chore(deps): update github-actions (#817)

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://redirect.github.com/actions/checkout) | action | minor | `v4.1.7` -> `v4.2.2` | | [actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action) | action | minor | `v4.3.3` -> `v4.5.0` | | [actions/download-artifact](https://redirect.github.com/actions/download-artifact) | action | patch | `v4.1.7` -> `v4.1.8` | | [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.0.2` -> `v5.1.0` | | [actions/setup-go](https://redirect.github.com/actions/setup-go) | action | minor | `v5.0.1` -> `v5.1.0` | | [actions/setup-node](https://redirect.github.com/actions/setup-node) | action | minor | `v4.0.2` -> `v4.1.0` | | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | minor | `v4.3.3` -> `v4.4.3` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | minor | `v3.25.11` -> `v3.27.6` | | [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` | | [slsa-framework/slsa-verifier](https://redirect.github.com/slsa-framework/slsa-verifier) | action | minor | `v2.5.1` -> `v2.6.0` | | [thehanimo/pr-title-checker](https://redirect.github.com/thehanimo/pr-title-checker) | action | patch | `v1.4.2` -> `v1.4.3` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.2.2`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v422) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.1...v4.2.2) - `url-helper.ts` now leverages well-known environment variables by [@jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1941](https://redirect.github.com/actions/checkout/pull/1941) - Expand unit test coverage for `isGhes` by [@jww3](https://redirect.github.com/jww3) in [https://github.com/actions/checkout/pull/1946](https://redirect.github.com/actions/checkout/pull/1946) ### [`v4.2.1`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v421) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.2.0...v4.2.1) - Check out other refs/\* by commit if provided, fall back to ref by [@orhantoy](https://redirect.github.com/orhantoy) in [https://github.com/actions/checkout/pull/1924](https://redirect.github.com/actions/checkout/pull/1924) ### [`v4.2.0`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v420) [Compare Source](https://redirect.github.com/actions/checkout/compare/v4.1.7...v4.2.0) - Add Ref and Commit outputs by [@lucacome](https://redirect.github.com/lucacome) in [https://github.com/actions/checkout/pull/1180](https://redirect.github.com/actions/checkout/pull/1180) - Dependency updates by [@dependabot-](https://redirect.github.com/dependabot-) [https://github.com/actions/checkout/pull/1777](https://redirect.github.com/actions/checkout/pull/1777), [https://github.com/actions/checkout/pull/1872](https://redirect.github.com/actions/checkout/pull/1872) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v4.5.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.5.0) [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.4.0...v4.5.0) #### What's Changed - Bump got from 14.4.2 to 14.4.3 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/844](https://redirect.github.com/actions/dependency-review-action/pull/844) - Bump nodemon from 3.1.0 to 3.1.7 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/847](https://redirect.github.com/actions/dependency-review-action/pull/847) - Bump [@vercel/ncc](https://redirect.github.com/vercel/ncc) from 0.38.1 to 0.38.3 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/849](https://redirect.github.com/actions/dependency-review-action/pull/849) - Overriding the cross-spawn dependency to use a safe version by [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/850](https://redirect.github.com/actions/dependency-review-action/pull/850) - fix: add summary comment on failure when warn-only: true by [@ebickle](https://redirect.github.com/ebickle) in [https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827) - Prepare for 4.5.0 release by [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/851](https://redirect.github.com/actions/dependency-review-action/pull/851) #### New Contributors - [@ebickle](https://redirect.github.com/ebickle) made their first contribution in [https://github.com/actions/dependency-review-action/pull/827](https://redirect.github.com/actions/dependency-review-action/pull/827) **Full Changelog**: actions/dependency-review-action@v4...v4.5.0 ### [`v4.4.0`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.4.0) [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.5...v4.4.0) #### What's Changed - Fix for merge_group event bug by [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/846](https://redirect.github.com/actions/dependency-review-action/pull/846) **Full Changelog**: actions/dependency-review-action@v4.3.5...v4.4.0 ### [`v4.3.5`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.5) [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.4...v4.3.5) #### What's Changed - fix: getRefs function to handle merge_group events by [@louis-bompart](https://redirect.github.com/louis-bompart) in [https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766) - Create pull_request_template.md by [@jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/794](https://redirect.github.com/actions/dependency-review-action/pull/794) - Update CONTRIBUTING.md by [@jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/793](https://redirect.github.com/actions/dependency-review-action/pull/793) - Bump [@types/node](https://redirect.github.com/types/node) from 20.11.28 to 20.16.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/815](https://redirect.github.com/actions/dependency-review-action/pull/815) - Upgrade transitive micromatch library by [@elireisman](https://redirect.github.