Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(ci): bump the ci-deps group with 9 updates #554

Merged
merged 1 commit into from
Oct 26, 2024
Merged

chore(ci): bump the ci-deps group with 9 updates #554

merged 1 commit into from
Oct 26, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 25, 2024
edited
Loading

Bumps the ci-deps group with 9 updates:

Package From To
step-security/harden-runner 2.7.0 2.10.1
baptiste0928/cargo-install 3.0.1 3.1.1
actions/deploy-pages 4.0.4 4.0.5
actions/dependency-review-action 4.1.3 4.3.5
actions/upload-artifact 4.3.1 4.4.3
actions/download-artifact 4.1.4 4.1.8
softprops/action-gh-release 2.0.3 2.0.8
ossf/scorecard-action 2.3.1 2.4.0
github/codeql-action 3.24.6 3.27.0

Updates step-security/harden-runner from 2.7.0 to 2.10.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.10.1

What's Changed

Release v2.10.1 by @​varunsh-coder in step-security/harden-runner#463 Bug fix: Resolves an issue where DNS resolution of .local domains was failing when using a Kind cluster in a GitHub Actions workflow.

Full Changelog: step-security/harden-runner@v2...v2.10.1

v2.10.0

What's Changed

Release v2.10.0 by @​h0x0er and @​varunsh-coder in step-security/harden-runner#455

ARM Support: Harden-Runner Enterprise tier now supports GitHub-hosted ARM runners. This includes all the features that apply to previously supported GitHub-hosted x64 Linux runners.

Full Changelog: step-security/harden-runner@v2...v2.10.0

v2.9.1

What's Changed

Release v2.9.1 by @​h0x0er and @​varunsh-coder in #440 This release includes two changes:

  1. Updated markdown displayed in the job summary by the Harden-Runner Action.
  2. Fixed a bug affecting Enterprise Tier customers where the agent attempted to upload telemetry for jobs with disable-telemetry set to true. No telemetry was uploaded as the endpoint was not in the allowed list.

Full Changelog: step-security/harden-runner@v2...v2.9.1

v2.9.0

What's Changed

Release v2.9.0 by @​h0x0er and @​varunsh-coder in step-security/harden-runner#435 This release includes:

  • Enterprise Tier - Telemetry Upload Enhancement: For the enterprise tier, this change helps overcome size constraints, allowing for more reliable telemetry uploads from the Harden-Runner agent to the StepSecurity backend API. No configuration change is needed to enable this.
  • Harden-Runner Agent Authentication: The Harden-Runner agent now uses a per-job key to authenticate to the StepSecurity backend API to submit telemetry. This change prevents the submission of telemetry data anonymously for a given job, improving the integrity of the data collection process. No configuration change is needed to enable this.
  • README Update: A Table of Contents has been added to the README file to improve navigation. This makes it easier for users to find the information they need quickly.
  • Dependency Update: Updated the braces npm package dependency to a non-vulnerable version. The vulnerability in braces did not affect the Harden Runner Action

Full Changelog: step-security/harden-runner@v2...v2.9.0

v2.8.1

What's Changed

  • Bug fix: Update isGitHubHosted implementation by @​varunsh-coder in step-security/harden-runner#425 The previous implementation incorrectly identified large GitHub-hosted runners as self-hosted runners. As a result, harden-runner was not executing on these large GitHub-hosted runners.

Full Changelog: step-security/harden-runner@v2...v2.8.1

v2.8.0

What's Changed

Release v2.8.0 by @​h0x0er and @​varunsh-coder in step-security/harden-runner#416 This release includes:

... (truncated)

Commits

Updates baptiste0928/cargo-install from 3.0.1 to 3.1.1

Release notes

Sourced from baptiste0928/cargo-install's releases.

v3.1.1

Fixed

  • Pre-release versions are ignored when resolving the latest version.

v3.1.0

Changed

  • Runner arch is included in the cache key.

Fixed

  • Fix runner os version resolution on macOS runners. (issue #24)
Changelog

Sourced from baptiste0928/cargo-install's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

[3.1.1] - 2024-06-24

Fixed

  • Pre-release versions are ignored when resolving the latest version.

[3.1.0] - 2024-04-10

Changed

  • Runner arch is included in the cache key.

Fixed

  • Fix runner os version resolution on macOS runners. (issue #24)

[3.0.1] - 2024-03-08

Fixed

  • Improve git tag/branch resolution. (issue #22)

[3.0.0] - 2024-02-01

Added

  • Runner os version is included in the cache key. (issue #21)

Changed

  • Breaking: The action now runs on Node.js 20.
  • Dependencies have been updated.

[2.2.0] - 2023-09-07

Added

  • Support alternative registries with the registry and index input parameters.

