🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 #1270

spencerschrock · 2023-10-06T17:42:23Z

This bumps scorecard to the newly release v4.13.0, in preparation for the next release of scorecard action either v2.2.1 or v2.3.0.

Signed-off-by: Spencer Schrock <sschrock@google.com>

codecov · 2023-10-06T17:47:26Z

Codecov Report

Merging #1270 (202109d) into main (49787a6) will not change coverage.
The diff coverage is n/a.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1270   +/-   ##
=======================================
  Coverage   63.17%   63.17%           
=======================================
  Files           4        4           
  Lines         296      296           
=======================================
  Hits          187      187           
  Misses         94       94           
  Partials       15       15

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.9` -> `v2.22.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1270 - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1169 - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1225 ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1229 - 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1221 - 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [ossf/scorecard-action#1250 - 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [ossf/scorecard-action#1258 #### New Contributors - [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [ossf/scorecard-action#1250 - [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [ossf/scorecard-action#1258 **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv-scanner).

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | actions/checkout | action | digest | `96f5310` -> `b4ffde6` | | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v4.0.0` -> `v4.1.1` | | [actions/setup-go](https://togithub.com/actions/setup-go) | action | minor | `v4.0.1` -> `v4.1.0` | | [actions/setup-java](https://togithub.com/actions/setup-java) | action | minor | `v3.12.0` -> `v3.13.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | minor | `v3.7.0` -> `v3.8.1` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | digest | `e33196f` -> `5e21ff4` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.2` -> `v2.22.4` | | [gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action) | action | minor | `v2.7.0` -> `v2.9.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer) | action | patch | `v3.1.1` -> `v3.1.2` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.1`](https://togithub.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://togithub.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@joshmgross](https://togithub.com/joshmgross) in [actions/checkout#1510 - Correct link to GitHub Docs by [@peterbe](https://togithub.com/peterbe) in [actions/checkout#1511 - Link to release page from what's new section by [@cory-miller](https://togithub.com/cory-miller) in [actions/checkout#1514 ##### New Contributors - [@joshmgross](https://togithub.com/joshmgross) made their first contribution in [actions/checkout#1510 - [@peterbe](https://togithub.com/peterbe) made their first contribution in [actions/checkout#1511 **Full Changelog**: actions/checkout@v4...v4.1.1 ### [`v4.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://togithub.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://togithub.com/actions/checkout/pull/1396) </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v4.1.0`](https://togithub.com/actions/setup-go/releases/tag/v4.1.0) [Compare Source](https://togithub.com/actions/setup-go/compare/v4.0.1...v4.1.0) #### What's Changed In scope of this release, slow installation on Windows was fixed by [@dsame](https://togithub.com/dsame) in [actions/setup-go#393 and OS version was added to `primaryKey` for Ubuntu runners to avoid conflicts ([actions/setup-go#383) This release also includes the following changes: - Remove implicit dependencies by [@nikolai-laevskii](https://togithub.com/nikolai-laevskii) in [actions/setup-go#378 - Update action.yml by [@mkelly](https://togithub.com/mkelly) in [actions/setup-go#379 - Added a description that go-version should be specified as a string type by [@n3xem](https://togithub.com/n3xem) in [actions/setup-go#367 - Add note about YAML parsing versions by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [actions/setup-go#382 - Automatic update of configuration files from 05/23/2023 by [@github-actions](https://togithub.com/github-actions) in [actions/setup-go#377 - Bump tough-cookie and [@azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@dependabot](https://togithub.com/dependabot) in [actions/setup-go#392 - Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://togithub.com/dependabot) in [actions/setup-go#397 - Bump semver from 6.3.0 to 6.3.1 by [@dependabot](https://togithub.com/dependabot) in [actions/setup-go#396 #### New Contributors - [@mkelly](https://togithub.com/mkelly) made their first contribution in [actions/setup-go#379 - [@n3xem](https://togithub.com/n3xem) made their first contribution in [actions/setup-go#367 **Full Changelog**: actions/setup-go@v4...v4.1.0 </details> <details> <summary>actions/setup-java (actions/setup-java)</summary> ### [`v3.13.0`](https://togithub.com/actions/setup-java/releases/tag/v3.13.0) [Compare Source](https://togithub.com/actions/setup-java/compare/v3.12.0...v3.13.0) ##### What's changed In the scope of this release, support for Dragonwell JDK was added by [@Accelerator1996](https://togithub.com/Accelerator1996) in [actions/setup-java#532 ```yaml steps: - name: Checkout uses: actions/checkout@v3 - name: Setup-java uses: actions/setup-java@v3 with: distribution: 'dragonwell' java-version: '17' ``` Several inaccuracies were also fixed: - Fix XML namespaces wrongly using https by [@gnodet](https://togithub.com/gnodet) in [actions/setup-java#503 - Fix typo and remove unintentional(?) word by [@CyberFlameGO](https://togithub.com/CyberFlameGO) in [actions/setup-java#518 - Fix usage link within the README.md file by [@dassiorleando](https://togithub.com/dassiorleando) in [actions/setup-java#525 ##### New Contributors - [@CyberFlameGO](https://togithub.com/CyberFlameGO) made their first contribution in [actions/setup-java#518 - [@dassiorleando](https://togithub.com/dassiorleando) made their first contribution in [actions/setup-java#525 - [@gnodet](https://togithub.com/gnodet) made their first contribution in [actions/setup-java#503 - [@Accelerator1996](https://togithub.com/Accelerator1996) made their first contribution in [actions/setup-java#532 **Full Changelog**: actions/setup-java@v3...v3.13.0 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [actions/setup-node#831. It is filtered and checked in the toolkit/cache library. **Full Changelog**: actions/setup-node@v3...v3.8.1 ### [`v3.8.0`](https://togithub.com/actions/setup-node/releases/tag/v3.8.0) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.7.0...v3.8.0) ##### What's Changed ##### Bug fixes: - Add check for existing paths by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [actions/setup-node#803 - Resolve SymbolicLink by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [actions/setup-node#809 - Change passing logic for cache input by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [actions/setup-node#816 - Fix armv7 cache issue by [@louislam](https://togithub.com/louislam) in [actions/setup-node#794 - Update check-dist workflow name by [@sinchang](https://togithub.com/sinchang) in [actions/setup-node#710 ##### Feature implementations: - feat: handling the case where "node" is used for tool-versions file. by [@xytis](https://togithub.com/xytis) in [actions/setup-node#812 ##### Documentation changes: - Refer to semver package name in README.md by [@olleolleolle](https://togithub.com/olleolleolle) in [actions/setup-node#808 ##### Update dependencies: - Update toolkit cache to fix zstd by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [actions/setup-node#804 - Bump tough-cookie and [@azure/ms-rest-js](https://togithub.com/azure/ms-rest-js) by [@dependabot](https://togithub.com/dependabot) in [actions/setup-node#802 - Bump semver from 6.1.2 to 6.3.1 by [@dependabot](https://togithub.com/dependabot) in [actions/setup-node#807 - Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://togithub.com/dependabot) in [actions/setup-node#815 ##### New Contributors - [@olleolleolle](https://togithub.com/olleolleolle) made their first contribution in [actions/setup-node#808 - [@louislam](https://togithub.com/louislam) made their first contribution in [actions/setup-node#794 - [@sinchang](https://togithub.com/sinchang) made their first contribution in [actions/setup-node#710 - [@xytis](https://togithub.com/xytis) made their first contribution in [actions/setup-node#812 **Full Changelog**: actions/setup-node@v3...v3.8.0 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@ljmf00](https://togithub.com/ljmf00) in [actions/upload-artifact#313 - Bump [@actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@bethanyj28](https://togithub.com/bethanyj28) in [actions/upload-artifact#436 **Full Changelog**: actions/upload-artifact@v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) ### [`v2.21.4`](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.3...v2.21.4) ### [`v2.21.3`](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.2...v2.21.3) </details> <details> <summary>gradle/gradle-build-action (gradle/gradle-build-action)</summary> ### [`v2.9.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.9.