From 8add330e1dc1daadbf6458212a77c5dbaf88e5c8 Mon Sep 17 00:00:00 2001 From: Theodore Tsirpanis Date: Tue, 28 Feb 2023 23:12:49 +0200 Subject: [PATCH 01/19] :book: Fix links. (#2703) * Fix link. Signed-off-by: Theodore Tsirpanis * Update two more links. Signed-off-by: Theodore Tsirpanis --------- Signed-off-by: Theodore Tsirpanis --- README.md | 2 +- docs/checks.md | 2 +- docs/checks/internal/checks.yaml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8d9adeb392e..3e1f9d2f595 100644 --- a/README.md +++ b/README.md @@ -203,7 +203,7 @@ Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to identify y ###### Verifying SLSA provenance for downloaded releases -We generate [SLSA3 signatures](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary: +We generate [SLSA3 signatures](https://slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator) during the release process. To verify a release binary: 1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation). 2. Download the signature file `attestation.intoto.jsonl` from the [GitHub releases page](https://github.com/GoogleContainerTools/jib/releases/latest). 3. Run the verifier: diff --git a/docs/checks.md b/docs/checks.md index f1174921c65..3d744a660e1 100644 --- a/docs/checks.md +++ b/docs/checks.md 
@@ -589,7 +589,7 @@ Signed releases attest to the provenance of the artifact. This check looks for the following filenames in the project's last five [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases): [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp), -*.sig, *.sign, [*.intoto.jsonl](slsa.dev). +*.sig, *.sign, [*.intoto.jsonl](https://slsa.dev). If a signature is found in the assets for each release, a score of 8 is given. If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given. diff --git a/docs/checks/internal/checks.yaml b/docs/checks/internal/checks.yaml index fe7477c2abc..a8ba343a069 100644 --- a/docs/checks/internal/checks.yaml +++ b/docs/checks/internal/checks.yaml @@ -621,7 +621,7 @@ checks: This check looks for the following filenames in the project's last five [release assets](https://docs.github.com/en/repositories/releasing-projects-on-github/about-releases): [*.minisig](https://github.com/jedisct1/minisign), *.asc (pgp), - *.sig, *.sign, [*.intoto.jsonl](slsa.dev). + *.sig, *.sign, [*.intoto.jsonl](https://slsa.dev). If a signature is found in the assets for each release, a score of 8 is given. If a [SLSA provenance file](https://slsa.dev/spec/v0.1/index) is found in the assets for each release (*.intoto.jsonl), the maximum score of 10 is given. From c4bd0c5d73e80f9b0299dc5de49d5a44c73b18b2 Mon Sep 17 00:00:00 2001 
From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Thu, 2 Mar 2023 10:52:38 -0600 Subject: [PATCH 02/19] :warning: Update date formats and fields to RFC3339 (#2712) - Update date format in multiple files from `YYYY-MM-DD` to `YYYY-MM-DDTHH:MM:SS-TZ` - Update date from `2021-08-25` to `2023-03-02T10:30:43-06:00` - Change date format from `2006-01-02` to `time.RFC3339` - Add `time` import - Update ScorecardResult [pkg/testdata/check2.json] - Change the date format from `YYYY-MM-DD` to `YYYY-MM-DDTHH:MM:SS-TZ` [pkg/testdata/check1.json] - Update date from `2021-08-25` to `2023-03-02T10:30:43-06:00` [pkg/testdata/check3.json] - Update the date field in `check3.json` from `2021-08-25` to `2023-03-02T10:30:43-06:00` [pkg/testdata/check5.json] - Update date in `check5.json` from 2021-08-25 to 2023-03-02T10:30:43-06:00 [pkg/json_test.go] - Change date format from `2006-01-02` to `time.RFC3339` - Update date from `2021-08-25` to `2023-03-02T10:30:43-06:00` [pkg/testdata/check6.json] - Change date from "2021-08-25" to "2023-03-02T10:30:43-06:00" [pkg/json.go] - Change the date format from "2006-01-02" to RFC3339 - Add "time" import - Update the ScorecardResult struct to include the CommitSHA field [pkg/testdata/check4.json] - Update date from `2021-08-25` to `2023-03-02T10:30:43-06:00` - Update commit from `68bc59901773ab4c051dfcea0cc4201a1567ab32` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- pkg/json.go | 3 ++- pkg/json_test.go | 3 ++- pkg/testdata/check1.json | 2 +- pkg/testdata/check2.json | 2 +- pkg/testdata/check3.json | 2 +- pkg/testdata/check4.json | 2 +- pkg/testdata/check5.json | 2 +- pkg/testdata/check6.json | 2 +- 8 files changed, 10 insertions(+), 8 deletions(-) diff --git a/pkg/json.go b/pkg/json.go index 43e8d850723..608f969f169 100644 --- a/pkg/json.go +++ b/pkg/json.go 
@@ -18,6 +18,7 @@ import ( "encoding/json" "fmt" "io" + "time" "github.com/ossf/scorecard/v4/checker" docs "github.com/ossf/scorecard/v4/docs/checks" @@ -163,7 +164,7 @@ func (r *ScorecardResult) AsJSON2(showDetails bool, Version: r.Scorecard.Version, Commit: r.Scorecard.CommitSHA, }, - Date: r.Date.Format("2006-01-02"), + Date: r.Date.Format(time.RFC3339), Metadata: r.Metadata, AggregateScore: jsonFloatScore(score), } diff --git a/pkg/json_test.go b/pkg/json_test.go index 382c4d6efcc..b9836bb8323 100644 --- a/pkg/json_test.go +++ b/pkg/json_test.go @@ -73,7 +73,8 @@ func TestJSONOutput(t *testing.T) { scorecardCommit := "ccbc59901773ab4c051dfcea0cc4201a1567abdd" scorecardVersion := "1.2.3" repoName := "org/name" - date, e := time.Parse("2006-01-02", "2021-08-25") + date, e := time.Parse(time.RFC3339, "2023-03-02T10:30:43-06:00") + t.Logf("date: %v", date) if e != nil { panic(fmt.Errorf("time.Parse: %w", e)) } diff --git a/pkg/testdata/check1.json b/pkg/testdata/check1.json index d70f31d6779..6da954ce870 100644 --- a/pkg/testdata/check1.json +++ b/pkg/testdata/check1.json @@ -1,5 +1,5 @@ { - "date": "2021-08-25", + "date": "2023-03-02T10:30:43-06:00", "repo": { "name": "org/name", "commit": "68bc59901773ab4c051dfcea0cc4201a1567ab32" diff --git a/pkg/testdata/check2.json b/pkg/testdata/check2.json index fca375d0fbb..9b2dea7f461 100644 --- a/pkg/testdata/check2.json +++ b/pkg/testdata/check2.json @@ -1,5 +1,5 @@ { - "date": "2021-08-25", + "date": "2023-03-02T10:30:43-06:00", "repo": { "name": "org/name", "commit": "68bc59901773ab4c051dfcea0cc4201a1567ab32" diff --git a/pkg/testdata/check3.json b/pkg/testdata/check3.json index f23650f3f15..a8f632f6bad 100644 --- a/pkg/testdata/check3.json +++ b/pkg/testdata/check3.json @@ -1,5 +1,5 @@ { - "date": "2021-08-25", + "date": "2023-03-02T10:30:43-06:00", "repo": { "name": "org/name", "commit": "68bc59901773ab4c051dfcea0cc4201a1567ab32" 
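Review bot: `r.Date.Format(time.RFC3339)` in AsJSON2 emits whatever zone offset `r.Date` happens to carry, so the same result can serialise differently depending on where the timestamp was produced. Where `r.Date` is set is not visible in this hunk, so this needs confirming, but normalising at the output boundary with `Date: r.Date.UTC().Format(time.RFC3339),` would keep results comparable across runners. The `Date` field's doc comment or schema should also say it is now a full RFC 3339 timestamp, not a calendar date. AsJSON2's body starts and ends outside the hunk.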
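Review bot: The added `t.Logf("date: %v", date)` in TestJSONOutput runs before `e` is checked, so on a parse failure it logs the zero time and then panics; it reads like leftover debugging. Either drop it or move it below the error check. While the line is being touched, the `panic` could become `t.Fatalf("time.Parse: %v", e)` so a failure is reported through the test runner. The test body continues outside the hunk.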
diff --git a/pkg/testdata/check4.json b/pkg/testdata/check4.json index e7f060f00bb..5f8ede97980 100644 --- a/pkg/testdata/check4.json +++ b/pkg/testdata/check4.json @@ -1,5 +1,5 @@ { - "date": "2021-08-25", + "date": "2023-03-02T10:30:43-06:00", "repo": { "name": "org/name", "commit": "68bc59901773ab4c051dfcea0cc4201a1567ab32" diff --git a/pkg/testdata/check5.json b/pkg/testdata/check5.json index dde021ec99d..247387414cd 100644 --- a/pkg/testdata/check5.json +++ b/pkg/testdata/check5.json @@ -1,5 +1,5 @@ { - "date": "2021-08-25", + "date": "2023-03-02T10:30:43-06:00", "repo": { "name": "org/name", "commit": "68bc59901773ab4c051dfcea0cc4201a1567ab32" diff --git a/pkg/testdata/check6.json b/pkg/testdata/check6.json index 45abe90e451..4fb521450bc 100644 --- a/pkg/testdata/check6.json +++ b/pkg/testdata/check6.json @@ -1,5 +1,5 @@ { - "date": "2021-08-25", + "date": "2023-03-02T10:30:43-06:00", "repo": { "name": "org/name", "commit": "68bc59901773ab4c051dfcea0cc4201a1567ab32" From 82a122bc00b32afbb679efb78cfc0d9e41fd8d9e Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 2 Mar 2023 17:26:21 +0000 Subject: [PATCH 03/19] :seedling: Bump sigstore/cosign-installer from 2.8.1 to 3.0.1 Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 2.8.1 to 3.0.1. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/9becc617647dfa20ae7b1151972e9b3a2c338a2b...c3667d99424e7e6047999fb6246c0da843953c65) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/publishimage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publishimage.yml b/.github/workflows/publishimage.yml index d66858b2fc7..fde531d2459 100644 
--- a/.github/workflows/publishimage.yml +++ b/.github/workflows/publishimage.yml @@ -61,7 +61,7 @@ jobs: make install make scorecard-ko - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b + uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65 - name: Sign image run: | cosign sign ghcr.io/${{github.repository_owner}}/scorecard/v4:${{ github.sha }} From 846fb19724435f0c6465af44adf505ad6b2fc941 Mon Sep 17 00:00:00 2001 From: Azeem Shaikh Date: Fri, 3 Mar 2023 00:50:12 +0530 Subject: [PATCH 04/19] Refactor githubrepo CheckRun logic (#2710) Signed-off-by: Azeem Shaikh --- clients/githubrepo/checkruns.go | 131 ++++++++++++++++++- clients/githubrepo/checkruns_e2e_test.go | 51 ++++++++ clients/githubrepo/client.go | 15 +-- clients/githubrepo/graphql.go | 153 ++--------------------- clients/githubrepo/graphql_e2e_test.go | 84 ++++++------- clients/githubrepo/repo.go | 8 ++ 6 files changed, 236 insertions(+), 206 deletions(-) create mode 100644 clients/githubrepo/checkruns_e2e_test.go diff --git a/clients/githubrepo/checkruns.go b/clients/githubrepo/checkruns.go index 5514762f086..6ed5c04d5b3 100644 --- a/clients/githubrepo/checkruns.go +++ b/clients/githubrepo/checkruns.go 
@@ -17,31 +17,152 @@ package githubrepo import ( "context" "fmt" + "strings" + "sync" "github.com/google/go-github/v38/github" + "github.com/shurcooL/githubv4" "github.com/ossf/scorecard/v4/clients" sce "github.com/ossf/scorecard/v4/errors" + "github.com/ossf/scorecard/v4/log" ) +//nolint:govet +type checkRunsGraphqlData struct { + Repository struct { + Object struct { + Commit struct { + History struct { + Nodes []struct { + AssociatedPullRequests struct { + Nodes []struct { + HeadRefOid githubv4.String + Commits struct { + Nodes []struct { + Commit struct { + CheckSuites struct { + Nodes []struct { + App struct { + Slug githubv4.String + } + Conclusion githubv4.CheckConclusionState + Status githubv4.CheckStatusState + } + } `graphql:"checkSuites(first: $checksToAnalyze)"` + } + } + } `graphql:"commits(last:1)"` + } + } `graphql:"associatedPullRequests(first: $pullRequestsToAnalyze)"` + } + } `graphql:"history(first: $commitsToAnalyze)"` + } `graphql:"... on Commit"` + } `graphql:"object(expression: $commitExpression)"` + } `graphql:"repository(owner: $owner, name: $name)"` + RateLimit struct { + Cost *int + } +} + +type checkRunsByRef = map[string][]clients.CheckRun + +// nolint: govet type checkrunsHandler struct { - client *github.Client - ctx context.Context - repourl *repoURL + client *github.Client + graphClient *githubv4.Client + repourl *repoURL + logger *log.Logger + checkData *checkRunsGraphqlData + setupOnce *sync.Once + ctx context.Context + commitDepth int + checkRunsByRef checkRunsByRef + errSetup error } -func (handler *checkrunsHandler) init(ctx context.Context, repourl *repoURL) { +func (handler *checkrunsHandler) init(ctx context.Context, repourl *repoURL, commitDepth int) { handler.ctx = ctx handler.repourl = repourl + handler.commitDepth = commitDepth + handler.logger = log.NewLogger(log.DefaultLevel) + handler.checkData = new(checkRunsGraphqlData) + handler.setupOnce = new(sync.Once) + handler.checkRunsByRef = checkRunsByRef{} +} + +func 
(handler *checkrunsHandler) setup() error { + handler.setupOnce.Do(func() { + commitExpression := handler.repourl.commitExpression() + vars := map[string]interface{}{ + "owner": githubv4.String(handler.repourl.owner), + "name": githubv4.String(handler.repourl.repo), + "pullRequestsToAnalyze": githubv4.Int(pullRequestsToAnalyze), + "commitsToAnalyze": githubv4.Int(handler.commitDepth), + "commitExpression": githubv4.String(commitExpression), + "checksToAnalyze": githubv4.Int(checksToAnalyze), + } + // TODO(#2224): + // sast and ci checks causes cache miss if commits dont match number of check runs. + // paging for this needs to be implemented if using higher than 100 --number-of-commits + if handler.commitDepth > 99 { + vars["commitsToAnalyze"] = githubv4.Int(99) + } + if err := handler.graphClient.Query(handler.ctx, handler.checkData, vars); err != nil { + // quit early without setting crsErrSetup for "Resource not accessible by integration" error + // for whatever reason, this check doesn't work with a GITHUB_TOKEN, only a PAT + if strings.Contains(err.Error(), "Resource not accessible by integration") { + return + } + handler.errSetup = err + return + } + handler.checkRunsByRef = parseCheckRuns(handler.checkData) + }) + return handler.errSetup } func (handler *checkrunsHandler) listCheckRunsForRef(ref string) ([]clients.CheckRun, error) { + if err := handler.setup(); err != nil { + return nil, fmt.Errorf("error during graphqlHandler.setupCheckRuns: %w", err) + } + if crs, ok := handler.checkRunsByRef[ref]; ok { + return crs, nil + } + msg := fmt.Sprintf("listCheckRunsForRef cache miss: %s/%s:%s", handler.repourl.owner, handler.repourl.repo, ref) + handler.logger.Info(msg) + checkRuns, _, err := handler.client.Checks.ListCheckRunsForRef( handler.ctx, handler.repourl.owner, handler.repourl.repo, ref, &github.ListCheckRunsOptions{}) if err != nil { return nil, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("ListCheckRunsForRef: %v", err)) } - return 
checkRunsFrom(checkRuns), nil + handler.checkRunsByRef[ref] = checkRunsFrom(checkRuns) + return handler.checkRunsByRef[ref], nil +} + +func parseCheckRuns(data *checkRunsGraphqlData) checkRunsByRef { + checkCache := checkRunsByRef{} + for _, commit := range data.Repository.Object.Commit.History.Nodes { + for _, pr := range commit.AssociatedPullRequests.Nodes { + var crs []clients.CheckRun + for _, c := range pr.Commits.Nodes { + for _, checkRun := range c.Commit.CheckSuites.Nodes { + crs = append(crs, clients.CheckRun{ + // the REST API returns lowercase. the graphQL API returns upper + Status: strings.ToLower(string(checkRun.Status)), + Conclusion: strings.ToLower(string(checkRun.Conclusion)), + App: clients.CheckRunApp{ + Slug: string(checkRun.App.Slug), + }, + }) + } + } + headRef := string(pr.HeadRefOid) + checkCache[headRef] = crs + } + } + return checkCache } func checkRunsFrom(data *github.ListCheckRunsResults) []clients.CheckRun { diff --git a/clients/githubrepo/checkruns_e2e_test.go b/clients/githubrepo/checkruns_e2e_test.go new file mode 100644 index 00000000000..45c5fad2bee --- /dev/null +++ b/clients/githubrepo/checkruns_e2e_test.go 
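Review bot: `checkrunsHandler.init` replaces `setupOnce` but never clears `errSetup`, so once `setup` has failed for one repository the stale error is returned for every later repository initialised on the same handler. `graphqlHandler.init` in this same commit does reset it, and adding `handler.errSetup = nil` here would match. On a cache miss `listCheckRunsForRef` writes `handler.checkRunsByRef[ref]` without a lock, which is a concurrent map write if two checks can call it at once (the callers are not visible here), so a `sync.Mutex` around the lookup and the store is worth considering. The wrapped error still reads `error during graphqlHandler.setupCheckRuns` and the comment in `setup` still mentions `crsErrSetup`; neither name exists after the move.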
@@ -0,0 +1,51 @@ +// Copyright 2021 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package githubrepo + +import ( + "context" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" + + "github.com/ossf/scorecard/v4/clients" +) + +var _ = Describe("E2E TEST: githubrepo.checkrunsHandler", func() { + var checkrunshandler *checkrunsHandler + + BeforeEach(func() { + checkrunshandler = &checkrunsHandler{ + graphClient: graphClient, + } + }) + + // TODO: Add e2e tests for commit depth. + + Context("E2E TEST: Validate query cost", func() { + It("Should not have increased query cost", func() { + repourl := &repoURL{ + owner: "ossf", + repo: "scorecard", + commitSHA: clients.HeadSHA, + } + checkrunshandler.init(context.Background(), repourl, 30) + Expect(checkrunshandler.setup()).Should(BeNil()) + Expect(checkrunshandler.checkData).ShouldNot(BeNil()) + Expect(checkrunshandler.checkData.RateLimit.Cost).ShouldNot(BeNil()) + Expect(*checkrunshandler.checkData.RateLimit.Cost).Should(BeNumerically("<=", 1)) + }) + }) +}) diff --git a/clients/githubrepo/client.go b/clients/githubrepo/client.go index 9b3e14fbfd3..612ccc83e5e 100644 --- a/clients/githubrepo/client.go +++ b/clients/githubrepo/client.go 
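Review bot: The `repoURL` built in "Should not have increased query cost" sets `commitSHA: clients.HeadSHA` but no `defaultBranch`, so `repourl.commitExpression()` (added in repo.go in this commit) returns `heads/` and the query may resolve no commit object at all. In that case the `Cost <= 1` assertion can pass without the check-suite selection being exercised. Setting `defaultBranch: "main"` on the test value, as the `heads/main` expression in graphql_e2e_test.go suggests, would make the measured cost meaningful. The same applies to `commitExpression` itself in the repo.go hunk, which formats an empty branch name without complaint.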
@@ -103,7 +103,7 @@ func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string, commitD client.workflows.init(client.ctx, client.repourl) // Setup checkrunsHandler. - client.checkruns.init(client.ctx, client.repourl) + client.checkruns.init(client.ctx, client.repourl, commitDepth) // Setup statusesHandler. client.statuses.init(client.ctx, client.repourl) @@ -207,15 +207,7 @@ func (client *Client) ListSuccessfulWorkflowRuns(filename string) ([]clients.Wor // ListCheckRunsForRef implements RepoClient.ListCheckRunsForRef. func (client *Client) ListCheckRunsForRef(ref string) ([]clients.CheckRun, error) { - cachedCrs, err := client.graphClient.listCheckRunsForRef(ref) - if errors.Is(err, errNotCached) { - crs, err := client.checkruns.listCheckRunsForRef(ref) - if err == nil { - client.graphClient.cacheCheckRunsForRef(ref, crs) - } - return crs, err - } - return cachedCrs, err + return client.checkruns.listCheckRunsForRef(ref) } // ListStatuses implements RepoClient.ListStatuses. @@ -276,7 +268,8 @@ func CreateGithubRepoClientWithTransport(ctx context.Context, rt http.RoundTripp client: client, }, checkruns: &checkrunsHandler{ - client: client, + client: client, + graphClient: graphClient, }, statuses: &statusesHandler{ client: client, diff --git a/clients/githubrepo/graphql.go b/clients/githubrepo/graphql.go index eb3302f2704..93e4a9afbb4 100644 --- a/clients/githubrepo/graphql.go +++ b/clients/githubrepo/graphql.go @@ -16,7 +16,6 @@ package githubrepo import ( "context" - "errors" "fmt" "strings" "sync" @@ -26,7 +25,6 @@ import ( "github.com/ossf/scorecard/v4/clients" sce "github.com/ossf/scorecard/v4/errors" - "github.com/ossf/scorecard/v4/log" ) const ( @@ -38,8 +36,6 @@ const ( labelsToAnalyze = 30 ) -var errNotCached = errors.New("result not cached") - //nolint:govet type graphqlData struct { Repository struct { 
@@ -134,61 +130,17 @@ type graphqlData struct { } } -//nolint:govet -type checkRunsGraphqlData struct { - Repository struct { - Object struct { - Commit struct { - History struct { - Nodes []struct { - AssociatedPullRequests struct { - Nodes []struct { - HeadRefOid githubv4.String - Commits struct { - Nodes []struct { - Commit struct { - CheckSuites struct { - Nodes []struct { - App struct { - Slug githubv4.String - } - Conclusion githubv4.CheckConclusionState - Status githubv4.CheckStatusState - } - } `graphql:"checkSuites(first: $checksToAnalyze)"` - } - } - } `graphql:"commits(last:1)"` - } - } `graphql:"associatedPullRequests(first: $pullRequestsToAnalyze)"` - } - } `graphql:"history(first: $commitsToAnalyze)"` - } `graphql:"... on Commit"` - } `graphql:"object(expression: $commitExpression)"` - } `graphql:"repository(owner: $owner, name: $name)"` - RateLimit struct { - Cost *int - } -} - -type checkRunCache = map[string][]clients.CheckRun - type graphqlHandler struct { - checkRuns checkRunCache - client *githubv4.Client - data *graphqlData - setupOnce *sync.Once - checkData *checkRunsGraphqlData - setupCheckRunsOnce *sync.Once - errSetupCheckRuns error - logger *log.Logger - ctx context.Context - errSetup error - repourl *repoURL - commits []clients.Commit - issues []clients.Issue - archived bool - commitDepth int + client *githubv4.Client + data *graphqlData + setupOnce *sync.Once + ctx context.Context + errSetup error + repourl *repoURL + commits []clients.Commit + issues []clients.Issue + archived bool + commitDepth int } func (handler *graphqlHandler) init(ctx context.Context, repourl *repoURL, commitDepth int) { 
@@ -197,10 +149,6 @@ func (handler *graphqlHandler) init(ctx context.Context, repourl *repoURL, commi handler.data = new(graphqlData) handler.errSetup = nil handler.setupOnce = new(sync.Once) - handler.checkData = new(checkRunsGraphqlData) - handler.setupCheckRunsOnce = new(sync.Once) - handler.checkRuns = checkRunCache{} - handler.logger = log.NewLogger(log.DefaultLevel) handler.commitDepth = commitDepth handler.commits = nil handler.issues = nil @@ -233,7 +181,7 @@ func populateCommits(handler *graphqlHandler, vars map[string]interface{}) ([]cl func (handler *graphqlHandler) setup() error { handler.setupOnce.Do(func() { - commitExpression := handler.commitExpression() + commitExpression := handler.repourl.commitExpression() vars := map[string]interface{}{ "owner": githubv4.String(handler.repourl.owner), "name": githubv4.String(handler.repourl.repo), 
@@ -264,37 +212,6 @@ func (handler *graphqlHandler) setup() error { return handler.errSetup } -func (handler *graphqlHandler) setupCheckRuns() error { - handler.setupCheckRunsOnce.Do(func() { - commitExpression := handler.commitExpression() - vars := map[string]interface{}{ - "owner": githubv4.String(handler.repourl.owner), - "name": githubv4.String(handler.repourl.repo), - "pullRequestsToAnalyze": githubv4.Int(pullRequestsToAnalyze), - "commitsToAnalyze": githubv4.Int(handler.commitDepth), - "commitExpression": githubv4.String(commitExpression), - "checksToAnalyze": githubv4.Int(checksToAnalyze), - } - // TODO(#2224): - // sast and ci checks causes cache miss if commits dont match number of check runs. - // paging for this needs to be implemented if using higher than 100 --number-of-commits - if handler.commitDepth > 99 { - vars["commitsToAnalyze"] = githubv4.Int(99) - } - if err := handler.client.Query(handler.ctx, handler.checkData, vars); err != nil { - // quit early without setting crsErrSetup for "Resource not accessible by integration" error - // for whatever reason, this check doesn't work with a GITHUB_TOKEN, only a PAT - if strings.Contains(err.Error(), "Resource not accessible by integration") { - return - } - handler.errSetupCheckRuns = err - return - } - handler.checkRuns = parseCheckRuns(handler.checkData) - }) - return handler.errSetupCheckRuns -} - func (handler *graphqlHandler) getCommits() ([]clients.Commit, error) { if err := handler.setup(); err != nil { return nil, fmt.Errorf("error during graphqlHandler.setup: %w", err) 
@@ -302,22 +219,6 @@ func (handler *graphqlHandler) getCommits() ([]clients.Commit, error) { return handler.commits, nil } -func (handler *graphqlHandler) cacheCheckRunsForRef(ref string, crs []clients.CheckRun) { - handler.checkRuns[ref] = crs -} - -func (handler *graphqlHandler) listCheckRunsForRef(ref string) ([]clients.CheckRun, error) { - if err := handler.setupCheckRuns(); err != nil { - return nil, fmt.Errorf("error during graphqlHandler.setupCheckRuns: %w", err) - } - if crs, ok := handler.checkRuns[ref]; ok { - return crs, nil - } - msg := fmt.Sprintf("listCheckRunsForRef cache miss: %s/%s:%s", handler.repourl.owner, handler.repourl.repo, ref) - handler.logger.Info(msg) - return nil, errNotCached -} - func (handler *graphqlHandler) getIssues() ([]clients.Issue, error) { if !strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) { return nil, fmt.Errorf("%w: ListIssues only supported for HEAD queries", clients.ErrUnsupportedFeature) 
@@ -338,38 +239,6 @@ func (handler *graphqlHandler) isArchived() (bool, error) { return handler.archived, nil } -func (handler *graphqlHandler) commitExpression() string { - if strings.EqualFold(handler.repourl.commitSHA, clients.HeadSHA) { - // TODO(#575): Confirm that this works as expected. - return fmt.Sprintf("heads/%s", handler.repourl.defaultBranch) - } - return handler.repourl.commitSHA -} - -func parseCheckRuns(data *checkRunsGraphqlData) checkRunCache { - checkCache := checkRunCache{} - for _, commit := range data.Repository.Object.Commit.History.Nodes { - for _, pr := range commit.AssociatedPullRequests.Nodes { - var crs []clients.CheckRun - for _, c := range pr.Commits.Nodes { - for _, checkRun := range c.Commit.CheckSuites.Nodes { - crs = append(crs, clients.CheckRun{ - // the REST API returns lowercase. the graphQL API returns upper - Status: strings.ToLower(string(checkRun.Status)), - Conclusion: strings.ToLower(string(checkRun.Conclusion)), - App: clients.CheckRunApp{ - Slug: string(checkRun.App.Slug), - }, - }) - } - } - headRef := string(pr.HeadRefOid) - checkCache[headRef] = crs - } - } - return checkCache -} - // nolint func commitsFrom(data *graphqlData, repoOwner, repoName string) ([]clients.Commit, error) { ret := make([]clients.Commit, 0) diff --git a/clients/githubrepo/graphql_e2e_test.go b/clients/githubrepo/graphql_e2e_test.go index 9eb860ac183..eb4bc225f7d 100644 --- a/clients/githubrepo/graphql_e2e_test.go +++ b/clients/githubrepo/graphql_e2e_test.go @@ -38,12 +38,12 @@ var _ = Describe("E2E TEST: githubrepo.graphqlHandler", func() { Context("E2E TEST: Confirm Paging Commits Works", func() { It("Should only have 1 commit", func() { - _repourl := &repoURL{ + repourl := &repoURL{ owner: "ossf", repo: "scorecard", commitSHA: clients.HeadSHA, } - _vars := map[string]interface{}{ + vars := map[string]interface{}{ "owner": githubv4.String("ossf"), "name": githubv4.String("scorecard"), "pullRequestsToAnalyze": githubv4.Int(1), 
@@ -55,28 +55,28 @@ var _ = Describe("E2E TEST: githubrepo.graphqlHandler", func() { "commitExpression": githubv4.String("heads/main"), "historyCursor": (*githubv4.String)(nil), } - _ctx := context.Background() - _logger := log.NewLogger(log.DebugLevel) - _rt := roundtripper.NewTransport(_ctx, _logger) - _httpClient := &http.Client{ - Transport: _rt, + ctx := context.Background() + logger := log.NewLogger(log.DebugLevel) + rt := roundtripper.NewTransport(ctx, logger) + httpClient := &http.Client{ + Transport: rt, } - _graphClient := githubv4.NewClient(_httpClient) - _handler := &graphqlHandler{ - client: _graphClient, + graphClient := githubv4.NewClient(httpClient) + handler := &graphqlHandler{ + client: graphClient, } - _handler.init(context.Background(), _repourl, 1) - commits, err := populateCommits(_handler, _vars) + handler.init(context.Background(), repourl, 1) + commits, err := populateCommits(handler, vars) Expect(err).To(BeNil()) Expect(len(commits)).Should(BeEquivalentTo(1)) }) It("Should have 30 commits", func() { - _repourl := &repoURL{ + repourl := &repoURL{ owner: "ossf", repo: "scorecard", commitSHA: clients.HeadSHA, } - _vars := map[string]interface{}{ + vars := map[string]interface{}{ "owner": githubv4.String("ossf"), "name": githubv4.String("scorecard"), "pullRequestsToAnalyze": githubv4.Int(1), 
@@ -88,28 +88,28 @@ var _ = Describe("E2E TEST: githubrepo.graphqlHandler", func() { "commitExpression": githubv4.String("heads/main"), "historyCursor": (*githubv4.String)(nil), } - _ctx := context.Background() - _logger := log.NewLogger(log.DebugLevel) - _rt := roundtripper.NewTransport(_ctx, _logger) - _httpClient := &http.Client{ - Transport: _rt, + ctx := context.Background() + logger := log.NewLogger(log.DebugLevel) + rt := roundtripper.NewTransport(ctx, logger) + httpClient := &http.Client{ + Transport: rt, } - _graphClient := githubv4.NewClient(_httpClient) - _handler := &graphqlHandler{ - client: _graphClient, + graphClient := githubv4.NewClient(httpClient) + handler := &graphqlHandler{ + client: graphClient, } - _handler.init(context.Background(), _repourl, 30) - commits, err := populateCommits(_handler, _vars) + handler.init(context.Background(), repourl, 30) + commits, err := populateCommits(handler, vars) Expect(err).To(BeNil()) Expect(len(commits)).Should(BeEquivalentTo(30)) }) It("Should have 101 commits", func() { - _repourl := &repoURL{ + repourl := &repoURL{ owner: "ossf", repo: "scorecard", commitSHA: clients.HeadSHA, } - _vars := map[string]interface{}{ + vars := map[string]interface{}{ "owner": githubv4.String("ossf"), "name": githubv4.String("scorecard"), "pullRequestsToAnalyze": githubv4.Int(1), 
@@ -121,18 +121,18 @@ var _ = Describe("E2E TEST: githubrepo.graphqlHandler", func() { "commitExpression": githubv4.String("heads/main"), "historyCursor": (*githubv4.String)(nil), } - _ctx := context.Background() - _logger := log.NewLogger(log.DebugLevel) - _rt := roundtripper.NewTransport(_ctx, _logger) - _httpClient := &http.Client{ - Transport: _rt, + ctx := context.Background() + logger := log.NewLogger(log.DebugLevel) + rt := roundtripper.NewTransport(ctx, logger) + httpClient := &http.Client{ + Transport: rt, } - _graphClient := githubv4.NewClient(_httpClient) - _handler := &graphqlHandler{ - client: _graphClient, + graphClient := githubv4.NewClient(httpClient) + handler := &graphqlHandler{ + client: graphClient, } - _handler.init(context.Background(), _repourl, 101) - commits, err := populateCommits(_handler, _vars) + handler.init(context.Background(), repourl, 101) + commits, err := populateCommits(handler, vars) Expect(err).To(BeNil()) Expect(len(commits)).Should(BeEquivalentTo(101)) }) @@ -163,17 +163,5 @@ var _ = Describe("E2E TEST: githubrepo.graphqlHandler", func() { Expect(graphqlhandler.data.RateLimit.Cost).ShouldNot(BeNil()) Expect(*graphqlhandler.data.RateLimit.Cost).Should(BeNumerically("<=", 1)) }) - It("Should not have increased for check run query", func() { - repourl := &repoURL{ - owner: "ossf", - repo: "scorecard", - commitSHA: clients.HeadSHA, - } - graphqlhandler.init(context.Background(), repourl, 30) - Expect(graphqlhandler.setupCheckRuns()).Should(BeNil()) - Expect(graphqlhandler.checkData).ShouldNot(BeNil()) - Expect(graphqlhandler.checkData.RateLimit.Cost).ShouldNot(BeNil()) - Expect(*graphqlhandler.checkData.RateLimit.Cost).Should(BeNumerically("<=", 1)) - }) }) }) diff --git a/clients/githubrepo/repo.go b/clients/githubrepo/repo.go index f0f24da28b8..0f288cf7205 100644 --- a/clients/githubrepo/repo.go +++ b/clients/githubrepo/repo.go 
@@ -114,6 +114,14 @@ func (r *repoURL) Metadata() []string { return r.metadata } +func (r *repoURL) commitExpression() string { + if strings.EqualFold(r.commitSHA, clients.HeadSHA) { + // TODO(#575): Confirm that this works as expected. + return fmt.Sprintf("heads/%s", r.defaultBranch) + } + return r.commitSHA +} + // MakeGithubRepo takes input of form "owner/repo" or "github.com/owner/repo" // and returns an implementation of clients.Repo interface. func MakeGithubRepo(input string) (clients.Repo, error) { From 36faeac0acfc5366d3b2fade3d2c01c2a21a8602 Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Fri, 3 Mar 2023 15:10:48 +0100 Subject: [PATCH 05/19] Consider 'src/test' test directories (#2706) The Maven 'Standard Directory Layout' [0] is fairly widely used, not only in Maven but also in adjacent ecosystems like Gradle and clojure. Longer-term this would become part of the default policy, see discussion at https://github.com/ossf/scorecard/pull/1408#issuecomment-999806097 etc. [0]: https://maven.apache.org/guides/introduction/introduction-to-the-standard-directory-layout.html Signed-off-by: Arnout Engelen --- checks/fileparser/listing.go | 4 +++- checks/fileparser/listing_test.go | 7 +++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/checks/fileparser/listing.go b/checks/fileparser/listing.go index aab72e085c5..3efb8208991 100644 --- a/checks/fileparser/listing.go +++ b/checks/fileparser/listing.go @@ -52,7 +52,9 @@ func isMatchingPath(fullpath string, matchPathTo PathMatcher) (bool, error) { func isTestdataFile(fullpath string) bool { // testdata/ or /some/dir/testdata/some/other return strings.HasPrefix(fullpath, "testdata/") || - strings.Contains(fullpath, "/testdata/") + strings.Contains(fullpath, "/testdata/") || + strings.HasPrefix(fullpath, "src/test/") || + strings.Contains(fullpath, "/src/test/") } // PathMatcher represents a query for a filepath. 
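Review bot: `commitExpression` formats `heads/%s` from `r.defaultBranch` without checking that the field is set, so a `repoURL` built with only `owner`, `repo` and `commitSHA` (as the e2e tests earlier in this patch do) would yield the bare expression `heads/`. Whether that can happen in production depends on where `defaultBranch` is assigned, which is outside this hunk, and the open `TODO(#575)` suggests it has not been confirmed. The method also lacks a doc comment; I would add `// commitExpression returns "heads/<defaultBranch>" when r.commitSHA is clients.HeadSHA (compared case-insensitively), otherwise r.commitSHA. defaultBranch must be populated first.`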
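Review bot: The comment inside `isTestdataFile` still describes only `testdata/`, while the function now also returns true for any path that starts with `src/test/` or contains `/src/test/`. If this predicate is what lets checks skip files (its callers are outside the hunk), the change widens that exemption to every directory named `src/test` at any depth, and files placed there would no longer be examined; that should be stated where a reader of the check will see it. I would update the comment to `// testdata/ or /some/dir/testdata/..., and src/test/ or /some/dir/src/test/... (Maven standard directory layout)`.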
diff --git a/checks/fileparser/listing_test.go b/checks/fileparser/listing_test.go index 0c55518d223..7d3e7cbfacb 100644 --- a/checks/fileparser/listing_test.go +++ b/checks/fileparser/listing_test.go @@ -375,6 +375,13 @@ func Test_isTestdataFile(t *testing.T) { }, want: true, }, + { + name: "testdata file", + args: args{ + fullpath: "archiva-modules/archiva-base/archiva-checksum/src/test/resources/examples/redback-authz-open.jar", + }, + want: true, + }, } for _, tt := range tests { tt := tt // Re-initializing variable so it is not changed while executing the closure below From def5eadd77ef62d64617fa9d76b0c0b36a9618bd Mon Sep 17 00:00:00 2001 From: Arnout Engelen Date: Fri, 3 Mar 2023 15:25:05 +0100 Subject: [PATCH 06/19] :book: update bigquery docs in README (#2714) Signed-off-by: Arnout Engelen --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3e1f9d2f595..ad0b17243d1 100644 --- a/README.md +++ b/README.md @@ -101,7 +101,7 @@ This data is available in the public BigQuery dataset `openssf:scorecardcron.scorecard-v2`. The latest results are available in the BigQuery view `openssf:scorecardcron.scorecard-v2_latest`. -You can query the data using [BigQuery Explorer](http://console.cloud.google.com/bigquery) by navigating to Add Data > Pin a Project > Enter Project Name > 'openssf'. +You can query the data using [BigQuery Explorer](http://console.cloud.google.com/bigquery) by navigating to Add Data > Star a project by name > 'openssf'. For example, you may be interested in how a project's score has changed over time: ```sql From b8bc65f4c48d89690e1368c11f9935a22359bbee Mon Sep 17 00:00:00 2001 From: Pedro Nacht Date: Fri, 3 Mar 2023 15:53:50 -0300 Subject: [PATCH 07/19] Add projects to cronjob (#2716) Adds: - bufbuild/protoc-gen-validate - rust-lang/cfg-if - codemirror/codemirror5 - firebase/flutterfire - google/zerocopy - openjdk/jdk19u - tukaani-project/xz 
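Review bot: The added case exercises only the `strings.Contains(fullpath, "/src/test/")` branch; nothing covers a path that begins with `src/test/`, and nothing pins that a look-alike (a constructed example: `src/testing/x.jar`) stays false. The case also uses the generic name `testdata file`, which makes a failure hard to attribute; `name: "maven src/test file"` would be clearer. The table starts above the hunk, so the existing case names are not visible here.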
Signed-off-by: Pedro Kaj Kjellerup Nacht --- cron/internal/data/projects.csv | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/cron/internal/data/projects.csv b/cron/internal/data/projects.csv index 322356ef824..c413885739e 100755 --- a/cron/internal/data/projects.csv +++ b/cron/internal/data/projects.csv @@ -329716,6 +329716,7 @@ github.com/bufanpeng/react-ts-cli, github.com/bufanpeng/reactTsCli,num_dependents_deps.dev:0 github.com/bufbuild/buf,"criticality_score:0.481250,num_dependents_deps.dev:3" github.com/bufbuild/makego,num_dependents_deps.dev:0 +github.com/bufbuild/protoc-gen-validate, github.com/bufbuild/wellknowntypes,num_dependents_deps.dev:0 github.com/bufemc/a1pamfax, github.com/buff2017/generator-gulp-es6,num_dependents_deps.dev:0 @@ -372616,6 +372617,7 @@ github.com/codemirror/basic-setup,num_dependents_deps.dev:2 github.com/codemirror/buildhelper,num_dependents_deps.dev:0 github.com/codemirror/closebrackets,num_dependents_deps.dev:52 github.com/codemirror/codemirror.next,"criticality_score:0.526480,num_dependents_deps.dev:39" +github.com/codemirror/codemirror5, github.com/codemirror/collab,num_dependents_deps.dev:0 github.com/codemirror/commands,num_dependents_deps.dev:48 github.com/codemirror/comment,num_dependents_deps.dev:58 @@ -502789,6 +502791,7 @@ github.com/firebase/firebaseui-web,"Google,criticality_score:0.528730,num_depend github.com/firebase/firebaseui-web-react,"Google,criticality_score:0.397290,num_dependents_deps.dev:2" github.com/firebase/firechat,num_dependents_deps.dev:0 github.com/firebase/firepad,num_dependents_deps.dev:2 +github.com/firebase/flutterfire,Google github.com/firebase/friendlyeats-android,Google github.com/firebase/friendlyeats-ios,Google github.com/firebase/friendlyeats-web,Google 
@@ -547351,6 +547354,7 @@ github.com/google/ytstatistics-demo,Google github.com/google/zarathustra,Google github.com/google/zazu,Google github.com/google/zero-touch-reseller-tool,Google +github.com/google/zerocopy,Google github.com/google/zeroshell-linode,Google github.com/google/zetasketch,"Google,num_dependents_deps.dev:4" github.com/google/zetasql,"Google,criticality_score:0.349680,num_dependents_deps.dev:47" @@ -888832,6 +888836,7 @@ github.com/openjax/root,num_dependents_deps.dev:0 github.com/openjck/standard-javascript,num_dependents_deps.dev:0 github.com/openjdk/asmtools,num_dependents_deps.dev:0 github.com/openjdk/jdk,criticality_score:0.834270 +github.com/openjdk/jdk19u, github.com/openjdk/jfx,"criticality_score:0.695640,num_dependents_deps.dev:1344" github.com/openjdk/jmc,"criticality_score:0.502480,num_dependents_deps.dev:30" github.com/openjdk/jmh,criticality_score:0.614800 @@ -993693,6 +993698,7 @@ github.com/rust-lang/bitflags,num_dependents_deps.dev:0 github.com/rust-lang/book,criticality_score:0.622680 github.com/rust-lang/cargo,"criticality_score:0.805960,num_dependents_deps.dev:833" github.com/rust-lang/cargo-bisect-rustc,num_dependents_deps.dev:0 +github.com/rust-lang/cfg-if, github.com/rust-lang/chalk,"criticality_score:0.540200,num_dependents_deps.dev:671" github.com/rust-lang/compiler-builtins,num_dependents_deps.dev:0 github.com/rust-lang/crater,criticality_score:0.459790 @@ -1139114,6 +1139120,7 @@ github.com/tujlaky/passwordless-tokenstore-test,num_dependents_deps.dev:0 github.com/tujoworker/alva,num_dependents_deps.dev:0 github.com/tujoworker/gatsby-plugin-wrap-pages,num_dependents_deps.dev:0 github.com/tujoworker/prettier-plugin-rational-order,num_dependents_deps.dev:0 +github.com/tukaani-project/xz, github.com/tukaelu/sesame-client-go,num_dependents_deps.dev:0 github.com/tukaianirban/sdk.go.spotify,num_dependents_deps.dev:0 github.com/tukangremot/go,num_dependents_deps.dev:0 
From c06ac740cc49fea404c54c036000731d5ea6ebe3 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Fri, 3 Mar 2023 15:25:42 -0600 Subject: [PATCH 08/19] :seedling: Removed failing tests (#2718) fixes https://github.com/ossf/scorecard/issues/2715 Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- dependencydiff/dependencydiff_test.go | 43 --------------------------- 1 file changed, 43 deletions(-) diff --git a/dependencydiff/dependencydiff_test.go b/dependencydiff/dependencydiff_test.go index 1c5aa06c5cd..9a4699fcdb6 100644 --- a/dependencydiff/dependencydiff_test.go +++ b/dependencydiff/dependencydiff_test.go 
@@ -20,53 +20,10 @@ import ( "path" "testing" - "github.com/ossf/scorecard/v4/clients" sclog "github.com/ossf/scorecard/v4/log" "github.com/ossf/scorecard/v4/pkg" ) -// Test_fetchRawDependencyDiffData is a test function for fetchRawDependencyDiffData. -func Test_fetchRawDependencyDiffData(t *testing.T) { - //nolint - tests := []struct { - name string - dCtx dependencydiffContext - wantEmpty bool - wantErr bool - }{ - { - name: "error response", - dCtx: dependencydiffContext{ - logger: sclog.NewLogger(sclog.InfoLevel), - ctx: context.Background(), - ownerName: "no_such_owner", - repoName: "repo_not_exist", - base: "main", - head: clients.HeadSHA, - }, - wantEmpty: true, - wantErr: true, - }, - // Considering of the token usage, normal responses are tested in the e2e test. - } - for _, tt := range tests { - tt := tt - t.Run(tt.name, func(t *testing.T) { - t.Parallel() - err := fetchRawDependencyDiffData(&tt.dCtx) - if (err != nil) != tt.wantErr { - t.Errorf("fetchRawDependencyDiffData() error = {%v}, want error: %v", err, tt.wantErr) - return - } - lenResults := len(tt.dCtx.dependencydiffs) - if (lenResults == 0) != tt.wantEmpty { - t.Errorf("want empty results: %v, got len of results:%d", tt.wantEmpty, lenResults) - return - } - }) - } -} - func Test_initRepoAndClientByChecks(t *testing.T) { //nolint tests := []struct { From 61866a06c922ba7c6684b3d71b106feea60b683c Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Fri, 3 Mar 2023 18:14:09 -0800 Subject: [PATCH 09/19] =?UTF-8?q?=F0=9F=90=9B=20Check=20OSS=20Fuzz=20build?= =?UTF-8?q?=20file=20for=20Fuzzing=20check=20(#2719)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Check OSS-Fuzz using project list Signed-off-by: Spencer Schrock * Use clients.RepoClient interface to perform the new OSS Fuzz check Signed-off-by: Spencer Schrock * wip: add eager client for better repeated lookup of projects 
Signed-off-by: Spencer Schrock * Split lazy and eager behavior into different implementations. Signed-off-by: Spencer Schrock * Add tests and benchmarks Signed-off-by: Spencer Schrock * Switch to always parsing JSON to determine if a project is present. The other approach of looking for a substring match would lead to false positives. Signed-off-by: Spencer Schrock * Add eager constructor to surface status file errors sooner. Signed-off-by: Spencer Schrock * Switch existing users to new OSS Fuzz client Signed-off-by: Spencer Schrock * Mark old method as deprecated in the godoc Signed-off-by: Spencer Schrock * remove unused comment. Signed-off-by: Spencer Schrock * Use new OSS Fuzz client in e2e test. Signed-off-by: Spencer Schrock * fix typo. Signed-off-by: Spencer Schrock * Fix potential path bug with test server. Signed-off-by: Spencer Schrock * Force include the two JSON files which were being ignored by .gitignore Signed-off-by: Spencer Schrock * trim the status json file Signed-off-by: Spencer Schrock --------- Signed-off-by: Spencer Schrock --- checker/client.go | 11 +- clients/githubrepo/client.go | 3 + clients/ossfuzz/client.go | 259 ++++++++++++++++++++++++++ clients/ossfuzz/client_test.go | 182 ++++++++++++++++++ clients/ossfuzz/testdata/invalid.json | 10 + clients/ossfuzz/testdata/status.json | 24 +++ cmd/serve.go | 3 +- cron/internal/worker/main.go | 5 +- e2e/fuzzing_test.go | 13 +- 9 files changed, 492 insertions(+), 18 deletions(-) create mode 100644 clients/ossfuzz/client.go create mode 100644 clients/ossfuzz/client_test.go create mode 100644 clients/ossfuzz/testdata/invalid.json create mode 100644 clients/ossfuzz/testdata/status.json diff --git a/checker/client.go b/checker/client.go index b65173b9a27..1fd646fec28 100644 --- a/checker/client.go +++ b/checker/client.go 
@@ -21,6 +21,7 @@ import ( "github.com/ossf/scorecard/v4/clients" ghrepo "github.com/ossf/scorecard/v4/clients/githubrepo" "github.com/ossf/scorecard/v4/clients/localdir" + "github.com/ossf/scorecard/v4/clients/ossfuzz" "github.com/ossf/scorecard/v4/log" ) @@ -59,16 +60,10 @@ func GetClients(ctx context.Context, repoURI, localURI string, logger *log.Logge fmt.Errorf("getting local directory client: %w", errGitHub) } - ossFuzzRepoClient, errOssFuzz := ghrepo.CreateOssFuzzRepoClient(ctx, logger) - var retErr error - if errOssFuzz != nil { - retErr = fmt.Errorf("getting OSS-Fuzz repo client: %w", errOssFuzz) - } - // TODO(repo): Should we be handling the OSS-Fuzz client error like this? return githubRepo, /*repo*/ ghrepo.CreateGithubRepoClient(ctx, logger), /*repoClient*/ - ossFuzzRepoClient, /*ossFuzzClient*/ + ossfuzz.CreateOSSFuzzClient(ossfuzz.StatusURL), /*ossFuzzClient*/ clients.DefaultCIIBestPracticesClient(), /*ciiClient*/ clients.DefaultVulnerabilitiesClient(), /*vulnClient*/ - retErr + nil } diff --git a/clients/githubrepo/client.go b/clients/githubrepo/client.go index 612ccc83e5e..a8b44e7d793 100644 --- a/clients/githubrepo/client.go +++ b/clients/githubrepo/client.go @@ -304,6 +304,9 @@ func CreateGithubRepoClient(ctx context.Context, logger *log.Logger) clients.Rep // CreateOssFuzzRepoClient returns a RepoClient implementation // intialized to `google/oss-fuzz` GitHub repository. +// +// Deprecated: Searching the github.com/google/oss-fuzz repo for projects is flawed. Use a constructor +// from clients/ossfuzz instead. https://github.com/ossf/scorecard/issues/2670 func CreateOssFuzzRepoClient(ctx context.Context, logger *log.Logger) (clients.RepoClient, error) { ossFuzzRepo, err := MakeGithubRepo("google/oss-fuzz") if err != nil { diff --git a/clients/ossfuzz/client.go b/clients/ossfuzz/client.go new file mode 100644 index 00000000000..a942c28945c --- /dev/null +++ b/clients/ossfuzz/client.go 
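Review bot: `GetClients` now passes the lazy `ossfuzz.CreateOSSFuzzClient(ossfuzz.StatusURL)` and returns a literal `nil` as its last value on this path, so an unreachable or malformed status file is no longer reported here but only when something first calls `Search` on the client. `cmd/serve.go` and the cron worker switch to `CreateOSSFuzzClientEager` in the same patch, so the call sites now fail at different moments. If the deferred failure is intended, a comment on the argument would record it: `// lazy: the status file is fetched on first Search, so fetch errors surface there, not here`. The start of `GetClients` is outside the hunk.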
@@ -0,0 +1,259 @@ +// Copyright 2023 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ossfuzz + +import ( + "encoding/json" + "errors" + "fmt" + "io" + "net/http" + "net/url" + "strings" + "sync" + "time" + + "github.com/ossf/scorecard/v4/clients" +) + +const ( + StatusURL = "https://oss-fuzz-build-logs.storage.googleapis.com/status.json" +) + +var ( + errUnreachableStatusFile = errors.New("could not fetch OSS Fuzz status file") + errMalformedURL = errors.New("malformed repo url") +) + +type client struct { + err error + projects map[string]bool + statusURL string + once sync.Once +} + +type ossFuzzStatus struct { + Projects []struct { + RepoURI string `json:"main_repo"` + } `json:"projects"` +} + +// CreateOSSFuzzClient returns a client which implements RepoClient interface. +func CreateOSSFuzzClient(ossFuzzStatusURL string) clients.RepoClient { + return &client{ + statusURL: ossFuzzStatusURL, + projects: map[string]bool{}, + } +} + +// CreateOSSFuzzClientEager returns a OSS Fuzz Client which has already fetched and parsed the status file. +func CreateOSSFuzzClientEager(ossFuzzStatusURL string) (clients.RepoClient, error) { + c := client{ + statusURL: ossFuzzStatusURL, + projects: map[string]bool{}, + } + c.once.Do(func() { + c.init() + }) + if c.err != nil { + return nil, c.err + } + return &c, nil +} + +// Search implements RepoClient.Search. 
+func (c *client) Search(request clients.SearchRequest) (clients.SearchResponse, error) { + c.once.Do(func() { + c.init() + }) + var sr clients.SearchResponse + if c.err != nil { + return sr, c.err + } + if c.projects[request.Query] { + sr.Hits = 1 + } + return sr, nil +} + +func (c *client) init() { + b, err := fetchStatusFile(c.statusURL) + if err != nil { + c.err = err + return + } + if err = parseStatusFile(b, c.projects); err != nil { + c.err = err + return + } +} + +func parseStatusFile(contents []byte, m map[string]bool) error { + status := ossFuzzStatus{} + if err := json.Unmarshal(contents, &status); err != nil { + return fmt.Errorf("parse status file: %w", err) + } + for i := range status.Projects { + repoURI := status.Projects[i].RepoURI + normalizedRepoURI, err := normalize(repoURI) + if err != nil { + continue + } + m[normalizedRepoURI] = true + } + return nil +} + +func fetchStatusFile(uri string) ([]byte, error) { + //nolint:gosec // URI comes from a constant or a test HTTP server, not user input + resp, err := http.Get(uri) + if err != nil { + return nil, fmt.Errorf("http.Get: %w", err) + } + defer resp.Body.Close() + if resp.StatusCode >= 400 { + return nil, fmt.Errorf("%s: %w", resp.Status, errUnreachableStatusFile) + } + b, err := io.ReadAll(resp.Body) + if err != nil { + return nil, fmt.Errorf("io.ReadAll: %w", err) + } + return b, nil +} + +func normalize(rawURL string) (string, error) { + u, err := url.Parse(rawURL) + if err != nil { + return "", fmt.Errorf("url.Parse: %w", err) + } + const splitLen = 2 + split := strings.SplitN(strings.Trim(u.Path, "/"), "/", splitLen) + if len(split) != splitLen { + return "", fmt.Errorf("%s: %w", rawURL, errMalformedURL) + } + org := split[0] + repo := strings.TrimSuffix(split[1], ".git") + return fmt.Sprintf("%s/%s/%s", u.Host, org, repo), nil +} + +// URI implements RepoClient.URI. +func (c *client) URI() string { + return c.statusURL +} + +// InitRepo implements RepoClient.InitRepo. 
+func (c *client) InitRepo(inputRepo clients.Repo, commitSHA string, commitDepth int) error { + return fmt.Errorf("InitRepo: %w", clients.ErrUnsupportedFeature) +} + +// IsArchived implements RepoClient.IsArchived. +func (c *client) IsArchived() (bool, error) { + return false, fmt.Errorf("IsArchived: %w", clients.ErrUnsupportedFeature) +} + +// LocalPath implements RepoClient.LocalPath. +func (c *client) LocalPath() (string, error) { + return "", fmt.Errorf("LocalPath: %w", clients.ErrUnsupportedFeature) +} + +// ListFiles implements RepoClient.ListFiles. +func (c *client) ListFiles(predicate func(string) (bool, error)) ([]string, error) { + return nil, fmt.Errorf("ListFiles: %w", clients.ErrUnsupportedFeature) +} + +// GetFileContent implements RepoClient.GetFileContent. +func (c *client) GetFileContent(filename string) ([]byte, error) { + return nil, fmt.Errorf("GetFileContent: %w", clients.ErrUnsupportedFeature) +} + +// GetBranch implements RepoClient.GetBranch. +func (c *client) GetBranch(branch string) (*clients.BranchRef, error) { + return nil, fmt.Errorf("GetBranch: %w", clients.ErrUnsupportedFeature) +} + +// GetDefaultBranch implements RepoClient.GetDefaultBranch. +func (c *client) GetDefaultBranch() (*clients.BranchRef, error) { + return nil, fmt.Errorf("GetDefaultBranch: %w", clients.ErrUnsupportedFeature) +} + +// GetDefaultBranchName implements RepoClient.GetDefaultBranchName. +func (c *client) GetDefaultBranchName() (string, error) { + return "", fmt.Errorf("GetDefaultBranchName: %w", clients.ErrUnsupportedFeature) +} + +// ListCommits implements RepoClient.ListCommits. +func (c *client) ListCommits() ([]clients.Commit, error) { + return nil, fmt.Errorf("ListCommits: %w", clients.ErrUnsupportedFeature) +} + +// ListIssues implements RepoClient.ListIssues. +func (c *client) ListIssues() ([]clients.Issue, error) { + return nil, fmt.Errorf("ListIssues: %w", clients.ErrUnsupportedFeature) +} + +// ListReleases implements RepoClient.ListReleases. 
+func (c *client) ListReleases() ([]clients.Release, error) { + return nil, fmt.Errorf("ListReleases: %w", clients.ErrUnsupportedFeature) +} + +// ListContributors implements RepoClient.ListContributors. +func (c *client) ListContributors() ([]clients.User, error) { + return nil, fmt.Errorf("ListContributors: %w", clients.ErrUnsupportedFeature) +} + +// ListSuccessfulWorkflowRuns implements RepoClient.ListSuccessfulWorkflowRuns. +func (c *client) ListSuccessfulWorkflowRuns(filename string) ([]clients.WorkflowRun, error) { + return nil, fmt.Errorf("ListSuccessfulWorkflowRuns: %w", clients.ErrUnsupportedFeature) +} + +// ListCheckRunsForRef implements RepoClient.ListCheckRunsForRef. +func (c *client) ListCheckRunsForRef(ref string) ([]clients.CheckRun, error) { + return nil, fmt.Errorf("ListCheckRunsForRef: %w", clients.ErrUnsupportedFeature) +} + +// ListStatuses implements RepoClient.ListStatuses. +func (c *client) ListStatuses(ref string) ([]clients.Status, error) { + return nil, fmt.Errorf("ListStatuses: %w", clients.ErrUnsupportedFeature) +} + +// ListWebhooks implements RepoClient.ListWebhooks. +func (c *client) ListWebhooks() ([]clients.Webhook, error) { + return nil, fmt.Errorf("ListWebhooks: %w", clients.ErrUnsupportedFeature) +} + +// SearchCommits implements RepoClient.SearchCommits. +func (c *client) SearchCommits(request clients.SearchCommitsOptions) ([]clients.Commit, error) { + return nil, fmt.Errorf("SearchCommits: %w", clients.ErrUnsupportedFeature) +} + +// Close implements RepoClient.Close. +func (c *client) Close() error { + return nil +} + +// ListProgrammingLanguages implements RepoClient.ListProgrammingLanguages. +func (c *client) ListProgrammingLanguages() ([]clients.Language, error) { + return nil, fmt.Errorf("ListProgrammingLanguages: %w", clients.ErrUnsupportedFeature) +} + +// ListLicenses implements RepoClient.ListLicenses. 
+func (c *client) ListLicenses() ([]clients.License, error) { + return nil, fmt.Errorf("ListLicenses: %w", clients.ErrUnsupportedFeature) +} + +// GetCreatedAt implements RepoClient.GetCreatedAt. +func (c *client) GetCreatedAt() (time.Time, error) { + return time.Time{}, fmt.Errorf("GetCreatedAt: %w", clients.ErrUnsupportedFeature) +} diff --git a/clients/ossfuzz/client_test.go b/clients/ossfuzz/client_test.go new file mode 100644 index 00000000000..d7c18720afe --- /dev/null +++ b/clients/ossfuzz/client_test.go 
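Review bot: `fetchStatusFile` calls `http.Get`, which uses the default client with no timeout, and then reads the whole body with `io.ReadAll`, so a stalled or oversized response from the status endpoint can block the caller or exhaust its memory; both should be bounded. Because `init` runs under `sync.Once` and stores its outcome in `c.err`, a single transient failure is also returned by every later `Search` on a lazy client, which deserves a sentence in the doc comment of `CreateOSSFuzzClient`. `normalize` keeps host and path case as given and `Search` does an exact map lookup, so a query that differs only in letter case would presumably miss unless callers already normalise. The sketch below bounds the fetch using packages the file already imports; the timeout and size cap are constructed values.

```go
// Constructed limits; pick values that fit the real status file.
const (
	statusFetchTimeout = 30 * time.Second
	maxStatusFileBytes = 64 << 20
)

func fetchStatusFile(uri string) ([]byte, error) {
	httpClient := &http.Client{Timeout: statusFetchTimeout}
	//nolint:gosec // URI comes from a constant or a test HTTP server, not user input
	resp, err := httpClient.Get(uri)
	// … unchanged: error check, deferred Close, status code check …
	b, err := io.ReadAll(io.LimitReader(resp.Body, maxStatusFileBytes+1))
	if err != nil {
		return nil, fmt.Errorf("io.ReadAll: %w", err)
	}
	if len(b) > maxStatusFileBytes {
		return nil, fmt.Errorf("status file exceeds %d bytes: %w", maxStatusFileBytes, errUnreachableStatusFile)
	}
	return b, nil
}
```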
@@ -0,0 +1,182 @@ +// Copyright 2023 OpenSSF Scorecard Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +package ossfuzz + +import ( + "fmt" + "net/http" + "net/http/httptest" + "os" + "testing" + + "github.com/ossf/scorecard/v4/clients" +) + +func TestClient(t *testing.T) { + t.Parallel() + tests := []struct { + name string + project string + statusFile string + wantHit bool + wantErr bool + }{ + { + name: "present project", + project: "github.com/ossf/scorecard", + statusFile: "status.json", + wantHit: true, + wantErr: false, + }, + { + name: "non existent project", + project: "github.com/not/here", + statusFile: "status.json", + wantHit: false, + wantErr: false, + }, + { + name: "non existent project which is a substring of a present project", + project: "github.com/ossf/score", + statusFile: "status.json", + wantHit: false, + wantErr: false, + }, + { + name: "non existent status file", + project: "github.com/ossf/scorecard", + statusFile: "not_here.json", + wantHit: false, + wantErr: true, + }, + { + name: "invalid status file", + project: "github.com/ossf/scorecard", + statusFile: "invalid.json", + wantHit: false, + wantErr: true, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + url := setupServer(t) + statusURL := fmt.Sprintf("%s/%s", url, tt.statusFile) + c := CreateOSSFuzzClient(statusURL) + req := clients.SearchRequest{Query: tt.project} + resp, err := c.Search(req) + if (err != nil) 
!= tt.wantErr { + t.Fatalf("got err %v, wantedErr: %t", err, tt.wantErr) + } + if (resp.Hits > 0) != tt.wantHit { + t.Errorf("wantHit: %t, got %d hits", tt.wantHit, resp.Hits) + } + }) + } +} + +func TestClientEager(t *testing.T) { + t.Parallel() + tests := []struct { + name string + project string + statusFile string + wantHit bool + wantSearchErr bool + wantCreateErr bool + }{ + { + name: "present project", + project: "github.com/ossf/scorecard", + statusFile: "status.json", + wantHit: true, + wantSearchErr: false, + wantCreateErr: false, + }, + { + name: "non existent project", + project: "github.com/not/here", + statusFile: "status.json", + wantHit: false, + wantSearchErr: false, + wantCreateErr: false, + }, + { + name: "non existent project which is a substring of a present project", + project: "github.com/ossf/score", + statusFile: "status.json", + wantHit: false, + wantSearchErr: false, + wantCreateErr: false, + }, + { + name: "non existent status file", + project: "github.com/ossf/scorecard", + statusFile: "not_here.json", + wantHit: false, + wantSearchErr: false, + wantCreateErr: true, + }, + { + name: "invalid status file", + project: "github.com/ossf/scorecard", + statusFile: "invalid.json", + wantHit: false, + wantSearchErr: false, + wantCreateErr: true, + }, + } + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + url := setupServer(t) + statusURL := fmt.Sprintf("%s/%s", url, tt.statusFile) + c, err := CreateOSSFuzzClientEager(statusURL) + if (err != nil) != tt.wantCreateErr { + t.Fatalf("got err %v, wantCreateErr: %t", err, tt.wantCreateErr) + } + if c == nil && tt.wantCreateErr { + return + } + req := clients.SearchRequest{Query: tt.project} + resp, err := c.Search(req) + if (err != nil) != tt.wantSearchErr { + t.Fatalf("got err %v, wantSearchErr: %t", err, tt.wantSearchErr) + } + if (resp.Hits > 0) != tt.wantHit { + t.Errorf("wantHit: %t, got %d hits", tt.wantHit, resp.Hits) + } + }) + } +} + +func 
setupServer(t *testing.T) string { + t.Helper() + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + b, err := os.ReadFile("./testdata" + r.URL.Path) + if err != nil { + t.Logf("os.ReadFile: %v", err) + w.WriteHeader(http.StatusInternalServerError) + return + } + w.WriteHeader(http.StatusOK) + //nolint:errcheck + w.Write(b) + })) + t.Cleanup(server.Close) + return server.URL +} diff --git a/clients/ossfuzz/testdata/invalid.json b/clients/ossfuzz/testdata/invalid.json new file mode 100644 index 00000000000..394408f38cd --- /dev/null +++ b/clients/ossfuzz/testdata/invalid.json @@ -0,0 +1,10 @@ +} + "projects": [ + { + "name": "ansible" + }, + { + "name": "zydis" + } + ] +{ diff --git a/clients/ossfuzz/testdata/status.json b/clients/ossfuzz/testdata/status.json new file mode 100644 index 00000000000..913ad5e7391 --- /dev/null +++ b/clients/ossfuzz/testdata/status.json @@ -0,0 +1,24 @@ +{ + "projects": [ + { + "name": "ossf-scorecard", + "main_repo": "https://github.com/ossf/scorecard" + }, + { + "name": "scorecard-web", + "main_repo": "https://github.com/ossf/scorecard-webapp" + }, + { + "name": "xz", + "main_repo": "https://git.tukaani.org/xz.git" + }, + { + "name": "zetasql", + "main_repo": null + }, + { + "name": "zydis", + "main_repo": "https://github.com/zyantific/zydis.git" + } + ] +} diff --git a/cmd/serve.go b/cmd/serve.go index 412db075ca5..65f4ea50bca 100644 --- a/cmd/serve.go +++ b/cmd/serve.go @@ -26,6 +26,7 @@ import ( "github.com/ossf/scorecard/v4/checks" "github.com/ossf/scorecard/v4/clients" "github.com/ossf/scorecard/v4/clients/githubrepo" + "github.com/ossf/scorecard/v4/clients/ossfuzz" "github.com/ossf/scorecard/v4/log" "github.com/ossf/scorecard/v4/options" "github.com/ossf/scorecard/v4/pkg" 
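Review bot: `setupServer` builds the file name as `"./testdata" + r.URL.Path` and answers a missing file with 500, so the request path is not confined to `testdata` and the "non existent status file" cases pass only because 500 happens to satisfy the `>= 400` check. `http.FileServer` does both jobs and keeps lookups inside the directory: `server := httptest.NewServer(http.FileServer(http.Dir("testdata")))`. That also removes the need for `//nolint:errcheck` on `w.Write`.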
@@ -60,7 +61,7 @@ func serveCmd(o *options.Options) *cobra.Command { } ctx := r.Context() repoClient := githubrepo.CreateGithubRepoClient(ctx, logger) - ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(ctx, logger) + ossFuzzRepoClient, err := ossfuzz.CreateOSSFuzzClientEager(ossfuzz.StatusURL) vulnsClient := clients.DefaultVulnerabilitiesClient() if err != nil { logger.Error(err, "initializing clients") diff --git a/cron/internal/worker/main.go b/cron/internal/worker/main.go index f5555f1a2f1..422d4da2792 100644 --- a/cron/internal/worker/main.go +++ b/cron/internal/worker/main.go @@ -30,6 +30,7 @@ import ( "github.com/ossf/scorecard/v4/clients" "github.com/ossf/scorecard/v4/clients/githubrepo" githubstats "github.com/ossf/scorecard/v4/clients/githubrepo/stats" + "github.com/ossf/scorecard/v4/clients/ossfuzz" "github.com/ossf/scorecard/v4/cron/config" "github.com/ossf/scorecard/v4/cron/data" format "github.com/ossf/scorecard/v4/cron/internal/format" @@ -92,8 +93,8 @@ func newScorecardWorker() (*ScorecardWorker, error) { sw.logger = log.NewLogger(log.InfoLevel) sw.repoClient = githubrepo.CreateGithubRepoClient(sw.ctx, sw.logger) sw.ciiClient = clients.BlobCIIBestPracticesClient(ciiDataBucketURL) - if sw.ossFuzzRepoClient, err = githubrepo.CreateOssFuzzRepoClient(sw.ctx, sw.logger); err != nil { - return nil, fmt.Errorf("githubrepo.CreateOssFuzzRepoClient: %w", err) + if sw.ossFuzzRepoClient, err = ossfuzz.CreateOSSFuzzClientEager(ossfuzz.StatusURL); err != nil { + return nil, fmt.Errorf("ossfuzz.CreateOSSFuzzClientEager: %w", err) } sw.vulnsClient = clients.DefaultVulnerabilitiesClient() diff --git a/e2e/fuzzing_test.go b/e2e/fuzzing_test.go index e85f80b5ab0..ad872ea3e12 100644 --- a/e2e/fuzzing_test.go +++ b/e2e/fuzzing_test.go 
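Review bot: `ossfuzz.CreateOSSFuzzClientEager(ossfuzz.StatusURL)` sits directly after `ctx := r.Context()`, which suggests it runs inside the request handler, so every request would download and parse the full status file before any check starts, and that fetch is not tied to the request context. Creating the client once when `serveCmd` sets up the handler (or sharing one lazy client) keeps the per-request cost constant and removes an outbound fetch that any caller of the endpoint can trigger. The handler's start is outside the hunk, so confirm the scope before moving it.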
@@ -25,21 +25,20 @@ import ( "github.com/ossf/scorecard/v4/checks/raw" "github.com/ossf/scorecard/v4/clients" "github.com/ossf/scorecard/v4/clients/githubrepo" + "github.com/ossf/scorecard/v4/clients/ossfuzz" scut "github.com/ossf/scorecard/v4/utests" ) var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() { Context("E2E TEST:Validating use of fuzzing tools", func() { It("Should return use of OSS-Fuzz", func() { - //nolint:lll - Skip("Skipping OSS-Fuzz test due to issues searching google/oss-fuzz with the REST API. https://github.com/ossf/scorecard/issues/2670") dl := scut.TestDetailLogger{} repo, err := githubrepo.MakeGithubRepo("tensorflow/tensorflow") Expect(err).Should(BeNil()) repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger) err = repoClient.InitRepo(repo, clients.HeadSHA, 0) Expect(err).Should(BeNil()) - ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger) + ossFuzzRepoClient, err := ossfuzz.CreateOSSFuzzClientEager(ossfuzz.StatusURL) Expect(err).Should(BeNil()) req := checker.CheckRequest{ Ctx: context.Background(), @@ -67,7 +66,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() { repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger) err = repoClient.InitRepo(repo, clients.HeadSHA, 0) Expect(err).Should(BeNil()) - ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger) + ossFuzzRepoClient, err := ossfuzz.CreateOSSFuzzClientEager(ossfuzz.StatusURL) Expect(err).Should(BeNil()) req := checker.CheckRequest{ Ctx: context.Background(), 
@@ -95,7 +94,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() { repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger) err = repoClient.InitRepo(repo, clients.HeadSHA, 0) Expect(err).Should(BeNil()) - ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger) + ossFuzzRepoClient, err := ossfuzz.CreateOSSFuzzClientEager(ossfuzz.StatusURL) Expect(err).Should(BeNil()) req := checker.CheckRequest{ Ctx: context.Background(), @@ -123,7 +122,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() { repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger) err = repoClient.InitRepo(repo, clients.HeadSHA, 0) Expect(err).Should(BeNil()) - ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger) + ossFuzzRepoClient, err := ossfuzz.CreateOSSFuzzClientEager(ossfuzz.StatusURL) Expect(err).Should(BeNil()) req := checker.CheckRequest{ Ctx: context.Background(), @@ -143,7 +142,7 @@ var _ = Describe("E2E TEST:"+checks.CheckFuzzing, func() { repoClient := githubrepo.CreateGithubRepoClient(context.Background(), logger) err = repoClient.InitRepo(repo, clients.HeadSHA, 0) Expect(err).Should(BeNil()) - ossFuzzRepoClient, err := githubrepo.CreateOssFuzzRepoClient(context.Background(), logger) + ossFuzzRepoClient, err := ossfuzz.CreateOSSFuzzClientEager(ossfuzz.StatusURL) Expect(err).Should(BeNil()) req := checker.CheckRequest{ Ctx: context.Background(), From 0bed3da7f1ff224df9584b9acc46d6d7d507e6b4 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Mar 2023 12:48:08 -0600 Subject: [PATCH 10/19] :seedling: Bump github.com/jszwec/csvutil from 1.7.1 to 1.8.0 (#2698) Bumps [github.com/jszwec/csvutil](https://github.com/jszwec/csvutil) from 1.7.1 to 1.8.0. - [Release notes](https://github.com/jszwec/csvutil/releases) - [Commits](https://github.com/jszwec/csvutil/compare/v1.7.1...v1.8.0) --- updated-dependencies: - dependency-name: github.com/jszwec/csvutil dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 2 +- go.sum | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/go.mod b/go.mod index 7a348da0004..7542a96aac7 100644 --- a/go.mod +++ b/go.mod @@ -23,7 +23,7 @@ require ( github.com/google/go-github/v38 v38.1.0 github.com/grafeas/kritis v0.2.3-0.20210120183821-faeba81c520c github.com/h2non/filetype v1.1.3 - github.com/jszwec/csvutil v1.7.1 + github.com/jszwec/csvutil v1.8.0 github.com/moby/buildkit v0.10.3 github.com/olekukonko/tablewriter v0.0.5 github.com/onsi/gomega v1.24.2 diff --git a/go.sum b/go.sum index c01c589fcf2..c1bcd5d036d 100644 --- a/go.sum +++ b/go.sum 
@@ -667,8 +667,8 @@ github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnr github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo= github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= -github.com/jszwec/csvutil v1.7.1 h1:btxPxFwms8lHMgl0OIgOQ4Tayfqo0xid0hGkq1kM510= -github.com/jszwec/csvutil v1.7.1/go.mod h1:Rpu7Uu9giO9subDyMCIQfHVDuLrcaC36UA4YcJjGBkg= +github.com/jszwec/csvutil v1.8.0 h1:G7vS2LGdpZZDH1HmHeNbxOaJ/ZnJlpwGFvOkTkJzzNk= +github.com/jszwec/csvutil v1.8.0/go.mod h1:/E4ONrmGkwmWsk9ae9jpXnv9QT8pLHEPcCirMFhxG9I= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= From fb12a395299682fcba753a89c394e35e03f77ad3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Mar 2023 21:14:43 +0000 Subject: [PATCH 11/19] :seedling: Bump github.com/google/ko in /tools Bumps [github.com/google/ko](https://github.com/google/ko) from 0.11.3-0.20220812194550-f9b4471f654a to 0.12.0. - [Release notes](https://github.com/google/ko/releases) - [Commits](https://github.com/google/ko/commits/v0.12.0) --- updated-dependencies: - dependency-name: github.com/google/ko dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- tools/go.mod | 4 ++-- tools/go.sum | 43 ++++--------------------------------------- 2 files changed, 6 insertions(+), 41 deletions(-) diff --git a/tools/go.mod b/tools/go.mod index 041809e3fed..b843fa49aef 100644 --- a/tools/go.mod +++ b/tools/go.mod 
@@ -6,7 +6,7 @@ require ( github.com/golang/mock v1.6.0 github.com/golangci/golangci-lint v1.50.1 github.com/google/addlicense v1.1.1 - github.com/google/ko v0.11.3-0.20220812194550-f9b4471f654a + github.com/google/ko v0.12.0 github.com/goreleaser/goreleaser v1.14.1 github.com/naveensrinivasan/stunning-tribble v0.4.2 github.com/onsi/ginkgo/v2 v2.8.3 @@ -362,7 +362,7 @@ require ( gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect honnef.co/go/tools v0.3.3 // indirect - k8s.io/apimachinery v0.24.3 // indirect + k8s.io/apimachinery v0.24.4 // indirect k8s.io/klog/v2 v2.70.1 // indirect k8s.io/utils v0.0.0-20220812165043-ad590609e2e5 // indirect mvdan.cc/gofumpt v0.4.0 // indirect diff --git a/tools/go.sum b/tools/go.sum index bf211cf9971..339e0cea7bc 100644 --- a/tools/go.sum +++ b/tools/go.sum @@ -153,7 +153,6 @@ github.com/Azure/azure-sdk-for-go v51.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo github.com/Azure/azure-sdk-for-go v56.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v59.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v63.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/azure-sdk-for-go v64.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v65.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v66.0.0+incompatible h1:bmmC38SlE8/E81nNADlgmVGurPWMHDX2YNXVQMrBpEE= github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= 
@@ -371,7 +370,6 @@ github.com/alingse/asasalint v0.0.11/go.mod h1:nCaoMhw7a9kSJObvQyVzNTPBDbNpdocqr github.com/aliyun/credentials-go v1.1.2/go.mod h1:ozcZaMR5kLM7pwtCMEpVmQ242suV6qTJya2bDq4X1Tw= github.com/aliyun/credentials-go v1.2.3/go.mod h1:/KowD1cfGSLrLsH28Jr8W+xwoId0ywIy5lNzDz6O1vw= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= -github.com/andybalholm/brotli v1.0.0/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= github.com/andybalholm/brotli v1.0.1/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y= github.com/andybalholm/brotli v1.0.3/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig= @@ -431,7 +429,6 @@ github.com/aws/aws-sdk-go v1.43.9/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4o github.com/aws/aws-sdk-go v1.43.11/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.43.16/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.43.31/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go v1.44.12/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.44.22/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.44.37/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/aws/aws-sdk-go v1.44.45/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= 
@@ -646,7 +643,6 @@ github.com/caarlos0/sshmarshal v0.0.0-20220308164159-9ddb9f83c6b3 h1:w2ANoiT4ubm github.com/caarlos0/testfs v0.4.4 h1:3PHvzHi5Lt+g332CiShwS8ogTgS3HjrmzZxCm6JCDr8= github.com/caarlos0/testfs v0.4.4/go.mod h1:bRN55zgG4XCUVVHZCeU+/Tz1Q6AxEJOEJTliBy+1DMk= github.com/campoy/unique v0.0.0-20180121183637-88950e537e7e/go.mod h1:9IOqJGCPMSc6E5ydlp5NIonxObaeu/Iub/X03EKPVYo= -github.com/carolynvs/magex v0.6.0/go.mod h1:hqaEkr9TAv+kFb/5wgDiTdszF13rpe0Q+bWHmTe6N74= github.com/carolynvs/magex v0.9.0/go.mod h1:H1LW6RYJ/sNbisMmPe9E73aJZa8geKLKK9mBWLWz3ek= github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ= github.com/cavaliercoder/badio v0.0.0-20160213150051-ce5280129e9e/go.mod h1:V284PjgVwSk4ETmz84rpu9ehpGg7swlIH8npP9k2bGw= @@ -799,7 +795,6 @@ github.com/containerd/nri v0.0.0-20201007170849-eb1350a75164/go.mod h1:+2wGSDGFY github.com/containerd/nri v0.0.0-20210316161719-dbaa18c31c14/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= github.com/containerd/nri v0.1.0/go.mod h1:lmxnXF6oMkbqs39FiCt1s0R2HSMhcLel9vNL3m4AaeY= github.com/containerd/stargz-snapshotter/estargz v0.4.1/go.mod h1:x7Q9dg9QYb4+ELgxmo4gBUeJB0tl5dqH1Sdz0nJU1QM= -github.com/containerd/stargz-snapshotter/estargz v0.10.1/go.mod h1:aE5PCyhFMwR8sbrErO5eM2GcvkyXTTJremG883D4qF0= github.com/containerd/stargz-snapshotter/estargz v0.11.4/go.mod h1:7vRJIcImfY8bpifnMjt+HTJoQxASq7T28MYbP15/Nf0= github.com/containerd/stargz-snapshotter/estargz v0.12.0 h1:idtwRTLjk2erqiYhPWy2L844By8NRFYEwYHcXhoIWPM= github.com/containerd/stargz-snapshotter/estargz v0.12.0/go.mod h1:AIQ59TewBFJ4GOPEQXujcrJ/EKxh5xXZegW1rkR1P/M= 
@@ -928,7 +923,6 @@ github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/ github.com/dnaeon/go-vcr v1.2.0 h1:zHCHvJYTMh1N7xnV7zf1m1GPBF9Ad0Jk/whtQ1663qI= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v20.10.12+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v20.10.16+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/cli v20.10.17+incompatible h1:eO2KS7ZFeov5UJeaDmIs1NFEDRf32PaqRpvoEkKBy5M= github.com/docker/cli v20.10.17+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= @@ -938,7 +932,6 @@ github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4Kfc github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68= github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v20.10.12+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.14+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.16+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.17+incompatible h1:JYCuMrWaVNophQTOrMMoSwudOVEfcegoZZrleKc1xwE= 
@@ -960,7 +953,6 @@ github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZ github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936 h1:PRxIJD8XjimM5aTknUK9w6DHLDox2r2M3DI4i2pnd3w= github.com/dprotaso/go-yit v0.0.0-20220510233725-9ba8df137936/go.mod h1:ttYvX5qlB+mlV1okblJqcSMtR4c52UKxDiX9GRBS8+Q= -github.com/dsnet/compress v0.0.1/go.mod h1:Aw8dCMJ7RioblQeTqt88akK31OvO8Dhf5JflhBbQEHo= github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5/go.mod h1:qssHWj60/X5sZFNxpG4HBPDHVqxNm4DfnCKgrbZOT+s= github.com/dsnet/golib v0.0.0-20171103203638-1ea166775780/go.mod h1:Lj+Z9rebOhdfkVLjJ8T6VcRQv3SXugXy999NBtR9aFY= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= @@ -1179,7 +1171,6 @@ github.com/go-redis/redis v6.15.9+incompatible/go.mod h1:NAIEuMOZ/fxfXJIrKDQDz8w github.com/go-redis/redis/v8 v8.11.4/go.mod h1:2Z2wHZXdQpCDXEGzqMockDpNyYvi2l4Pxt6RJr792+w= github.com/go-redis/redis/v8 v8.11.5/go.mod h1:gREzHqY1hg6oD9ngVRbLStwAWKhA0FEgq8Jd4h5lpwo= github.com/go-resty/resty/v2 v2.1.1-0.20191201195748-d7b97669fe48/go.mod h1:dZGr0i9PLlaaTD4H/hoZIDjQ+r6xq8mgbRzHZf7f2J8= -github.com/go-rod/rod v0.106.6/go.mod h1:xkZOchuKqTOkMOBkrzb7uJpbKZRab1haPCWDvuZkS2U= github.com/go-rod/rod v0.106.8/go.mod h1:xkZOchuKqTOkMOBkrzb7uJpbKZRab1haPCWDvuZkS2U= github.com/go-rod/rod v0.109.1/go.mod h1:GZDtmEs6RpF6kBRYpGCZXxXlKNneKVPiKOjaMbmVVjE= github.com/go-rod/rod v0.109.3/go.mod h1:GZDtmEs6RpF6kBRYpGCZXxXlKNneKVPiKOjaMbmVVjE= 
@@ -1308,7 +1299,6 @@ github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzq github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= github.com/golang-jwt/jwt/v4 v4.2.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= @@ -1412,7 +1402,6 @@ github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeN github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/go-containerregistry v0.5.1/go.mod h1:Ct15B4yir3PLOP5jsy0GNeYVaIZs/MK/Jz5any1wFW0= -github.com/google/go-containerregistry v0.8.0/go.mod h1:wW5v71NHGnQyb4k+gSshjxidrC7lN33MdWEn+Mz9TsI= github.com/google/go-containerregistry v0.9.0/go.mod h1:9eq4BnSufyT1kHNffX+vSXVonaJ7yaIOulrKZejMxnQ= github.com/google/go-containerregistry v0.11.0 h1:Xt8x1adcREjFcmDoDK8OdOsjxu90PHkGuwNP8GiHMLM= github.com/google/go-containerregistry v0.11.0/go.mod h1:BBaYtsHPHA42uEgAvd/NejvAfPSlz281sJWqupjSxfk= 
@@ -1434,8 +1423,8 @@ github.com/google/go-replayers/httpreplay v1.1.1/go.mod h1:gN9GeLIs7l6NUoVaSSnv2 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= -github.com/google/ko v0.11.3-0.20220812194550-f9b4471f654a h1:KxTmz2S815x1vX3PlRZmBnB80OOaW+fqk0HxK7cQtPQ= -github.com/google/ko v0.11.3-0.20220812194550-f9b4471f654a/go.mod h1:RUO+8DlfPp5EH2jZju0nU4VnLlyE965vn2kE9V3aU3M= +github.com/google/ko v0.12.0 h1:5CLEUCLgvPcf5JqV5V+UmzR3/3RUYIQ4EiRU91z3TqQ= +github.com/google/ko v0.12.0/go.mod h1:uwWZrVeJTaruVPNueWH5dvWb/UhfzhE1h8vaubmoOW0= github.com/google/licenseclassifier v0.0.0-20210325184830-bb04aff29e72/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M= github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs= github.com/google/martian v2.1.1-0.20190517191504-25dcb96d9e51+incompatible h1:xmapqc1AyLoB+ddYT6r04bD9lIjlOqGaREovi0SzFaE= @@ -1631,7 +1620,6 @@ github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PU github.com/hashicorp/go-secure-stdlib/mlock v0.1.1/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/mlock v0.1.2/go.mod h1:zq93CJChV6L9QTfGKtfBxKqD7BqqXx5O04A/ns2p5+I= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= -github.com/hashicorp/go-secure-stdlib/parseutil v0.1.2/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.5/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= github.com/hashicorp/go-secure-stdlib/parseutil v0.1.7/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= 
@@ -1671,7 +1659,6 @@ github.com/hashicorp/serf v0.9.5/go.mod h1:UWDWwZeL5cuWDJdl0C6wrvrUwEqtQ4ZKBKKEN github.com/hashicorp/serf v0.9.6/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= github.com/hashicorp/serf v0.9.7/go.mod h1:TXZNMjZQijwlDvp+r0b63xZ45H7JmCmgg4gpTwn9UV4= github.com/hashicorp/vault/api v1.4.1/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= -github.com/hashicorp/vault/api v1.5.0/go.mod h1:LkMdrZnWNrFaQyYYazWVn7KshilfDidgVBq6YiTq/bM= github.com/hashicorp/vault/api v1.6.0/go.mod h1:h1K70EO2DgnBaTz5IsL6D5ERsNt5Pce93ueVS2+t0Xc= github.com/hashicorp/vault/api v1.7.2/go.mod h1:xbfA+1AvxFseDzxxdWaL0uO99n1+tndus4GCrtouy0M= github.com/hashicorp/vault/sdk v0.4.1/go.mod h1:aZ3fNuL5VNydQk8GcLJ2TV8YCRVvyaakYkhZRoVuhj0= @@ -1858,7 +1845,6 @@ github.com/kkHAIKE/contextcheck v1.1.3 h1:l4pNvrb8JSwRd51ojtcOxOeHJzHek+MtOyXbaR github.com/kkHAIKE/contextcheck v1.1.3/go.mod h1:PG/cwd6c0705/LM0KTr1acO2gORUxkSVWyLJOFW5qoo= github.com/klauspost/compress v1.4.1/go.mod h1:RyIbtBH6LamlWaDj8nUwkbUhJ87Yi3uG0guNDohfE1A= github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= -github.com/klauspost/compress v1.10.10/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.11.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.11.4/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.11.13/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= 
@@ -1873,7 +1859,6 @@ github.com/klauspost/compress v1.15.8/go.mod h1:PhcZ0MbTNciWF3rruxRgKxI5NkcHHrHU github.com/klauspost/compress v1.15.13 h1:NFn1Wr8cfnenSJSA46lLq4wHCcBzKTSjnBIexDMMOV0= github.com/klauspost/compress v1.15.13/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= github.com/klauspost/cpuid v1.2.0/go.mod h1:Pj4uuM528wm8OyEC2QMXAi2YiTZ96dNQPGgoMS4s3ek= -github.com/klauspost/pgzip v1.2.4/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/klauspost/pgzip v1.2.5 h1:qnWYvvKqedOF2ulHpMG72XQol4ILEJ8k2wwRl/Km8oE= github.com/klauspost/pgzip v1.2.5/go.mod h1:Ch1tH69qFZu15pkjo5kYi6mth2Zzwzt50oCQKQE9RUs= github.com/kolo/xmlrpc v0.0.0-20201022064351-38db28db192b/go.mod h1:pcaDhQK0/NJZEvtCO0qQPPropqV0sJOJ6YW7X+9kRwM= @@ -1917,7 +1902,6 @@ github.com/leodido/go-urn v1.2.1/go.mod h1:zt4jvISO2HfUBqxjfIshjdMTYS56ZS/qv49ic github.com/leonklingele/grouper v1.1.0 h1:tC2y/ygPbMFSBOs3DcyaEMKnnwH7eYKzohOtRrf0SAg= github.com/leonklingele/grouper v1.1.0/go.mod h1:uk3I3uDfi9B6PeUjsCKi6ndcf63Uy7snXgR4yDYQVDY= github.com/letsencrypt/boulder v0.0.0-20220331220046-b23ab962616e/go.mod h1:Bl3mfF2LHYepsU2XfzMceIglyByfPe1IFAXtO+p37Qk= -github.com/letsencrypt/boulder v0.0.0-20220525221457-11544756bbe8/go.mod h1:x9RdAujFpZd2xjk013ik4PVSH/yjfvJs6GIvuPJHjlo= github.com/letsencrypt/boulder v0.0.0-20220723181115-27de4befb95e/go.mod h1:54WQpg5QI0mpRhxoj9bxysLqA5WJylVsLtXOrb3zAiU= github.com/letsencrypt/boulder v0.0.0-20220812202448-7cd35f43e9ae h1:fZLv1y7+z0mP8q3vl+NccszrtcHHoTWaxXTairkAbC8= github.com/letsencrypt/boulder v0.0.0-20220812202448-7cd35f43e9ae/go.mod h1:0CraW6DVrx+8by5pyvXpdg36Ma0aByNt+xNI6j9nWGI= 
@@ -1950,7 +1934,6 @@ github.com/luna-duclos/instrumentedsql v1.1.3/go.mod h1:9J1njvFds+zN7y85EDhN9XNQ github.com/lyft/protoc-gen-star v0.5.3/go.mod h1:V0xaHgaf5oCCqmcxYcWiDfTiKsZsRc87/1qhoTACD8w= github.com/lyft/protoc-gen-star v0.6.0/go.mod h1:TGAoBVkt8w7MPG72TrKIu85MIdXwDuzJYeZuUPFPNwA= github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ= -github.com/magefile/mage v1.11.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magefile/mage v1.13.0/go.mod h1:z5UZb/iS3GoOSn0JgWuiw7dxlurVYTu+/jHXqQg881A= github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ= 
@@ -2033,11 +2016,9 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5 github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369 h1:I0XW9+e1XWDxdcEniV4rQAIOPUGDq67JSCiRCgGCZLI= github.com/matttproud/golang_protobuf_extensions v1.0.2-0.20181231171920-c182affec369/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/maxbrunsfeld/counterfeiter/v6 v6.2.2/go.mod h1:eD9eIE7cdwcMi9rYluz88Jz2VyhSmden33/aXg4oVIY= -github.com/maxbrunsfeld/counterfeiter/v6 v6.4.1/go.mod h1:DK1Cjkc0E49ShgRVs5jy5ASrM15svSnem3K/hiSGD8o= github.com/maxbrunsfeld/counterfeiter/v6 v6.5.0/go.mod h1:fJ0UAZc1fx3xZhU4eSHQDJ1ApFmTVhp5VTpV9tm2ogg= github.com/mbilski/exhaustivestruct v1.2.0 h1:wCBmUnSYufAHO6J4AVWY6ff+oxWxsVFrwgOdMUQePUo= github.com/mbilski/exhaustivestruct v1.2.0/go.mod h1:OeTBVxQWoEmB2J2JCHmXWPJ0aksxSUOUy+nvtVEfzXc= -github.com/mediocregopher/radix/v4 v4.1.0/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE= github.com/mediocregopher/radix/v4 v4.1.1/go.mod h1:ajchozX/6ELmydxWeWM6xCFHVpZ4+67LXHOTOVR0nCE= github.com/mgechev/dots v0.0.0-20210922191527-e955255bf517/go.mod h1:KQ7+USdGKfpPjXk4Ga+5XxQM4Lm4e3gAogrreFAYpOg= github.com/mgechev/revive v1.1.2/go.mod h1:bnXsMr+ZTH09V5rssEI+jHAZ4z+ZdyhgO/zsy3EhK+0= 
@@ -2045,7 +2026,6 @@ github.com/mgechev/revive v1.2.4 h1:+2Hd/S8oO2H0Ikq2+egtNwQsVhAeELHjxjIUFX5ajLI= github.com/mgechev/revive v1.2.4/go.mod h1:iAWlQishqCuj4yhV24FTnKSXGpbAA+0SckXB8GQMX/Q= github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= -github.com/mholt/archiver/v3 v3.5.0/go.mod h1:qqTTPUK/HZPFgFQ/TJ3BzvTpF/dPtFVJXdQbCmeMxwc= github.com/mholt/archiver/v3 v3.5.1/go.mod h1:e3dqJ7H78uzsRSEACH1joayhuSyhnonssnDhppzS1L4= github.com/microcosm-cc/bluemonday v1.0.2/go.mod h1:iVP4YcDBq+n/5fb23BhYFvIMq/leAFZyRl6bYmGDlGc= github.com/microsoft/ApplicationInsights-Go v0.4.4/go.mod h1:fKRUseBqkw6bDiXTs3ESTiU/4YTIHsQS4W3fP2ieF4U= @@ -2100,7 +2080,6 @@ github.com/moby/sys/signal v0.6.0/go.mod h1:GQ6ObYZfqacOwTtlXvcmh9A26dVRul/hbOZn github.com/moby/sys/symlink v0.1.0/go.mod h1:GGDODQmbFOjFsXvfLVn3+ZRxkch54RkSiGqsZeMYowQ= github.com/moby/sys/symlink v0.2.0/go.mod h1:7uZVF2dqJjG/NsClqul95CqKOBRQyYSNnJ6BMgR/gFs= github.com/moby/term v0.0.0-20200312100748-672ec06f55cd/go.mod h1:DdlQx2hp0Ss5/fLikoLlEeIYiATotOjgB//nb973jeo= -github.com/moby/term v0.0.0-20201216013528-df9cb8a40635/go.mod h1:FBS0z0QWA44HXygs7VXDUOGoN/1TV3RuWkLO04am3wc= github.com/moby/term v0.0.0-20210610120745-9d4ed1856297/go.mod h1:vgPCkQMyxTZ7IDy8SXRufE172gr8+K/JE/7hHFxHW3A= github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6 h1:dcztxKSvZ4Id8iPpHERQBbIJfabdt4wUm5qy3wOL2Zc= github.com/moby/term v0.0.0-20210619224110-3f7ff695adc6/go.mod h1:E2VnQOmVuvZB6UYnnDB0qG5Nq/1tD9acaOpo6xmt0Kw= 
@@ -2212,7 +2191,6 @@ github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7J github.com/onsi/gomega v1.9.0/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.3/go.mod h1:V9xEwhxec5O8UDM77eCW8vLymOMltsqPVYWrpDsH8xc= -github.com/onsi/gomega v1.11.0/go.mod h1:azGKhqFUon9Vuj0YmTfLSmx0FUwqXYSTl5re8lQLTUg= github.com/onsi/gomega v1.15.0/go.mod h1:cIuvLEne0aoVhAgh/O6ac0Op8WWw9H6eYCriF+tEHG0= github.com/onsi/gomega v1.16.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAlGdZY= @@ -2283,7 +2261,6 @@ github.com/pelletier/go-toml v1.9.3/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCko github.com/pelletier/go-toml v1.9.4/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= github.com/pelletier/go-toml v1.9.5 h1:4yBQzkHv+7BHq2PQUZF3Mx0IYxG7LsP222s7Agd3ve8= github.com/pelletier/go-toml v1.9.5/go.mod h1:u1nR/EPcESfeI/szUZKdtJ0xRNbUoANCkoOuaOx1Y+c= -github.com/pelletier/go-toml/v2 v2.0.0-beta.8/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo= github.com/pelletier/go-toml/v2 v2.0.1/go.mod h1:r9LEWfGN8R5k0VXJ+0BkIe7MYkRdwZOjgMj2KwnJFUo= github.com/pelletier/go-toml/v2 v2.0.5 h1:ipoSadvV8oGUjnUbMub59IDPPwfxF694nG/jwbMiyQg= github.com/pelletier/go-toml/v2 v2.0.5/go.mod h1:OMHamSCAODeSsVrwwvcJOaoN0LIUIaFVNZzmWyNfXas= 
@@ -2297,7 +2274,6 @@ github.com/pierrec/lz4 v1.0.2-0.20190131084431-473cd7ce01a1/go.mod h1:3/3N9NVKO0 github.com/pierrec/lz4 v2.0.5+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.5.2+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= github.com/pierrec/lz4 v2.6.1+incompatible/go.mod h1:pdkljMzZIN41W+lC3N2tnIh5sFi+IEE17M5jbnwPHcY= -github.com/pierrec/lz4/v4 v4.0.3/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pierrec/lz4/v4 v4.1.2/go.mod h1:gZWDp/Ze/IJXGXf23ltt2EXimqmTUXEy0GFuRQyBid4= github.com/pkg/browser v0.0.0-20180916011732-0a3d74bf9ce4/go.mod h1:4OwLy04Bl9Ef3GJJCoec+30X3LQs/0/m4HFRt/2LUSA= github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ= @@ -2457,7 +2433,6 @@ github.com/safchain/ethtool v0.0.0-20190326074333-42ed695e3de8/go.mod h1:Z0q5wiB github.com/safchain/ethtool v0.0.0-20210803160452-9aa261dae9b1/go.mod h1:Z0q5wiBQGYcxhMZ6gUqHn6pYNLypFAvaL3UvgZLR0U4= github.com/sagikazarmark/crypt v0.1.0/go.mod h1:B/mN0msZuINBtQ1zZLEQcegFJJf9vnYIR88KRMEuODE= github.com/sagikazarmark/crypt v0.3.0/go.mod h1:uD/D+6UF4SrIR1uGEv7bBNkNqLGqUr43MRiaGWX1Nig= -github.com/sagikazarmark/crypt v0.5.0/go.mod h1:l+nzl7KWh51rpzp2h7t4MZWyiEWdhNpOAnclKvg+mdA= github.com/sagikazarmark/crypt v0.6.0/go.mod h1:U8+INwJo3nBv1m6A/8OBXAq7Jnpspk5AxSgDyEQcea8= github.com/samuel/go-zookeeper v0.0.0-20190923202752-2cc03de413da/go.mod h1:gi+0XIa01GRL2eRQVjQkKGqKF3SF9vZR/HnPullcV2E= github.com/sanposhiho/wastedassign/v2 v2.0.6/go.mod h1:KyZ0MWTwxxBmfwn33zh3k1dmsbF2ud9pAAGfoLfjhtI= 
@@ -2505,10 +2480,8 @@ github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546/go.mod h1:TrYk7fJV github.com/sigstore/cosign v1.12.0 h1:4FtGar5z0tuor8p4arOEtgCkzMWyjFKYE4D1oJiPJ6Y= github.com/sigstore/cosign v1.12.0/go.mod h1:gcWqjoMm2jhu5knf9HMWq5AS8CcnOeYXuamMUBj0Arg= github.com/sigstore/fulcio v0.5.3/go.mod h1:4yzMqOao6r9Nul1Dgt4LL7loKdkkgbDemLYrXUuAc+Y= -github.com/sigstore/rekor v0.7.0/go.mod h1:uUFwwj3Cf46VELJoSQMPsdvIo+gMZUmxg4AaIsdQzNk= github.com/sigstore/rekor v0.11.0 h1:2x1Sy3fu3VSWbl/2fwTyFPqs5fehY++EqdTFWWT6+Mo= github.com/sigstore/rekor v0.11.0/go.mod h1:xEfHnfiQJ/yJVCz41/OglUrDID71gICzixJjYFrQeN0= -github.com/sigstore/sigstore v1.2.1-0.20220512194100-3ed986cc9758/go.mod h1:BFjjR8iTGW8SZZnZXi+rlhTfaajln4LWKO4TzAixMi0= github.com/sigstore/sigstore v1.2.1-0.20220526001230-8dc4fa90a468/go.mod h1:xAQdMn1pZ7FcOtHU6chqIsvVKt9KGb4mJZljPQUdcpA= github.com/sigstore/sigstore v1.4.0/go.mod h1:z3kt1jm2A39M+g7emkQ8jdErL/haCMEjkNxvqTf41/k= github.com/sigstore/sigstore v1.4.1-0.20220908204944-ec922cf4f1c2 h1:/UPRO/SWpsZHRVXE8IBOHuv+ZgqzjE5/dP0ilC6AlDI= @@ -2599,7 +2572,6 @@ github.com/spf13/viper v1.7.1/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5q github.com/spf13/viper v1.8.1/go.mod h1:o0Pch8wJ9BVSWGQMbra6iw0oQ5oktSIBaujf1rJH9Ns= github.com/spf13/viper v1.9.0/go.mod h1:+i6ajR7OX2XaiBkrcZJFK21htRk7eDeLg7+O6bhUPP4= github.com/spf13/viper v1.10.0/go.mod h1:SoyBPwAtKDzypXNDFKN5kzH7ppppbGZtls1UpIy5AsM= -github.com/spf13/viper v1.11.0/go.mod h1:djo0X/bA5+tYVoCn+C7cAYJGcVn/qYLFTG8gdUsX7Zk= github.com/spf13/viper v1.12.0/go.mod h1:b6COn30jlNxbm/V2IqWiNWkJ+vZNiMNksliPCiuKtSI= github.com/spf13/viper v1.13.0 h1:BWSJ/M+f+3nmdz9bxB+bWX28kkALN2ok11D0rSo8EJU= github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw= 
@@ -2841,18 +2813,15 @@ go.etcd.io/etcd v0.5.0-alpha.5.0.20200910180754-dd1b699fc489/go.mod h1:yVHk9ub3C go.etcd.io/etcd/api/v3 v3.5.0-alpha.0/go.mod h1:mPcW6aZJukV6Aa81LSKpBjQXTWlXB5r74ymPoSWa3Sw= go.etcd.io/etcd/api/v3 v3.5.0/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= go.etcd.io/etcd/api/v3 v3.5.1/go.mod h1:cbVKeC6lCfl7j/8jBhAK6aIYO9XOjdptoxU/nLQcPvs= -go.etcd.io/etcd/api/v3 v3.5.2/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A= go.etcd.io/etcd/api/v3 v3.5.4/go.mod h1:5GB2vv4A4AOn3yk7MftYGHkUfGtDHnEraIjym4dYz5A= go.etcd.io/etcd/api/v3 v3.6.0-alpha.0/go.mod h1:z13pg39zewDLZeXIKeM0xELOeFKcqjLocfwl5M820+w= go.etcd.io/etcd/client/pkg/v3 v3.5.0/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/pkg/v3 v3.5.1/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= -go.etcd.io/etcd/client/pkg/v3 v3.5.2/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/pkg/v3 v3.5.4/go.mod h1:IJHfcCEKxYu1Os13ZdwCwIUTUVGYTSAM3YSwc9/Ac1g= go.etcd.io/etcd/client/pkg/v3 v3.6.0-alpha.0/go.mod h1:Vl/FkH40bHqmBFwhr8WVKtV47neyts36zl1voccRq8s= go.etcd.io/etcd/client/v2 v2.305.0-alpha.0/go.mod h1:kdV+xzCJ3luEBSIeQyB/OEKkWKd8Zkux4sbDeANrosU= go.etcd.io/etcd/client/v2 v2.305.0/go.mod h1:h9puh54ZTgAKtEbut2oe9P4L/oqKCVB6xsXlzd7alYQ= go.etcd.io/etcd/client/v2 v2.305.1/go.mod h1:pMEacxZW7o8pg4CrFE7pquyCJJzZvkvdD2RibOCCCGs= -go.etcd.io/etcd/client/v2 v2.305.2/go.mod h1:2D7ZejHVMIfog1221iLSYlQRzrtECw3kz4I4VAQm3qI= go.etcd.io/etcd/client/v2 v2.305.4/go.mod h1:Ud+VUwIi9/uQHOMA+4ekToJ12lTxlv0zB/+DHwTGEbU= go.etcd.io/etcd/client/v2 v2.306.0-alpha.0/go.mod h1:eW78BCfOzS1HJgTNzDrb2E6xV1p6kqlpLpKkz7ErzCs= go.etcd.io/etcd/client/v3 v3.5.0-alpha.0/go.mod h1:wKt7jgDgf/OfKiYmCq5WFGxOFAkVMLxiiXgLDFhECr8= 
@@ -3184,7 +3153,6 @@ golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210326060303-6b1517762897/go.mod h1:uSPa2vr4CLtc/ILN5odXGNXS6mhrKVzTaCXzk9m6W3k= -golang.org/x/net v0.0.0-20210331212208-0fccb6fa2b5c/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210410081132-afb366fc7cd1/go.mod h1:9tjilg8BloeKEkVJvy7fQ90B1CfIiPueXVOjqfkSzI8= golang.org/x/net v0.0.0-20210421230115-4e50805a0758/go.mod h1:72T/g9IO56b78aLF+1Kcs5dz7/ng1VjMUvfKvpfy+jM= @@ -3917,7 +3885,6 @@ gopkg.in/check.v1 v1.0.0-20141024133853-64131543e789/go.mod h1:Co6ibVJAznAaIkqp8 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/cheggaaa/pb.v1 v1.0.25/go.mod h1:V/YB90LKu/1FcN3WVnfiiE5oMCibMjukxqG/qStrOgw= 
@@ -3934,7 +3901,6 @@ gopkg.in/ini.v1 v1.62.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.63.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.66.2/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.66.4/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= -gopkg.in/ini.v1 v1.66.6/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/ini.v1 v1.67.0 h1:Dgnx+6+nfE+IfzjUEISNeydPJh9AXNNsWbGP9KzCsOA= gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k= gopkg.in/linkedin/goavro.v1 v1.0.5/go.mod h1:Aw5GdAbizjOEl0kAMHV9iHmA8reZzW/OKuJAl4Hb9F0= @@ -4007,8 +3973,8 @@ k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U= k8s.io/apimachinery v0.23.5/go.mod h1:BEuFMMBaIbcOqVIJqNZJXGFTP4W6AycEpb5+m/97hrM= k8s.io/apimachinery v0.24.2/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= -k8s.io/apimachinery v0.24.3 h1:hrFiNSA2cBZqllakVYyH/VyEh4B581bQRmqATJSeQTg= -k8s.io/apimachinery v0.24.3/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= +k8s.io/apimachinery v0.24.4 h1:S0Ur3J/PbivTcL43EdSdPhqCqKla2NIuneNwZcTDeGQ= +k8s.io/apimachinery v0.24.4/go.mod h1:82Bi4sCzVBdpYjyI4jY6aHX+YCUchUIrZrXKedjd2UM= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= 
@@ -4085,7 +4051,6 @@ sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNza sigs.k8s.io/json v0.0.0-20211208200746-9f7c6b3444d2/go.mod h1:B+TnT182UBxE84DiCz4CVE26eOSDAeYCpfDnC2kdKMY= sigs.k8s.io/kind v0.14.0 h1:cNmI3jGBvp7UegEGbC5we8plDtCUmaNRL+bod7JoSCE= sigs.k8s.io/kind v0.14.0/go.mod h1:UrFRPHG+2a5j0Q7qiR4gtJ4rEyn8TuMQwuOPf+m4oHg= -sigs.k8s.io/release-utils v0.4.1-0.20220207182343-6dadf2228617/go.mod h1:t9pL38kZkTBVDcjL1y7ajrkNQFLiArVAjOVO0sxzFF0= sigs.k8s.io/release-utils v0.7.3/go.mod h1:n0mVez/1PZYZaZUTJmxewxH3RJ/Lf7JUDh7TG1CASOE= sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= From d708c6c5807829059be2d99442b410637f2aec5c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 7 Mar 2023 16:29:15 +0000 Subject: [PATCH 12/19] :seedling: Bump tj-actions/changed-files from 35.5.4 to 35.6.1 Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.5.4 to 35.6.1. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/74338865c1e73fee674ce5cfc5d28f4b9caa33bc...04124efe7560d15e11ea2ba96c0df2989f68f1f4) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 76e027ca0ed..ff117596587 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -41,7 +41,7 @@ jobs: fetch-depth: 2 - id: files name: Get changed files - uses: tj-actions/changed-files@74338865c1e73fee674ce5cfc5d28f4b9caa33bc #v35.5.4 + uses: tj-actions/changed-files@04124efe7560d15e11ea2ba96c0df2989f68f1f4 #v35.6.1 with: files_ignore: '**.md' - id: docs_only_check From 0169c375a798553ceecc484c7f6cda1f1da149e4 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Tue, 7 Mar 2023 11:19:47 -0800 Subject: [PATCH 13/19] =?UTF-8?q?=F0=9F=8C=B1=20Setup=20cron=20for=20runni?= =?UTF-8?q?ng=20as=20GitHub=20App=20(#2721)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Update auth server to use GitHub App. Signed-off-by: Spencer Schrock * Update release worker to use GitHub App tokens directly, as a workaround for the auth server not supporting it. Signed-off-by: Spencer Schrock * Add Retry-After logic and stats. Signed-off-by: Spencer Schrock * Change retry-after logic to support any status code. Disable troublesome checks. Signed-off-by: Spencer Schrock * Use GitHub App Token instead of auth server. Signed-off-by: Spencer Schrock * Temporarily disable additional chhecks. Signed-off-by: Spencer Schrock * Disable github auth server as it doesn't work with the GitHub App Tokens. Signed-off-by: Spencer Schrock * Re-enable Fuzzing check in the release test. Signed-off-by: Spencer Schrock * Fix unit test for new check change. Signed-off-by: Spencer Schrock * Move opencensus stat to the ratelimit roundtripped. Signed-off-by: Spencer Schrock --------- Signed-off-by: Spencer Schrock --- clients/githubrepo/roundtripper/rate_limit.go | 14 +++++++++++ clients/githubrepo/roundtripper/transport.go | 1 + clients/githubrepo/stats/stats.go | 4 +++- cron/config/config.yaml | 4 +++- cron/config/config_test.go | 2 +- cron/k8s/auth.yaml | 2 +- cron/k8s/worker.release.yaml | 24 ++++++++++++++++--- cron/k8s/worker.yaml | 20 ++++++++++++++-- 8 files changed, 62 insertions(+), 9 deletions(-) 
diff --git a/clients/githubrepo/roundtripper/rate_limit.go b/clients/githubrepo/roundtripper/rate_limit.go index 60878f0c316..9730616d1f1 100644 --- a/clients/githubrepo/roundtripper/rate_limit.go +++ b/clients/githubrepo/roundtripper/rate_limit.go @@ -20,6 +20,9 @@ import ( "strconv" "time" + "go.opencensus.io/stats" + + githubstats "github.com/ossf/scorecard/v4/clients/githubrepo/stats" sce "github.com/ossf/scorecard/v4/errors" "github.com/ossf/scorecard/v4/log" ) @@ -44,6 +47,17 @@ func (gh *rateLimitTransport) RoundTrip(r *http.Request) (*http.Response, error) if err != nil { return nil, sce.WithMessage(sce.ErrScorecardInternal, fmt.Sprintf("innerTransport.RoundTrip: %v", err)) } + + retryValue := resp.Header.Get("Retry-After") + if retryAfter, err := strconv.Atoi(retryValue); err == nil { // if NO error + stats.Record(r.Context(), githubstats.RetryAfter.M(int64(retryAfter))) + duration := time.Duration(retryAfter) * time.Second + gh.logger.Info(fmt.Sprintf("Retry-After header set. Waiting %s to retry...", duration)) + time.Sleep(duration) + gh.logger.Info("Retry-After header set. Retrying...") + return gh.RoundTrip(r) + } + rateLimit := resp.Header.Get("X-RateLimit-Remaining") remaining, err := strconv.Atoi(rateLimit) if err != nil { diff --git a/clients/githubrepo/roundtripper/transport.go b/clients/githubrepo/roundtripper/transport.go index a9824edc2fe..fa606979459 100644 --- a/clients/githubrepo/roundtripper/transport.go +++ b/clients/githubrepo/roundtripper/transport.go @@ -64,5 +64,6 @@ func (gt *githubTransport) RoundTrip(r *http.Request) (*http.Response, error) { if err == nil { stats.Record(ctx, githubstats.RemainingTokens.M(int64(remaining))) } + return resp, nil } diff --git a/clients/githubrepo/stats/stats.go b/clients/githubrepo/stats/stats.go index e320c910478..a6d8821a96a 100644 --- a/clients/githubrepo/stats/stats.go +++ b/clients/githubrepo/stats/stats.go 
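Review bot: The new Retry-After branch in `RoundTrip` retries with `gh.RoundTrip(r)` without closing `resp.Body`, so every throttled response can keep its connection open. The wait length is taken straight from a server-supplied header with no upper bound and no rejection of negative values, and nothing limits how many times the call recurses. `time.Sleep` also ignores `r.Context()`, so a cancelled request stays parked for the full delay. If the original request carried a body (not visible in this hunk), the first attempt has probably consumed it and it would need to be rebuilt from `r.GetBody` before the retry. The sketch below closes the body, clamps the delay to a new package-level constant `maxRetryAfter` (value for the maintainers to choose) and waits on the context; a retry counter is still needed, and `RoundTrip` continues outside the hunk.

```go
	retryValue := resp.Header.Get("Retry-After")
	if retryAfter, err := strconv.Atoi(retryValue); err == nil && retryAfter >= 0 {
		// The throttled response is discarded, so release its connection before waiting.
		resp.Body.Close()
		// … unchanged: stats.Record of githubstats.RetryAfter …
		duration := time.Duration(retryAfter) * time.Second
		if duration > maxRetryAfter {
			duration = maxRetryAfter
		}
		// … unchanged: "Waiting %s to retry..." log line …
		timer := time.NewTimer(duration)
		defer timer.Stop()
		select {
		case <-timer.C:
		case <-r.Context().Done():
			return nil, sce.WithMessage(sce.ErrScorecardInternal,
				fmt.Sprintf("waiting for Retry-After: %v", r.Context().Err()))
		}
		// … unchanged: "Retrying..." log line and return gh.RoundTrip(r) …
	}
```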
@@ -24,7 +24,9 @@ var ( // RemainingTokens measures the remaining number of API tokens. RemainingTokens = stats.Int64("RemainingTokens", "Measures the remaining count of API tokens", stats.UnitDimensionless) - + // RetryAfter measures the retry delay when dealing with secondary rate limits. + RetryAfter = stats.Int64("RetryAfter", + "Measures the retry delay when dealing with secondary rate limits", stats.UnitSeconds) // TokenIndex is the tag key for specifying a unique token. TokenIndex = tag.MustNewKey("tokenIndex") // ResourceType specifies the type of GitHub resource. diff --git a/cron/config/config.yaml b/cron/config/config.yaml index 27e7d2643f0..a9d4017f82a 100644 --- a/cron/config/config.yaml +++ b/cron/config/config.yaml @@ -43,7 +43,9 @@ additional-params: api-results-bucket-url: gs://ossf-scorecard-cron-results # TODO: Temporarily remove SAST and CI-Tests which require lot of GitHub API tokens. # TODO(#859): Re-add Contributors after fixing inconsistencies. - blacklisted-checks: CI-Tests,Contributors + # TODO: Dependency-Update-Tool, Fuzzing, and SAST are search heavy + # TODO: Vulnerabilities is resource intensive, wait until the next osv-scanner release after v1.2.0 + blacklisted-checks: CI-Tests,Contributors,Dependency-Update-Tool,Fuzzing,SAST,Vulnerabilities cii-data-bucket-url: gs://ossf-scorecard-cii-data # Raw results. raw-bigquery-table: scorecard-rawdata diff --git a/cron/config/config_test.go b/cron/config/config_test.go index 82e607f3123..d11290cd149 100644 --- a/cron/config/config_test.go +++ b/cron/config/config_test.go @@ -34,7 +34,7 @@ const ( prodCompletionThreshold = 0.99 prodWebhookURL = "" prodCIIDataBucket = "gs://ossf-scorecard-cii-data" - prodBlacklistedChecks = "CI-Tests,Contributors" + prodBlacklistedChecks = "CI-Tests,Contributors,Dependency-Update-Tool,Fuzzing,SAST,Vulnerabilities" prodShardSize int = 10 prodMetricExporter string = "stackdriver" prodMetricStackdriverPrefix string = "scorecard-cron" 
diff --git a/cron/k8s/auth.yaml b/cron/k8s/auth.yaml index a1da9537e88..dbfa2c0b723 100644 --- a/cron/k8s/auth.yaml +++ b/cron/k8s/auth.yaml @@ -31,7 +31,7 @@ kind: Deployment metadata: name: scorecard-github-server spec: - replicas: 1 + replicas: 0 selector: matchLabels: app.kubernetes.io/name: github-auth-server diff --git a/cron/k8s/worker.release.yaml b/cron/k8s/worker.release.yaml index dc445052a41..be78ad1318b 100644 --- a/cron/k8s/worker.release.yaml +++ b/cron/k8s/worker.release.yaml @@ -29,7 +29,7 @@ spec: containers: - name: worker image: gcr.io/openssf/scorecard-batch-worker:latest - args: ["--ignoreRuntimeErrors=false", "--config=/etc/scorecard/config.yaml"] + args: ["--ignoreRuntimeErrors=true", "--config=/etc/scorecard/config.yaml"] imagePullPolicy: Always env: - name: SCORECARD_DATA_BUCKET_URL @@ -40,10 +40,22 @@ spec: value: "gcppubsub://projects/openssf/subscriptions/scorecard-batch-worker-releasetest" - name: SCORECARD_METRIC_EXPORTER value: "printer" - - name: GITHUB_AUTH_SERVER - value: "10.4.4.210:80" + - name: GITHUB_APP_KEY_PATH + value: /etc/github/app_key + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github + key: app_id + - name: GITHUB_APP_INSTALLATION_ID + valueFrom: + secretKeyRef: + name: github + key: installation_id - name: "SCORECARD_API_RESULTS_BUCKET_URL" value: "gs://ossf-scorecard-cron-releasetest-results" + - name: "SCORECARD_BLACKLISTED_CHECKS" + value: "CI-Tests,Contributors,Dependency-Update-Tool,SAST" resources: requests: memory: 5Gi @@ -55,10 +67,16 @@ spec: - name: config-volume mountPath: /etc/scorecard readOnly: true + - name: github-app-key + mountPath: "/etc/github/" + readOnly: true volumes: - name: config-volume configMap: name: scorecard-config + - name: github-app-key + secret: + secretName: github strategy: type: "RollingUpdate" rollingUpdate: diff --git a/cron/k8s/worker.yaml b/cron/k8s/worker.yaml index 9ffe36809e1..9307d2d8d57 100644 --- a/cron/k8s/worker.yaml +++ b/cron/k8s/worker.yaml 
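Review bot: Flipping `--ignoreRuntimeErrors` to `true` in the `worker.release.yaml` args means the release-test worker no longer fails on check runtime errors, and nothing in the manifest says why or when the flag should go back. If this worker is what gates a release (inferred from the file name and the `releasetest` subscription), a regression in a check could pass unnoticed while the flag is on. I would add a comment above the args line, for example `# TODO: temporary while moving to GitHub App tokens; restore --ignoreRuntimeErrors=false afterwards`, ideally pointing at a tracking issue.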
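Review bot: The `github-app-key` volume mounts the whole `github` secret, so `app_id` and `installation_id` land in `/etc/github/` as files next to `app_key` even though they are already passed in through `secretKeyRef`, and the key file gets the default mode (0644 unless overridden). Limiting the projection with `items:` to `key: app_key` / `path: app_key` and setting `defaultMode: 0400` leaves the private key as the only file in the mount, readable by its owner only. Check that mode against the user the worker container runs as, which this hunk does not show. The same volume definition is added to `cron/k8s/worker.yaml` in the next file, so the change applies there too.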
@@ -32,8 +32,18 @@ spec: args: ["--ignoreRuntimeErrors=true", "--config=/etc/scorecard/config.yaml"] imagePullPolicy: Always env: - - name: GITHUB_AUTH_SERVER - value: "10.4.4.210:80" + - name: GITHUB_APP_KEY_PATH + value: /etc/github/app_key + - name: GITHUB_APP_ID + valueFrom: + secretKeyRef: + name: github + key: app_id + - name: GITHUB_APP_INSTALLATION_ID + valueFrom: + secretKeyRef: + name: github + key: installation_id resources: requests: memory: 5Gi @@ -45,10 +55,16 @@ spec: - name: config-volume mountPath: /etc/scorecard readOnly: true + - name: github-app-key + mountPath: "/etc/github/" + readOnly: true volumes: - name: config-volume configMap: name: scorecard-config + - name: github-app-key + secret: + secretName: github strategy: type: "RollingUpdate" rollingUpdate: From 0c090b3cf0fa7daf289465f5261d73358b53ae76 Mon Sep 17 00:00:00 2001 From: Naveen <172697+naveensrinivasan@users.noreply.github.com> Date: Tue, 7 Mar 2023 16:26:58 -0600 Subject: [PATCH 14/19] :seedling: Updated the coverage for tests (#2728) - Updated the `Makefile` to include the `-coverpkg=./...` flag when running tests. [Makefile] - Changed `SKIP_GINKGO=1 go test -race -covermode=atomic -coverprofile=unit-coverage.out` to `SKIP_GINKGO=1 go test -race -covermode=atomic -coverprofile=unit-coverage.out -coverpkg=./...` in the `Makefile` Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com> --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index d60a3570822..25d5e2370e2 100644 --- a/Makefile +++ b/Makefile 
@@ -314,7 +314,7 @@ test: $(test-targets) unit-test: ## Runs unit test without e2e # Run unit tests, ignoring e2e tests # run the go tests and gen the file coverage-all used to do the integration with codecov - SKIP_GINKGO=1 go test -race -covermode=atomic -coverprofile=unit-coverage.out `go list ./...` + SKIP_GINKGO=1 go test -race -covermode=atomic -coverprofile=unit-coverage.out -coverpkg=./... `go list ./...` unit-test-attestor: ## Runs unit tests on scorecard-attestor cd attestor; SKIP_GINKGO=1 go test -covermode=atomic -coverprofile=unit-coverage.out `go list ./...`; cd ..; From 5f13a66c271ed810560c1fd96a04630f67afed2e Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Wed, 8 Mar 2023 12:18:22 -0800 Subject: [PATCH 15/19] Atomically load from accessState to avoid data race. (#2732) Signed-off-by: Spencer Schrock --- clients/githubrepo/roundtripper/tokens/round_robin.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/clients/githubrepo/roundtripper/tokens/round_robin.go b/clients/githubrepo/roundtripper/tokens/round_robin.go index 32c7d85b70b..6bdc04f3c5f 100644 --- a/clients/githubrepo/roundtripper/tokens/round_robin.go +++ b/clients/githubrepo/roundtripper/tokens/round_robin.go @@ -36,7 +36,7 @@ func (tokens *roundRobinAccessor) Next() (uint64, string) { // If selected accessToken is unavailable, wait. for !atomic.CompareAndSwapInt64(&tokens.accessState[index], 0, time.Now().Unix()) { - currVal := tokens.accessState[index] + currVal := atomic.LoadInt64(&tokens.accessState[index]) expired := time.Now().After(time.Unix(currVal, 0).Add(expiryTimeInSec * time.Second)) if !expired { continue From 170af7561875dc883bb264256dadda345b6e6052 Mon Sep 17 00:00:00 2001 
From: Rex P <106129829+another-rex@users.noreply.github.com> Date: Thu, 9 Mar 2023 13:04:11 +1300 Subject: [PATCH 16/19] :bug: Updates osv-scanner dependency to 1.2.0. (#2704) * Updates osv-scanner dependency to 1.2.0. The 1.0 release changed the return value for osv-scanner to output an error when vulnerabilities are found, modified to handle this error correctly. Signed-off-by: Rex Pan * Add some additional comments Signed-off-by: Rex Pan * Update osv-scanner to include SBOM and logging fixes Signed-off-by: Rex Pan --------- Signed-off-by: Rex Pan --- clients/osv.go | 43 ++++++++++++++++++++++++++----------------- go.mod | 21 +++++++++++---------- go.sum | 42 +++++++++++++++++++++++++----------------- 3 files changed, 62 insertions(+), 44 deletions(-) diff --git a/clients/osv.go b/clients/osv.go index b234057813a..9e4c3e92b06 100644 --- a/clients/osv.go +++ b/clients/osv.go @@ -16,6 +16,7 @@ package clients import ( "context" + "errors" "fmt" "github.com/google/osv-scanner/pkg/osvscanner" 
@@ -45,26 +46,34 @@ func (v osvClient) ListUnfixedVulnerabilities( Recursive: true, GitCommits: gitCommits, }, nil) // TODO: Do logging? - if err != nil { - return VulnerabilitiesResponse{}, fmt.Errorf("osvscanner.DoScan: %w", err) - } response := VulnerabilitiesResponse{} - vulns := res.Flatten() - for i := range vulns { - response.Vulnerabilities = append(response.Vulnerabilities, Vulnerability{ - ID: vulns[i].Vulnerability.ID, - Aliases: vulns[i].Vulnerability.Aliases, - }) - // Remove duplicate vulnerability IDs for now as we don't report information - // on the source of each vulnerability yet, therefore having multiple identical - // vuln IDs might be confusing. - response.Vulnerabilities = removeDuplicate( - response.Vulnerabilities, - func(key Vulnerability) string { return key.ID }, - ) + + if err == nil { // No vulns found + return response, nil } - return response, nil + + // If vulnerabilities are found, err will be set to osvscanner.VulnerabilitiesFoundErr + if errors.Is(err, osvscanner.VulnerabilitiesFoundErr) { + vulns := res.Flatten() + for i := range vulns { + response.Vulnerabilities = append(response.Vulnerabilities, Vulnerability{ + ID: vulns[i].Vulnerability.ID, + Aliases: vulns[i].Vulnerability.Aliases, + }) + // Remove duplicate vulnerability IDs for now as we don't report information + // on the source of each vulnerability yet, therefore having multiple identical + // vuln IDs might be confusing. + response.Vulnerabilities = removeDuplicate( + response.Vulnerabilities, + func(key Vulnerability) string { return key.ID }, + ) + } + + return response, nil + } + + return VulnerabilitiesResponse{}, fmt.Errorf("osvscanner.DoScan: %w", err) } // RemoveDuplicate removes duplicate entries from a slice. diff --git a/go.mod b/go.mod index 7542a96aac7..8f41152096a 100644 --- a/go.mod +++ b/go.mod 
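Review bot: The `err == nil` early return in `ListUnfixedVulnerabilities` hands back an empty response without ever looking at `res`, so the check reports no vulnerabilities whenever `DoScan` returns results with a nil error, which is how the code it replaces consumed them. The result then depends on the scanner's error convention staying exactly as it is in this version, and the failure mode is a silently clean report. Flattening `res` for both a nil error and `osvscanner.VulnerabilitiesFoundErr`, and returning an error for anything else, removes that dependency. `removeDuplicate` can also move out of the loop, where it currently rescans the slice on every iteration. The function starts above this hunk.

```go
	// "Vulnerabilities found" is a result, not a failure; anything else is a scan error.
	if err != nil && !errors.Is(err, osvscanner.VulnerabilitiesFoundErr) {
		return VulnerabilitiesResponse{}, fmt.Errorf("osvscanner.DoScan: %w", err)
	}

	response := VulnerabilitiesResponse{}
	vulns := res.Flatten()
	for i := range vulns {
		// … unchanged: append Vulnerability{ID, Aliases} …
	}
	// … unchanged: comment on why duplicate IDs are removed …
	response.Vulnerabilities = removeDuplicate(
		response.Vulnerabilities,
		func(key Vulnerability) string { return key.ID },
	)
	return response, nil
```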
@@ -35,7 +35,7 @@ require ( go.opencensus.io v0.24.0 gocloud.dev v0.26.0 golang.org/x/text v0.7.0 - golang.org/x/tools v0.5.0 + golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2 google.golang.org/genproto v0.0.0-20221118155620-16455021b5e6 google.golang.org/protobuf v1.28.1 gopkg.in/yaml.v2 v2.4.0 @@ -47,7 +47,7 @@ require ( github.com/Masterminds/semver/v3 v3.2.0 github.com/caarlos0/env/v6 v6.10.0 github.com/gobwas/glob v0.2.3 - github.com/google/osv-scanner v0.0.0-20221212045131-8aef1778b823 + github.com/google/osv-scanner v1.2.1-0.20230302232134-592acbc2539b github.com/mcuadros/go-jsonschema-generator v0.0.0-20200330054847-ba7a369d4303 github.com/onsi/ginkgo/v2 v2.7.0 sigs.k8s.io/release-utils v0.6.0 @@ -63,7 +63,7 @@ require ( github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect github.com/Azure/go-autorest/logger v0.2.1 // indirect github.com/Azure/go-autorest/tracing v0.6.0 // indirect - github.com/BurntSushi/toml v1.2.0 // indirect + github.com/BurntSushi/toml v1.2.1 // indirect github.com/CycloneDX/cyclonedx-go v0.7.0 // indirect github.com/cloudflare/circl v1.1.0 // indirect github.com/davecgh/go-spew v1.1.1 // indirect 
@@ -73,18 +73,19 @@ require ( github.com/hashicorp/go-cleanhttp v0.5.2 // indirect github.com/hashicorp/go-retryablehttp v0.7.1 // indirect github.com/hashicorp/golang-lru v0.5.3 // indirect - github.com/jedib0t/go-pretty/v6 v6.4.0 // indirect + github.com/jedib0t/go-pretty/v6 v6.4.4 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/package-url/packageurl-go v0.1.0 // indirect github.com/pjbgf/sha1cd v0.2.3 // indirect github.com/skeema/knownhosts v1.1.0 // indirect - github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb // indirect - github.com/spdx/tools-golang v0.3.0 // indirect - golang.org/x/mod v0.7.0 // indirect + github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect + github.com/spdx/tools-golang v0.4.0 // indirect + golang.org/x/mod v0.8.0 // indirect golang.org/x/term v0.5.0 // indirect golang.org/x/time v0.3.0 // indirect + golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6 // indirect gopkg.in/inf.v0 v0.9.1 // indirect k8s.io/api v0.20.0 // indirect k8s.io/apimachinery v0.20.0 // indirect @@ -92,7 +93,7 @@ require ( k8s.io/klog/v2 v2.80.1 // indirect k8s.io/utils v0.0.0-20211116205334-6203023598ed // indirect sigs.k8s.io/structured-merge-diff/v4 v4.0.2 // indirect - sigs.k8s.io/yaml v1.2.0 // indirect + sigs.k8s.io/yaml v1.3.0 // indirect ) require ( @@ -115,7 +116,7 @@ require ( github.com/emirpasic/gods v1.18.1 // indirect github.com/fatih/color v1.13.0 // indirect github.com/go-git/gcfg v1.5.0 // indirect - github.com/go-git/go-billy/v5 v5.4.0 // indirect + github.com/go-git/go-billy/v5 v5.4.1 // indirect github.com/gogo/protobuf v1.3.2 // indirect github.com/golang-jwt/jwt/v4 v4.4.1 // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect 
@@ -150,7 +151,7 @@ require ( github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f // indirect github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect golang.org/x/crypto v0.3.0 // indirect - golang.org/x/exp v0.0.0-20221031165847-c99f073a8326 + golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 golang.org/x/net v0.7.0 // indirect golang.org/x/oauth2 v0.3.0 // indirect golang.org/x/sync v0.1.0 // indirect diff --git a/go.sum b/go.sum index c1bcd5d036d..47d2697bb88 100644 --- a/go.sum +++ b/go.sum @@ -157,8 +157,8 @@ github.com/Azure/go-autorest/tracing v0.5.0/go.mod h1:r/s2XiOKccPW3HrqB+W0TQzfbt github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo= github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/BurntSushi/toml v1.2.0 h1:Rt8g24XnyGTyglgET/PRUNlrUeu9F5L+7FilkXfZgs0= -github.com/BurntSushi/toml v1.2.0/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= +github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak= +github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/CycloneDX/cyclonedx-go v0.7.0 h1:jNxp8hL7UpcvPDFXjY+Y1ibFtsW+e5zyF9QoSmhK/zg= github.com/CycloneDX/cyclonedx-go v0.7.0/go.mod h1:W5Z9w8pTTL+t+yG3PCiFRGlr8PUlE0pGWzKSJbsyXkg= 
@@ -260,6 +260,7 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI= github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI= github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU= +github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= github.com/cloudflare/circl v1.1.0 h1:bZgT/A+cikZnKIwn7xL2OBj012Bmvho/o6RpRvv3GKY= github.com/cloudflare/circl v1.1.0/go.mod h1:prBCrKB9DV4poKZY1l9zBXg2QJY7mvgRvtMxxK7fi4I= @@ -363,8 +364,9 @@ github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4x github.com/go-git/gcfg v1.5.0 h1:Q5ViNfGF8zFgyJWPqYwA7qGFoMTEiBmdlkcfRmpIMa4= github.com/go-git/gcfg v1.5.0/go.mod h1:5m20vg6GwYabIxaOonVkTdrILxQMpEShl1xiMF4ua+E= github.com/go-git/go-billy/v5 v5.3.1/go.mod h1:pmpqyWchKfYfrkb/UVH4otLvyi/5gJlGI4Hb3ZqZ3W0= -github.com/go-git/go-billy/v5 v5.4.0 h1:Vaw7LaSTRJOUric7pe4vnzBSgyuf2KrLsu2Y4ZpQBDE= github.com/go-git/go-billy/v5 v5.4.0/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= +github.com/go-git/go-billy/v5 v5.4.1 h1:Uwp5tDRkPr+l/TnbHOQzp+tmJfLceOlbVucgpTz8ix4= +github.com/go-git/go-billy/v5 v5.4.1/go.mod h1:vjbugF6Fz7JIflbVpl1hJsGjSHNltrSw45YK/ukIvQg= github.com/go-git/go-git-fixtures/v4 v4.3.1 h1:y5z6dd3qi8Hl+stezc8p3JxDkoTRqMAlKnXHuzrfjTQ= github.com/go-git/go-git-fixtures/v4 v4.3.1/go.mod h1:8LHG1a3SRW71ettAD/jW13h8c6AqjVSeL11RAdgaqpo= github.com/go-git/go-git/v5 v5.5.2 h1:v8lgZa5k9ylUw+OR/roJHTxR4QItsNFI5nKtAXFuynw= 
@@ -505,8 +507,8 @@ github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIG github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw= github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk= -github.com/google/osv-scanner v0.0.0-20221212045131-8aef1778b823 h1:gmZSgbjnj2XPX2jz1VY8QAUFqiHrYJDajG72CODinuc= -github.com/google/osv-scanner v0.0.0-20221212045131-8aef1778b823/go.mod h1:/pyEWUK+MMC8/CxgHmZNjtCq0pts7KYc6bXJEA9UPNE= +github.com/google/osv-scanner v1.2.1-0.20230302232134-592acbc2539b h1:i51oNIa4JdwBAKDnZjvxGq9jOHKZ3OPZtLrTz8aHaAA= +github.com/google/osv-scanner v1.2.1-0.20230302232134-592acbc2539b/go.mod h1:bzlupbn+xUEuPbu4cuCN4HlpD2eMPmMNj8Qqwu8s9vM= github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= 
@@ -643,8 +645,8 @@ github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dv github.com/jackc/puddle v1.2.1/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A= github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo= -github.com/jedib0t/go-pretty/v6 v6.4.0 h1:YlI/2zYDrweA4MThiYMKtGRfT+2qZOO65ulej8GTcVI= -github.com/jedib0t/go-pretty/v6 v6.4.0/go.mod h1:MgmISkTWDSFu0xOqiZ0mKNntMQ2mDgOcwOkwBEkMDJI= +github.com/jedib0t/go-pretty/v6 v6.4.4 h1:N+gz6UngBPF4M288kiMURPHELDMIhF/Em35aYuKrsSc= +github.com/jedib0t/go-pretty/v6 v6.4.4/go.mod h1:MgmISkTWDSFu0xOqiZ0mKNntMQ2mDgOcwOkwBEkMDJI= github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/jessevdk/go-flags v1.5.0/go.mod h1:Fw0T6WPc1dYxT4mKEZRfG5kJhaTDP9pj1c2EWnYs/m4= github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8/go.mod h1:Nht3zPeWKUH0NzdCt2Blrr5ys8VGpn0CEB0cQHVjt7k= 
@@ -868,10 +870,11 @@ github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1 github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= -github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb h1:bLo8hvc8XFm9J47r690TUKBzcjSWdJDxmjXJZ+/f92U= github.com/spdx/gordf v0.0.0-20201111095634-7098f93598fb/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= -github.com/spdx/tools-golang v0.3.0 h1:rtm+DHk3aAt74Fh0Wgucb4pCxjXV8SqHCPEb2iBd30k= -github.com/spdx/tools-golang v0.3.0/go.mod h1:RO4Y3IFROJnz+43JKm1YOrbtgQNljW4gAPpA/sY2eqo= +github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 h1:dArkMwZ7Mf2JiU8OfdmqIv8QaHT4oyifLIe1UhsF1SY= +github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89/go.mod h1:uKWaldnbMnjsSAXRurWqqrdyZen1R7kxl8TkmWk2OyM= +github.com/spdx/tools-golang v0.4.0 h1:jdhnW8zYelURCbYTphiviFKZkWu51in0E4A1KT2csP0= +github.com/spdx/tools-golang v0.4.0/go.mod h1:VHzvNsKAfAGqs4ZvwRL+7a0dNsL20s7lGui4K9C0xQM= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk= github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE= 
@@ -1010,8 +1013,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20221031165847-c99f073a8326 h1:QfTh0HpN6hlw6D3vu8DAwC8pBIwikq0AI1evdm+FksE= -golang.org/x/exp v0.0.0-20221031165847-c99f073a8326/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= +golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI= +golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -1039,8 +1042,8 @@ golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA= -golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= +golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8= +golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -1341,8 +1344,10 @@ golang.org/x/tools v0.1.3/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.4/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.5.0 h1:+bSpV5HIeWkuvgaMfI3UmKRThoTA5ODJTUd8T17NO+4= -golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= +golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2 h1:v0FhRDmSCNH/0EurAT6T8KRY4aNuUhz6/WwBMxG+gvQ= +golang.org/x/tools v0.5.1-0.20230117180257-8aba49bb5ea2/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k= +golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6 h1:XZD8apnMaMVuqE3ZEzf5JJncKMlOsMnnov7U+JRT/d4= +golang.org/x/vuln v0.0.0-20230118164824-4ec8867cc0e6/go.mod h1:cBP4HMKv0X+x96j8IJWCKk0eqpakBmmHjKGSSC0NaYE= golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= @@ -1590,6 +1595,7 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= +honnef.co/go/tools v0.2.2 h1:MNh1AVMyVX23VUHE2O27jm6lNj3vjO5DexS4A1xvnzk= k8s.io/api v0.18.8/go.mod h1:d/CXqwWv+Z2XEG1LgceeDmHQwpUJhROPx16SlxJgERY= k8s.io/api v0.20.0 h1:WwrYoZNM1W1aQEbyl8HNG+oWGzLpZQBlcerS9BQw9yI= k8s.io/api v0.20.0/go.mod h1:HyLC5l5eoS/ygQYl1BXBgFzWNlkHiAuyNAbevIn+FKg= 
@@ -1631,6 +1637,7 @@ modernc.org/strutil v1.0.0/go.mod h1:lstksw84oURvj9y3tn8lGvRxyRC1S2+g5uuIzNfIOBs modernc.org/xc v1.0.0/go.mod h1:mRNCo0bvLjGhHO9WsyuKVU4q0ceiDDDoEeWDJHrNx8I= mvdan.cc/sh/v3 v3.6.0 h1:gtva4EXJ0dFNvl5bHjcUEvws+KRcDslT8VKheTYkbGU= mvdan.cc/sh/v3 v3.6.0/go.mod h1:U4mhtBLZ32iWhif5/lD+ygy1zrgaQhUu+XFy7C8+TTA= +mvdan.cc/unparam v0.0.0-20211214103731-d0ef000c54e5 h1:Jh3LAeMt1eGpxomyu3jVkmVZWW2MxZ1qIIV2TZ/nRio= nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= @@ -1644,5 +1651,6 @@ sigs.k8s.io/structured-merge-diff/v3 v3.0.0/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnM sigs.k8s.io/structured-merge-diff/v4 v4.0.2 h1:YHQV7Dajm86OuqnIR6zAelnDWBRjo+YhYV9PmGrh1s8= sigs.k8s.io/structured-merge-diff/v4 v4.0.2/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK1F7G282QMXDPYydCw= sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o= -sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= +sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= +sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= From 2e6347f133c3da60334ba729087822074a6502a5 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Wed, 8 Mar 2023 19:03:26 -0600 Subject: [PATCH 17/19] :seedling: Bump github.com/moby/buildkit from 0.10.3 to 0.11.4 (#2735) Bumps [github.com/moby/buildkit](https://github.com/moby/buildkit) from 0.10.3 to 0.11.4. - [Release notes](https://github.com/moby/buildkit/releases) - [Commits](https://github.com/moby/buildkit/compare/v0.10.3...v0.11.4) --- updated-dependencies: - dependency-name: github.com/moby/buildkit dependency-type: direct:production ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- go.mod | 16 ++++++++-------- go.sum | 59 ++++++++++++++++++++++++++++++---------------------------- 2 files changed, 39 insertions(+), 36 deletions(-)
diff --git a/go.mod b/go.mod
index 8f41152096a..e4e59a23244 100644
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 github.com/grafeas/kritis v0.2.3-0.20210120183821-faeba81c520c
 github.com/h2non/filetype v1.1.3
 github.com/jszwec/csvutil v1.8.0
- github.com/moby/buildkit v0.10.3
+ github.com/moby/buildkit v0.11.4
 github.com/olekukonko/tablewriter v0.0.5
 github.com/onsi/gomega v1.24.2
 github.com/shurcooL/githubv4 v0.0.0-20201206200315-234843c633fa
@@ -72,12 +72,12 @@ require (
 github.com/googleapis/gnostic v0.4.1 // indirect
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
- github.com/hashicorp/golang-lru v0.5.3 // indirect
+ github.com/hashicorp/golang-lru v0.5.4 // indirect
 github.com/jedib0t/go-pretty/v6 v6.4.4 // indirect
 github.com/json-iterator/go v1.1.12 // indirect
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 github.com/modern-go/reflect2 v1.0.2 // indirect
- github.com/package-url/packageurl-go v0.1.0 // indirect
+ github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170 // indirect
 github.com/pjbgf/sha1cd v0.2.3 // indirect
 github.com/skeema/knownhosts v1.1.0 // indirect
 github.com/spdx/gordf v0.0.0-20221230105357-b735bd5aac89 // indirect
@@ -107,18 +107,18 @@ require (
 github.com/aws/aws-sdk-go v1.43.31 // indirect
 github.com/census-instrumentation/opencensus-proto v0.3.0 // indirect
 github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be // indirect
- github.com/containerd/stargz-snapshotter/estargz v0.12.1 // indirect
+ github.com/containerd/stargz-snapshotter/estargz v0.13.0 // indirect
 github.com/containerd/typeurl v1.0.2 // indirect
- github.com/docker/cli v20.10.20+incompatible // indirect
+ github.com/docker/cli v23.0.0-rc.1+incompatible // indirect
 github.com/docker/distribution v2.8.1+incompatible // indirect
- github.com/docker/docker v20.10.20+incompatible // indirect
+ github.com/docker/docker v23.0.0-rc.1+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.7.0 // indirect
 github.com/emirpasic/gods v1.18.1 // indirect
 github.com/fatih/color v1.13.0 // indirect
 github.com/go-git/gcfg v1.5.0 // indirect
 github.com/go-git/go-billy/v5 v5.4.1 // indirect
 github.com/gogo/protobuf v1.3.2 // indirect
- github.com/golang-jwt/jwt/v4 v4.4.1 // indirect
+ github.com/golang-jwt/jwt/v4 v4.4.2 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/google/go-github/v45 v45.2.0 // indirect
@@ -132,7 +132,7 @@ require (
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
 github.com/jmespath/go-jmespath v0.4.0 // indirect
 github.com/kevinburke/ssh_config v1.2.0 // indirect
- github.com/klauspost/compress v1.15.11 // indirect
+ github.com/klauspost/compress v1.15.12 // indirect
 github.com/mattn/go-colorable v0.1.12 // indirect
 github.com/mattn/go-isatty v0.0.14 // indirect
 github.com/mattn/go-runewidth v0.0.13 // indirect
diff --git a/go.sum b/go.sum
index 47d2697bb88..9b462823b9b 100644
--- a/go.sum
+++ b/go.sum
@@ -199,43 +199,44 @@ github.com/aws/aws-sdk-go v1.31.6/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU github.com/aws/aws-sdk-go v1.37.0/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go v1.43.31 h1:yJZIr8nMV1hXjAvvOLUFqZRJcHV7udPQBfhJqawDzI0= github.com/aws/aws-sdk-go v1.43.31/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= -github.com/aws/aws-sdk-go-v2 v1.16.2 h1:fqlCk6Iy3bnCumtrLz9r3mJ/2gUT0pJ0wLFVIdWh+JA= github.com/aws/aws-sdk-go-v2 v1.16.2/go.mod h1:ytwTPBG6fXTZLxxeeCCWj2/EMYp/xDUgX+OET6TLNNU= +github.com/aws/aws-sdk-go-v2 v1.16.3 h1:0W1TSJ7O6OzwuEvIXAtJGvOeQ0SGAhcpxPN2/NK5EhM= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.1 h1:SdK4Ppk5IzLs64ZMvr6MrSficMtjY2oS0WOORXTlxwU= github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.1/go.mod h1:n8Bs1ElDD2wJ9kCRTczA83gYbBmjSwZp3umc6zF4EeM= -github.com/aws/aws-sdk-go-v2/config v1.15.3 h1:5AlQD0jhVXlGzwo+VORKiUuogkG7pQcLJNzIzK7eodw= github.com/aws/aws-sdk-go-v2/config v1.15.3/go.mod h1:9YL3v07Xc/ohTsxFXzan9ZpFpdTOFl4X65BAKYaz8jg= -github.com/aws/aws-sdk-go-v2/credentials v1.11.2 h1:RQQ5fzclAKJyY5TvF+fkjJEwzK4hnxQCLOu5JXzDmQo= +github.com/aws/aws-sdk-go-v2/config v1.15.5 h1:P+xwhr6kabhxDTXTVH9YoHkqjLJ0wVVpIUHtFNr2hjU= github.com/aws/aws-sdk-go-v2/credentials v1.11.2/go.mod h1:j8YsY9TXTm31k4eFhspiQicfXPLZ0gYXA50i4gxPE8g= -github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3 h1:LWPg5zjHV9oz/myQr4wMs0gi4CjnDN/ILmyZUFYXZsU= +github.com/aws/aws-sdk-go-v2/credentials v1.12.0 h1:4R/NqlcRFSkR0wxOhgHi+agGpbEr5qMCjn7VqUIJY+E= github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.3/go.mod h1:uk1vhHHERfSVCUnqSqz8O48LBYDSC+k6brng09jcMOk= -github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.3 h1:ir7iEq78s4txFGgwcLqD6q9IIPzTQNRJXulJd9h/zQo= +github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.4 h1:FP8gquGeGHHdfY6G5llaMQDF+HAf20VKc8opRwmjf04= github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.3/go.mod h1:0dHuD2HZZSiwfJSy1FO5bX1hQ1TxVV1QXXjpn3XUE44= 
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9 h1:onz/VaaxZ7Z4V+WIN9Txly9XLTmoOh1oJ8XcAC3pako= +github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.10 h1:JL7cY85hyjlgfA29MMyAlItX+JYIH9XsxgMBS7jtlqA= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.9/go.mod h1:AnVH5pvai0pAF4lXRq0bmhbes1u9R8wTE+g+183bZNM= -github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3 h1:9stUQR/u2KXU6HkFJYlqnZEjBnbgrVbG6I5HN09xZh0= +github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.10 h1:uFWgo6mGJI1n17nbcvSc6fxVuR3xLNqvXt12JCnEcT8= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.3/go.mod h1:ssOhaLpRlh88H3UmEcsBoVKq309quMvm3Ds8e9d4eJM= -github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10 h1:by9P+oy3P/CwggN4ClnW2D4oL91QV7pBzBICi1chZvQ= +github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.4 h1:cnsvEKSoHN4oAN7spMMr0zhEW2MHnhAVpmqQg8E6UcM= github.com/aws/aws-sdk-go-v2/internal/ini v1.3.10/go.mod h1:8DcYQcz0+ZJaSxANlHIsbbi6S+zMwjwdDqwW3r9AzaE= +github.com/aws/aws-sdk-go-v2/internal/ini v1.3.11 h1:6cZRymlLEIlDTEB0+5+An6Zj1CKt6rSE69tOmFeu1nk= +github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.1 h1:C21IDZCm9Yu5xqjb3fKmxDoYvJXtw1DNlOmLZEIlY1M= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.1 h1:T4pFel53bkHjL2mMo+4DKE6r6AuoZnM0fg7k1/ratr4= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.1/go.mod h1:GeUru+8VzrTXV/83XyMJ80KpH8xO89VPoUileyNQ+tc= -github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.3 h1:I0dcwWitE752hVSMrsLCxqNQ+UdEp3nACx2bYNMQq+k= github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.3/go.mod h1:Seb8KNmD6kVTjwRjVEgOT5hPin6sq+v4C2ycJQDwuH8= -github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3 h1:Gh1Gpyh01Yvn7ilO/b/hr01WgNpaszfbKMUgqM186xQ= +github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.5 h1:9LSZqt4v1JiehyZTrQnRFf2mY/awmyYNNY/b7zqtduU= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.3/go.mod h1:wlY6SVjuwvh3TVRpTqdy4I1JpBFLX4UGeKZdWntaocw= 
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.3 h1:BKjwCJPnANbkwQ8vzSbaZDKawwagDubrH/z/c0X+kbQ= +github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.4 h1:b16QW0XWl0jWjLABFc1A+uh145Oqv+xDcObNk0iQgUk= github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.3/go.mod h1:Bm/v2IaN6rZ+Op7zX+bOUMdL4fsrYZiD0dsjLhNKwZc= +github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.4 h1:RE/DlZLYrz1OOmq8F28IXHLksuuvlpzUbvJ+SESCZBI= github.com/aws/aws-sdk-go-v2/service/kms v1.16.3/go.mod h1:QuiHPBqlOFCi4LqdSskYYAWpQlx3PKmohy+rE2F+o5g= -github.com/aws/aws-sdk-go-v2/service/s3 v1.26.3 h1:rMPtwA7zzkSQZhhz9U3/SoIDz/NZ7Q+iRn4EIO8rSyU= github.com/aws/aws-sdk-go-v2/service/s3 v1.26.3/go.mod h1:g1qvDuRsJY+XghsV6zg00Z4KJ7DtFFCx8fJD2a491Ak= +github.com/aws/aws-sdk-go-v2/service/s3 v1.26.9 h1:LCQKnopq2t4oQS3VKivlYTzAHCTJZZoQICM9fny7KHY= github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.4/go.mod h1:PJc8s+lxyU8rrre0/4a0pn2wgwiDvOEzoOjcJUBr67o= github.com/aws/aws-sdk-go-v2/service/sns v1.17.4/go.mod h1:kElt+uCcXxcqFyc+bQqZPFD9DME/eC6oHBXvFzQ9Bcw= github.com/aws/aws-sdk-go-v2/service/sqs v1.18.3/go.mod h1:skmQo0UPvsjsuYYSYMVmrPc1HWCbHUJyrCEp+ZaLzqM= github.com/aws/aws-sdk-go-v2/service/ssm v1.24.1/go.mod h1:NR/xoKjdbRJ+qx0pMR4mI+N/H1I1ynHwXnO6FowXJc0= -github.com/aws/aws-sdk-go-v2/service/sso v1.11.3 h1:frW4ikGcxfAEDfmQqWgMLp+F1n4nRo9sF39OcIb5BkQ= github.com/aws/aws-sdk-go-v2/service/sso v1.11.3/go.mod h1:7UQ/e69kU7LDPtY40OyoHYgRmgfGM4mgsLYtcObdveU= -github.com/aws/aws-sdk-go-v2/service/sts v1.16.3 h1:cJGRyzCSVwZC7zZZ1xbx9m32UnrKydRYhOvcD1NYP9Q= +github.com/aws/aws-sdk-go-v2/service/sso v1.11.4 h1:Uw5wBybFQ1UeA9ts0Y07gbv0ncZnIAyw858tDW0NP2o= github.com/aws/aws-sdk-go-v2/service/sts v1.16.3/go.mod h1:bfBj0iVmsUyUg4weDB4NxktD9rDGeKSVWnjTnwbx9b8= +github.com/aws/aws-sdk-go-v2/service/sts v1.16.4 h1:+xtV90n3abQmgzk1pS++FdxZTrPEDgQng6e4/56WR2A= github.com/aws/smithy-go v1.11.2 h1:eG/N+CcUMAvsdffgMvjMKwfyDzIkjM6pfxMJ8Mzc6mE= github.com/aws/smithy-go 
v1.11.2/go.mod h1:3xHYmszWVx2c0kIwQeEVf9uSm4fYZt67FBJnwub1bgM= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= @@ -277,8 +278,8 @@ github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:z github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be h1:J5BL2kskAlV9ckgEsNQXscjIaLiOYiZ75d4e94E6dcQ= github.com/common-nighthawk/go-figure v0.0.0-20210622060536-734e95fb86be/go.mod h1:mk5IQ+Y0ZeO87b858TlA645sVcEcbiX6YqP98kt+7+w= github.com/containerd/containerd v1.3.0/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= -github.com/containerd/stargz-snapshotter/estargz v0.12.1 h1:+7nYmHJb0tEkcRaAW+MHqoKaJYZmkikupxCqVtmPuY0= -github.com/containerd/stargz-snapshotter/estargz v0.12.1/go.mod h1:12VUuCq3qPq4y8yUW+l5w3+oXV3cx2Po3KSe/SmPGqw= +github.com/containerd/stargz-snapshotter/estargz v0.13.0 h1:fD7AwuVV+B40p0d9qVkH/Au1qhp8hn/HWJHIYjpEcfw= +github.com/containerd/stargz-snapshotter/estargz v0.13.0/go.mod h1:m+9VaGJGlhCnrcEUod8mYumTmRgblwd3rC5UCEh2Yp0= github.com/containerd/typeurl v1.0.2 h1:Chlt8zIieDbzQFzXzAeBEF92KhExuE4p9p92/QmY7aY= github.com/containerd/typeurl v1.0.2/go.mod h1:9trJWW2sRlGub4wZJRTW83VtbOLS6hwcDZXTn6oPz9s= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= 
@@ -312,14 +313,14 @@ github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/ github.com/dnaeon/go-vcr v1.0.1/go.mod h1:aBB1+wY4s93YsC3HHjMBMrwTj2R9FHDzUr9KyGc8n1E= github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ= github.com/docker/cli v0.0.0-20191017083524-a8ff7f821017/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= -github.com/docker/cli v20.10.20+incompatible h1:lWQbHSHUFs7KraSN2jOJK7zbMS2jNCHI4mt4xUFUVQ4= -github.com/docker/cli v20.10.20+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= +github.com/docker/cli v23.0.0-rc.1+incompatible h1:Vl3pcUK4/LFAD56Ys3BrqgAtuwpWd/IO3amuSL0ZbP0= +github.com/docker/cli v23.0.0-rc.1+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.8.0+incompatible h1:l9EaZDICImO1ngI+uTifW+ZYvvz7fKISBAKpg+MbWbY= github.com/docker/distribution v2.8.0+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= github.com/docker/docker v0.7.3-0.20190327010347-be7ac8be2ae0/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v20.10.20+incompatible h1:kH9tx6XO+359d+iAkumyKDc5Q1kOwPuAUaeri48nD6E= -github.com/docker/docker v20.10.20+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v23.0.0-rc.1+incompatible h1:Dmn88McWuHc7BSNN1s6RtfhMmt6ZPQAYUEf7FhqpiQI= +github.com/docker/docker v23.0.0-rc.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= 
@@ -420,8 +421,9 @@ github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q= github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I= github.com/golang-jwt/jwt/v4 v4.0.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg= -github.com/golang-jwt/jwt/v4 v4.4.1 h1:pC5DB52sCeK48Wlb9oPcdhnjkz1TKt1D/P7WKJ0kUcQ= github.com/golang-jwt/jwt/v4 v4.4.1/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= +github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs= +github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0= github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0= github.com/golang-sql/sqlexp v0.0.0-20170517235910-f1bb20e5a188/go.mod h1:vXjM/+wXQnTPR4KqTKDgJukSZ6amVRtWMPEjE6sQoK8= github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b h1:VKtxabqXZkF25pY9ekfRL6a582T4P37/31XEstQ5p58= 
@@ -589,8 +591,9 @@ github.com/hashicorp/go-uuid v1.0.1/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/b github.com/hashicorp/go.net v0.0.1/go.mod h1:hjKkEWcCURg++eb33jQU7oqQcI9XDCnUzHA0oac0k90= github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= -github.com/hashicorp/golang-lru v0.5.3 h1:YPkqC67at8FYaadspW/6uE0COsBxS2656RLEr8Bppgk= github.com/hashicorp/golang-lru v0.5.3/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= +github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO+LraFDTW64= github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0mNTz8vQ= 
@@ -681,8 +684,8 @@ github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck= github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= github.com/klauspost/compress v1.15.1/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47etQ6QUkpK6sk= -github.com/klauspost/compress v1.15.11 h1:Lcadnb3RKGin4FYM/orgq0qde+nc15E5Cbqg4B9Sx9c= -github.com/klauspost/compress v1.15.11/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= +github.com/klauspost/compress v1.15.12 h1:YClS/PImqYbn+UILDnqxQCZ3RehC9N318SU3kElDUEM= +github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM= github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= github.com/konsorten/go-windows-terminal-sequences v1.0.3/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ= 
@@ -747,8 +750,8 @@ github.com/mitchellh/mapstructure v0.0.0-20160808181253-ca63d7c062ee/go.mod h1:F github.com/mitchellh/mapstructure v1.1.2/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y= github.com/mitchellh/mapstructure v1.3.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/mitchellh/mapstructure v1.4.3/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= -github.com/moby/buildkit v0.10.3 h1:/dGykD8FW+H4p++q5+KqKEo6gAkYKyBQHdawdjVwVAU= -github.com/moby/buildkit v0.10.3/go.mod h1:jxeOuly98l9gWHai0Ojrbnczrk/rf+o9/JqNhY+UCSo= +github.com/moby/buildkit v0.11.4 h1:mleVHr+n7HUD65QNUkgkT3d8muTzhYUoHE9FM3Ej05s= +github.com/moby/buildkit v0.11.4/go.mod h1:P5Qi041LvCfhkfYBHry+Rwoo3Wi6H971J2ggE+PcIoo= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg= github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -792,8 +795,8 @@ github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/image-spec v1.0.2 h1:9yCKha/T5XdGtO0q9Q9a6T5NUCsTn/DrBg0D7ufOcFM= github.com/opencontainers/image-spec v1.0.2/go.mod h1:BtxoFyWECRxE4U/7sNtV5W15zMzWCbyJoFRP3s7yZA0= -github.com/package-url/packageurl-go v0.1.0 h1:efWBc98O/dBZRg1pw2xiDzovnlMjCa9NPnfaiBduh8I= -github.com/package-url/packageurl-go v0.1.0/go.mod h1:C/ApiuWpmbpni4DIOECf6WCjFUZV7O1Fx7VAzrZHgBw= +github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170 h1:DiLBVp4DAcZlBVBEtJpNWZpZVq0AEeCY7Hqk8URVs4o= +github.com/package-url/packageurl-go v0.1.1-0.20220428063043-89078438f170/go.mod h1:uQd4a7Rh3ZsVg5j0lNyAfyxIeGde9yrlhjF78GzeW0c= github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc= github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= From b5254fea7c6edef0674c7ea25fdc0f627438aa0b Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 9 Mar 2023 09:11:18 -0600 Subject: [PATCH 18/19] :seedling: Bump tj-actions/changed-files from 35.6.1 to 35.6.2 (#2736) Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 35.6.1 to 35.6.2. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/04124efe7560d15e11ea2ba96c0df2989f68f1f4...5ce975c6021a0b11062c547acb6c26c96a34a8c5) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-patch ... 
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index ff117596587..651673b1dbf 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -41,7 +41,7 @@ jobs: fetch-depth: 2 - id: files name: Get changed files - uses: tj-actions/changed-files@04124efe7560d15e11ea2ba96c0df2989f68f1f4 #v35.6.1 + uses: tj-actions/changed-files@5ce975c6021a0b11062c547acb6c26c96a34a8c5 #v35.6.2 with: files_ignore: '**.md' - id: docs_only_check From a7e81bbcf3bfb978d8916f48469ef813492cfef3 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 10 Mar 2023 08:20:28 -0600 Subject: [PATCH 19/19] :seedling: Bump actions/cache from 3.2.6 to 3.3.0 (#2738) Bumps [actions/cache](https://github.com/actions/cache) from 3.2.6 to 3.3.0. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/69d9d449aced6a2ede0bc19182fadc3a0a42d2b0...940f3d7cf195ba83374c77632d1e2cbb2f24ae68) --- updated-dependencies: - dependency-name: actions/cache dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/docker.yml | 14 +++++++------- .github/workflows/main.yml | 32 ++++++++++++++++---------------- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 651673b1dbf..d0f2ac388b3 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
@@ -70,7 +70,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0 with: # In order: # * Module download cache @@ -118,7 +118,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0 with: # In order: # * Module download cache @@ -166,7 +166,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0 with: # In order: # * Module download cache @@ -214,7 +214,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0 with: # In order: # * Module download cache @@ -262,7 +262,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0 with: # In order: # * Module download cache 
@@ -310,7 +310,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0 with: # In order: # * Module download cache @@ -358,7 +358,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0 with: # In order: # * Module download cache diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 12dab7b3af9..f712e059acc 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -43,7 +43,7 @@ jobs: - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 #v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 #v3.3.0 with: path: | ~/go/pkg/mod @@ -88,7 +88,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -136,7 +136,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod 
@@ -219,7 +219,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -267,7 +267,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -315,7 +315,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -363,7 +363,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -411,7 +411,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod 
@@ -459,7 +459,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -507,7 +507,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -555,7 +555,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -603,7 +603,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -651,7 +651,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod 
@@ -699,7 +699,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -771,7 +771,7 @@ jobs: - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod @@ -818,7 +818,7 @@ jobs: repo-token: ${{ secrets.GITHUB_TOKEN }} - name: Cache builds # https://github.com/mvdan/github-actions-golang#how-do-i-set-up-caching-between-builds - uses: actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0 # v3.2.6 + uses: actions/cache@940f3d7cf195ba83374c77632d1e2cbb2f24ae68 # v3.3.0 with: path: | ~/go/pkg/mod