Changed

... (truncated)

Commits

Updates actions/deploy-pages from 4.0.4 to 4.0.5

Release notes

Sourced from actions/deploy-pages's releases.

v4.0.5

Changelog

See details of all code changes since previous release.

⚠️ For use with products other than GitHub.com, such as GitHub Enterprise Server, please consult the compatibility table.

Commits
  • d6db901 Merge pull request #324 from actions/error-message-request-id
  • 055f425 compile changes
  • 5ab929b Include request id in the error message of an error response
  • 3ff795b Merge pull request #318 from actions/dependabot/npm_and_yarn/non-breaking-cha...
  • f5a2f0d Update distributables after Dependabot 🤖
  • 1364cde Bump the non-breaking-changes group with 2 updates
  • 2ed07f7 Merge pull request #316 from actions/dependabot/npm_and_yarn/non-breaking-cha...
  • d5a892b Bump the non-breaking-changes group with 1 update
  • 05977f5 Merge pull request #314 from actions/dependabot/npm_and_yarn/non-breaking-cha...
  • 9414024 Update distributables after Dependabot 🤖
  • Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.1.3 to 4.3.5

Release notes

Sourced from actions/dependency-review-action's releases.

v4.3.5

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.3.4...v4.3.5

v4.3.4

What's Changed

Full Changelog: actions/dependency-review-action@v4.3.3...v4.3.4

Notes for v4.3.3

What's Changed

New Contributors

Full Changelog: actions/dependency-review-action@v4.3.2...v4.3.3

v4.3.2

What's Changed

Full Changelog: actions/dependency-review-action@v4.3.1...v4.3.2

... (truncated)

Commits
  • a6993e2 Merge pull request #840 from actions/dependabot-updates
  • d92f08b Bump eslint-plugin-jest and ts-jest
  • 3e334b7 Merge pull request #822 from actions/dependabot/npm_and_yarn/got-14.4.2
  • 32b7d88 Merge pull request #832 from actions/jonjanego-patch-3
  • 14b94f8 Update stale.yaml
  • 6ea3b24 Merge pull request #828 from actions/hm/summary
  • 05042db update dist packaging
  • 6aacbe0 add a warning message if there is room in the summary prior to cutoff
  • 293ccdb add truncation escape valve to new file summary to avoid overflow
  • 83c7cc6 Do not list changes dependencies in summary
  • Additional commits viewable in compare view

Updates actions/upload-artifact from 4.3.1 to 4.4.3

Release notes

Sourced from actions/upload-artifact's releases.

v4.4.3

What's Changed

Full Changelog: actions/upload-artifact@v4.4.2...v4.4.3

v4.4.2

What's Changed

Full Changelog: actions/upload-artifact@v4.4.1...v4.4.2

v4.4.1

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v4.4.0...v4.4.1

v4.4.0

Notice: Breaking Changes ⚠️

We will no longer include hidden files and folders by default in the upload-artifact action of this version. This reduces the risk that credentials are accidentally uploaded into artifacts. Customers who need to continue to upload these files can use a new option, include-hidden-files, to continue to do so.

See "Notice of upcoming deprecations and breaking changes in GitHub Actions runners" changelog and this issue for more details.

What's Changed

Full Changelog: actions/upload-artifact@v4.3.6...v4.4.0

v4.3.6

What's Changed

Full Changelog: actions/upload-artifact@v4...v4.3.6

v4.3.5

What's Changed

... (truncated)

Commits
  • b4b15b8 Merge pull request #632 from actions/joshmgross/undo-dependency-changes
  • 92b01eb Undo indirect dependency updates from #627
  • 8448086 Merge pull request #627 from actions/robherley/v4.4.2
  • b1d4642 add explicit relative and absolute symlinks to workflow
  • d50e660 bump version
  • aabe6f8 build with @​actions/artifact v2.1.11
  • 604373d Merge pull request #625 from actions/robherley/artifact-2.1.10
  • 0150148 paste right core version
  • a009b25 update licenses
  • 9f6f6f4 update @​actions/core and @​actions/artifact to latest versions
  • Additional commits viewable in compare view

Updates actions/download-artifact from 4.1.4 to 4.1.8

Release notes

Sourced from actions/download-artifact's releases.