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.8.1...v2.9.0) The GitHub [dependency-review-action](https://togithub.com/actions/dependency-review-action) helps you understand dependency changes (and the security impact of these changes) for a pull request. This release updates the GItHub Dependency Graph support to be compatible with the `dependency-review-action`. See [the documentation](https://togithub.com/gradle/gradle-build-action#integrating-the-dependency-review-action) for detailed examples. ##### Changelog - \[FIX] Use correct SHA for `pull-request` events [#882](https://togithub.com/gradle/gradle-build-action/issues/882) - \[FIX] Avoid generating dependency graph during cache cleanup [#905](https://togithub.com/gradle/gradle-build-action/issues/905) - \[NEW] Improve warning on failure to submit dependency graph - \[NEW] Compatibility with GitHub `dependency-review-action` [#879](https://togithub.com/gradle/gradle-build-action/issues/879) **Full-changelog**: gradle/gradle-build-action@v2.8.1...v2.9.0 ### [`v2.8.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.8.1) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.8.0...v2.8.1) Fixes an issue that prevented Dependency Graph submission when running on GitHub Enterprise Server. ##### Fixes - Incorrect endpoint used to submit Dependency Graph on GitHub Enterprise [#885](https://togithub.com/gradle/gradle-build-action/issues/885) ##### Changelog ### [`v2.8.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.8.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.7.1...v2.8.0) The `v2.8.0` release of the `gradle-build-action` introduces an easy mechanism to connect to Gradle Enterprise, as well improved support for self-hosted GitHub Actions runners. ##### Automatic injection of Gradle Enterprise connectivity It is now possible to connect a Gradle build to Gradle Enterprise without changing any of the Gradle project sources. This is achieved through Gradle Enterprise injection, where an init-script will apply the Gradle Enterprise plugin and associated configuration. This feature can be useful to easily trial Gradle Enterprise on a project, or to centralize Gradle Enterprise configuration for all GitHub Actions workflows in an organization. See [Gradle Enterprise injection in the README](https://togithub.com/gradle/gradle-build-action/blob/v2.8.0/README.md#gradle-enterprise-plugin-injection) for more info. ##### Restore Gradle User Home when directory already exists Previously, the Gradle User Home would not be restored if the directory already exists. This wasn't normally an issue with GitHub-hosted runners, but limited the usefulness of the action for persistent, self-hosted runners. This behaviour has been improved in this release: - The Job Summary now includes a useful error message when Gradle User Home was not restored because the directory already exists. - The action can now be configured to restore the Gradle User Home when the directory already exists, overwriting existing content with content from the GitHub Actions cache. See https://github.com/gradle/gradle-build-action#overwriting-an-existing-gradle-user-home for more details. ##### Changes **Issues fixed**: https://github.com/gradle/gradle-build-action/issues?q=milestone%3A2.8.0+is%3Aclosed **Full changelog**: gradle/gradle-build-action@v2.7.1...v2.8.0 ### [`v2.7.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v2.7.1) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v2.7.0...v2.7.1) This release contains no code changes, only dependency updates and documentation improvements. ##### Changelog </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1270 - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1169 - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1225 ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1229 - 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1221 - 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [ossf/scorecard-action#1250 - 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [ossf/scorecard-action#1258 #### New Contributors - [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [ossf/scorecard-action#1250 - [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [ossf/scorecard-action#1258 **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary> ### [`v3.1.2`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.1.2) [Compare Source](https://togithub.com/sigstore/cosign-installer/compare/v3.1.1...v3.1.2) #### What's Changed - Fix build and push step Readme missing id by [@hbenali](https://togithub.com/hbenali) in [sigstore/cosign-installer#138 - bump cosign to v2.2.0 by [@cpanato](https://togithub.com/cpanato) in [sigstore/cosign-installer#142 #### New Contributors - [@hbenali](https://togithub.com/hbenali) made their first contribution in [sigstore/cosign-installer#138 **Full Changelog**: sigstore/cosign-installer@v3...v3.1.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).  Signed-off-by: Mend Renovate <bot@renovateapp.com>

