-
Notifications
You must be signed in to change notification settings - Fork 70
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add SECURITY.md file #1250
Merged
Merged
Add SECURITY.md file #1250
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This commit adds a SECURITY.md file, so panicked reporters will know how to report them. Since private reporting is enabled, I presume that's how this group wants the vulnerabilities reported. I also tweaked the README to point to it. Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: David A. Wheeler <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
Signed-off-by: Spencer Schrock <[email protected]>
spencerschrock
approved these changes
Sep 5, 2023
another-rex
referenced
this pull request
in google/osv-scanner
Oct 9, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.9` -> `v2.22.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->
EliSchleifer
referenced
this pull request
in trunk-io/plugins
Oct 11, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped)) | [`18.18.1` -> `18.18.4`](https://renovatebot.com/diffs/npm/@types%2fnode/18.18.1/18.18.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fnode/18.18.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@types%2fnode/18.18.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@types%2fnode/18.18.1/18.18.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fnode/18.18.1/18.18.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [eslint](https://eslint.org) ([source](https://togithub.com/eslint/eslint)) | [`8.50.0` -> `8.51.0`](https://renovatebot.com/diffs/npm/eslint/8.50.0/8.51.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/eslint/8.51.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/eslint/8.51.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/eslint/8.50.0/8.51.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint/8.50.0/8.51.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | minor | | [github/codeql-action](https://togithub.com/github/codeql-action) | `v2.21.9` -> `v2.22.0` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/github%2fcodeql-action/v2.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/github%2fcodeql-action/v2.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/github%2fcodeql-action/v2.21.9/v2.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/github%2fcodeql-action/v2.21.9/v2.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | action | minor | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | `v2.2.0` -> `v2.3.0` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/ossf%2fscorecard-action/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/ossf%2fscorecard-action/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/ossf%2fscorecard-action/v2.2.0/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/ossf%2fscorecard-action/v2.2.0/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | action | minor | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v8.51.0`](https://togithub.com/eslint/eslint/releases/tag/v8.51.0) [Compare Source](https://togithub.com/eslint/eslint/compare/v8.50.0...v8.51.0) #### Features - [`0a9c433`](https://togithub.com/eslint/eslint/commit/0a9c43339a4adef24ef83034d0b078dd279cc977) feat: Add `--no-warn-ignored` CLI option for flat config ([#​17569](https://togithub.com/eslint/eslint/issues/17569)) (Domantas Petrauskas) - [`977e67e`](https://togithub.com/eslint/eslint/commit/977e67ec274a05cb7391665b5e3453e7f72f72b2) feat: logical-assignment-operators to report expressions with 3 operands ([#​17600](https://togithub.com/eslint/eslint/issues/17600)) (Yosuke Ota) #### Bug Fixes - [`f976b2f`](https://togithub.com/eslint/eslint/commit/f976b2f7bfe7cc78bb649f8b37e90fd519ff3bcc) fix: make rule severity case-sensitive in flat config ([#​17619](https://togithub.com/eslint/eslint/issues/17619)) (Milos Djermanovic) - [`0edfe36`](https://togithub.com/eslint/eslint/commit/0edfe369aa5bd80a98053022bb4c6b1ea0155f44) fix: Ensure crash error messages are not duplicated ([#​17584](https://togithub.com/eslint/eslint/issues/17584)) (Nicholas C. Zakas) - [`dd79abc`](https://togithub.com/eslint/eslint/commit/dd79abc0c1857b1d765acc312c0d6518e40d31c9) fix: `eslint-disable` to be able to parse quoted rule names ([#​17612](https://togithub.com/eslint/eslint/issues/17612)) (Yosuke Ota) - [`d2f6801`](https://togithub.com/eslint/eslint/commit/d2f68019b8882278877801c5ef2f74d55e2a10c1) fix: Ensure correct code path for && followed by ?? ([#​17618](https://togithub.com/eslint/eslint/issues/17618)) (Nicholas C. Zakas) #### Documentation - [`ee5be81`](https://togithub.com/eslint/eslint/commit/ee5be81fa3c4fe801c2f653854f098ed6a84dcef) docs: default to `sourceType: "module"` in rule examples ([#​17615](https://togithub.com/eslint/eslint/issues/17615)) (Francesco Trotta) - [`1aa26df`](https://togithub.com/eslint/eslint/commit/1aa26df9fbcfdf5b895743c6d2d3a216479544b1) docs: Add more examples for multiline-ternary ([#​17610](https://togithub.com/eslint/eslint/issues/17610)) (George Ashiotis) - [`47d0b44`](https://togithub.com/eslint/eslint/commit/47d0b446964f44d70b9457ecc368e721e1dc7c11) docs: Update README (GitHub Actions Bot) - [`dbf831e`](https://togithub.com/eslint/eslint/commit/dbf831e31f8eea0bc94df96cd33255579324b66e) docs: use generated og image ([#​17601](https://togithub.com/eslint/eslint/issues/17601)) (Percy Ma) - [`1866da5`](https://togithub.com/eslint/eslint/commit/1866da5e1d931787256ecb825a803cac5835b71c) docs: Update README (GitHub Actions Bot) #### Chores - [`1ef39ea`](https://togithub.com/eslint/eslint/commit/1ef39ea5b884453be717ebc929155d7eb584dcbf) chore: upgrade [@​eslint/js](https://togithub.com/eslint/js)[@​8](https://togithub.com/8).51.0 ([#​17624](https://togithub.com/eslint/eslint/issues/17624)) (Milos Djermanovic) - [`f8c7403`](https://togithub.com/eslint/eslint/commit/f8c7403255c11e99c402860aef3c0179f2b16628) chore: package.json update for [@​eslint/js](https://togithub.com/eslint/js) release (ESLint Jenkins) - [`2665552`](https://togithub.com/eslint/eslint/commit/2665552ba0057e8603f9fbece0fd236f189f5cf3) test: fix flat config linter tests to use Linter in flat config mode ([#​17616](https://togithub.com/eslint/eslint/issues/17616)) (Milos Djermanovic) - [`7b77bcc`](https://togithub.com/eslint/eslint/commit/7b77bccbb51bd36b2d20fea61bc782545c4029b3) chore: Refactor CodePathState ([#​17510](https://togithub.com/eslint/eslint/issues/17510)) (Nicholas C. Zakas) - [`bc77c9a`](https://togithub.com/eslint/eslint/commit/bc77c9af12539f350ef19e30611a153a5b869c6b) chore: Document and refactor ForkContext ([#​17566](https://togithub.com/eslint/eslint/issues/17566)) (Nicholas C. Zakas) - [`24e1f14`](https://togithub.com/eslint/eslint/commit/24e1f140ec68659e55c1ace0d7500addb135a2b4) chore: Refactor and document CodePath ([#​17558](https://togithub.com/eslint/eslint/issues/17558)) (Nicholas C. Zakas) </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/trunk-io/plugins). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
ianlewis
referenced
this pull request
in slsa-framework/slsa-github-generator
Oct 23, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | actions/checkout | action | digest | `96f5310` -> `b4ffde6` | | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v4.0.0` -> `v4.1.1` | | [actions/setup-go](https://togithub.com/actions/setup-go) | action | minor | `v4.0.1` -> `v4.1.0` | | [actions/setup-java](https://togithub.com/actions/setup-java) | action | minor | `v3.12.0` -> `v3.13.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | minor | `v3.7.0` -> `v3.8.1` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | digest | `e33196f` -> `5e21ff4` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.2` -> `v2.22.4` | | [gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action) | action | minor | `v2.7.0` -> `v2.9.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer) | action | patch | `v3.1.1` -> `v3.1.2` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@​joshmgross](https://togithub.com/joshmgross) in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - Correct link to GitHub Docs by [@​peterbe](https://togithub.com/peterbe) in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) - Link to release page from what's new section by [@​cory-miller](https://togithub.com/cory-miller) in [https://github.com/actions/checkout/pull/1514](https://togithub.com/actions/checkout/pull/1514) ##### New Contributors - [@​joshmgross](https://togithub.com/joshmgross) made their first contribution in [https://github.com/actions/checkout/pull/1510](https://togithub.com/actions/checkout/pull/1510) - [@​peterbe](https://togithub.com/peterbe) made their first contribution in [https://github.com/actions/checkout/pull/1511](https://togithub.com/actions/checkout/pull/1511) **Full Changelog**: actions/checkout@v4...