Skip to content

Commit

Permalink
chore(deps): update github-actions (#3642)
Browse files Browse the repository at this point in the history
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | digest | `b4ffde6` -> `a5ac7e5` |
| [actions/checkout](https://togithub.com/actions/checkout) | action |
patch | `v4.1.1` -> `v4.1.6` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact)
| action | patch | `v4.1.4` -> `v4.1.7` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | patch | `v4.3.1` -> `v4.3.3` |
|
[ianlewis/todo-issue-reopener](https://togithub.com/ianlewis/todo-issue-reopener)
| action | patch | `v1.2.0` -> `v1.2.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.3.0` -> `v2.3.3` |
|
[sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer)
| action | minor | `v3.4.0` -> `v3.5.0` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.1.6`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.5...v4.1.6)

- Check platform to set archive extension appropriately by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1732](https://togithub.com/actions/checkout/pull/1732)

###
[`v4.1.5`](https://togithub.com/actions/checkout/releases/tag/v4.1.5)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update NPM dependencies by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1703](https://togithub.com/actions/checkout/pull/1703)
- Bump github/codeql-action from 2 to 3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1694](https://togithub.com/actions/checkout/pull/1694)
- Bump actions/setup-node from 1 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1696](https://togithub.com/actions/checkout/pull/1696)
- Bump actions/upload-artifact from 2 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1695](https://togithub.com/actions/checkout/pull/1695)
- README: Suggest `user.email` to be
`41898282+github-actions[bot]@&#8203;users.noreply.github.com` by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1707](https://togithub.com/actions/checkout/pull/1707)

**Full Changelog**:
actions/checkout@v4.1.4...v4.1.5

###
[`v4.1.4`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.3...v4.1.4)

- Disable `extensions.worktreeConfig` when disabling `sparse-checkout`
by [@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1692](https://togithub.com/actions/checkout/pull/1692)
- Add dependabot config by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1688](https://togithub.com/actions/checkout/pull/1688)
- Bump the minor-actions-dependencies group with 2 updates by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1693](https://togithub.com/actions/checkout/pull/1693)
- Bump word-wrap from 1.2.3 to 1.2.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1643](https://togithub.com/actions/checkout/pull/1643)

###
[`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3)

#### What's Changed

- Update `actions/checkout` version in `update-main-version.yml` by
[@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650)
- Check git version before attempting to disable `sparse-checkout` by
[@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656)
- Add SSH user parameter by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685)

**Full Changelog**:
actions/checkout@v4.1.2...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2)

- Fix: Disable sparse checkout whenever `sparse-checkout` option is not
present [@&#8203;dscho](https://togithub.com/dscho) in
[https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598)

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.7`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.7)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.6...v4.1.7)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact)
dependency by [@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/325](https://togithub.com/actions/download-artifact/pull/325)

**Full Changelog**:
actions/download-artifact@v4.1.6...v4.1.7

###
[`v4.1.6`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.6)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.5...v4.1.6)

#### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/download-artifact/pull/324](https://togithub.com/actions/download-artifact/pull/324)

**Full Changelog**:
actions/download-artifact@v4.1.5...v4.1.6

###
[`v4.1.5`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.5)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/322](https://togithub.com/actions/download-artifact/pull/322)
- Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact`
to v2.1.5

**Full Changelog**:
actions/download-artifact@v4.1.4...v4.1.5

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.3`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.3)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.2...v4.3.3)

##### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/565](https://togithub.com/actions/upload-artifact/pull/565)

**Full Changelog**:
actions/upload-artifact@v4.3.2...v4.3.3

###
[`v4.3.2`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.2)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.1...v4.3.2)

#### What's Changed

- Update release-new-action-version.yml by
[@&#8203;konradpabjan](https://togithub.com/konradpabjan) in
[https://github.com/actions/upload-artifact/pull/516](https://togithub.com/actions/upload-artifact/pull/516)
- Minor fix to the migration readme by
[@&#8203;andrewakim](https://togithub.com/andrewakim) in
[https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523)
- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/561](https://togithub.com/actions/upload-artifact/pull/561)
- updating `@actions/artifact` dependency to v2.1.5 and `@actions/core`
to v1.0.1 by [@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/562](https://togithub.com/actions/upload-artifact/pull/562)

#### New Contributors

- [@&#8203;andrewakim](https://togithub.com/andrewakim) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523)

**Full Changelog**:
actions/upload-artifact@v4.3.1...v4.3.2

</details>

<details>
<summary>ianlewis/todo-issue-reopener
(ianlewis/todo-issue-reopener)</summary>

###
[`v1.2.1`](https://togithub.com/ianlewis/todo-issue-reopener/releases/tag/v1.2.1)

[Compare
Source](https://togithub.com/ianlewis/todo-issue-reopener/compare/v1.2.0...v1.2.1)

##### Fixed in 1.2.1

- Fixed the "error updating to TUF remote mirror: invalid key" error
([#&#8203;688](https://togithub.com/ianlewis/todo-issue-reopener/issues/688)).