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` | | [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. #### What's Changed - Fix(docs): Correct action input name by [@oerd](https://togithub.com/oerd) in [actions/dependency-review-action#551 #### New Contributors - [@oerd](https://togithub.com/oerd) made their first contribution in [actions/dependency-review-action#551 **Full Changelog**: actions/dependency-review-action@v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@sgmurphy](https://togithub.com/sgmurphy) in [actions/dependency-review-action#540 Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. #### New Contributors - [@sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [actions/dependency-review-action#540 **Full Changelog**: actions/dependency-review-action@v3...v3.0.8 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [actions/setup-node#831. It is filtered and checked in the toolkit/cache library. **Full Changelog**: actions/setup-node@v3...v3.8.1 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@ljmf00](https://togithub.com/ljmf00) in [actions/upload-artifact#313 - Bump [@actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@bethanyj28](https://togithub.com/bethanyj28) in [actions/upload-artifact#436 **Full Changelog**: actions/upload-artifact@v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1270 - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1169 - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1225 ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1229 - 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1221 - 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [ossf/scorecard-action#1250 - 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [ossf/scorecard-action#1258 #### New Contributors - [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [ossf/scorecard-action#1250 - [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [ossf/scorecard-action#1258 **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) Release \[v1.9.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0). ##### v1.9.0: BYOB framework (beta) - **New**: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders. ##### v1.9.0: Maven builder (beta) - **New**: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central. ##### v1.9.0: Gradle builder (beta) - **New**: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central. ##### v1.9.0: JReleaser builder - **New**: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java). </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0) #### Summary Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0 #### What's Changed - chore: Update SHA256SUM.md for v2.3.0 by [@ianlewis](https://togithub.com/ianlewis) in [#592 - docs: Make npm package version and name non-optional by [@laurentsimon](https://togithub.com/laurentsimon) in [#591 - docs: npm provenance verification from GitHub runner by [@laurentsimon](https://togithub.com/laurentsimon) in [#595 - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v18.16.9 by [@renovate-bot](https://togithub.com/renovate-bot) in [#596 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [#597 - chore(deps): update dependency jasmine to v5 by [@renovate-bot](https://togithub.com/renovate-bot) in [#598 - feat: BYOB verification support by [@laurentsimon](https://togithub.com/laurentsimon) in [#604 - feat: Support for v1.0 verification in BYOB by [@laurentsimon](https://togithub.com/laurentsimon) in [#609 - feat: Use env variable to retrieve trigger workflow by [@laurentsimon](https://togithub.com/laurentsimon) in [#615 - test: Add test data for v1.6.0 by [@ianlewis](https://togithub.com/ianlewis) in [#612 - fix: Verify the TRW tag is a semver tag by [@laurentsimon](https://togithub.com/laurentsimon) in [#619 - chore: Don't be verbose with tests locally by [@ianlewis](https://togithub.com/ianlewis) in [#620 - fix: use ExternalParameters\["source"] for the Source URI for SLSA v1.0 provenance by [@asraa](https://togithub.com/asraa) in [#621 - test: re-generate container-based tests by [@asraa](https://togithub.com/asraa) in [#627 - fix: revert to using resolvedDepdendencies for source verification by [@asraa](https://togithub.com/asraa) in [#629 - refactor: Provenance tests by [@ianlewis](https://togithub.com/ianlewis) in [#628 - fix(deps): update module github.com/sigstore/rekor to v1.2.0 \[security] by [@renovate-bot](https://togithub.com/renovate-bot) in [#622 - fix: only allow hashes of 256 bits or more by [@laurentsimon](https://togithub.com/laurentsimon) in [#633 - fix: builder ID verification for testing by [@ianlewis](https://togithub.com/ianlewis) in [#635 - feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@asraa](https://togithub.com/asraa) in [#634 - chore: update toc in README.md by [@asraa](https://togithub.com/asraa) in [#636 - fix: allow workflow_dispatch to trigger release.yml by [@ianlewis](https://togithub.com/ianlewis) in [#637 - test: add tests for v1.7.0 builders by [@asraa](https://togithub.com/asraa) in [#638 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [#607 - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@renovate-bot](https://togithub.com/renovate-bot) in [#567 - fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@renovate-bot](https://togithub.com/renovate-bot) in [#606 - chore(deps): update npm dev by [@renovate-bot](https://togithub.com/renovate-bot) in [#608 - chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@renovate-bot](https://togithub.com/renovate-bot) in [#583 - feat: Verify provenance by build type by [@ianlewis](https://togithub.com/ianlewis) in [#632 - refactor: Use Go 1.20 by [@ianlewis](https://togithub.com/ianlewis) in [#643 - test: Add more ProvenanceFromEnvelope