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://togithub.com/actions/checkout/pull/1396) </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v4.1.0`](https://togithub.com/actions/setup-go/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/setup-go/compare/v4.0.1...v4.1.0) #### What's Changed In scope of this release, slow installation on Windows was fixed by [@​dsame](https://togithub.com/dsame) in [https://github.com/actions/setup-go/pull/393](https://togithub.com/actions/setup-go/pull/393) and OS version was added to `primaryKey` for Ubuntu runners to avoid conflicts ([https://github.com/actions/setup-go/pull/383](https://togithub.com/actions/setup-go/pull/383)) This release also includes the following changes: - Remove implicit dependencies by [@​nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [https://github.com/actions/setup-go/pull/378](https://togithub.com/actions/setup-go/pull/378) - Update action.yml by [@​mkelly](https://togithub.com/mkelly) in [https://github.com/actions/setup-go/pull/379](https://togithub.com/actions/setup-go/pull/379) - Added a description that go-version should be specified as a string type by [@​n3xem](https://togithub.com/n3xem) in [https://github.com/actions/setup-go/pull/367](https://togithub.com/actions/setup-go/pull/367) - Add note about YAML parsing versions by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-go/pull/382](https://togithub.com/actions/setup-go/pull/382) - Automatic update of configuration files from 05/23/2023 by [@​github-actions](https://togithub.com/github-actions) in [https://github.com/actions/setup-go/pull/377](https://togithub.com/actions/setup-go/pull/377) - Bump tough-cookie and [@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/392](https://togithub.com/actions/setup-go/pull/392) - Bump word-wrap from 1.2.3 to 1.2.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/397](https://togithub.com/actions/setup-go/pull/397) - Bump semver from 6.3.0 to 6.3.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-go/pull/396](https://togithub.com/actions/setup-go/pull/396) #### New Contributors - [@​mkelly](https://togithub.com/mkelly) made their first contribution in [https://github.com/actions/setup-go/pull/379](https://togithub.com/actions/setup-go/pull/379) - [@​n3xem](https://togithub.com/n3xem) made their first contribution in [https://github.com/actions/setup-go/pull/367](https://togithub.com/actions/setup-go/pull/367) **Full Changelog**: actions/setup-go@v4...v4.1.0 </details> <details> <summary>actions/setup-java (actions/setup-java)</summary> ### [`v3.13.0`](https://togithub.com/actions/setup-java/releases/tag/v3.13.0) [Compare Source](https://togithub.com/actions/setup-java/compare/v3.12.0...v3.13.0) ##### What's changed In the scope of this release, support for Dragonwell JDK was added by [@​Accelerator1996](https://togithub.com/Accelerator1996) in [https://github.com/actions/setup-java/pull/532](https://togithub.com/actions/setup-java/pull/532) ```yaml steps: - name: Checkout uses: actions/checkout@v3 - name: Setup-java uses: actions/setup-java@v3 with: distribution: 'dragonwell' java-version: '17' ``` Several inaccuracies were also fixed: - Fix XML namespaces wrongly using https by [@​gnodet](https://togithub.com/gnodet) in [https://github.com/actions/setup-java/pull/503](https://togithub.com/actions/setup-java/pull/503) - Fix typo and remove unintentional(?) word by [@​CyberFlameGO](https://togithub.com/CyberFlameGO) in [https://github.com/actions/setup-java/pull/518](https://togithub.com/actions/setup-java/pull/518) - Fix usage link within the README.md file by [@​dassiorleando](https://togithub.com/dassiorleando) in [https://github.com/actions/setup-java/pull/525](https://togithub.com/actions/setup-java/pull/525) ##### New Contributors - [@​CyberFlameGO](https://togithub.com/CyberFlameGO) made their first contribution in [https://github.com/actions/setup-java/pull/518](https://togithub.com/actions/setup-java/pull/518) - [@​dassiorleando](https://togithub.com/dassiorleando) made their first contribution in [https://github.com/actions/setup-java/pull/525](https://togithub.com/actions/setup-java/pull/525) - [@​gnodet](https://togithub.com/gnodet) made their first contribution in [https://github.com/actions/setup-java/pull/503](https://togithub.com/actions/setup-java/pull/503) - [@​Accelerator1996](https://togithub.com/Accelerator1996) made their first contribution in [https://github.com/actions/setup-java/pull/532](https://togithub.com/actions/setup-java/pull/532) **Full Changelog**: actions/setup-java@v3...v3.13.0 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library. **Full Changelog**: actions/setup-node@v3...v3.8.1 ### [`v3.8.0`](https://togithub.com/actions/setup-node/releases/tag/v3.8.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.7.0...v3.8.0) ##### What's Changed ##### Bug fixes: - Add check for existing paths by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/803](https://togithub.com/actions/setup-node/pull/803) - Resolve SymbolicLink by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/809](https://togithub.com/actions/setup-node/pull/809) - Change passing logic for cache input by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/816](https://togithub.com/actions/setup-node/pull/816) - Fix armv7 cache issue by [@​louislam](https://togithub.com/louislam) in [https://github.com/actions/setup-node/pull/794](https://togithub.com/actions/setup-node/pull/794) - Update check-dist workflow name by [@​sinchang](https://togithub.com/sinchang) in [https://github.com/actions/setup-node/pull/710](https://togithub.com/actions/setup-node/pull/710) ##### Feature implementations: - feat: handling the case where "node" is used for tool-versions file. by [@​xytis](https://togithub.com/xytis) in [https://github.com/actions/setup-node/pull/812](https://togithub.com/actions/setup-node/pull/812) ##### Documentation changes: - Refer to semver package name in README.md by [@​olleolleolle](https://togithub.com/olleolleolle) in [https://github.com/actions/setup-node/pull/808](https://togithub.com/actions/setup-node/pull/808) ##### Update dependencies: - Update toolkit cache to fix zstd by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/804](https://togithub.com/actions/setup-node/pull/804) - Bump tough-cookie and [@​azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/802](https://togithub.com/actions/setup-node/pull/802) - Bump semver from 6.1.2 to 6.3.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/807](https://togithub.com/actions/setup-node/pull/807) - Bump word-wrap from 1.2.3 to 1.2.4 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/actions/setup-node/pull/815](https://togithub.com/actions/setup-node/pull/815) ##### New Contributors - [@​olleolleolle](https://togithub.com/olleolleolle) made their first contribution in [https://github.com/actions/setup-node/pull/808](https://togithub.com/actions/setup-node/pull/808) - [@​louislam](https://togithub.com/louislam) made their first contribution in [https://github.com/actions/setup-node/pull/794](https://togithub.com/actions/setup-node/pull/794) - [@​sinchang](https://togithub.com/sinchang) made their first contribution in [https://github.com/actions/setup-node/pull/710](https://togithub.com/actions/setup-node/pull/710) - [@​xytis](https://togithub.com/xytis) made their first contribution in [https://github.com/actions/setup-node/pull/812](https://togithub.com/actions/setup-node/pull/812) **Full Changelog**: actions/setup-node@v3...v3.8.0 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@​ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313) - Bump [@​actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436) **Full Changelog**: actions/upload-artifact@v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) ### [`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) ### [`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) </details> <details> <summary>gradle/gradle-build-action (gradle/gradle-build-action)</summary> ### [`v2.9.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.9.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.8.1...v2.9.0) The GitHub [dependency-review-action](https://togithub.com/actions/dependency-review-action) helps you understand dependency changes (and the security impact of these changes) for a pull request. This release updates the GItHub Dependency Graph support to be compatible with the `dependency-review-action`. See [the documentation](https://togithub.com/gradle/gradle-build-action#integrating-the-dependency-review-action) for detailed examples. ##### Changelog - \[FIX] Use correct SHA for `pull-request` events [#​882](https://togithub.com/gradle/gradle-build-action/issues/882) - \[FIX] Avoid generating dependency graph during cache cleanup [#​905](https://togithub.com/gradle/gradle-build-action/issues/905) - \[NEW] Improve warning on failure to submit dependency graph - \[NEW] Compatibility with GitHub `dependency-review-action` [#​879](https://togithub.com/gradle/gradle-build-action/issues/879) **Full-changelog**: gradle/gradle-build-action@v2.8.1...v2.9.0 ### [`v2.8.