#### All changes

- fix: Update slsa-verifier version by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/689](https://togithub.com/ianlewis/todo-issue-reopener/pull/689)
- chore(deps): Bump github/codeql-action from 3.23.2 to 3.25.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/711](https://togithub.com/ianlewis/todo-issue-reopener/pull/711)
- chore(deps): Bump codecov/codecov-action from 4.0.1 to 4.4.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/705](https://togithub.com/ianlewis/todo-issue-reopener/pull/705)
- chore(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/670](https://togithub.com/ianlewis/todo-issue-reopener/pull/670)
- chore(deps-dev): Bump
[@&#8203;types/jest](https://togithub.com/types/jest) from 29.5.11 to
29.5.12 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/664](https://togithub.com/ianlewis/todo-issue-reopener/pull/664)
- chore(deps): Bump actions/setup-node from 4.0.1 to 4.0.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/605](https://togithub.com/ianlewis/todo-issue-reopener/pull/605)
- chore(deps): Bump yamllint from 1.33.0 to 1.35.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/598](https://togithub.com/ianlewis/todo-issue-reopener/pull/598)
- chore(deps-dev): Bump eslint-plugin-github from 4.9.1 to 4.10.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/592](https://togithub.com/ianlewis/todo-issue-reopener/pull/592)
- chore(deps): Bump thehanimo/pr-title-checker from 1.4.1 to 1.4.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/604](https://togithub.com/ianlewis/todo-issue-reopener/pull/604)
- chore(deps): Bump yaml from 2.3.4 to 2.4.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/727](https://togithub.com/ianlewis/todo-issue-reopener/pull/727)
- chore(deps-dev): Bump
[@&#8203;vercel/ncc](https://togithub.com/vercel/ncc) from 0.36.1 to
0.38.1 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/635](https://togithub.com/ianlewis/todo-issue-reopener/pull/635)
- chore(deps-dev): Bump eslint from 8.56.0 to 8.57.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/634](https://togithub.com/ianlewis/todo-issue-reopener/pull/634)
- chore(release): v1.2.1 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/833](https://togithub.com/ianlewis/todo-issue-reopener/pull/833)

**Full Changelog**:
ianlewis/todo-issue-reopener@v1.2.0...v1.2.1

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.3)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.2...v2.3.3)

> \[!NOTE]\
> There is no v2.3.2 release as a step was skipped in the release
process. This was fixed and re-released under the v2.3.3 tag

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to
github.com/ossf/scorecard/v5 (v5.0.0-rc1) by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1366](https://togithub.com/ossf/scorecard-action/pull/1366)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to
v5.0.0-rc2 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1374](https://togithub.com/ossf/scorecard-action/pull/1374)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to
v5.0.0-rc2.0.20240509182734-7ce860946928 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1377](https://togithub.com/ossf/scorecard-action/pull/1377)

For a full changelist of what these include, see the
[v5.0.0-rc1](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc1)
and
[v5.0.0-rc2](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc2)
release notes.

##### Documentation

- 📖 Move token discussion out of main README. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1279](https://togithub.com/ossf/scorecard-action/pull/1279)
- 📖 link to `ossf/scorecard` workflow instead of maintaining an
example by [@&#8203;spencerschrock](https://togithub.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1352](https://togithub.com/ossf/scorecard-action/pull/1352)
- 📖 update api links to new scorecard.dev site by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1376](https://togithub.com/ossf/scorecard-action/pull/1376)

**Full Changelog**:
ossf/scorecard-action@v2.3.1...v2.3.3

###
[`v2.3.2`](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

###
[`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
ossf/scorecard-action@v2.3.0...v2.3.1

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.5.0`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.5.0)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.4.0...v3.5.0)

#### What's Changed

- Bump actions/checkout from 4.1.1 to 4.1.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/157](https://togithub.com/sigstore/cosign-installer/pull/157)
- use go 1.22 now by
[@&#8203;bobcallaway](https://togithub.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/160](https://togithub.com/sigstore/cosign-installer/pull/160)
- bump default version to v2.2.4, prep for v3.5.0 release by
[@&#8203;bobcallaway](https://togithub.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/159](https://togithub.com/sigstore/cosign-installer/pull/159)

**Full Changelog**:
sigstore/cosign-installer@v3.4.0...v3.5.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNjMuNSIsInVwZGF0ZWRJblZlciI6IjM3LjM2My41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <[email protected]>
  • Loading branch information
renovate-bot authored May 17, 2024
1 parent a14d810 commit 5917e48
Show file tree
Hide file tree
Showing 29 changed files with 89 additions and 89 deletions.
2 changes: 1 addition & 1 deletion .github/actions/secure-builder-checkout/action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ runs:
# and has an associated release. This will require exceptions
# for e2e tests.
- name: Checkout the repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: ${{ inputs.repository }}
ref: ${{ inputs.ref }}
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/secure-download-artifact/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ runs:
echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}"
- name: Download the artifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: "${{ inputs.name }}"
path: "${{ steps.validate-path.outputs.folder_path }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/secure-download-folder/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,7 @@ runs:
uses: slsa-framework/slsa-github-generator/.github/actions/rng@main