tests by [@ianlewis](https://togithub.com/ianlewis) in [#640 - fix: pre-submit: e2e-cli.sh artifact download by [@ianlewis](https://togithub.com/ianlewis) in [#646 - refactor: Add more git utils by [@ianlewis](https://togithub.com/ianlewis) in [#645 - refactor: Use full builder id by [@ianlewis](https://togithub.com/ianlewis) in [#648 - feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by [@laurentsimon](https://togithub.com/laurentsimon) in [#644 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [#651 - feat: move maven-plugin from slsa-github-generator by [@AdamKorcz](https://togithub.com/AdamKorcz) in [#664 - docs: Fix maven-plugin README by [@laurentsimon](https://togithub.com/laurentsimon) in [#671 - feat: Verification for when sha1 is specified in BYOB TRW by [@ianlewis](https://togithub.com/ianlewis) in [#641 - docs: Add example for maven verification plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [#676 - chore: Add Kris to codeowners by [@laurentsimon](https://togithub.com/laurentsimon) in [#678 - feat: Print byob builder by [@laurentsimon](https://togithub.com/laurentsimon) in [#677 - test: Add test data for v1.8.0 by [@ianlewis](https://togithub.com/ianlewis) in [#681 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [#666 - feat: Non-compulsory BuilderID for BYOB Builders by [@enteraga6](https://togithub.com/enteraga6) in [#674 - chore(deps): update golang docker tag to v1.21 by [@renovate-bot](https://togithub.com/renovate-bot) in [#687 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [#686 - feat: GCB refactor for v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [#682 - feat: Allow byob builders ref at main for e2e tests by [@laurentsimon](https://togithub.com/laurentsimon) in [#689 - feat: Update doc and code for Maven plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [#680 - feat: gcb v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [#691 - feat: v1.9.0 regression tests by [@laurentsimon](https://togithub.com/laurentsimon) in [#696 - fix: release failure by [@laurentsimon](https://togithub.com/laurentsimon) in [#697 #### New Contributors - [@AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in [#664 - [@enteraga6](https://togithub.com/enteraga6) made their first contribution in [#674 **Full Changelog**: v2.3.0...v2.4.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).  Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | gaurav-nelson/github-action-markdown-link-check | action | digest | `a996638` -> `0f074c8` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.9` -> `v2.23.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.1` | | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | patch | `v1.8.10` -> `v1.8.11` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.23.0`](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.12...v2.23.0) ### [`v2.22.12`](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.11...v2.22.12) ### [`v2.22.11`](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.10...v2.22.11) ### [`v2.22.10`](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.9...v2.22.10) ### [`v2.22.9`](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.8...v2.22.9) ### [`v2.22.8`](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.7...v2.22.8) ### [`v2.22.7`](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.6...v2.22.7) ### [`v2.22.6`](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.5...v2.22.6) ### [`v2.22.5`](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.4...v2.22.5) ### [`v2.22.4`](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.1...v2.22.2) ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1282 - Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1) release notes **Full Changelog**: ossf/scorecard-action@v2.3.0...v2.3.1 ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1270 - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1169 - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1225 ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1229 - 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1221 - 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [ossf/scorecard-action#1250 - 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [ossf/scorecard-action#1258 #### New Contributors - [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [ossf/scorecard-action#1250 - [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [ossf/scorecard-action#1258 **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.8.11`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.11) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.10...v1.8.11) #### 💅 Cosmetic output improvements [@woodruffw](https://togithub.com/woodruffw) added a nudge suggesting the users storing passwords in a GitHub Actions repository secrets to switch to using secretless publishing in [pypa/gh-action-pypi-publish#190. This also reminds people that PyPI will start mandating two-factor authentication to perform uploads in 2024. #### 📝 What's Documented [@di](https://togithub.com/di) linked the configuration docs for Trusted Publishing in README via [pypa/gh-action-pypi-publish#179. #### 🛠️ Internal dependencies - Cryptography was bumped from 41.0.3 to 41.0.6 @&#[pypa/gh-action-pypi-publish#194 - Pip was bumped from 22.3.1 to 23.3 @&#[pypa/gh-action-pypi-publish#189 - pre-commit linters got autoupdated @&#[pypa/gh-action-pypi-publish#184 - Urllib3 was bumped from 2.0.3 to 2.0.7 @&#[pypa/gh-action-pypi-publish#183 #### 💪 New Contributors - [@di](https://togithub.com/di) made their first contribution in [pypa/gh-action-pypi-publish#179 **:mirror: Full Diff**: pypa/gh-action-pypi-publish@v1.8.10...v1.8.11 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv.dev).