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.8.1) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.8.0...v2.8.1) Fixes an issue that prevented Dependency Graph submission when running on GitHub Enterprise Server. ##### Fixes - Incorrect endpoint used to submit Dependency Graph on GitHub Enterprise [#​885](https://togithub.com/gradle/gradle-build-action/issues/885) ##### Changelog ### [`v2.8.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.8.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.7.1...v2.8.0) The `v2.8.0` release of the `gradle-build-action` introduces an easy mechanism to connect to Gradle Enterprise, as well improved support for self-hosted GitHub Actions runners. ##### Automatic injection of Gradle Enterprise connectivity It is now possible to connect a Gradle build to Gradle Enterprise without changing any of the Gradle project sources. This is achieved through Gradle Enterprise injection, where an init-script will apply the Gradle Enterprise plugin and associated configuration. This feature can be useful to easily trial Gradle Enterprise on a project, or to centralize Gradle Enterprise configuration for all GitHub Actions workflows in an organization. See [Gradle Enterprise injection in the README](https://togithub.com/gradle/gradle-build-action/blob/v2.8.0/README.md#gradle-enterprise-plugin-injection) for more info. ##### Restore Gradle User Home when directory already exists Previously, the Gradle User Home would not be restored if the directory already exists. This wasn't normally an issue with GitHub-hosted runners, but limited the usefulness of the action for persistent, self-hosted runners. This behaviour has been improved in this release: - The Job Summary now includes a useful error message when Gradle User Home was not restored because the directory already exists. - The action can now be configured to restore the Gradle User Home when the directory already exists, overwriting existing content with content from the GitHub Actions cache. See https://github.com/gradle/gradle-build-action#overwriting-an-existing-gradle-user-home for more details. ##### Changes **Issues fixed**: https://github.com/gradle/gradle-build-action/issues?q=milestone%3A2.8.0+is%3Aclosed **Full changelog**: gradle/gradle-build-action@v2.7.1...v2.8.0 ### [`v2.7.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.7.1) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.7.0...v2.7.1) This release contains no code changes, only dependency updates and documentation improvements. ##### Changelog </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary> ### [`v3.1.2`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.2) [Compare Source](https://togithub.com/sigstore/cosign-installer/compare/v3.1.1...v3.1.2) #### What's Changed - Fix build and push step Readme missing id by [@​hbenali](https://togithub.com/hbenali) in [https://github.com/sigstore/cosign-installer/pull/138](https://togithub.com/sigstore/cosign-installer/pull/138) - bump cosign to v2.2.0 by [@​cpanato](https://togithub.com/cpanato) in [https://github.com/sigstore/cosign-installer/pull/142](https://togithub.com/sigstore/cosign-installer/pull/142) #### New Contributors - [@​hbenali](https://togithub.com/hbenali) made their first contribution in [https://github.com/sigstore/cosign-installer/pull/138](https://togithub.com/sigstore/cosign-installer/pull/138) **Full Changelog**: sigstore/cosign-installer@v3...v3.1.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-github-generator). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4xOS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <[email protected]>
laurentsimon
referenced
this pull request
in slsa-framework/slsa-verifier
Dec 1, 2023
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` | | [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. #### What's Changed - Fix(docs): Correct action input name by [@​oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) #### New Contributors - [@​oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) **Full Changelog**: actions/dependency-review-action@v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@​sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. #### New Contributors - [@​sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) **Full Changelog**: actions/dependency-review-action@v3...v3.0.8 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library. **Full Changelog**: actions/setup-node@v3...v3.8.1 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@​ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313) - Bump [@​actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436) **Full Changelog**: actions/upload-artifact@v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) Release \[v1.9.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0). ##### v1.9.0: BYOB framework (beta) - **New**: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders. ##### v1.9.0: Maven builder (beta) - **New**: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central. ##### v1.9.0: Gradle builder (beta) - **New**: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central. ##### v1.9.0: JReleaser builder - **New**: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java). </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0) #### Summary Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0 #### What's Changed - chore: Update SHA256SUM.md for v2.3.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592) - docs: Make npm package version and name non-optional by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591) - docs: npm provenance verification from GitHub runner by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595) - chore(deps): update dependency [@​types/node](https://togithub.com/types/node) to v18.16.9 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597) - chore(deps): update dependency jasmine to v5 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598) - feat: BYOB verification support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604) - feat: Support for v1.0 verification in BYOB by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609) - feat: Use env variable to retrieve trigger workflow by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615) - test: Add test data for v1.6.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612) - fix: Verify the TRW tag is a semver tag by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619) - chore: Don't be verbose with tests locally by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620) - fix: use ExternalParameters\["source"] for the Source URI for SLSA v1.0 provenance by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621) - test: re-generate container-based tests by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627) - fix: revert to using resolvedDepdendencies for source verification by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629) - refactor: Provenance tests by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628) - fix(deps): update module github.com/sigstore/rekor to v1.2.0 \[security] by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622) - fix: only allow hashes of 256 bits or more by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633) - fix: builder ID verification for testing by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635) - feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634) - chore: update toc in README.md by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636) - fix: allow workflow_dispatch to trigger release.yml by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637) - test: add tests for v1.7.0 builders by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567) - fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606) - chore(deps): update npm dev by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608) - chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583) - feat: Verify provenance by build type by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632) - refactor: Use Go 1.20 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643) - test: Add more ProvenanceFromEnvelope tests by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640) - fix: pre-submit: e2e-cli.sh artifact download by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646) - refactor: Add more git utils by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645) - refactor: Use full builder id by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648) - feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651) - feat: move maven-plugin from slsa-github-generator by [@​AdamKorcz](https://togithub.com/AdamKorcz) in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - docs: Fix maven-plugin README by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671) - feat: Verification for when sha1 is specified in BYOB TRW by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641) - docs: Add example for maven verification plugin by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676) - chore: Add Kris to codeowners by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678) - feat: Print byob builder by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677) - test: Add test data for v1.8.