chore(deps): update workflows (#3178)

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | patch | `v4.6.0` -> `v4.6.1` | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v3.28.9` -> `v3.28.10` | | [ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action) | action | patch | `v2.4.0` -> `v2.4.1` | --- ### Release Notes <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.6.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.6.1) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v4.6.0...v4.6.1) #### What's Changed - Update to use artifact 2.2.2 package by [@yacaovsnc](https://redirect.github.com/yacaovsnc) in [https://github.com/actions/upload-artifact/pull/673](https://redirect.github.com/actions/upload-artifact/pull/673) **Full Changelog**: actions/upload-artifact@v4...v4.6.1 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.28.10`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.10) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3.28.9...v3.28.10) ##### CodeQL Action Changelog See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs. ##### 3.28.10 - 21 Feb 2025 - Update default CodeQL bundle version to 2.20.5. [#2772](https://redirect.github.com/github/codeql-action/pull/2772) - Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. [#2768](https://redirect.github.com/github/codeql-action/pull/2768) See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.10/CHANGELOG.md) for more information. </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.1`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.1) [Compare Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.4.0...v2.4.1) #### What's Changed - This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the [v5.1.0](https://redirect.github.com/ossf/scorecard/releases/tag/v5.1.0) and [v5.1.1](https://redirect.github.com/ossf/scorecard/releases/tag/v5.1.1) release notes. - Publishing results now uses half the API quota as before. The exact savings depends on the repository in question. - use Scorecard library entrypoint instead of Cobra hooking by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1423](https://redirect.github.com/ossf/scorecard-action/pull/1423) - Some errors were made into annotations to make them more visible - Make default branch error more prominent by [@jsoref](https://redirect.github.com/jsoref) in [https://github.com/ossf/scorecard-action/pull/1459](https://redirect.github.com/ossf/scorecard-action/pull/1459) - There is now an optional `file_mode` input which controls how repository files are fetched from GitHub. The default is `archive`, but `git` produces the most accurate results for repositories with `.gitattributes` files at the cost of analysis speed. - add input for specifying `--file-mode` by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1509](https://redirect.github.com/ossf/scorecard-action/pull/1509) - The underlying container for the action is now [hosted on GitHub Container Registry](https://redirect.github.com/ossf/scorecard-action/pkgs/container/scorecard-action). There should be no functional changes. - 🌱 publish docker images to GitHub Container Registry by [@spencerschrock](https://redirect.github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1453](https://redirect.github.com/ossf/scorecard-action/pull/1453) ##### Docs - Installation docs update by [@JeremiahAHoward](https://redirect.github.com/JeremiahAHoward) in [https://github.com/ossf/scorecard-action/pull/1416](https://redirect.github.com/ossf/scorecard-action/pull/1416) #### New Contributors - [@JeremiahAHoward](https://redirect.github.com/JeremiahAHoward) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1416](https://redirect.github.com/ossf/scorecard-action/pull/1416) - [@jsoref](https://redirect.github.com/jsoref) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1459](https://redirect.github.com/ossf/scorecard-action/pull/1459) **Full Changelog**: ossf/scorecard-action@v2.4.0...v2.4.1 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv.dev).
google · Feb 26, 2025 · a51c180 · a51c180
1 parent 640d468
commit a51c180
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -43,7 +43,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+      uses: github/codeql-action/init@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -54,7 +54,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+      uses: github/codeql-action/autobuild@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
+      uses: github/codeql-action/analyze@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3.28.10
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -27,7 +27,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
+        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
         with:
           results_file: results.sarif
           results_format: sarif
@@ -42,7 +42,7 @@ jobs:
 
       # Upload the results as artifacts (optional).
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: SARIF file
           path: results.sarif