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/829](https://redirect.github.com/actions/dependency-review-action/pull/829) - Do not list changed dependencies in summary by [@hmaurer](https://redirect.github.com/hmaurer) in [https://github.com/actions/dependency-review-action/pull/828](https://redirect.github.com/actions/dependency-review-action/pull/828) - Update stale.yaml by [@jonjanego](https://redirect.github.com/jonjanego) in [https://github.com/actions/dependency-review-action/pull/832](https://redirect.github.com/actions/dependency-review-action/pull/832) - Bump got from 14.4.1 to 14.4.2 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/actions/dependency-review-action/pull/822](https://redirect.github.com/actions/dependency-review-action/pull/822) - Bump eslint-plugin-jest and ts-jest by [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) in [https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840) #### New Contributors - [@louis-bompart](https://redirect.github.com/louis-bompart) made their first contribution in [https://github.com/actions/dependency-review-action/pull/766](https://redirect.github.com/actions/dependency-review-action/pull/766) - [@Ahmed3lmallah](https://redirect.github.com/Ahmed3lmallah) made their first contribution in [https://github.com/actions/dependency-review-action/pull/840](https://redirect.github.com/actions/dependency-review-action/pull/840) **Full Changelog**: actions/dependency-review-action@v4.3.4...v4.3.5 ### [`v4.3.4`](https://redirect.github.com/actions/dependency-review-action/releases/tag/v4.3.4) [Compare Source](https://redirect.github.com/actions/dependency-review-action/compare/v4.3.3...v4.3.4) #### What's Changed - Include all added dependencies in scorecard entries by [@elireisman](https://redirect.github.com/elireisman) in [https://github.com/actions/dependency-review-action/pull/783](https://redirect.github.com/actions/dependency-review-action/pull/783) - Update SPDX Expression Parsing by [@febuiles](https://redirect.github.com/febuiles) in [https://github.com/actions/dependency-review-action/pull/719](https://redirect.github.com/actions/dependency-review-action/pull/719) - This PR is a significant refactor of SPDX expression parsing that *may* fix some bugs, but unfortunately there are several related known issues that remain unresolved as of this version. **Full Changelog**: actions/dependency-review-action@v4.3.3...v4.3.4 </details> <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.8`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.8) [Compare Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.7...v4.1.8) #### What's Changed - Update [@actions/artifact](https://redirect.github.com/actions/artifact) version, bump dependencies by [@robherley](https://redirect.github.com/robherley) in [https://github.com/actions/download-artifact/pull/341](https://redirect.github.com/actions/download-artifact/pull/341) **Full Changelog**: actions/download-artifact@v4...v4.1.8 </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.1.0`](https://redirect.github.com/actions/setup-go/releases/tag/v5.1.0) [Compare Source](https://redirect.github.com/actions/setup-go/compare/v5.0.2...v5.1.0) ##### What's Changed - Add workflow file for publishing releases to immutable action package by [@Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500) - Upgrade IA Publish by [@Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/setup-go/pull/502](https://redirect.github.com/actions/setup-go/pull/502) - Add architecture to cache key by [@Zxilly](https://redirect.github.com/Zxilly) in [https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493) This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts. Note: This change may break previous cache keys as they will no longer be compatible with the new format. - Enhance workflows and Upgrade micromatch Dependency by [@priyagupta108](https://redirect.github.com/priyagupta108) in [https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510) **Bug Fixes** - Revise `isGhes` logic by [@jww3](https://redirect.github.com/jww3) in [https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511) ##### New Contributors - [@Zxilly](https://redirect.github.com/Zxilly) made their first contribution in [https://github.com/actions/setup-go/pull/493](https://redirect.github.com/actions/setup-go/pull/493) - [@Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/setup-go/pull/500](https://redirect.github.com/actions/setup-go/pull/500) - [@jww3](https://redirect.github.com/jww3) made their first contribution in [https://github.com/actions/setup-go/pull/511](https://redirect.github.com/actions/setup-go/pull/511) - [@priyagupta108](https://redirect.github.com/priyagupta108) made their first contribution in [https://github.com/actions/setup-go/pull/510](https://redirect.github.com/actions/setup-go/pull/510) **Full Changelog**: actions/setup-go@v5...v5.1.0 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v4.1.0`](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.4...v4.1.0) ### [`v4.0.4`](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.3...v4.0.4) ### [`v4.0.3`](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3) [Compare Source](https://redirect.github.com/actions/setup-node/compare/v4.0.2...v4.0.3) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.4.3`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.3) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.2...v4.4.3) ##### What's Changed - Undo indirect dependency updates from [#627](https://redirect.github.com/actions/upload-artifact/issues/627) by [@joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/632](https://redirect.github.com/actions/upload-artifact/pull/632) **Full Changelog**: actions/upload-artifact@v4.4.2...v4.4.3 ### [`v4.4.2`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.2) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.1...v4.4.2) ##### What's Changed - Bump `@actions/artifact` to 2.1.11 by [@robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/627](https://redirect.github.com/actions/upload-artifact/pull/627) - Includes fix for relative symlinks not resolving properly **Full Changelog**: actions/upload-artifact@v4.4.1...v4.4.2 ### [`v4.4.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.4.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.4.0...v4.4.1) ##### What's Changed - Add a section about hidden files by [@joshmgross](https://redirect.github.com/joshmgross) in [https://github.com/actions/upload-artifact/pull/607](https://redirect.github.com/actions/upload-artifact/pull/607) - Add workflow file for publishing releases to immutable action package by [@Jcambass](https://redirect.github.com/Jcambass) in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621) - Update [@actions/artifact](https://redirect.github.com/actions/artifact) to latest version, includes symlink and timeout fixes by [@robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/625](https://redirect.github.com/actions/upload-artifact/pull/625) ##### New Contributors - [@Jcambass](https://redirect.github.com/Jcambass) made their first contribution in [https://github.com/actions/upload-artifact/pull/621](https://redirect.github.com/actions/upload-artifact/pull/621) **Full Changelog**: actions/upload-artifact@v4.4.0...v4.4.1 ### [`v4.4.0`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.6...v4.4.0) ### [`v4.3.6`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.5...v4.3.6) ### [`v4.3.5`](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) ### [`v4.3.4`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.3.4) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.3.3...v4.3.4) ##### What's