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666) - feat: Non-compulsory BuilderID for BYOB Builders by [@​enteraga6](https://togithub.com/enteraga6) in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) - chore(deps): update golang docker tag to v1.21 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686) - feat: GCB refactor for v1.0 support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682) - feat: Allow byob builders ref at main for e2e tests by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689) - feat: Update doc and code for Maven plugin by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680) - feat: gcb v1.0 support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691) - feat: v1.9.0 regression tests by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696) - fix: release failure by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697) #### New Contributors - [@​AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - [@​enteraga6](https://togithub.com/enteraga6) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) **Full Changelog**: v2.3.0...v2.4.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <[email protected]> Co-authored-by: laurentsimon <[email protected]>
michaelkedar
referenced
this pull request
in google/osv.dev
Jan 9, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | gaurav-nelson/github-action-markdown-link-check | action | digest | `a996638` -> `0f074c8` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.9` -> `v2.23.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.1` | | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | patch | `v1.8.10` -> `v1.8.11` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) ### [`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) ### [`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) ### [`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) ### [`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) ### [`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) ### [`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) ### [`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) ### [`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282) - Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1) release notes **Full Changelog**: ossf/scorecard-action@v2.3.0...v2.3.1 ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.8.11`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.11) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.10...v1.8.11) #### 💅 Cosmetic output improvements [@​woodruffw](https://togithub.com/woodruffw) added a nudge suggesting the users storing passwords in a GitHub Actions repository secrets to switch to using secretless publishing in [https://github.com/pypa/gh-action-pypi-publish/pull/190](https://togithub.com/pypa/gh-action-pypi-publish/pull/190). This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024. #### 📝 What's Documented [@​di](https://togithub.com/di) linked the configuration docs for Trusted Publishing in README via [https://github.com/pypa/gh-action-pypi-publish/pull/179](https://togithub.com/pypa/gh-action-pypi-publish/pull/179). #### 🛠️ Internal dependencies - Cryptography was bumped from 41.0.3 to 41.0.6 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/194](https://togithub.com/pypa/gh-action-pypi-publish/pull/194)ll/194 - Pip was bumped from 22.3.1 to 23.3 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/189](https://togithub.com/pypa/gh-action-pypi-publish/pull/189)ll/189 - pre-commit linters got autoupdated @&#[https://github.com/pypa/gh-action-pypi-publish/pull/184](https://togithub.com/pypa/gh-action-pypi-publish/pull/184)ll/184 - Urllib3 was bumped from 2.0.3 to 2.0.7 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/183](https://togithub.com/pypa/gh-action-pypi-publish/pull/183)ll/18[https://github.com/pypa/gh-action-pypi-publish/pull/185](https://togithub.com/pypa/gh-action-pypi-publish/pull/185)ll/185 #### 💪 New Contributors - [@​di](https://togithub.com/di) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/179](https://togithub.com/pypa/gh-action-pypi-publish/pull/179) **:mirror: Full Diff**: pypa/gh-action-pypi-publish@v1.8.10...v1.8.11 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMDMuMSIsInVwZGF0ZWRJblZlciI6IjM3LjEyNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->
anakinxc
referenced
this pull request
in secretflow/spu
Jan 12, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.1.2` -> `v2.3.1` | --- ### Release Notes <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282) - Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1) release notes **Full Changelog**: ossf/scorecard-action@v2.3.0...v2.3.1 ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192) #### Scorecard Result Viewer Thanks to contributions from [@​cynthia-sg](https://togithub.com/cynthia-sg) and [@​tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406) - [https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422) As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156), resolved [https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150)) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191)) #### Docs - 📖 Update README to accept fine-grained tokens by [@​pnacht](https://togithub.com/pnacht) in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) - 📖 Update installation instructions to match current GitHub UI by [@​joycebrum](https://togithub.com/joycebrum) in [https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153) - 📖 Document the GitHub action workflow restrictions when publishing results. by [@​spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@​bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140) - [@​pnacht](https://togithub.com/pnacht) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) **Full Changelog**: ossf/scorecard-action@v2.1.3...v2.2.0 ### [`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1111](https://togithub.com/ossf/scorecard-action/pull/1111) ##### Bug Fixes - Invalid SARIF files from a bug in scorecard - [#​1076](https://togithub.com/ossf/scorecard-action/issues/1076), [#​1094](https://togithub.com/ossf/scorecard-action/issues/1094) - Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner - [#​1092](https://togithub.com/ossf/scorecard-action/issues/1092) - Scorecard action not reporting binary artifacts in the repo - [#​1116](https://togithub.com/ossf/scorecard-action/issues/1116) **Full Scorecard Changelog**: ossf/scorecard@v4.10.2...v4.10.5 **Full Changelog**: ossf/scorecard-action@v2.1.2...v2.1.3 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/secretflow/spu). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMjcuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEyNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
pat-trunk-io
referenced
this pull request
in trunk-io/plugins