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.1.2` -> `v2.3.1` | --- ### Release Notes <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1282 - Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the [v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1) release notes **Full Changelog**: ossf/scorecard-action@v2.3.0...v2.3.1 ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1270 - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1169 - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1225 ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1229 - 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1221 - 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [ossf/scorecard-action#1250 - 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [ossf/scorecard-action#1258 #### New Contributors - [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [ossf/scorecard-action#1250 - [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [ossf/scorecard-action#1258 **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1192 #### Scorecard Result Viewer Thanks to contributions from [@cynthia-sg](https://togithub.com/cynthia-sg) and [@tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [ossf/scorecard-webapp#406 - [ossf/scorecard-webapp#422 As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([ossf/scorecard-action#1156, resolved [ossf/scorecard-action#1150) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([ossf/scorecard-action#1191) #### Docs - 📖 Update README to accept fine-grained tokens by [@pnacht](https://togithub.com/pnacht) in [ossf/scorecard-action#1175 - 📖 Update installation instructions to match current GitHub UI by [@joycebrum](https://togithub.com/joycebrum) in [ossf/scorecard-action#1153 - 📖 Document the GitHub action workflow restrictions when publishing results. by [@spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [ossf/scorecard-action#1140 - [@pnacht](https://togithub.com/pnacht) made their first contribution in [ossf/scorecard-action#1175 **Full Changelog**: ossf/scorecard-action@v2.1.3...v2.2.0 ### [`v2.1.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.3) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1111 ##### Bug Fixes - Invalid SARIF files from a bug in scorecard - [#1076](https://togithub.com/ossf/scorecard-action/issues/1076), [#1094](https://togithub.com/ossf/scorecard-action/issues/1094) - Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner - [#1092](https://togithub.com/ossf/scorecard-action/issues/1092) - Scorecard action not reporting binary artifacts in the repo - [#1116](https://togithub.com/ossf/scorecard-action/issues/1116) **Full Scorecard Changelog**: ossf/scorecard@v4.10.2...v4.10.5 **Full Changelog**: ossf/scorecard-action@v2.1.2...v2.1.3 </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/secretflow/spu).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.5.3` -> `v3.6.0` | | [actions/dependency-review-action](https://togithub.com/actions/dependency-review-action) | action | minor | `v3.0.7` -> `v3.1.0` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v3.8.0` -> `v3.8.1` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.21.4` -> `v2.22.1` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [slsa-framework/slsa-github-generator](https://togithub.com/slsa-framework/slsa-github-generator) | action | minor | `v1.8.0` -> `v1.9.0` | | [slsa-framework/slsa-verifier](https://togithub.com/slsa-framework/slsa-verifier) | action | minor | `v2.3.0` -> `v2.4.0` | --- ### ⚠ Dependency Lookup Warnings ⚠ Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.6.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.3...v3.6.0) - [Fix: Mark test scripts with Bash'isms to be run via Bash](https://togithub.com/actions/checkout/pull/1377) - [Add option to fetch tags even if fetch-depth > 0](https://togithub.com/actions/checkout/pull/579) </details> <details> <summary>actions/dependency-review-action (actions/dependency-review-action)</summary> ### [`v3.1.0`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.1.0): 3.1.0 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.8...v3.1.0) #### What's New Added support for dependencies submitted through the [dependency submission API](https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/about-dependency-review#best-practices-for-using-the-dependency-review-api-and-the-dependency-submission-api-together). This includes two new configuration parameters: `retry-on-snapshot-warnings` and `retry-on-snapshot-warnings-timeout`. #### What's Changed - Fix(docs): Correct action input name by [@oerd](https://togithub.com/oerd) in [actions/dependency-review-action#551 #### New Contributors - [@oerd](https://togithub.com/oerd) made their first contribution in [actions/dependency-review-action#551 **Full Changelog**: actions/dependency-review-action@v3...v3.1.0 ### [`v3.0.8`](https://togithub.com/actions/dependency-review-action/releases/tag/v3.0.8): 3.0.8 [Compare Source](https://togithub.com/actions/dependency-review-action/compare/v3.0.7...v3.0.8) #### What's Changed Added `on-failure` option to `comment-summary-in-pr` setting by [@sgmurphy](https://togithub.com/sgmurphy) in [actions/dependency-review-action#540 Previous configuration files using `true`/`false` for `comment-summary-in-pr` will be mapped automatically to the new values, but we encourage you to update to `always`/`on-failure`/`never`. #### New Contributors - [@sgmurphy](https://togithub.com/sgmurphy) made their first contribution in [actions/dependency-review-action#540 **Full Changelog**: actions/dependency-review-action@v3...v3.0.8 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://togithub.