Changed - Update [@actions/artifact](https://redirect.github.com/actions/artifact) version, bump dependencies by [@robherley](https://redirect.github.com/robherley) in [https://github.com/actions/upload-artifact/pull/584](https://redirect.github.com/actions/upload-artifact/pull/584) **Full Changelog**: actions/upload-artifact@v4.3.3...v4.3.4 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.27.6`](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.5...v3.27.6) ### [`v3.27.5`](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.4...v3.27.5) ### [`v3.27.4`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.3...v3.27.4) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.4 - 14 Nov 2024 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.4/CHANGELOG.md) for more information. ### [`v3.27.3`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.2...v3.27.3) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.3 - 12 Nov 2024 No user facing changes. See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.3/CHANGELOG.md) for more information. ### [`v3.27.2`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.1...v3.27.2) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.2 - 12 Nov 2024 - Fixed an issue where setting up the CodeQL tools would sometimes fail with the message "Invalid value 'undefined' for header 'authorization'". [#2590](https://redirect.github.com/github/codeql-action/pull/2590) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.2/CHANGELOG.md) for more information. ### [`v3.27.1`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.27.0...v3.27.1) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.1 - 08 Nov 2024 - The CodeQL Action now downloads bundles compressed using Zstandard on GitHub Enterprise Server when using Linux or macOS runners. This speeds up the installation of the CodeQL tools. This feature is already available to GitHub.com users. [#2573](https://redirect.github.com/github/codeql-action/pull/2573) - Update default CodeQL bundle version to 2.19.3. [#2576](https://redirect.github.com/github/codeql-action/pull/2576) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.1/CHANGELOG.md) for more information. ### [`v3.27.0`](https://redirect.github.com/github/codeql-action/releases/tag/v3.27.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.13...v3.27.0) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers. ##### 3.27.0 - 22 Oct 2024 - Bump the minimum CodeQL bundle version to 2.14.6. [#2549](https://redirect.github.com/github/codeql-action/pull/2549) - Fix an issue where the `upload-sarif` Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the `upload-sarif` Action. [#2557](https://redirect.github.com/github/codeql-action/pull/2557) - Update default CodeQL bundle version to 2.19.2. [#2552](https://redirect.github.com/github/codeql-action/pull/2552) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.27.0/CHANGELOG.md) for more information. ### [`v3.26.13`](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.12...v3.26.13) ### [`v3.26.12`](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.11...v3.26.12) ### [`v3.26.11`](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.10...v3.26.11) ### [`v3.26.10`](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.9...v3.26.10) ### [`v3.26.9`](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.8...v3.26.9) ### [`v3.26.8`](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.7...v3.26.8) ### [`v3.26.7`](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.6...v3.26.7) ### [`v3.26.6`](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.5...v3.26.6) ### [`v3.26.5`](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.4...v3.26.5) ### [`v3.26.4`](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.3...v3.26.4) ### [`v3.26.3`](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.2...v3.26.3) ### [`v3.26.2`](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.1...v3.26.2) ### [`v3.26.1`](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.26.0...v3.26.1) ### [`v3.26.0`](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.15...v3.26.0) ### [`v3.25.15`](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.14...v3.25.15) ### [`v3.25.14`](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.13...v3.25.14) ### [`v3.25.13`](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.12...v3.25.13) ### [`v3.25.12`](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.25.11...v3.25.12) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.0`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.0) [Compare Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) #### What's Changed This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://redirect.github.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation. - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://redirect.github.com/ossf/scorecard-action/pull/1410) - 🐛 lower license sarif alert threshold to 9 by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://redirect.github.com/ossf/scorecard-action/pull/1411) ##### Documentation - docs: dogfooding badge by [@jkowalleck](https://redirect.github.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) #### New Contributors - [@jkowalleck](https://redirect.github.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://redirect.github.com/ossf/scorecard-action/pull/1399) **Full Changelog**: ossf/scorecard-action@v2.3.3...v2.4.0 </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.6.0`](https://redirect.github.com/slsa-framework/slsa-verifier/releases/tag/v2.6.0) [Compare Source](https://redirect.github.com/slsa-framework/slsa-verifier/compare/v2.5.1...v2.6.0) #### What's Changed - chore: Update doc and digests for v2.5.1 by [@laurentsimon](https://redirect.github.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/748](https://redirect.github.com/slsa-framework/slsa-verifier/pull/748) - fix(deps): update module google.golang.org/protobuf to v1.33.0 \[security] by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/743](https://redirect.github.com/slsa-framework/slsa-verifier/pull/743) - fix(deps): update dependency org.apache.maven:maven-core to v3.9.6 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/718](https://redirect.github.com/slsa-framework/slsa-verifier/pull/718) - chore: Update [@actions/github](https://redirect.github.com/actions/github) v6 by [@laurentsimon](https://redirect.github.