Jan 22, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [@types/node](https://togithub.com/DefinitelyTyped/DefinitelyTyped/tree/master/types/node) ([source](https://togithub.com/DefinitelyTyped/DefinitelyTyped)) | [`18.18.1` -> `18.18.4`](https://renovatebot.com/diffs/npm/@types%2fnode/18.18.1/18.18.4) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@types%2fnode/18.18.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@types%2fnode/18.18.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@types%2fnode/18.18.1/18.18.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@types%2fnode/18.18.1/18.18.4?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | patch | | [eslint](https://eslint.org) ([source](https://togithub.com/eslint/eslint)) | [`8.50.0` -> `8.51.0`](https://renovatebot.com/diffs/npm/eslint/8.50.0/8.51.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/eslint/8.51.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/eslint/8.51.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/eslint/8.50.0/8.51.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/eslint/8.50.0/8.51.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | minor | | [github/codeql-action](https://togithub.com/github/codeql-action) | `v2.21.9` -> `v2.22.0` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/github%2fcodeql-action/v2.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/github%2fcodeql-action/v2.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/github%2fcodeql-action/v2.21.9/v2.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/github%2fcodeql-action/v2.21.9/v2.22.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | action | minor | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | `v2.2.0` -> `v2.3.0` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/ossf%2fscorecard-action/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/ossf%2fscorecard-action/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/ossf%2fscorecard-action/v2.2.0/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/ossf%2fscorecard-action/v2.2.0/v2.3.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | action | minor | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v8.51.0`](https://togithub.com/eslint/eslint/releases/tag/v8.51.0) [Compare Source](https://togithub.com/eslint/eslint/compare/v8.50.0...v8.51.0) #### Features - [`0a9c433`](https://togithub.com/eslint/eslint/commit/0a9c43339a4adef24ef83034d0b078dd279cc977) feat: Add `--no-warn-ignored` CLI option for flat config ([#​17569](https://togithub.com/eslint/eslint/issues/17569)) (Domantas Petrauskas) - [`977e67e`](https://togithub.com/eslint/eslint/commit/977e67ec274a05cb7391665b5e3453e7f72f72b2) feat: logical-assignment-operators to report expressions with 3 operands ([#​17600](https://togithub.com/eslint/eslint/issues/17600)) (Yosuke Ota) #### Bug Fixes - [`f976b2f`](https://togithub.com/eslint/eslint/commit/f976b2f7bfe7cc78bb649f8b37e90fd519ff3bcc) fix: make rule severity case-sensitive in flat config ([#​17619](https://togithub.com/eslint/eslint/issues/17619)) (Milos Djermanovic) - [`0edfe36`](https://togithub.com/eslint/eslint/commit/0edfe369aa5bd80a98053022bb4c6b1ea0155f44) fix: Ensure crash error messages are not duplicated ([#​17584](https://togithub.com/eslint/eslint/issues/17584)) (Nicholas C. Zakas) - [`dd79abc`](https://togithub.com/eslint/eslint/commit/dd79abc0c1857b1d765acc312c0d6518e40d31c9) fix: `eslint-disable` to be able to parse quoted rule names ([#​17612](https://togithub.com/eslint/eslint/issues/17612)) (Yosuke Ota) - [`d2f6801`](https://togithub.com/eslint/eslint/commit/d2f68019b8882278877801c5ef2f74d55e2a10c1) fix: Ensure correct code path for && followed by ?? ([#​17618](https://togithub.com/eslint/eslint/issues/17618)) (Nicholas C. Zakas) #### Documentation - [`ee5be81`](https://togithub.com/eslint/eslint/commit/ee5be81fa3c4fe801c2f653854f098ed6a84dcef) docs: default to `sourceType: "module"` in rule examples ([#​17615](https://togithub.com/eslint/eslint/issues/17615)) (Francesco Trotta) - [`1aa26df`](https://togithub.com/eslint/eslint/commit/1aa26df9fbcfdf5b895743c6d2d3a216479544b1) docs: Add more examples for multiline-ternary ([#​17610](https://togithub.com/eslint/eslint/issues/17610)) (George Ashiotis) - [`47d0b44`](https://togithub.com/eslint/eslint/commit/47d0b446964f44d70b9457ecc368e721e1dc7c11) docs: Update README (GitHub Actions Bot) - [`dbf831e`](https://togithub.com/eslint/eslint/commit/dbf831e31f8eea0bc94df96cd33255579324b66e) docs: use generated og image ([#​17601](https://togithub.com/eslint/eslint/issues/17601)) (Percy Ma) - [`1866da5`](https://togithub.com/eslint/eslint/commit/1866da5e1d931787256ecb825a803cac5835b71c) docs: Update README (GitHub Actions Bot) #### Chores - [`1ef39ea`](https://togithub.com/eslint/eslint/commit/1ef39ea5b884453be717ebc929155d7eb584dcbf) chore: upgrade [@​eslint/js](https://togithub.com/eslint/js)[@​8](https://togithub.com/8).51.0 ([#​17624](https://togithub.com/eslint/eslint/issues/17624)) (Milos Djermanovic) - [`f8c7403`](https://togithub.com/eslint/eslint/commit/f8c7403255c11e99c402860aef3c0179f2b16628) chore: package.json update for [@​eslint/js](https://togithub.com/eslint/js) release (ESLint Jenkins) - [`2665552`](https://togithub.com/eslint/eslint/commit/2665552ba0057e8603f9fbece0fd236f189f5cf3) test: fix flat config linter tests to use Linter in flat config mode ([#​17616](https://togithub.com/eslint/eslint/issues/17616)) (Milos Djermanovic) - [`7b77bcc`](https://togithub.com/eslint/eslint/commit/7b77bccbb51bd36b2d20fea61bc782545c4029b3) chore: Refactor CodePathState ([#​17510](https://togithub.com/eslint/eslint/issues/17510)) (Nicholas C. Zakas) - [`bc77c9a`](https://togithub.com/eslint/eslint/commit/bc77c9af12539f350ef19e30611a153a5b869c6b) chore: Document and refactor ForkContext ([#​17566](https://togithub.com/eslint/eslint/issues/17566)) (Nicholas C. Zakas) - [`24e1f14`](https://togithub.com/eslint/eslint/commit/24e1f140ec68659e55c1ace0d7500addb135a2b4) chore: Refactor and document CodePath ([#​17558](https://togithub.com/eslint/eslint/issues/17558)) (Nicholas C. Zakas) </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/trunk-io/plugins). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
codeboten
referenced
this pull request
in open-telemetry/opentelemetry-collector
Jan 30, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.1.0` -> `v3.6.0` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.0` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.2.4` -> `v2.23.2` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.23.1` -> `v3.23.2` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.1.2` -> `v2.3.1` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) ### [`v3.5.3`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v353) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.2...v3.5.3) - [Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in](https://togithub.com/actions/checkout/pull/1196) - [Fix typos found by codespell](https://togithub.com/actions/checkout/pull/1287) - [Add support for sparse checkouts](https://togithub.com/actions/checkout/pull/1369) ### [`v3.5.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v352) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.1...v3.5.2) - [Fix api endpoint for GHES](https://togithub.com/actions/checkout/pull/1289) ### [`v3.5.1`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v351) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.0...v3.5.1) - [Fix slow checkout on Windows](https://togithub.com/actions/checkout/pull/1246) ### [`v3.5.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v350) [Compare Source](https://togithub.com/actions/checkout/compare/v3.4.0...v3.5.0) - [Add new public key for known_hosts](https://togithub.com/actions/checkout/pull/1237) ### [`v3.4.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v340) [Compare Source](https://togithub.com/actions/checkout/compare/v3.3.0...v3.4.0) - [Upgrade codeql actions to v2](https://togithub.com/actions/checkout/pull/1209) - [Upgrade dependencies](https://togithub.com/actions/checkout/pull/1210) - [Upgrade @​actions/io](https://togithub.com/actions/checkout/pull/1225) ### [`v3.3.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v330) [Compare Source](https://togithub.com/actions/checkout/compare/v3.2.0...v3.3.0) - [Implement branch list using callbacks from exec function](https://togithub.com/actions/checkout/pull/1045) - [Add in explicit reference to private checkout options](https://togithub.com/actions/checkout/pull/1050) - [Fix comment typos (that got added in #​770)](https://togithub.com/actions/checkout/pull/1057) ### [`v3.2.