chore(deps): update github-actions (#786)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action | patch | `v4.1.1` -> `v4.1.7` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | action | minor | `v4.2.5` -> `v4.3.3` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | action | patch | `v4.1.4` -> `v4.1.7` |
| [actions/setup-go](https://github.com/actions/setup-go) | action | patch | `v5.0.0` -> `v5.0.1` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | action | patch | `v4.3.1` -> `v4.3.3` |
| [actionsdesk/lfs-warning](https://github.com/actionsdesk/lfs-warning) | action | minor | `v3.2` -> `v3.3` |
| [github/codeql-action](https://github.com/github/codeql-action) | action | minor | `v3.24.9` -> `v3.25.11` |
| [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) | action | pinDigest | -> `d6238b0` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | action | patch | `v2.3.1` -> `v2.3.3` |
| [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) | action | pinDigest | -> `c747fe7` |
| [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) | action | minor | `v2.4.1` -> `v2.5.1` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

### [`v4.1.7`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417)

[Compare Source](https://github.com/actions/checkout/compare/v4.1.6...v4.1.7)

- Bump the minor-npm-dependencies group across 1 directory with 4
updates by [@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/checkout/pull/1739](https://github.com/actions/checkout/pull/1739)
- Bump actions/checkout from 3 to 4 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/checkout/pull/1697](https://github.com/actions/checkout/pull/1697)
- Check out other refs/\* by commit by
[@&#8203;orhantoy](https://github.com/orhantoy) in
[https://github.com/actions/checkout/pull/1774](https://github.com/actions/checkout/pull/1774)
- Pin actions/checkout's own workflows to a known, good, stable version.
by [@&#8203;jww3](https://github.com/jww3) in
[https://github.com/actions/checkout/pull/1776](https://github.com/actions/checkout/pull/1776)

### [`v4.1.6`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416)

[Compare Source](https://github.com/actions/checkout/compare/v4.1.5...v4.1.6)

- Check platform to set archive extension appropriately by
[@&#8203;cory-miller](https://github.com/cory-miller) in
[https://github.com/actions/checkout/pull/1732](https://github.com/actions/checkout/pull/1732)

### [`v4.1.5`](https://github.com/actions/checkout/releases/tag/v4.1.5)

[Compare Source](https://github.com/actions/checkout/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update NPM dependencies by
[@&#8203;cory-miller](https://github.com/cory-miller) in
[https://github.com/actions/checkout/pull/1703](https://github.com/actions/checkout/pull/1703)
- Bump github/codeql-action from 2 to 3 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/checkout/pull/1694](https://github.com/actions/checkout/pull/1694)
- Bump actions/setup-node from 1 to 4 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/checkout/pull/1696](https://github.com/actions/checkout/pull/1696)
- Bump actions/upload-artifact from 2 to 4 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/checkout/pull/1695](https://github.com/actions/checkout/pull/1695)
- README: Suggest `user.email` to be
`41898282+github-actions[bot]@&#8203;users.noreply.github.com` by
[@&#8203;cory-miller](https://github.com/cory-miller) in
[https://github.com/actions/checkout/pull/1707](https://github.com/actions/checkout/pull/1707)

**Full Changelog**:
actions/checkout@v4.1.4...v4.1.5

### [`v4.1.4`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414)

[Compare Source](https://github.com/actions/checkout/compare/v4.1.3...v4.1.4)

- Disable `extensions.worktreeConfig` when disabling `sparse-checkout`
by [@&#8203;jww3](https://github.com/jww3) in
[https://github.com/actions/checkout/pull/1692](https://github.com/actions/checkout/pull/1692)
- Add dependabot config by
[@&#8203;cory-miller](https://github.com/cory-miller) in
[https://github.com/actions/checkout/pull/1688](https://github.com/actions/checkout/pull/1688)
- Bump the minor-actions-dependencies group with 2 updates by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/checkout/pull/1693](https://github.com/actions/checkout/pull/1693)
- Bump word-wrap from 1.2.3 to 1.2.5 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/checkout/pull/1643](https://github.com/actions/checkout/pull/1643)

### [`v4.1.3`](https://github.com/actions/checkout/releases/tag/v4.1.3)

[Compare Source](https://github.com/actions/checkout/compare/v4.1.2...v4.1.3)

#### What's Changed

- Update `actions/checkout` version in `update-main-version.yml` by
[@&#8203;jww3](https://github.com/jww3) in
[https://github.com/actions/checkout/pull/1650](https://github.com/actions/checkout/pull/1650)
- Check git version before attempting to disable `sparse-checkout` by
[@&#8203;jww3](https://github.com/jww3) in
[https://github.com/actions/checkout/pull/1656](https://github.com/actions/checkout/pull/1656)
- Add SSH user parameter by
[@&#8203;cory-miller](https://github.com/cory-miller) in
[https://github.com/actions/checkout/pull/1685](https://github.com/actions/checkout/pull/1685)

**Full Changelog**:
actions/checkout@v4.1.2...v4.1.3

### [`v4.1.2`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412)

[Compare Source](https://github.com/actions/checkout/compare/v4.1.1...v4.1.2)

- Fix: Disable sparse checkout whenever `sparse-checkout` option is not
present [@&#8203;dscho](https://github.com/dscho) in
[https://github.com/actions/checkout/pull/1598](https://github.com/actions/checkout/pull/1598)

</details>

<details>
<summary>actions/dependency-review-action (actions/dependency-review-action)</summary>

### [`v4.3.3`](https://github.com/actions/dependency-review-action/releases/tag/v4.3.3): Notes for v4.3.3

[Compare Source](https://github.com/actions/dependency-review-action/compare/v4.3.2...v4.3.3)

#### What's Changed

- Allow slashes in purl package names by
[@&#8203;juxtin](https://github.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/765](https://github.com/actions/dependency-review-action/pull/765)
- use the v3 version of the deps.dev API by
[@&#8203;josieang](https://github.com/josieang) in
[https://github.com/actions/dependency-review-action/pull/741](https://github.com/actions/dependency-review-action/pull/741)
- PR with suggestions - \[Improvement]: Help streamline / simplify
dependency review action README by
[@&#8203;am-stead](https://github.com/am-stead) in
[https://github.com/actions/dependency-review-action/pull/773](https://github.com/actions/dependency-review-action/pull/773)
- fix show-openssf-scorecard-levels input by
[@&#8203;ramann](https://github.com/ramann) in
[https://github.com/actions/dependency-review-action/pull/776](https://github.com/actions/dependency-review-action/pull/776)
- Updates to the contribution guidelines by
[@&#8203;jonjanego](https://github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/778](https://github.com/actions/dependency-review-action/pull/778)
- Create issue templates by
[@&#8203;jonjanego](https://github.com/jonjanego) in
[https://github.com/actions/dependency-review-action/pull/777](https://github.com/actions/dependency-review-action/pull/777)
- Fix the max comment length issue by
[@&#8203;jhutchings1](https://github.com/jhutchings1) and
[@&#8203;elireisman](https://github.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/767](https://github.com/actions/dependency-review-action/pull/767)
- Bump project version to 4.3.3 in prep for a release by
[@&#8203;elireisman](https://github.com/elireisman) in
[https://github.com/actions/dependency-review-action/pull/781](https://github.com/actions/dependency-review-action/pull/781)

#### New Contributors

- [@&#8203;josieang](https://github.com/josieang) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/741](https://github.com/actions/dependency-review-action/pull/741)
- [@&#8203;am-stead](https://github.com/am-stead) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/773](https://github.com/actions/dependency-review-action/pull/773)
- [@&#8203;ramann](https://github.com/ramann) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/776](https://github.com/actions/dependency-review-action/pull/776)

**Full Changelog**:
actions/dependency-review-action@v4.3.2...v4.3.3

### [`v4.3.2`](https://github.com/actions/dependency-review-action/releases/tag/v4.3.2)

[Compare Source](https://github.com/actions/dependency-review-action/compare/v4.3.1...v4.3.2)

#### What's Changed

- Fix package-url parsing for allow-dependencies-licenses by
[@&#8203;juxtin](https://github.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/761](https://github.com/actions/dependency-review-action/pull/761)

**Full Changelog**:
actions/dependency-review-action@v4.3.1...v4.3.2

### [`v4.3.1`](https://github.com/actions/dependency-review-action/releases/tag/v4.3.1)

[Compare Source](https://github.com/actions/dependency-review-action/compare/v4.3.0...v4.3.1)

#### What's Changed

This release fixes some bugs related to package-url parsing that were
introduced in 4.3.0. See
[https://github.com/actions/dependency-review-action/pull/753](https://github.com/actions/dependency-review-action/pull/753).

**Full Changelog**:
actions/dependency-review-action@V4.3.0...v4.3.1

### [`v4.3.0`](https://github.com/actions/dependency-review-action/releases/tag/v4.3.0)

[Compare Source](https://github.com/actions/dependency-review-action/compare/v4.2.5...v4.3.0)

#### New Features

- The `deny-packages` option can now be used without a version number to
exclude *all* versions of a package.

#### What's Changed

- Fix action variable name for scorecard by
[@&#8203;lukehinds](https://github.com/lukehinds) in
[https://github.com/actions/dependency-review-action/pull/735](https://github.com/actions/dependency-review-action/pull/735)
- Fix extra https:// in summary by
[@&#8203;jhutchings1](https://github.com/jhutchings1) in
[https://github.com/actions/dependency-review-action/pull/748](https://github.com/actions/dependency-review-action/pull/748)
- Bump typescript from 5.3.3 to 5.4.5 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/744](https://github.com/actions/dependency-review-action/pull/744)
- Bump eslint-plugin-github from 4.10.1 to 4.10.2 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/actions/dependency-review-action/pull/737](https://github.com/actions/dependency-review-action/pull/737)
- Show denied packages with red X by
[@&#8203;juxtin](https://github.com/juxtin) in
[https://github.com/actions/dependency-review-action/pull/750](https://github.com/actions/dependency-review-action/pull/750)
- deny-packages configuration option can deny specified version or all
packages by [@&#8203;febuiles](https://github.com/febuiles) and
[@&#8203;bteng22](https://github.com/bteng22) in
[https://github.com/actions/dependency-review-action/pull/733](https://github.com/actions/dependency-review-action/pull/733)

#### New Contributors

- [@&#8203;bteng22](https://github.com/bteng22) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/733](https://github.com/actions/dependency-review-action/pull/733)
- [@&#8203;lukehinds](https://github.com/lukehinds) made their first
contribution in
[https://github.com/actions/dependency-review-action/pull/735](https://github.com/actions/dependency-review-action/pull/735)

**Full Changelog**:
actions/dependency-review-action@v4.2.5...V4.3.0

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

### [`v4.1.7`](https://github.com/actions/download-artifact/releases/tag/v4.1.7)

[Compare Source](https://github.com/actions/download-artifact/compare/v4.1.6...v4.1.7)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://github.com/actions/artifact)
dependency by [@&#8203;bethanyj28](https://github.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/325](https://github.com/actions/download-artifact/pull/325)

**Full Changelog**:
actions/download-artifact@v4.1.6...v4.1.7

### [`v4.1.6`](https://github.com/actions/download-artifact/releases/tag/v4.1.6)

[Compare Source](https://github.com/actions/download-artifact/compare/v4.1.5...v4.1.6)

#### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://github.com/eggyhead) in
[https://github.com/actions/download-artifact/pull/324](https://github.com/actions/download-artifact/pull/324)

**Full Changelog**:
actions/download-artifact@v4.1.5...v4.1.6

### [`v4.1.5`](https://github.com/actions/download-artifact/releases/tag/v4.1.5)

[Compare Source](https://github.com/actions/download-artifact/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://github.com/robherley) in
[https://github.com/actions/download-artifact/pull/322](https://github.com/actions/download-artifact/pull/322)
- Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact`
to v2.1.5

**Full Changelog**:
actions/download-artifact@v4.1.4...v4.1.5

</details>

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

### [`v5.0.1`](https://github.com/actions/setup-go/releases/tag/v5.0.1)

[Compare Source](https://github.com/actions/setup-go/compare/v5.0.0...v5.0.1)

#### What's Changed

- Bump undici from 5.28.2 to 5.28.3 and dependencies upgrade by
[@&#8203;dependabot](https://github.com/dependabot),
[@&#8203;HarithaVattikuti](https://github.com/HarithaVattikuti) in
[https://github.com/actions/setup-go/pull/465](https://github.com/actions/setup-go/pull/465)
- Update documentation with latest V5 release notes by
[@&#8203;ab](https://github.com/ab) in
[https://github.com/actions/setup-go/pull/459](https://github.com/actions/setup-go/pull/459)
- Update version documentation by
[@&#8203;178inaba](https://github.com/178inaba) in
[https://github.com/actions/setup-go/pull/458](https://github.com/actions/setup-go/pull/458)
- Documentation update of `actions/setup-go` to v5 by
[@&#8203;chenrui333](https://github.com/chenrui333) in
[https://github.com/actions/setup-go/pull/449](https://github.com/actions/setup-go/pull/449)

#### New Contributors

- [@&#8203;ab](https://github.com/ab) made their first contribution in
[https://github.com/actions/setup-go/pull/459](https://github.com/actions/setup-go/pull/459)

**Full Changelog**:
actions/setup-go@v5.0.0...v5.0.1

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

### [`v4.3.3`](https://github.com/actions/upload-artifact/releases/tag/v4.3.3)

[Compare Source](https://github.com/actions/upload-artifact/compare/v4.3.2...v4.3.3)

#### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://github.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/565](https://github.com/actions/upload-artifact/pull/565)

**Full Changelog**:
actions/upload-artifact@v4.3.2...v4.3.3

### [`v4.3.2`](https://github.com/actions/upload-artifact/releases/tag/v4.3.2)

[Compare Source](https://github.com/actions/upload-artifact/compare/v4.3.1...v4.3.2)

#### What's Changed

- Update release-new-action-version.yml by
[@&#8203;konradpabjan](https://github.com/konradpabjan) in
[https://github.com/actions/upload-artifact/pull/516](https://github.com/actions/upload-artifact/pull/516)
- Minor fix to the migration readme by
[@&#8203;andrewakim](https://github.com/andrewakim) in
[https://github.com/actions/upload-artifact/pull/523](https://github.com/actions/upload-artifact/pull/523)
- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://github.com/robherley) in
[https://github.com/actions/upload-artifact/pull/561](https://github.com/actions/upload-artifact/pull/561)
- updating `@actions/artifact` dependency to v2.1.5 and `@actions/core`
to v1.0.1 by [@&#8203;eggyhead](https://github.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/562](https://github.com/actions/upload-artifact/pull/562)

#### New Contributors

- [@&#8203;andrewakim](https://github.com/andrewakim) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/523](https://github.com/actions/upload-artifact/pull/523)

**Full Changelog**:
actions/upload-artifact@v4.3.1...v4.3.2

</details>

<details>
<summary>actionsdesk/lfs-warning (actionsdesk/lfs-warning)</summary>

### [`v3.3`](https://github.com/ppremk/lfs-warning/releases/tag/v3.3)

[Compare Source](https://github.com/actionsdesk/lfs-warning/compare/v3.2...v3.3)

#### What's Changed

- update node js to 16 by
[@&#8203;GlazerMann](https://github.com/GlazerMann) in
[https://github.com/ppremk/lfs-warning/pull/148](https://github.com/ppremk/lfs-warning/pull/148)
- Fixing README to match repo move by
[@&#8203;samthebest](https://github.com/samthebest) in
[https://github.com/ppremk/lfs-warning/pull/153](https://github.com/ppremk/lfs-warning/pull/153)
- Update CODEOWNERS by [@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/158](https://github.com/ppremk/lfs-warning/pull/158)
- Bump http-cache-semantics from 4.1.0 to 4.1.1 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/151](https://github.com/ppremk/lfs-warning/pull/151)
- Bump [@&#8203;babel/traverse](https://github.com/babel/traverse)
from 7.15.4 to 7.23.4 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/159](https://github.com/ppremk/lfs-warning/pull/159)
- Bump tough-cookie from 4.0.0 to 4.1.3 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/160](https://github.com/ppremk/lfs-warning/pull/160)
- Bump cacheable-request and gts by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/152](https://github.com/ppremk/lfs-warning/pull/152)
- Update emoji and convert file list to markdown list by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/161](https://github.com/ppremk/lfs-warning/pull/161)
- Bump got and gts by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/155](https://github.com/ppremk/lfs-warning/pull/155)
- Exclude files without blob_url when getting PR blobs by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/162](https://github.com/ppremk/lfs-warning/pull/162)
- Support pull_request_target by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/164](https://github.com/ppremk/lfs-warning/pull/164)
- Update-node by [@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/163](https://github.com/ppremk/lfs-warning/pull/163)
- Fix text setup for the issue comment by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/166](https://github.com/ppremk/lfs-warning/pull/166)
- Validate PR changes to make sure there are no changes missing by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/165](https://github.com/ppremk/lfs-warning/pull/165)
- Fix emoji by [@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ppremk/lfs-warning/pull/167](https://github.com/ppremk/lfs-warning/pull/167)
- Bump undici from 5.28.2 to 5.28.4 by
[@&#8203;dependabot](https://github.com/dependabot) in
[https://github.com/ppremk/lfs-warning/pull/171](https://github.com/ppremk/lfs-warning/pull/171)

#### New Contributors

- [@&#8203;GlazerMann](https://github.com/GlazerMann) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/148](https://github.com/ppremk/lfs-warning/pull/148)
- [@&#8203;samthebest](https://github.com/samthebest) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/153](https://github.com/ppremk/lfs-warning/pull/153)
- [@&#8203;rajbos](https://github.com/rajbos) made their first
contribution in
[https://github.com/ppremk/lfs-warning/pull/158](https://github.com/ppremk/lfs-warning/pull/158)

**Full Changelog**:
ppremk/lfs-warning@v3.2...v3.3

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v3.25.11`](https://github.com/github/codeql-action/compare/v3.25.10...v3.25.11)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.10...v3.25.11)

### [`v3.25.10`](https://github.com/github/codeql-action/compare/v3.25.9...v3.25.10)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.9...v3.25.10)

### [`v3.25.9`](https://github.com/github/codeql-action/compare/v3.25.8...v3.25.9)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.8...v3.25.9)

### [`v3.25.8`](https://github.com/github/codeql-action/compare/v3.25.7...v3.25.8)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.7...v3.25.8)

### [`v3.25.7`](https://github.com/github/codeql-action/compare/v3.25.6...v3.25.7)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.6...v3.25.7)

### [`v3.25.6`](https://github.com/github/codeql-action/compare/v3.25.5...v3.25.6)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.5...v3.25.6)

### [`v3.25.5`](https://github.com/github/codeql-action/compare/v3.25.4...v3.25.5)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.4...v3.25.5)

### [`v3.25.4`](https://github.com/github/codeql-action/compare/v3.25.3...v3.25.4)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.3...v3.25.4)

### [`v3.25.3`](https://github.com/github/codeql-action/compare/v3.25.2...v3.25.3)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.2...v3.25.3)

### [`v3.25.2`](https://github.com/github/codeql-action/compare/v3.25.1...v3.25.2)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.1...v3.25.2)

### [`v3.25.1`](https://github.com/github/codeql-action/compare/v3.25.0...v3.25.1)

[Compare Source](https://github.com/github/codeql-action/compare/v3.25.0...v3.25.1)

### [`v3.25.0`](https://github.com/github/codeql-action/compare/v3.24.10...v3.25.0)

[Compare Source](https://github.com/github/codeql-action/compare/v3.24.11...v3.25.0)

### [`v3.24.11`](https://github.com/github/codeql-action/compare/v3.24.10...v3.24.11)

[Compare Source](https://github.com/github/codeql-action/compare/v3.24.10...v3.24.11)

### [`v3.24.10`](https://github.com/github/codeql-action/compare/v3.24.9...v3.24.10)

[Compare Source](https://github.com/github/codeql-action/compare/v3.24.9...v3.24.10)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

### [`v2.3.3`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.3)

[Compare Source](https://github.com/ossf/scorecard-action/compare/v2.3.2...v2.3.3)

> \[!NOTE]\
> There is no v2.3.2 release as a step was skipped in the release
process. This was fixed and re-released under the v2.3.3 tag

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to
github.com/ossf/scorecard/v5 (v5.0.0-rc1) by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1366](https://github.com/ossf/scorecard-action/pull/1366)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to
v5.0.0-rc2 by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1374](https://github.com/ossf/scorecard-action/pull/1374)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to
v5.0.0-rc2.0.20240509182734-7ce860946928 by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1377](https://github.com/ossf/scorecard-action/pull/1377)

For a full changelist of what these include, see the
[v5.0.0-rc1](https://github.com/ossf/scorecard/releases/tag/v5.0.0-rc1)
and
[v5.0.0-rc2](https://github.com/ossf/scorecard/releases/tag/v5.0.0-rc2)
release notes.

##### Documentation

- 📖 Move token discussion out of main README. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1279](https://github.com/ossf/scorecard-action/pull/1279)
- 📖 link to `ossf/scorecard` workflow instead of maintaining an
example by [@&#8203;spencerschrock](https://github.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1352](https://github.com/ossf/scorecard-action/pull/1352)
- 📖 update api links to new scorecard.dev site by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1376](https://github.com/ossf/scorecard-action/pull/1376)

**Full Changelog**:
ossf/scorecard-action@v2.3.1...v2.3.3

### [`v2.3.2`](https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

[Compare Source](https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

</details>

<details>
<summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary>

### [`v2.5.1`](https://github.com/slsa-framework/slsa-verifier/releases/tag/v2.5.1)

[Compare Source](https://github.com/slsa-framework/slsa-verifier/compare/v2.4.1...v2.5.1)

#### What's Changed

- feat: Add cosign registry opts for provenance registry by
[@&#8203;saisatishkarra](https://github.com/saisatishkarra) in
[https://github.com/slsa-framework/slsa-verifier/pull/729](https://github.com/slsa-framework/slsa-verifier/pull/729)
and
[https://github.com/slsa-framework/slsa-verifier/pull/736](https://github.com/slsa-framework/slsa-verifier/pull/736)
- feat: Add support for DSSE Rekor type by
[@&#8203;haydentherapper](https://github.com/haydentherapper) in
[https://github.com/slsa-framework/slsa-verifier/pull/742](https://github.com/slsa-framework/slsa-verifier/pull/742)

#### New Contributors

- [@&#8203;saisatishkarra](https://github.com/saisatishkarra) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/729](https://github.com/slsa-framework/slsa-verifier/pull/729)
- [@&#8203;ramonpetgrave64](https://github.com/ramonpetgrave64) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/737](https://github.com/slsa-framework/slsa-verifier/pull/737)
- [@&#8203;haydentherapper](https://github.com/haydentherapper) made
their first contribution in
[https://github.com/slsa-framework/slsa-verifier/pull/742](https://github.com/slsa-framework/slsa-verifier/pull/742)

**Full Changelog**:
v2.4.1...v2.5.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).


Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
renovate-bot and ramonpetgrave64 authored Jul 1, 2024
1 parent 903cddc commit 1049da4
Showing 13 changed files with 44 additions and 44 deletions.
10 changes: 5 additions & 5 deletions .github/workflows/codeql-analysis.yml
@@ -40,19 +40,19 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

# TODO(#740): Workaround for go1.21 compatibility. Remove when GHA runners have Go 1.21+.
- name: setup-go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version-file: "go.mod"
# not needed but gets rid of warnings
cache: false

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
languages: ${{ matrix.language }}
# If you wish to specify custom queries, you can do so here or in a config file.
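Review bot: the three new pins in this hunk (`actions/checkout@692973e…`, `actions/setup-go@cdcb360…`, `github/codeql-action/init@b611370…`) carry their version only in a trailing `# vX.Y.Z` comment, and nothing enforces that comment; before merging, confirm that each full SHA is the commit the tags `v4.1.7`, `v5.0.1` and `v3.25.11` point to in the upstream repositories, since the runner trusts the digest, not the comment. The `TODO(#740)` comment above the `setup-go` step is left untouched; as this change already edits that step, it is a good moment to check whether the go1.21 workaround it describes is still needed.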
@@ -63,7 +63,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl

@@ -76,4 +76,4 @@ jobs:
# make release

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
4 changes: 2 additions & 2 deletions .github/workflows/depsreview.yml
@@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: 'Dependency Review'
uses: actions/dependency-review-action@5bbc3ba658137598168acb2ab73b21c432dd411b # v4.2.5
uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
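Review bot: `actions/dependency-review-action` moves from `v4.2.5` to `v4.3.3`, a minor bump whose release notes above change the meaning of `deny-packages` (a package name given without a version now denies all versions of it). This step passes no `with:` inputs, so it runs on defaults and is unaffected; anyone adding a `deny-packages` list to this workflow later should read the entries under the new semantics.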
4 changes: 2 additions & 2 deletions .github/workflows/e2e.schedule.cli.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
# See https://github.com/orgs/community/discussions/26238.
steps:
- uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
- uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: event_name
- name: Check event name
@@ -28,7 +28,7 @@ jobs:
ctned="true"
fi
echo "continue=$ctned" >> $GITHUB_OUTPUT
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
if: steps.name.outputs.continue == 'true'
with:
ref: main
10 changes: 5 additions & 5 deletions .github/workflows/e2e.schedule.installer.yml
Expand Up @@ -27,14 +27,14 @@ jobs:
version: ${{ steps.generate-versions.outputs.version }}
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
# NOTE: the example-package needs to be checked out in the default workspace.
repository: slsa-framework/example-package
ref: main

- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: __THIS_REPO__

Expand Down Expand Up @@ -77,7 +77,7 @@ jobs:
- name: Checkout this repository
# Skip release candidates unless specified explicitly.
if: ${{ inputs.version != '' || ! contains(matrix.version, '-rc' ) }}
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ matrix.version }}

Expand Down Expand Up @@ -196,7 +196,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: slsa-framework/example-package
ref: main
Expand All @@ -210,7 +210,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: slsa-framework/example-package
ref: main
4 changes: 2 additions & 2 deletions .github/workflows/pre-submit.actions.yml
Expand Up @@ -11,7 +11,7 @@ jobs:
check-dist:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Set Node.js 20
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
Expand All @@ -34,7 +34,7 @@ jobs:
fi
# If index.js was different from expected, upload the expected version as an artifact
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
if: ${{ failure() && steps.diff.conclusion == 'failure' }}
with:
name: dist
6 changes: 3 additions & 3 deletions .github/workflows/pre-submit.cli.yml
Expand Up @@ -15,10 +15,10 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: setup-go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version-file: "go.mod"
# not needed but gets rid of warnings
Expand All @@ -30,7 +30,7 @@ jobs:
run: |
echo "$EVENT_NAME" > ./event_name.txt
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: event_name
path: ./event_name.txt
6 changes: 3 additions & 3 deletions .github/workflows/pre-submit.e2e.yml
Expand Up @@ -11,12 +11,12 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: __THIS_REPO__

- name: setup-go
uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version-file: "__THIS_REPO__/go.mod"
# not needed but gets rid of warnings
Expand All @@ -29,7 +29,7 @@ jobs:
go build -o slsa-verifier ./cli/slsa-verifier
- name: Checkout e2e verification script
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
path: __EXAMPLE_PACKAGE__
repository: slsa-framework/example-package
4 changes: 2 additions & 2 deletions .github/workflows/pre-submit.lfs.yml
Expand Up @@ -11,8 +11,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actionsdesk/lfs-warning@e5f9a4c21f4bee104db7c0f23954dde59e5df909 # v3.2
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actionsdesk/lfs-warning@4b98a8a5e6c429c23c34eee02d71553bca216425 # v3.3
with:
token: ${{ secrets.GITHUB_TOKEN }}
filesizelimit: 10MB
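Review bot: `actionsdesk/lfs-warning` is a third-party action that is handed `secrets.GITHUB_TOKEN` two lines below the bumped `uses:` line, and this hunk moves it a minor version (v3.2 -> v3.3) rather than a patch, so the diff between `e5f9a4c21f4bee104db7c0f23954dde59e5df909` and `4b98a8a5e6c429c23c34eee02d71553bca216425` should be read for any change in how that token is used before merging; separately, the job's `permissions:` block (outside this hunk) should grant the token only what the size check needs.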
12 changes: 6 additions & 6 deletions .github/workflows/pre-submit.lint.yml
Expand Up @@ -10,13 +10,13 @@ jobs:
golangci-lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
with:
go-version-file: "go.mod"
# not needed but gets rid of warnings
cache: false
- uses: golangci/golangci-lint-action@v4
- uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc # v4
name: golangci-lint
with:
# Require: The version of golangci-lint to use.
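Review bot: the new `golangci/golangci-lint-action` line carries the comment `# v4`, a floating major tag, while every other pin in this PR records an exact release; since this is the one hunk that moves from a mutable reference (`@v4`) to an immutable digest, the comment should name the exact release that `d6238b002a20823d52840fda27e2d4891c5952dc` belongs to, so the pin can be audited against a specific tag and Renovate's digest tracking has a precise version to follow, e.g. `- uses: golangci/golangci-lint-action@d6238b002a20823d52840fda27e2d4891c5952dc # v4.<exact release>`.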
Expand All @@ -27,7 +27,7 @@ jobs:
yamllint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- env:
YAMLLINT_VERSION: "1.26.3"
run: |
Expand All @@ -42,7 +42,7 @@ jobs:
eslint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 20
Expand All @@ -51,7 +51,7 @@ jobs:
renovate-config-validator:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: 20
2 changes: 1 addition & 1 deletion .github/workflows/pre-submit.references.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
env:
BODY: ${{ github.event.pull_request.body }}
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

- name: Check documentation is up-to-date
run: |
10 changes: 5 additions & 5 deletions .github/workflows/release.yml
Expand Up @@ -26,7 +26,7 @@ jobs:
version: ${{ steps.ldflags.outputs.version }}
steps:
- id: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 0
- id: ldflags
Expand All @@ -49,7 +49,7 @@ jobs:
actions: read # For the detection of GitHub Actions environment.
id-token: write # For signing.
contents: write # For asset uploads.
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.10.0
uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee # v1.10.0
with:
go-version-file: "go.mod"
config-file: .slsa-goreleaser/${{matrix.os}}-${{matrix.arch}}.yml
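Review bot: this hunk changes how the `builder_go_slsa3.yml` reusable workflow is referenced, from the `v1.10.0` tag to digest `c747fe7769adf3656dc7d588b161cb614d7abfee`, with no version change; the reference used for the builder ends up in the provenance that the verification job later in this file checks, so the release workflow should be exercised end to end to confirm that a digest-referenced builder still verifies, and the `# v1.10.0` comment must be kept accurate because it is now the only place the builder version is legible to a reader of this file.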
Expand All @@ -63,7 +63,7 @@ jobs:
permissions: read-all
steps:
- name: Install the verifier
uses: slsa-framework/slsa-verifier/actions/installer@v2.4.1
uses: slsa-framework/slsa-verifier/actions/installer@eb7007070baa04976cb9e25a0d8034f8db030a86 # v2.5.1

- name: Download assets
env:
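Review bot: pinning `slsa-framework/slsa-verifier/actions/installer` to a digest instead of the mutable `v2.4.1` tag is the most valuable change in this file, since this step establishes the tool that the following `Download assets` and verification steps trust; note that the pin also moves the installer from v2.4.1 to v2.5.1 (a minor bump) in the same line, so the verification job needs a real run against a freshly built release rather than a syntax-only check before this merges.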
Expand Down Expand Up @@ -98,7 +98,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: slsa-framework/example-package
ref: main
Expand All @@ -112,7 +112,7 @@ jobs:
contents: read
issues: write
steps:
- uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: slsa-framework/example-package
ref: main
8 changes: 4 additions & 4 deletions .github/workflows/scorecards.yml
Expand Up @@ -25,12 +25,12 @@ jobs:

steps:
- name: "Checkout code"
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
with:
results_file: results.sarif
results_format: sarif
Expand All @@ -49,14 +49,14 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab.
- name: "Upload artifact"
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: SARIF file
path: results.sarif
retention-days: 5

# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9
uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
with:
sarif_file: results.sarif
8 changes: 4 additions & 4 deletions .github/workflows/update-actions-dist-post-commit.yml
Expand Up @@ -32,7 +32,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
repository: ${{ github.repository }}
persist-credentials: false
Expand All @@ -57,7 +57,7 @@ jobs:
[ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true
echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
- name: upload
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
with:
name: changes.patch
path: changes.patch
Expand All @@ -72,14 +72,14 @@ jobs:
contents: write
steps:
- name: checkout
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: checkout-pr
env:
GH_TOKEN: ${{ github.token }}
PR_NUMBER: ${{ inputs.pr_number }}
run: gh pr checkout "$PR_NUMBER"
- name: download-patch
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
with:
name: changes.patch
- id: apply
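Review bot: the `actions/download-artifact` bump in this hunk lands in a job that holds `contents: write`, checks out a PR with `gh pr checkout "$PR_NUMBER"`, and feeds the downloaded `changes.patch` into the `apply` step that follows; a dependency change here has a larger blast radius than the same bump in the read-only jobs earlier in the PR, so the v4.1.4 -> v4.1.7 changes to actions/download-artifact (how it resolves and extracts the artifact) should be read rather than waved through, and the `apply` step should continue to treat the artifact as untrusted input.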

0 comments on commit 1049da4