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/749](https://redirect.github.com/slsa-framework/slsa-verifier/pull/749) - fix: use sigstore/pkg/fulcioroots to lessen deps by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/746](https://redirect.github.com/slsa-framework/slsa-verifier/pull/746) - feat: add ramonpetgrave64 as CODEOWNER by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/750](https://redirect.github.com/slsa-framework/slsa-verifier/pull/750) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`1a8ece8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/1a8ece8) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/701](https://redirect.github.com/slsa-framework/slsa-verifier/pull/701) - chore(deps): update github-actions (major) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/719](https://redirect.github.com/slsa-framework/slsa-verifier/pull/719) - fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/751](https://redirect.github.com/slsa-framework/slsa-verifier/pull/751) - chore(deps): update npm dev (major) by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/753](https://redirect.github.com/slsa-framework/slsa-verifier/pull/753) - fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.11.0 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/752](https://redirect.github.com/slsa-framework/slsa-verifier/pull/752) - feat: fixes [#547](https://redirect.github.com/slsa-framework/slsa-verifier/issues/547): add npm sigstore-tuf suport by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/731](https://redirect.github.com/slsa-framework/slsa-verifier/pull/731) - fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 \[security] by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/723](https://redirect.github.com/slsa-framework/slsa-verifier/pull/723) - chore(deps): update golang:1.21 docker digest to [`81811f8`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/81811f8) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/693](https://redirect.github.com/slsa-framework/slsa-verifier/pull/693) - chore: slsa-framework/slsa-github-generator@v2.0.0: add testdata by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/758](https://redirect.github.com/slsa-framework/slsa-verifier/pull/758) - chore(deps): update golang:1.21 docker digest to [`d83472f`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/d83472f) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/764](https://redirect.github.com/slsa-framework/slsa-verifier/pull/764) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`53745e9`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/53745e9) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/763](https://redirect.github.com/slsa-framework/slsa-verifier/pull/763) - feat: workflow to update actions dist by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/760](https://redirect.github.com/slsa-framework/slsa-verifier/pull/760) - fix(deps): update dependency [@actions/core](https://redirect.github.com/actions/core) to v1.10.1 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/717](https://redirect.github.com/slsa-framework/slsa-verifier/pull/717) - chore: fix pr-title-checker by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/770](https://redirect.github.com/slsa-framework/slsa-verifier/pull/770) - chore: Update Renovate config by [@ianlewis](https://redirect.github.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/769](https://redirect.github.com/slsa-framework/slsa-verifier/pull/769) - fix: use pr_number as env variable by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/771](https://redirect.github.com/slsa-framework/slsa-verifier/pull/771) - fix: signoff commit by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/767](https://redirect.github.com/slsa-framework/slsa-verifier/pull/767) - chore(deps): bump golang.org/x/net from 0.22.0 to 0.23.0 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/781](https://redirect.github.com/slsa-framework/slsa-verifier/pull/781) - chore(deps): bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/782](https://redirect.github.com/slsa-framework/slsa-verifier/pull/782) - chore(deps): bump undici from 5.28.3 to 5.28.4 in /actions/installer by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/779](https://redirect.github.com/slsa-framework/slsa-verifier/pull/779) - chore(deps-dev): bump braces from 3.0.2 to 3.0.3 in /actions/installer by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/780](https://redirect.github.com/slsa-framework/slsa-verifier/pull/780) - chore(deps): bump the npm_and_yarn group across 2 directories with 2 updates by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/slsa-framework/slsa-verifier/pull/784](https://redirect.github.com/slsa-framework/slsa-verifier/pull/784) - fix(deps): update golang.org/x/exp digest to [`7f521ea`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/7f521ea) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/775](https://redirect.github.com/slsa-framework/slsa-verifier/pull/775) - fix: make download-artifacts.sh more flexible by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/761](https://redirect.github.com/slsa-framework/slsa-verifier/pull/761) - chore(deps): update golang:1.21 docker digest to [`b405b62`](https://redirect.github.com/slsa-framework/slsa-verifier/commit/b405b62) by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/774](https://redirect.github.com/slsa-framework/slsa-verifier/pull/774) - chore(deps): update npm dev by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/650](https://redirect.github.com/slsa-framework/slsa-verifier/pull/650) - fix(deps): update dependency org.apache.maven:maven-core to v3.9.8 by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/787](https://redirect.github.com/slsa-framework/slsa-verifier/pull/787) - chore(deps): update github-actions by [@renovate-bot](https://redirect.github.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/786](https://redirect.github.com/slsa-framework/slsa-verifier/pull/786) - feat: vsa support by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/777](https://redirect.github.com/slsa-framework/slsa-verifier/pull/777) - fix: use tag for the builder in the release workflow by [@ramonpetgrave64](https://redirect.github.com/ramonpetgrave64) in [https://github.com/slsa-framework/slsa-verifier/pull/788](https://redirect.github.com/slsa-framework/slsa-verifier/pull/788) **Full Changelog**: v2.5.1...v2.6.0 </details> <details> <summary>thehanimo/pr-title-checker (thehanimo/pr-title-checker)</summary> ### [`v1.4.3`](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3) [Compare Source](https://redirect.github.com/thehanimo/pr-title-checker/compare/v1.4.2...v1.4.3) </details> --- ### Configuration 📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-verifier).
slsa-framework · Dec 4, 2024 · 190fdda · 190fdda
1 parent 17f7958
commit 190fdda
Show file tree