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v320) [Compare Source](https://togithub.com/actions/checkout/compare/v3.1.0...v3.2.0) - [Add GitHub Action to perform release](https://togithub.com/actions/checkout/pull/942) - [Fix status badge](https://togithub.com/actions/checkout/pull/967) - [Replace datadog/squid with ubuntu/squid Docker image](https://togithub.com/actions/checkout/pull/1002) - [Wrap pipeline commands for submoduleForeach in quotes](https://togithub.com/actions/checkout/pull/964) - [Update @​actions/io to 1.1.2](https://togithub.com/actions/checkout/pull/1029) - [Upgrading version to 3.2.0](https://togithub.com/actions/checkout/pull/1039) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@​ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313) - Bump [@​actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436) **Full Changelog**: actions/upload-artifact@v3...v3.1.3 ### [`v3.1.2`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.2) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.1...v3.1.2) - Update all `@actions/*` NPM packages to their latest versions- [#​374](https://togithub.com/actions/upload-artifact/issues/374) - Update all dev dependencies to their most recent versions - [#​375](https://togithub.com/actions/upload-artifact/issues/375) ### [`v3.1.1`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.1) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.0...v3.1.1) - Update actions/core package to latest version to remove `set-output` deprecation warning [#​351](https://togithub.com/actions/upload-artifact/issues/351) </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.23.2`](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.1...v2.23.2) ### [`v2.23.1`](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.23.0...v2.23.1) ### [`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) ### [`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) ### [`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) ### [`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) ### [`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) ### [`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) ### [`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) ### [`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) ### [`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) ### [`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) ### [`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) ### [`v2.21.2`](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.1...v2.21.2) ### [`v2.21.1`](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.0...v2.21.1) ### [`v2.21.0`](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.4...v2.21.0) ### [`v2.20.4`](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.3...v2.20.4) ### [`v2.20.3`](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.2...v2.20.3) ### [`v2.20.2`](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.1...v2.20.2) ### [`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) ### [`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) ### [`v2.3.6`](https://togithub.com/github/codeql-action/compare/v2.3.5...v2.3.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.5...v2.3.6) ### [`v2.3.5`](https://togithub.com/github/codeql-action/compare/v2.3.4...v2.3.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.4...v2.3.5) ### [`v2.3.4`](https://togithub.com/github/codeql-action/compare/v2.3.3...v2.3.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.3...v2.3.4) ### [`v2.3.3`](https://togithub.com/github/codeql-action/compare/v2.3.2...v2.3.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.2...v2.3.3) ### [`v2.3.2`](https://togithub.com/github/codeql-action/compare/v2.3.1...v2.3.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.1...v2.3.2) ### [`v2.3.1`](https://togithub.com/github/codeql-action/compare/v2.3.0...v2.3.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.0...v2.3.1) ### [`v2.3.0`](https://togithub.com/github/codeql-action/compare/v2.2.12...v2.3.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.12...v2.3.0) ### [`v2.2.12`](https://togithub.com/github/codeql-action/compare/v2.2.11...v2.2.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.11...v2.2.12) ### [`v2.2.11`](https://togithub.com/github/codeql-action/compare/v2.2.10...v2.2.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.10...v2.2.11) ### [`v2.2.10`](https://togithub.com/github/codeql-action/compare/v2.2.9...v2.2.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.9...v2.2.10) ### [`v2.2.9`](https://togithub.com/github/codeql-action/compare/v2.2.8...v2.2.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.8...v2.2.9) ### [`v2.2.8`](https://togithub.com/github/codeql-action/compare/v2.2.7...v2.2.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.7...v2.2.8) ### [`v2.2.7`](https://togithub.com/github/codeql-action/compare/v2.2.6...v2.2.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.6...v2.2.7) ### [`v2.2.6`](https://togithub.com/github/codeql-action/compare/v2.2.5...v2.2.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.5...v2.2.6) ### [`v2.2.5`](https://togithub.com/github/codeql-action/compare/v2.2.4...v2.2.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.2.4...v2.2.5) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282) - Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1) release notes **Full Changelog**: ossf/scorecard-action@v2.3.0...v2.3.1 ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192) #### Scorecard Result Viewer Thanks to contributions from [@​cynthia-sg](https://togithub.com/cynthia-sg) and [@​tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406) - [https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422) As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156), resolved [https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150)) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191)) #### Docs - 📖 Update README to accept fine-grained tokens by [@​pnacht](https://togithub.com/pnacht) in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) - 📖 Update installation instructions to match current GitHub UI by [@​joycebrum](https://togithub.com/joycebrum) in [https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153) - 📖 Document the GitHub action workflow restrictions when publishing results. by [@​spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@​bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140) - [@​pnacht](https://togithub.com/pnacht) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) **Full Changelog**: ossf/scorecard-action@v2.1.3...v2.2.0 ### [`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1111](https://togithub.com/ossf/scorecard-action/pull/1111) ##### Bug Fixes - Invalid SARIF files from a bug in scorecard - [#​1076](https://togithub.com/ossf/scorecard-action/issues/1076), [#​1094](https://togithub.com/ossf/scorecard-action/issues/1094) - Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner - [#​1092](https://togithub.com/ossf/scorecard-action/issues/1092) - Scorecard action not reporting binary artifacts in the repo - [#​1116](https://togithub.com/ossf/scorecard-action/issues/1116) **Full Scorecard Changelog**: ossf/scorecard@v4.10.2...v4.10.5 **Full Changelog**: ossf/scorecard-action@v2.1.2...v2.1.3 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "on tuesday" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/open-telemetry/opentelemetry-collector). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Alex Boten <[email protected]>
1 task
github-merge-queue bot
referenced
this pull request
in AmadeusITGroup/otter
Mar 13, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | Type | Update | |---|---|---|---|---|---|---|---| | [@openapitools/openapi-generator-cli](https://togithub.com/OpenAPITools/openapi-generator-cli) | [`~2.11.0` -> `~2.12.0`](https://renovatebot.com/diffs/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | devDependencies | minor | | [@openapitools/openapi-generator-cli](https://togithub.com/OpenAPITools/openapi-generator-cli) | [`~2.11.0` -> `~2.12.0`](https://renovatebot.com/diffs/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | peerDependencies | minor | | [@openapitools/openapi-generator-cli](https://togithub.com/OpenAPITools/openapi-generator-cli) | [`~2.11.0` -> `~2.12.0`](https://renovatebot.com/diffs/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | dependencies | minor | | [github/codeql-action](https://togithub.com/github/codeql-action) | `v2.24.6` -> `v2.24.7` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/github%2fcodeql-action/v2.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/github%2fcodeql-action/v2.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/github%2fcodeql-action/v2.24.6/v2.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/github%2fcodeql-action/v2.24.6/v2.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | action | patch | | [github/codeql-action](https://togithub.com/github/codeql-action) | `v3.24.6` -> `v3.24.7` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/github%2fcodeql-action/v3.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/github%2fcodeql-action/v3.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/github%2fcodeql-action/v3.24.6/v3.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/github%2fcodeql-action/v3.24.6/v3.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/) | action | patch | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | `v2.0.6` -> `v2.3.1` | [![age](https://developer.mend.io/api/mc/badges/age/github-tags/ossf%2fscorecard-action/v2.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/ossf%2fscorecard-action/v2.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/ossf%2fscorecard-action/v2.0.6/v2.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/ossf%2fscorecard-action/v2.0.6/v2.