v4.1.8

What's Changed

Full Changelog: actions/download-artifact@v4...v4.1.8

v4.1.7

What's Changed

Full Changelog: actions/download-artifact@v4.1.6...v4.1.7

v4.1.6

What's Changed

Full Changelog: actions/download-artifact@v4.1.5...v4.1.6

v4.1.5

What's Changed

Full Changelog: actions/download-artifact@v4.1.4...v4.1.5

Commits
  • fa0a91b Merge pull request #341 from actions/robherley/bump-pkgs
  • b54d088 Update @​actions/artifact version, bump dependencies
  • 65a9edc Merge pull request #325 from bethanyj28/main
  • fdd1595 licensed
  • c13dba1 update @​actions/artifact dependency
  • 0daa75e Merge pull request #324 from actions/eggyhead/use-artifact-v2.1.6
  • 9c19ed7 Merge branch 'main' into eggyhead/use-artifact-v2.1.6
  • 3d3ea87 updating license
  • 89af5db updating artifact package v2.1.6
  • b4aefff Merge pull request #323 from actions/eggyhead/update-artifact-v215
  • Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.0.3 to 2.0.8

Release notes

Sourced from softprops/action-gh-release's releases.

v2.0.8

What's Changed

Other Changes 🔄

Full Changelog: softprops/action-gh-release@v2...v2.0.8

v2.0.7

What's Changed

Bug fixes 🐛

Other Changes 🔄

New Contributors

Full Changelog: softprops/action-gh-release@v2.0.6...v2.0.7

v2.0.6

maintenance release with updated dependencies

v2.0.5

v2.0.4

Changelog

Sourced from softprops/action-gh-release's changelog.

2.0.8

Other Changes 🔄

2.0.7

Bug fixes 🐛

Other Changes 🔄

2.0.6

  • maintenance release with updated dependencies

2.0.5

2.0.4

2.0.3

  • Declare make_latest as an input field in action.yml #419

2.0.2

  • Revisit approach to #384 making unresolved pattern failures opt-in #417

2.0.1

... (truncated)

Commits
  • c062e08 release 2.0.8
  • 380635c chore(deps): bump @​actions/github from 5.1.1 to 6.0.0 (#470)
  • 20adb42 refactor: write jest config in ts (#485)
  • f808f15 chore(deps): bump glob from 10.4.2 to 11.0.0 (#477)
  • 6145241 chore(deps): bump @​octokit/plugin-throttling from 9.3.0 to 9.3.1 (#484)
  • 4ac522d chore(deps): bump @​types/node from 20.14.9 to 20.14.11 (#483)
  • 25849b1 chore(deps): bump prettier from 2.8.0 to 3.3.3 (#480)
  • 6206056 chore: update dependabot commit msg
  • 39aadf1 chore: run frizbee actions .github/workflows/
  • 6f3ab65 chore: update dist file
  • Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.3.1 to 2.4.0

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.0

What's Changed

This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.

Documentation

New Contributors

Full Changelog: ossf/scorecard-action@v2.3.3...v2.4.0

v2.3.3

[!NOTE]
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

What's Changed

For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.

Documentation

Full Changelog: ossf/scorecard-action@v2.3.1...v2.3.3

Commits
  • 62b2cac bump docker tag to v2.4.0 for release (#1414)
  • c09630c lower license score alert threshold to 9 (#1411)
  • cf8594c 🌱 Bump github.com/sigstore/cosign/v2 from 2.2.4 to 2.3.0 (#1413)
  • de5fcb9 🌱 Bump the github-actions group with 2 updates (#1412)
  • a46b90b bump scorecard to v5.0.0 release (#1410)
  • 9fc518d 🌱 Bump golang in the docker-images group (#1407)
  • a8eaa1b 🌱 Bump the github-actions group with 2 updates (#1408)
  • 873d5fd 🌱 Bump the github-actions group across 1 directory with 2 updates (#...
  • 54cc1fe 🌱 Bump the docker-images group with 2 updates (#1401)
  • 82bcb91 🌱 Bump golang.org/x/net from 0.26.0 to 0.27.0 (#1400)
  • Additional commits viewable in compare view

Updates github/codeql-action from 3.24.6 to 3.27.0

Release notes

Sourced from github/codeql-action's releases.

v3.27.0

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

3.27.0 - 22 Oct 2024

  • Bump the minimum CodeQL bundle version to 2.14.6. #2549
  • Fix an issue where the upload-sarif Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the upload-sarif Action. #2557
  • Update default CodeQL bundle version to 2.19.2. #2552

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

[UNRELEASED]

No user facing changes.

3.27.0 - 22 Oct 2024

  • Bump the minimum CodeQL bundle version to 2.14.6. #2549
  • Fix an issue where the upload-sarif Action would fail with "upload-sarif post-action step failed: Input required and not supplied: token" when called in a composite Action that had a different set of inputs to the ones expected by the upload-sarif Action. #2557
  • Update default CodeQL bundle version to 2.19.2. #2552

3.26.13 - 14 Oct 2024

No user facing changes.

3.26.12 - 07 Oct 2024

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.14.5 and earlier. These versions of CodeQL were discontinued on 24 September 2024 alongside GitHub Enterprise Server 3.10, and will be unsupported by CodeQL Action versions 3.27.0 and later and versions 2.27.0 and later. #2520

    • If you are using one of these versions, please update to CodeQL CLI version 2.14.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.

