From 93d3714ab034b35c2eab3cf2e6f73ba5456065c5 Mon Sep 17 00:00:00 2001
From: Mend Renovate
Date: Mon, 14 Nov 2022 01:14:05 +0100
Subject: [PATCH] Update workflows (#819)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.0.0` -> `v3.1.0` |
| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.0` -> `v3.1.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | patch | `v2.0.0` -> `v2.0.6` |
| [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | digest | `5fb2f04` -> `37f50c2` |

---

### Release Notes
actions/checkout

### [`v3.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v310)

[Compare Source](https://togithub.com/actions/checkout/compare/v3.0.2...v3.1.0)

- [Use @actions/core `saveState` and `getState`](https://togithub.com/actions/checkout/pull/939)
- [Add `github-server-url` input](https://togithub.com/actions/checkout/pull/922)

### [`v3.0.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v302)

[Compare Source](https://togithub.com/actions/checkout/compare/v3.0.1...v3.0.2)

- [Add input `set-safe-directory`](https://togithub.com/actions/checkout/pull/770)

### [`v3.0.1`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v301)

[Compare Source](https://togithub.com/actions/checkout/compare/v3.0.0...v3.0.1)

- [Fixed an issue where checkout failed to run in container jobs due to the new git setting `safe.directory`](https://togithub.com/actions/checkout/pull/762)
- [Bumped various npm package versions](https://togithub.com/actions/checkout/pull/744)
actions/upload-artifact

### [`v3.1.1`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.1)

[Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.0...v3.1.1)

- Update actions/core package to latest version to remove `set-output` deprecation warning [#351](https://togithub.com/actions/upload-artifact/issues/351)
ossf/scorecard-action

### [`v2.0.6`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.6)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.5...v2.0.6)

#### What's Changed

- Fix - Broken dockerfile by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/ossf/scorecard-action/pull/979](https://togithub.com/ossf/scorecard-action/pull/979)

**Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.0.5...v2.0.6

### [`v2.0.5`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.5)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.4...v2.0.5)

#### What's Changed

- Remove trailing space from example by [@jamacku](https://togithub.com/jamacku) in [https://github.com/ossf/scorecard-action/pull/955](https://togithub.com/ossf/scorecard-action/pull/955)
- :seedling: Bump actions/cache from 3.0.8 to 3.0.10 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/956](https://togithub.com/ossf/scorecard-action/pull/956)
- :seedling: Bump github/codeql-action from 2.1.25 to 2.1.26 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/957](https://togithub.com/ossf/scorecard-action/pull/957)
- :seedling: Bump step-security/harden-runner from 1.4.5 to 1.5.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/958](https://togithub.com/ossf/scorecard-action/pull/958)
- :seedling: Bump debian from `5cf1d98` to `b46fc4e` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/959](https://togithub.com/ossf/scorecard-action/pull/959)
- :seedling: Bump github.com/sigstore/cosign from 1.12.1 to 1.13.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/962](https://togithub.com/ossf/scorecard-action/pull/962)
- :seedling: Upgrade to go 1.19 by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/ossf/scorecard-action/pull/961](https://togithub.com/ossf/scorecard-action/pull/961)
- :seedling: Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/967](https://togithub.com/ossf/scorecard-action/pull/967)
- :seedling: Bump golang from `c2a98a5` to `b850621` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/966](https://togithub.com/ossf/scorecard-action/pull/966)
- :seedling: Bump golang from `b850621` to `25de7b6` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/968](https://togithub.com/ossf/scorecard-action/pull/968)
- New release for Scorecard v4.8.0 by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/ossf/scorecard-action/pull/969](https://togithub.com/ossf/scorecard-action/pull/969)

#### New Contributors

- [@jamacku](https://togithub.com/jamacku) made their first contribution in [https://github.com/ossf/scorecard-action/pull/955](https://togithub.com/ossf/scorecard-action/pull/955)

**Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.0.4...v2.0.5

### [`v2.0.4`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.4)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.3...v2.0.4)

Fixes [#856](https://togithub.com/ossf/scorecard-action/issues/856)

#### What's Changed

- :seedling: Bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/934](https://togithub.com/ossf/scorecard-action/pull/934)
- feat: do not run signing on pull requests by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/ossf/scorecard-action/pull/935](https://togithub.com/ossf/scorecard-action/pull/935)
- :seedling: Bump debian from 11.4-slim to 11.5-slim by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/936](https://togithub.com/ossf/scorecard-action/pull/936)
- :seedling: Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/938](https://togithub.com/ossf/scorecard-action/pull/938)
- :seedling: Bump github/codeql-action from 2.1.22 to 2.1.24 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/941](https://togithub.com/ossf/scorecard-action/pull/941)
- 🐛 Restore behavior of ignoring scorecard runtime errors by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/948](https://togithub.com/ossf/scorecard-action/pull/948)
- :seedling: Bump actions/dependency-review-action from 2.1.0 to 2.4.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/950](https://togithub.com/ossf/scorecard-action/pull/950)
- :seedling: Bump github.com/sigstore/cosign from 1.12.0 to 1.12.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/947](https://togithub.com/ossf/scorecard-action/pull/947)
- :seedling: Bump github/codeql-action from 2.1.24 to 2.1.25 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/949](https://togithub.com/ossf/scorecard-action/pull/949)
- :seedling: Bump codecov/codecov-action from 3.1.0 to 3.1.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/942](https://togithub.com/ossf/scorecard-action/pull/942)
- Create v2.0.4 patch by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/952](https://togithub.com/ossf/scorecard-action/pull/952)

#### New Contributors

- [@spencerschrock](https://togithub.com/spencerschrock) made their first contribution in [https://github.com/ossf/scorecard-action/pull/948](https://togithub.com/ossf/scorecard-action/pull/948)

**Full Changelog**: https://github.com/ossf/scorecard-action/compare/v2.0.3...v2.0.4

### [`v2.0.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.3)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.2...v2.0.3)

Patch for fix in [#898](https://togithub.com/ossf/scorecard-action/issues/898)

### [`v2.0.2`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.2)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.1...v2.0.2)

Fixes [https://github.com/ossf/scorecard-action/issues/895](https://togithub.com/ossf/scorecard-action/issues/895)

### [`v2.0.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.1)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.0...v2.0.1)

Fix for [#856](https://togithub.com/ossf/scorecard-action/issues/856)
---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

Co-authored-by: Andrew Pollock
---
 .github/workflows/publish-to-pypi.yaml | 2 +-
 .github/workflows/scorecards.yml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-to-pypi.yaml b/.github/workflows/publish-to-pypi.yaml
index 62036e696ce..b215e885fcc 100644
--- a/.github/workflows/publish-to-pypi.yaml
+++ b/.github/workflows/publish-to-pypi.yaml
@@ -41,7 +41,7 @@ jobs: build --sdist --wheel --outdir dist/ . - name: Publish distribution to PyPI - uses: pypa/gh-action-pypi-publish@5fb2f047e26679d7846a8370de1642ff160b9025 # v1.5.1 + uses: pypa/gh-action-pypi-publish@37f50c210e3d2f9450da2cd423303d6a14a6e29f # v1.5.1 with: password: ${{ secrets.PYPI_API_TOKEN }} packages_dir: dist/
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 172ebb26e08..2ffc0ff06be 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -22,12 +22,12 @@ jobs: id-token: write steps: - name: "Checkout code" - uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707 # v3.0.0 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@066a051e5c2c336158e3c5728cd80ccb1276afbf # v2.0.0-alpha.2 + uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6-alpha.2 with: results_file: results.sarif results_format: sarif @@ -42,7 +42,7 @@ jobs: # Upload the results as artifacts (optional). - name: "Upload artifact" - uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.0 + uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1 with: name: SARIF file path: results.sarif
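Review bot: in the publish-to-pypi.yaml hunk (`@@ -41,7 +41,7 @@`) the pinned digest for pypa/gh-action-pypi-publish moves from `5fb2f047e26679d7846a8370de1642ff160b9025` to `37f50c210e3d2f9450da2cd423303d6a14a6e29f`, yet the trailing comment is `# v1.5.1` on both the `-` and `+` lines, and the PR table classifies this as a `digest` update rather than a version bump. The comment is the only human-readable statement of which release the SHA is supposed to be, so before merging confirm that `37f50c2` is what the `v1.5.1` tag currently resolves to; if the tag was not moved, the comment should name the release the new commit actually belongs to. A mismatched comment is exactly what makes a later audit of pinned actions trust the wrong thing, and this step is the one that holds `secrets.PYPI_API_TOKEN`.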
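Review bot: in the first scorecards.yml hunk (`@@ -22,12 +22,12 @@`) the `+` line for ossf/scorecard-action is annotated `# v2.0.6-alpha.2`, but the release notes above describe a plain `v2.0.6` and the PR table shows `v2.0.0` -> `v2.0.6`; the `-alpha.2` suffix looks carried over mechanically from the old `# v2.0.0-alpha.2` comment. Change it to `# v2.0.6` so the annotation matches the tag that `99c53751e09b9529366343771cc321ec74e9bd3d` is meant to resolve to. The actions/checkout bump in the same hunk keeps `persist-credentials: false`, which should stay as is, since the job already grants `id-token: write` and the checked-out tree does not need the token afterwards.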
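Review bot: in the second scorecards.yml hunk (`@@ -42,7 +42,7 @@`) the actions/upload-artifact pin does not actually change: the `-` and `+` lines both carry `83fd05a356d7e2593de66fc9913b3002723633cb`, and only the trailing comment moves from `# v3.1.0` to `# v3.1.1`. Unless v3.1.1 was tagged on the very same commit as v3.1.0, which the release note above argues against (it says v3.1.1 updated the actions/core package), this hunk relabels the step without changing what runs. Resolve the `v3.1.1` tag to its commit and pin that SHA; if the two tags really do point at the same commit, drop the hunk rather than ship a comment that no longer describes the pin.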