix.version }}
 
@@ -196,7 +196,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -210,7 +210,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main

diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
@@ -11,10 +11,10 @@ jobs:
   check-dist:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Set Node.js 16
-        uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           node-version: 16
 
@@ -34,7 +34,7 @@ jobs:
           fi
 
       # If index.js was different from expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

diff --git a/.github/workflows/pre-submit.cli.yml b/.github/workflows/pre-submit.cli.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: setup-go
         uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
@@ -30,7 +30,7 @@ jobs:
         run: |
           echo "$EVENT_NAME" > ./event_name.txt
 
-      - uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+      - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: event_name
           path: ./event_name.txt

diff --git a/.github/workflows/pre-submit.e2e.yml b/.github/workflows/pre-submit.e2e.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           path: __THIS_REPO__
 
@@ -29,7 +29,7 @@ jobs:
           go build -o slsa-verifier ./cli/slsa-verifier
 
       - name: Checkout e2e verification script
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           path: __EXAMPLE_PACKAGE__
           repository: slsa-framework/example-package

diff --git a/.github/workflows/pre-submit.lfs.yml b/.github/workflows/pre-submit.lfs.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actionsdesk/lfs-warning@e5f9a4c21f4bee104db7c0f23954dde59e5df909 # v3.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml
@@ -10,13 +10,13 @@ jobs:
   golangci-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
         with:
           go-version-file: "go.mod"
           # not needed but gets rid of warnings
           cache: false
-      - uses: golangci/golangci-lint-action@v3
+      - uses: golangci/golangci-lint-action@v4
         name: golangci-lint
         with:
           # Require: The version of golangci-lint to use.
@@ -27,7 +27,7 @@ jobs:
   yamllint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - env:
           YAMLLINT_VERSION: "1.26.3"
         run: |
@@ -42,8 +42,8 @@ jobs:
   eslint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/setup-node@v4
         with:
           node-version: 16
       - run: make eslint
diff --git a/.github/workflows/pre-submit.references.yml b/.github/workflows/pre-submit.references.yml
@@ -13,7 +13,7 @@ jobs:
     env:
       BODY: ${{ github.event.pull_request.body }}
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Check documentation is up-to-date
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
       version: ${{ steps.ldflags.outputs.version }}
     steps:
       - id: checkout
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 0
       - id: ldflags
@@ -98,7 +98,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -112,7 +112,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
@@ -49,14 +49,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@c2dc67199a2e650d535d7de586a07597aea4d9c7 # v2.24.8
+        uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
         with:
           sarif_file: results.sarif