    • Alternatively, if you want to continue using a version of the CodeQL CLI between 2.13.5 and 2.14.5, you can replace github/codeql-action/*@v3 by github/codeql-action/*@v3.26.11 and github/codeql-action/*@v2 by github/codeql-action/*@v2.26.11 in your code scanning workflow to ensure you continue using this version of the CodeQL Action.

3.26.11 - 03 Oct 2024

  • Upcoming breaking change: Add support for using actions/download-artifact@v4 to programmatically consume CodeQL Action debug artifacts.

    Starting November 30, 2024, GitHub.com customers will no longer be able to use actions/download-artifact@v3. Therefore, to avoid breakage, customers who programmatically download the CodeQL Action debug artifacts should set the CODEQL_ACTION_ARTIFACT_V4_UPGRADE environment variable to true and bump actions/download-artifact@v3 to actions/download-artifact@v4 in their workflows. The CodeQL Action will enable this behavior by default in early November and workflows that have not yet bumped to actions/download-artifact@v3 to actions/download-artifact@v4 will begin failing then.

    This change is currently unavailable for GitHub Enterprise Server customers, as actions/upload-artifact@v4 and actions/download-artifact@v4 are not yet compatible with GHES.

  • Update default CodeQL bundle version to 2.19.1. #2519

3.26.10 - 30 Sep 2024

  • We are rolling out a feature in September/October 2024 that sets up CodeQL using a bundle compressed with Zstandard. Our aim is to improve the performance of setting up CodeQL. <...

    Description has been truncated

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 25, 2024
@V0ldek
Copy link
Member

V0ldek commented Oct 26, 2024

@dependabot rebase

@dependabot
chore(ci): bump the ci-deps group with 9 updates
2184e98 
Bumps the ci-deps group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.7.0` | `2.10.1` |
| [baptiste0928/cargo-install](https://github.com/baptiste0928/cargo-install) | `3.0.1` | `3.1.1` |
| [actions/deploy-pages](https://github.com/actions/deploy-pages) | `4.0.4` | `4.0.5` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.1.3` | `4.3.5` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `4.3.1` | `4.4.3` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.1.4` | `4.1.8` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.0.3` | `2.0.8` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.3.1` | `2.4.0` |
| [github/codeql-action](https://github.com/github/codeql-action) | `3.24.6` | `3.27.0` |


Updates `step-security/harden-runner` from 2.7.0 to 2.10.1
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@63c24ba...91182cc)

Updates `baptiste0928/cargo-install` from 3.0.1 to 3.1.1
- [Release notes](https://github.com/baptiste0928/cargo-install/releases)
- [Changelog](https://github.com/baptiste0928/cargo-install/blob/main/CHANGELOG.md)
- [Commits](baptiste0928/cargo-install@94e1849...904927d)

Updates `actions/deploy-pages` from 4.0.4 to 4.0.5
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@decdde0...d6db901)

Updates `actions/dependency-review-action` from 4.1.3 to 4.3.5
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@9129d7d...a6993e2)

Updates `actions/upload-artifact` from 4.3.1 to 4.4.3
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@5d5d22a...b4b15b8)

Updates `actions/download-artifact` from 4.1.4 to 4.1.8
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@c850b93...fa0a91b)

Updates `softprops/action-gh-release` from 2.0.3 to 2.0.8
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](softprops/action-gh-release@3198ee1...c062e08)

Updates `ossf/scorecard-action` from 2.3.1 to 2.4.0
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@0864cf1...62b2cac)

Updates `github/codeql-action` from 3.24.6 to 3.27.0
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@8a470fd...6624720)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ci-deps
- dependency-name: baptiste0928/cargo-install
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ci-deps
- dependency-name: actions/deploy-pages
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: ci-deps
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ci-deps
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ci-deps
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: ci-deps
- dependency-name: softprops/action-gh-release
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: ci-deps
- dependency-name: ossf/scorecard-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ci-deps
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: ci-deps
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/github_actions/ci-deps-9a554bf504 branch from cba5706 to 2184e98 Compare October 26, 2024 15:23
@V0ldek V0ldek enabled auto-merge (squash) October 26, 2024 16:34
@V0ldek V0ldek disabled auto-merge October 26, 2024 16:34
@V0ldek V0ldek merged commit dac9944 into main Oct 26, 2024
50 checks passed
@V0ldek V0ldek deleted the dependabot/github_actions/ci-deps-9a554bf504 branch October 26, 2024 16:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@V0ldek V0ldek V0ldek approved these changes

Assignees

@V0ldek V0ldek

Labels
dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@V0ldek