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://togithub.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://togithub.com/dmitry-shibanov) in [actions/setup-node#831. It is filtered and checked in the toolkit/cache library. **Full Changelog**: actions/setup-node@v3...v3.8.1 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@ljmf00](https://togithub.com/ljmf00) in [actions/upload-artifact#313 - Bump [@actions/artifact](https://togithub.com/actions/artifact) version to v1.1.2 by [@bethanyj28](https://togithub.com/bethanyj28) in [actions/upload-artifact#436 **Full Changelog**: actions/upload-artifact@v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.1`](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.21.4...v2.21.5) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1270 - For a full changelist of what this includes, see the [v4.12.0](https://togithub.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://togithub.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1169 - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1225 ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://togithub.com/rajbos) in [ossf/scorecard-action#1229 - 📖 Add package comments. by [@spencerschrock](https://togithub.com/spencerschrock) in [ossf/scorecard-action#1221 - 📖 Add SECURITY.md file by [@david-a-wheeler](https://togithub.com/david-a-wheeler) in [ossf/scorecard-action#1250 - 📖 Fix typo in token input docs by [@aabouzaid](https://togithub.com/aabouzaid) in [ossf/scorecard-action#1258 #### New Contributors - [@david-a-wheeler](https://togithub.com/david-a-wheeler) made their first contribution in [ossf/scorecard-action#1250 - [@aabouzaid](https://togithub.com/aabouzaid) made their first contribution in [ossf/scorecard-action#1258 **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>slsa-framework/slsa-github-generator (slsa-framework/slsa-github-generator)</summary> ### [`v1.9.0`](https://togithub.com/slsa-framework/slsa-github-generator/blob/HEAD/CHANGELOG.md#v190) [Compare Source](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0) Release \[v1.9.0] includes bug fixes and new features. See the [full change list](https://togithub.com/slsa-framework/slsa-github-generator/compare/v1.8.0...v1.9.0). ##### v1.9.0: BYOB framework (beta) - **New**: A [new framework](https://togithub.com/slsa-framework/slsa-github-generator/blob/main/BYOB.md) to turn GitHub Actions into SLSA compliant builders. ##### v1.9.0: Maven builder (beta) - **New**: A [Maven builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/maven) to build Java projects and publish to Maven central. ##### v1.9.0: Gradle builder (beta) - **New**: A [Gradle builder](https://togithub.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle) to build Java projects and publish to Maven central. ##### v1.9.0: JReleaser builder - **New**: A [JReleaser builder](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java) that wraps the official [JReleaser Action](https://togithub.com/jreleaser/release-action/tree/v1.0.0-java). </details> <details> <summary>slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)</summary> ### [`v2.4.0`](https://togithub.com/slsa-framework/slsa-verifier/releases/tag/v2.4.0) [Compare Source](https://togithub.com/slsa-framework/slsa-verifier/compare/v2.3.0...v2.4.0) #### Summary Support for BYOB-based builders released in https://github.com/slsa-framework/slsa-github-generator/releases/tag/v1.9.0 #### What's Changed - chore: Update SHA256SUM.md for v2.3.0 by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#592 - docs: Make npm package version and name non-optional by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#591 - docs: npm provenance verification from GitHub runner by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#595 - chore(deps): update dependency [@types/node](https://togithub.com/types/node) to v18.16.9 by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#596 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#597 - chore(deps): update dependency jasmine to v5 by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#598 - feat: BYOB verification support by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#604 - feat: Support for v1.0 verification in BYOB by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#609 - feat: Use env variable to retrieve trigger workflow by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#615 - test: Add test data for v1.6.0 by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#612 - fix: Verify the TRW tag is a semver tag by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#619 - chore: Don't be verbose with tests locally by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#620 - fix: use ExternalParameters\["source"] for the Source URI for SLSA v1.0 provenance by [@asraa](https://togithub.com/asraa) in [slsa-framework#621 - test: re-generate container-based tests by [@asraa](https://togithub.com/asraa) in [slsa-framework#627 - fix: revert to using resolvedDepdendencies for source verification by [@asraa](https://togithub.com/asraa) in [slsa-framework#629 - refactor: Provenance tests