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | action | minor | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>OpenAPITools/openapi-generator-cli (@​openapitools/openapi-generator-cli)</summary> ### [`v2.12.0`](https://togithub.com/OpenAPITools/openapi-generator-cli/compare/v2.11.0...ad97182dac3fc2fec59c70fa96e7213d0a475dd3) [Compare Source](https://togithub.com/OpenAPITools/openapi-generator-cli/compare/v2.11.0...v2.12.0) </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.24.7`](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.24.6...v2.24.7) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282) - Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1) release notes **Full Changelog**: ossf/scorecard-action@v2.3.0...v2.3.1 ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192) #### Scorecard Result Viewer Thanks to contributions from [@​cynthia-sg](https://togithub.com/cynthia-sg) and [@​tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406) - [https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422) As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156), resolved [https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150)) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191)) #### Docs - 📖 Update README to accept fine-grained tokens by [@​pnacht](https://togithub.com/pnacht) in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) - 📖 Update installation instructions to match current GitHub UI by [@​joycebrum](https://togithub.com/joycebrum) in [https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153) - 📖 Document the GitHub action workflow restrictions when publishing results. by [@​spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@​bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140) - [@​pnacht](https://togithub.com/pnacht) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) **Full Changelog**: ossf/scorecard-action@v2.1.3...v2.2.0 ### [`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1111](https://togithub.com/ossf/scorecard-action/pull/1111) ##### Bug Fixes - Invalid SARIF files from a bug in scorecard - [#​1076](https://togithub.com/ossf/scorecard-action/issues/1076), [#​1094](https://togithub.com/ossf/scorecard-action/issues/1094) - Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner - [#​1092](https://togithub.com/ossf/scorecard-action/issues/1092) - Scorecard action not reporting binary artifacts in the repo - [#​1116](https://togithub.com/ossf/scorecard-action/issues/1116) **Full Scorecard Changelog**: ossf/scorecard@v4.10.2...v4.10.5 **Full Changelog**: ossf/scorecard-action@v2.1.2...v2.1.3 ### [`v2.1.2`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.2) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.1...v2.1.2) #### What's Changed ##### Fixes - 🌱 Bump scorecard dependency to v4.10.2 to remove a CODEOWNERS printf statement. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1054](https://togithub.com/ossf/scorecard-action/pull/1054) **Full Changelog**: ossf/scorecard-action@v2.1.1...v2.1.2 ### [`v2.1.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.0...v2.1.1) #### Scorecard version This release use [Scorecard's v4.10.1](https://togithub.com/ossf/scorecard/releases/tag/v4.10.1) **Full Changelog**: ossf/scorecard-action@v2.1.0...v2.1.1 ### [`v2.1.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.6...v2.1.0) #### What's Changed ##### Scorecard version This release uses [scorecard v4.10.0](https://togithub.com/ossf/scorecard/releases/tag/v4.10.0). ##### Improvements - Docker build workflow by [@​naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/ossf/scorecard-action/pull/981](https://togithub.com/ossf/scorecard-action/pull/981) - Use root user in distroless to support GitHub Actions by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/994](https://togithub.com/ossf/scorecard-action/pull/994) - Disable pull_request_target by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/ossf/scorecard-action/pull/1031](https://togithub.com/ossf/scorecard-action/pull/1031) ##### Documentation - Add PAT section explaining risks by [@​olivekl](https://togithub.com/olivekl) in [https://github.com/ossf/scorecard-action/pull/1024](https://togithub.com/ossf/scorecard-action/pull/1024) - Make the badge text easier to copy by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1026](https://togithub.com/ossf/scorecard-action/pull/1026) #### New Contributors - [@​joycebrum](https://togithub.com/joycebrum) made their first contribution in [https://github.com/ossf/scorecard-action/pull/984](https://togithub.com/ossf/scorecard-action/pull/984) - [@​rajbos](https://togithub.com/rajbos) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1026](https://togithub.com/ossf/scorecard-action/pull/1026) **Full Changelog**: ossf/scorecard-action@v2.0.6...v2.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone Europe/Paris, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/AmadeusITGroup/otter). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
ramonpetgrave64
referenced
this pull request
in ramonpetgrave64/slsa-verifier
Apr 10, 2024
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` | | [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. #### What's Changed - Fix(docs): Correct action input name by [@​oerd](https://togithub.com/oerd) in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) #### New Contributors - [@​oerd](https://togithub.com/oerd) made their first contribution in [https://github.com/actions/dependency-review-action/pull/551](https://togithub.com/actions/dependency-review-action/pull/551) **Full Changelog**: actions/dependency-review-action@v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@​sgmurphy](https://togithub.com/sgmurphy) in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. #### New Contributors - [@​sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [https://github.com/actions/dependency-review-action/pull/540](https://togithub.com/actions/dependency-review-action/pull/540) **Full Changelog**: actions/dependency-review-action@v3...v3.0.8 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@​dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://togithub.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library. **Full Changelog**: actions/setup-node@v3...v3.8.1 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@​ljmf00](https://togithub.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://togithub.com/actions/upload-artifact/pull/313) - Bump [@​actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@​bethanyj28](https://togithub.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://togithub.com/actions/upload-artifact/pull/436) **Full Changelog**: actions/upload-artifact@v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://togithub.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://togithub.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://togithub.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@​rajbos](https://togithub.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://togithub.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://togithub.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@​david-a-wheeler](https://togithub.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@​aabouzaid](https://togithub.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@​david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://togithub.com/ossf/scorecard-action/pull/1250) - [@​aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://togithub.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) Release \[v1.9.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0). ##### v1.9.0: BYOB framework (beta) - **New**: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders. ##### v1.9.0: Maven builder (beta) - **New**: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central. ##### v1.9.0: Gradle builder (beta) - **New**: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central. ##### v1.9.0: JReleaser builder - **New**: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java). </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0) #### Summary Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0 #### What's Changed - chore: Update SHA256SUM.md for v2.3.