Hide file tree

Showing 14 changed files with 45 additions and 45 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -40,19 +40,19 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       # TODO(#740): Workaround for go1.21 compatibility. Remove when GHA runners have Go 1.21+.
       - name: setup-go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version-file: "go.mod"
           # not needed but gets rid of warnings
           cache: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/init@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -63,7 +63,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/autobuild@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
       # Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
 
@@ -76,4 +76,4 @@ jobs:
       #     make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/analyze@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
diff --git a/.github/workflows/depsreview.yml b/.github/workflows/depsreview.yml
@@ -9,6 +9,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
+        uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
diff --git a/.github/workflows/e2e.schedule.cli.yml b/.github/workflows/e2e.schedule.cli.yml
@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     # See https://github.com/orgs/community/discussions/26238.
     steps:
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: event_name
       - name: Check event name
@@ -28,7 +28,7 @@ jobs:
             ctned="true"
           fi
           echo "continue=$ctned" >> $GITHUB_OUTPUT
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         if: steps.name.outputs.continue == 'true'
         with:
           ref: main

diff --git a/.github/workflows/e2e.schedule.installer.yml b/.github/workflows/e2e.schedule.installer.yml
@@ -27,14 +27,14 @@ jobs:
       version: ${{ steps.generate-versions.outputs.version }}
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           # NOTE: the example-package needs to be checked out in the default workspace.
           repository: slsa-framework/example-package
           ref: main
 