- name: Download the artifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: "${{ inputs.name }}"
path: "${{ steps.rng.outputs.random }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/secure-project-checkout/action.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@ runs:
using: "composite"
steps:
- name: Checkout the repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: ${{ inputs.fetch-depth }}
ref: ${{ inputs.checkout-sha1 }}
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/secure-upload-artifact/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ runs:
path: "${{ inputs.path }}"

- name: Upload the artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ inputs.name }}"
path: "${{ inputs.path }}"
Expand Down
16 changes: 8 additions & 8 deletions .github/workflows/builder_container-based_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -209,7 +209,7 @@ jobs:
allow-private-repository: ${{ inputs.rekor-log-public }}

- name: Upload builder
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
Expand All @@ -228,7 +228,7 @@ jobs:
runs-on: ubuntu-latest
needs: [rng, detect-env, generate-builder]
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Checkout builder repository
uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
with:
Expand Down Expand Up @@ -372,7 +372,7 @@ jobs:
set-executable: true

- name: Checkout the source repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
fetch-depth: 1
persist-credentials: false
Expand Down Expand Up @@ -462,7 +462,7 @@ jobs:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
# secure upload or verify this against the SLSA layout file.
id: upload-artifacts
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: ${{ steps.build.outputs.build-outputs-name }}
path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
Expand Down Expand Up @@ -535,7 +535,7 @@ jobs:
- name: Upload unsigned intoto attestations file for pull request
if: ${{ github.event_name == 'pull_request' }}
id: upload-unsigned
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "attestations-${{ needs.rng.outputs.value }}"
Expand All @@ -556,7 +556,7 @@ jobs:
- name: Upload the signed attestations
id: upload-signed
if: ${{ github.event_name != 'pull_request' }}
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
Expand Down Expand Up @@ -584,15 +584,15 @@ jobs:
# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA
# layout files and their checksums to validate the artifacts.
- name: Download artifacts
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: "${{ needs.build.outputs.build-outputs-name }}"
path: "${{ needs.build.outputs.build-outputs-name }}"

# TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the
# secure-folder-download action.
- name: Download provenance
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: "${{ needs.provenance.outputs.provenance-name }}"
path: "${{ needs.provenance.outputs.provenance-name }}"
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/builder_go_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -169,7 +169,7 @@ jobs:
allow-private-repository: ${{ inputs.private-repository }}

- name: Upload builder
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
path: "${{ env.BUILDER_BINARY }}"
Expand Down Expand Up @@ -358,7 +358,7 @@ jobs:
--workingDir "$UNTRUSTED_WORKING_DIR"
- name: Upload the signed provenance
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -55,7 +55,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -39,7 +39,7 @@ jobs:
permissions:
id-token: write # Needed to detect the current reusable repository and ref.
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Detect the builder ref
id: detect
uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main
Expand Down Expand Up @@ -71,7 +71,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: slsa-framework/example-package
ref: main
Expand All @@ -85,7 +85,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: slsa-framework/example-package
ref: main
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/e2e.detect-workflow-js.schedule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- id: detect
uses: ./.github/actions/detect-workflow-js
- id: verify
Expand Down Expand Up @@ -70,7 +70,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: slsa-framework/example-package
ref: main
Expand All @@ -84,7 +84,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: slsa-framework/example-package
ref: main
Expand Down
6 changes: 3 additions & 3 deletions .github/workflows/e2e.sign-attestations.schedule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -33,7 +33,7 @@ jobs:
id-token: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- id: setup
uses: ./.github/actions/sign-attestations
with:
Expand Down Expand Up @@ -62,7 +62,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: slsa-framework/example-package
ref: main
Expand All @@ -76,7 +76,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: slsa-framework/example-package
ref: main
Expand Down
8 changes: 4 additions & 4 deletions .github/workflows/e2e.upload-folder.schedule.yml
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ jobs:
sha256: ${{ steps.upload.outputs.sha256 }}
sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
- name: Create folder
run: |
set -euo pipefail
Expand Down Expand Up @@ -100,7 +100,7 @@ jobs:
needs: [secure-upload-folder]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

- name: Download in new folder
uses: ./.github/actions/secure-download-folder
Expand Down Expand Up @@ -180,7 +180,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: slsa-framework/example-package
ref: main
Expand All @@ -194,7 +194,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
with:
repository: slsa-framework/example-package
ref: main
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/generator_container_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,7 @@ jobs:
service_account: ${{ inputs.gcp-service-account }}

- id: cosign-install
uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
with:
cosign-release: v2.2.3
continue-on-error: true
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/generator_generic_slsa3.yml
Original file line number Diff line number Diff line change
Expand Up @@ -238,7 +238,7 @@ jobs:
- name: Upload the signed provenance
id: upload-prov
continue-on-error: true
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: "${{ steps.sign-prov.outputs.provenance-name }}"
path: "${{ steps.sign-prov.outputs.provenance-name }}"
Expand Down
Loading

0 comments on commit 5917e48

Please sign in to comment.