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/592](https://togithub.com/slsa-framework/slsa-verifier/pull/592) - docs: Make npm package version and name non-optional by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/591](https://togithub.com/slsa-framework/slsa-verifier/pull/591) - docs: npm provenance verification from GitHub runner by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/595](https://togithub.com/slsa-framework/slsa-verifier/pull/595) - chore(deps): update dependency [@​types/node](https://togithub.com/types/node) to v18.16.9 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/596](https://togithub.com/slsa-framework/slsa-verifier/pull/596) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/597](https://togithub.com/slsa-framework/slsa-verifier/pull/597) - chore(deps): update dependency jasmine to v5 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/598](https://togithub.com/slsa-framework/slsa-verifier/pull/598) - feat: BYOB verification support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/604](https://togithub.com/slsa-framework/slsa-verifier/pull/604) - feat: Support for v1.0 verification in BYOB by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/609](https://togithub.com/slsa-framework/slsa-verifier/pull/609) - feat: Use env variable to retrieve trigger workflow by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/615](https://togithub.com/slsa-framework/slsa-verifier/pull/615) - test: Add test data for v1.6.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/612](https://togithub.com/slsa-framework/slsa-verifier/pull/612) - fix: Verify the TRW tag is a semver tag by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/619](https://togithub.com/slsa-framework/slsa-verifier/pull/619) - chore: Don't be verbose with tests locally by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/620](https://togithub.com/slsa-framework/slsa-verifier/pull/620) - fix: use ExternalParameters\["source"] for the Source URI for SLSA v1.0 provenance by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/621](https://togithub.com/slsa-framework/slsa-verifier/pull/621) - test: re-generate container-based tests by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/627](https://togithub.com/slsa-framework/slsa-verifier/pull/627) - fix: revert to using resolvedDepdendencies for source verification by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/629](https://togithub.com/slsa-framework/slsa-verifier/pull/629) - refactor: Provenance tests by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/628](https://togithub.com/slsa-framework/slsa-verifier/pull/628) - fix(deps): update module github.com/sigstore/rekor to v1.2.0 \[security] by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/622](https://togithub.com/slsa-framework/slsa-verifier/pull/622) - fix: only allow hashes of 256 bits or more by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/633](https://togithub.com/slsa-framework/slsa-verifier/pull/633) - fix: builder ID verification for testing by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/635](https://togithub.com/slsa-framework/slsa-verifier/pull/635) - feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/634](https://togithub.com/slsa-framework/slsa-verifier/pull/634) - chore: update toc in README.md by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/636](https://togithub.com/slsa-framework/slsa-verifier/pull/636) - fix: allow workflow_dispatch to trigger release.yml by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/637](https://togithub.com/slsa-framework/slsa-verifier/pull/637) - test: add tests for v1.7.0 builders by [@​asraa](https://togithub.com/asraa) in [https://github.com/slsa-framework/slsa-verifier/pull/638](https://togithub.com/slsa-framework/slsa-verifier/pull/638) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/607](https://togithub.com/slsa-framework/slsa-verifier/pull/607) - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/567](https://togithub.com/slsa-framework/slsa-verifier/pull/567) - fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/606](https://togithub.com/slsa-framework/slsa-verifier/pull/606) - chore(deps): update npm dev by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/608](https://togithub.com/slsa-framework/slsa-verifier/pull/608) - chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/583](https://togithub.com/slsa-framework/slsa-verifier/pull/583) - feat: Verify provenance by build type by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/632](https://togithub.com/slsa-framework/slsa-verifier/pull/632) - refactor: Use Go 1.20 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/643](https://togithub.com/slsa-framework/slsa-verifier/pull/643) - test: Add more ProvenanceFromEnvelope tests by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/640](https://togithub.com/slsa-framework/slsa-verifier/pull/640) - fix: pre-submit: e2e-cli.sh artifact download by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/646](https://togithub.com/slsa-framework/slsa-verifier/pull/646) - refactor: Add more git utils by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/645](https://togithub.com/slsa-framework/slsa-verifier/pull/645) - refactor: Use full builder id by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/648](https://togithub.com/slsa-framework/slsa-verifier/pull/648) - feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/644](https://togithub.com/slsa-framework/slsa-verifier/pull/644) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/651](https://togithub.com/slsa-framework/slsa-verifier/pull/651) - feat: move maven-plugin from slsa-github-generator by [@​AdamKorcz](https://togithub.com/AdamKorcz) in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - docs: Fix maven-plugin README by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/671](https://togithub.com/slsa-framework/slsa-verifier/pull/671) - feat: Verification for when sha1 is specified in BYOB TRW by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/641](https://togithub.com/slsa-framework/slsa-verifier/pull/641) - docs: Add example for maven verification plugin by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/676](https://togithub.com/slsa-framework/slsa-verifier/pull/676) - chore: Add Kris to codeowners by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/678](https://togithub.com/slsa-framework/slsa-verifier/pull/678) - feat: Print byob builder by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/677](https://togithub.com/slsa-framework/slsa-verifier/pull/677) - test: Add test data for v1.8.0 by [@​ianlewis](https://togithub.com/ianlewis) in [https://github.com/slsa-framework/slsa-verifier/pull/681](https://togithub.com/slsa-framework/slsa-verifier/pull/681) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/666](https://togithub.com/slsa-framework/slsa-verifier/pull/666) - feat: Non-compulsory BuilderID for BYOB Builders by [@​enteraga6](https://togithub.com/enteraga6) in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) - chore(deps): update golang docker tag to v1.21 by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/687](https://togithub.com/slsa-framework/slsa-verifier/pull/687) - chore(deps): update github-actions by [@​renovate-bot](https://togithub.com/renovate-bot) in [https://github.com/slsa-framework/slsa-verifier/pull/686](https://togithub.com/slsa-framework/slsa-verifier/pull/686) - feat: GCB refactor for v1.0 support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/682](https://togithub.com/slsa-framework/slsa-verifier/pull/682) - feat: Allow byob builders ref at main for e2e tests by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/689](https://togithub.com/slsa-framework/slsa-verifier/pull/689) - feat: Update doc and code for Maven plugin by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/680](https://togithub.com/slsa-framework/slsa-verifier/pull/680) - feat: gcb v1.0 support by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/691](https://togithub.com/slsa-framework/slsa-verifier/pull/691) - feat: v1.9.0 regression tests by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/696](https://togithub.com/slsa-framework/slsa-verifier/pull/696) - fix: release failure by [@​laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/slsa-framework/slsa-verifier/pull/697](https://togithub.com/slsa-framework/slsa-verifier/pull/697) #### New Contributors - [@​AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/664](https://togithub.com/slsa-framework/slsa-verifier/pull/664) - [@​enteraga6](https://togithub.com/enteraga6) made their first contribution in [https://github.com/slsa-framework/slsa-verifier/pull/674](https://togithub.com/slsa-framework/slsa-verifier/pull/674) **Full Changelog**: slsa-framework/slsa-verifier@v2.3.0...v2.4.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi40My4yIiwidXBkYXRlZEluVmVyIjoiMzcuOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9--> Signed-off-by: Mend Renovate <[email protected]> Co-authored-by: laurentsimon <[email protected]> Signed-off-by: Ramon Petgrave <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit adds a SECURITY.md file, so panicked reporters will know how to report them. Since private reporting is enabled, I presume that's how this group wants the vulnerabilities reported.
I also tweaked the README to point to it.