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: __THIS_REPO__
 
@@ -77,7 +77,7 @@ jobs:
       - name: Checkout this repository
         # Skip release candidates unless specified explicitly.
         if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ matrix.version }}
 
@@ -196,7 +196,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -210,7 +210,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: slsa-framework/example-package
           ref: main

diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -10,7 +10,7 @@ jobs:
   validate:
     runs-on: ubuntu-latest
     steps:
-      - uses: thehanimo/pr-title-checker@1d8cd483a2b73118406a187f54dca8a9415f1375 # v1.4.2
+      - uses: thehanimo/pr-title-checker@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70 # v1.4.3
         with:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           configuration_path: ".github/pr-title-checker-config.json"
diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
@@ -11,10 +11,10 @@ jobs:
   check-dist:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Set Node.js 20
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 20
 
@@ -34,7 +34,7 @@ jobs:
           fi
 
       # If index.js was different from expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

diff --git a/.github/workflows/pre-submit.cli.yml b/.github/workflows/pre-submit.cli.yml
@@ -15,10 +15,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: setup-go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version-file: "go.mod"
           # not needed but gets rid of warnings
@@ -30,7 +30,7 @@ jobs:
         run: |
           echo "$EVENT_NAME" > ./event_name.txt
 
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: event_name
           path: ./event_name.txt

diff --git a/.github/workflows/pre-submit.e2e.yml b/.github/workflows/pre-submit.e2e.yml
@@ -11,12 +11,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: __THIS_REPO__
 
       - name: setup-go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version-file: "__THIS_REPO__/go.mod"
           # not needed but gets rid of warnings
@@ -29,7 +29,7 @@ jobs:
           go build -o slsa-verifier ./cli/slsa-verifier
 
       - name: Checkout e2e verification script
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: __EXAMPLE_PACKAGE__
           repository: slsa-framework/example-package

diff --git a/.github/workflows/pre-submit.lfs.yml b/.github/workflows/pre-submit.lfs.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actionsdesk/lfs-warning@4b98a8a5e6c429c23c34eee02d71553bca216425 # v3.3
         with:
           token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml
@@ -10,8 +10,8 @@ jobs:
   golangci-lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
           go-version-file: "go.mod"
           # not needed but gets rid of warnings
@@ -27,7 +27,7 @@ jobs:
   yamllint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - run: |
           set -euo pipefail
 
@@ -40,17 +40,17 @@ jobs:
   eslint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 20
       - run: make eslint
 
   renovate-config-validator:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: 20
       - run: make renovate-config-validator
diff --git a/.github/workflows/pre-submit.references.yml b/.github/workflows/pre-submit.references.yml
@@ -13,7 +13,7 @@ jobs:
     env:
       BODY: ${{ github.event.pull_request.body }}
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: Check documentation is up-to-date
         run: |

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
       version: ${{ steps.ldflags.outputs.version }}
     steps:
       - id: checkout
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - id: ldflags
@@ -63,7 +63,7 @@ jobs:
     permissions: read-all
     steps:
       - name: Install the verifier
-        uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1
+        uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0
 
       - name: Download assets
         env:
@@ -98,7 +98,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -112,7 +112,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           repository: slsa-framework/example-package
           ref: main

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -25,12 +25,12 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -49,14 +49,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3.27.6
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml
@@ -32,7 +32,7 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: checkout
-              uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
               with:
                   repository: ${{ github.repository }}
                   persist-credentials: false
@@ -57,7 +57,7 @@ jobs:
                   [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true
                   echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
             - name: upload
-              uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+              uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
               with:
                   name: changes.patch
                   path: changes.patch
@@ -72,14 +72,14 @@ jobs:
             contents: write
         steps:
             - name: checkout
-              uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
             - name: checkout-pr
               env:
                   GH_TOKEN: ${{ github.token }}
                   PR_NUMBER: ${{ inputs.pr_number }}
               run: gh pr checkout "$PR_NUMBER"
             - name: download-patch
-              uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+              uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
               with:
                   name: changes.patch
             - id: apply