Upgrade: Bump goreleaser/goreleaser-action from 6.0.0 to 6.1.0

[dependabot]

Bumps goreleaser/goreleaser-action from 6.0.0 to 6.1.0.

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v6.1.0

What's Changed

• chore(deps): bump braces from 3.0.2 to 3.0.3 by @​dependabot in goreleaser/goreleaser-action#467
• chore(deps): bump docker/bake-action from 4 to 5 by @​dependabot in goreleaser/goreleaser-action#468
• chore(deps): bump semver from 7.6.2 to 7.6.3 by @​dependabot in goreleaser/goreleaser-action#470
• chore(deps): bump @​actions/http-client from 2.2.1 to 2.2.2 by @​dependabot in goreleaser/goreleaser-action#473
• chore(deps): bump @​actions/http-client from 2.2.2 to 2.2.3 by @​dependabot in goreleaser/goreleaser-action#474
• chore(deps): bump micromatch from 4.0.5 to 4.0.8 by @​dependabot in goreleaser/goreleaser-action#475
• chore(deps): bump @​actions/core from 1.10.1 to 1.11.1 by @​dependabot in goreleaser/goreleaser-action#478
• docs: bump upload-artifact version by @​dunglas in goreleaser/goreleaser-action#479
• chore: update generated content by @​crazy-max in goreleaser/goreleaser-action#480

New Contributors

• @​dunglas made their first contribution in goreleaser/goreleaser-action#479

Full Changelog: goreleaser/goreleaser-action@v6.0.0...v6.1.0

Commits

• 9ed2f89 chore: update generated content (#480)
• cf63508 docs: bump upload-artifact version (#479)
• f7623f3 chore(deps): bump @​actions/core from 1.10.1 to 1.11.1 (#478)
• 006a7a4 chore: update
• e4066e6 chore(deps): bump micromatch from 4.0.5 to 4.0.8 (#475)
• 22f558e chore(deps): bump @​actions/http-client from 2.2.2 to 2.2.3 (#474)
• 6e33108 chore(deps): bump @​actions/http-client from 2.2.1 to 2.2.2 (#473)
• 7ca6450 chore(deps): bump semver from 7.6.2 to 7.6.3 (#470)
• d33b6f6 chore(deps): bump docker/bake-action from 4 to 5 (#468)
• 85d0b9d chore(deps): bump braces from 3.0.2 to 3.0.3 (#467)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dryrunsecurity]

DryRun Security Summary

The provided code change updates the version of the goreleaser-action used in the GitHub Actions workflow for releasing a project, which is important for maintaining a secure release process by regularly reviewing and updating dependencies, ensuring secure signing and verification, handling sensitive environment variables, and reviewing verification scripts.

Expand for full summary

Summary:

The provided code change is related to the GitHub Actions workflow for releasing a project. The changes focus on updating the version of the goreleaser-action used in the workflow. From an application security perspective, the key points to consider are:

1. Dependency Management: The workflow is using specific versions of various GitHub Actions, such as sigstore/cosign-installer, anchore/sbom-action/download-syft, and goreleaser/goreleaser-action. It's important to regularly review and update these dependencies to ensure they are using the latest secure versions.

2. Signing and Verification: The workflow includes steps for installing cosign and syft, which are likely used for signing and verifying the released artifacts. Maintaining secure signing and verification processes is crucial to ensure the integrity and authenticity of the released software.

3. Environment Variables: The workflow is using the GITHUB_TOKEN environment variable, which is a sensitive token provided by GitHub Actions. It's important to ensure that this token is used securely and not exposed in any logs or other outputs.

4. Verification Script: The workflow includes a step to run a verification script (./.github/workflows/verify.sh). It's a good practice to review the contents of this script to ensure that it performs appropriate checks and validations on the released artifacts.

Files Changed:

• .github/workflows/release.yaml: This file contains the GitHub Actions workflow for releasing the project. The changes focus on updating the version of the goreleaser-action used in the workflow, which is a common practice to ensure the use of the latest secure version of the action. However, it's important to regularly review the entire workflow and its dependencies to maintain a secure release process.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.

View PR in the DryRun Dashboard.