by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#628 - fix(deps): update module github.com/sigstore/rekor to v1.2.0 \[security] by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#622 - fix: only allow hashes of 256 bits or more by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#633 - fix: builder ID verification for testing by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#635 - feat: remove experimental on Sigstore bundle and v1.0 SLSA provenance format by [@asraa](https://togithub.com/asraa) in [slsa-framework#634 - chore: update toc in README.md by [@asraa](https://togithub.com/asraa) in [slsa-framework#636 - fix: allow workflow_dispatch to trigger release.yml by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#637 - test: add tests for v1.7.0 builders by [@asraa](https://togithub.com/asraa) in [slsa-framework#638 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#607 - chore(deps): update gcr.io/distroless/base:nonroot docker digest to [`c623859`](https://togithub.com/slsa-framework/slsa-verifier/commit/c623859) by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#567 - fix(deps): update github.com/sigstore/protobuf-specs digest to [`5ef5406`](https://togithub.com/slsa-framework/slsa-verifier/commit/5ef5406) by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#606 - chore(deps): update npm dev by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#608 - chore(deps): update golang:1.19 docker digest to [`83f9f84`](https://togithub.com/slsa-framework/slsa-verifier/commit/83f9f84) by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#583 - feat: Verify provenance by build type by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#632 - refactor: Use Go 1.20 by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#643 - test: Add more ProvenanceFromEnvelope tests by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#640 - fix: pre-submit: e2e-cli.sh artifact download by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#646 - refactor: Add more git utils by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#645 - refactor: Use full builder id by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#648 - feat: Use tags `vX.Y.Z-<language>` for JReleaser builders by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#644 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#651 - feat: move maven-plugin from slsa-github-generator by [@AdamKorcz](https://togithub.com/AdamKorcz) in [slsa-framework#664 - docs: Fix maven-plugin README by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#671 - feat: Verification for when sha1 is specified in BYOB TRW by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#641 - docs: Add example for maven verification plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#676 - chore: Add Kris to codeowners by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#678 - feat: Print byob builder by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#677 - test: Add test data for v1.8.0 by [@ianlewis](https://togithub.com/ianlewis) in [slsa-framework#681 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#666 - feat: Non-compulsory BuilderID for BYOB Builders by [@enteraga6](https://togithub.com/enteraga6) in [slsa-framework#674 - chore(deps): update golang docker tag to v1.21 by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#687 - chore(deps): update github-actions by [@renovate-bot](https://togithub.com/renovate-bot) in [slsa-framework#686 - feat: GCB refactor for v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#682 - feat: Allow byob builders ref at main for e2e tests by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#689 - feat: Update doc and code for Maven plugin by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#680 - feat: gcb v1.0 support by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#691 - feat: v1.9.0 regression tests by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#696 - fix: release failure by [@laurentsimon](https://togithub.com/laurentsimon) in [slsa-framework#697 #### New Contributors - [@AdamKorcz](https://togithub.com/AdamKorcz) made their first contribution in [slsa-framework#664 - [@enteraga6](https://togithub.com/enteraga6) made their first contribution in [slsa-framework#674 **Full Changelog**: slsa-framework/slsa-verifier@v2.3.0...v2.4.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-verifier).  Signed-off-by: Mend Renovate <bot@renovateapp.com> Co-authored-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

spencerschrock added 2 commits October 6, 2023 10:37

upgrade scorecard to v4.13.0

fdc2343

Signed-off-by: Spencer Schrock <sschrock@google.com>

upgrade makefile for scorecard v4.13.0

202109d

Signed-off-by: Spencer Schrock <sschrock@google.com>

laurentsimon approved these changes Oct 6, 2023

View reviewed changes

spencerschrock merged commit 5d35913 into ossf:main Oct 6, 2023
11 checks passed

spencerschrock deleted the dep/scorecard-v4.13.0 branch October 6, 2023 17:54

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 #1270

🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 #1270

spencerschrock commented Oct 6, 2023

codecov bot commented Oct 6, 2023

🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 #1270

🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 #1270

Conversation

spencerschrock commented Oct 6, 2023

codecov bot commented Oct 6, 2023

Codecov Report