chore: bump the all group across 1 directory with 14 updates

[dependabot]

Bumps the all group with 14 updates in the / directory:

Package	From	To
step-security/harden-runner	2.7.0	2.7.1
actions/checkout	4.1.2	4.1.5
actions/dependency-review-action	4.1.3	4.3.2
actions/cache	4.0.1	4.0.2
peaceiris/actions-gh-pages	3.9.3	4.0.0
actions/setup-go	5.0.0	5.0.1
docker/setup-buildx-action	3.2.0	3.3.0
actions/upload-artifact	4.3.1	4.3.3
actions/download-artifact	4.1.4	4.1.7
peter-evans/create-pull-request	6.0.2	6.0.5
aquasecurity/trivy-action	0.18.0	0.20.0
ossf/scorecard-action	2.3.1	2.3.3
golangci/golangci-lint-action	4.0.0	6.0.1
codecov/codecov-action	4.1.0	4.3.1

Updates step-security/harden-runner from 2.7.0 to 2.7.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.7.1

What's Changed

Release v2.7.1 by @​varunsh-coder, @​h0x0er, @​ashishkurmi in step-security/harden-runner#397 This release:

• Improves the capability to inspect outbound HTTPS traffic on GitHub-hosted and self-hosted VM runners
• Updates README to add link to case study video on how Harden-Runner detected a supply chain attack on a Google open-source project
• Addresses minor bugs

Full Changelog: step-security/harden-runner@v2.7.0...v2.7.1

Commits

• a4aa98b Release v2.7.1 (#397)
• 6c3b1c9 Merge pull request #379 from step-security/dependabot/github_actions/step-sec...
• 3498091 Bump step-security/harden-runner from 2.6.1 to 2.7.0
• 63a88e2 Merge pull request #378 from step-security/update-readme3
• 07e5965 Update README
• See full diff in compare view

Updates actions/checkout from 4.1.2 to 4.1.5

Release notes

Sourced from actions/checkout's releases.

v4.1.5

What's Changed

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

Full Changelog: actions/checkout@v4.1.4...v4.1.5

v4.1.4

What's Changed

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693

Full Changelog: actions/checkout@v4.1.3...v4.1.4

v4.1.3

What's Changed

• Update actions/checkout version in update-main-version.yml by @​jww3 in actions/checkout#1650
• Check git version before attempting to disable sparse-checkout by @​jww3 in actions/checkout#1656
• Add SSH user parameter by @​cory-miller in actions/checkout#1685

Full Changelog: actions/checkout@v4.1.2...v4.1.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

• Check git version before attempting to disable sparse-checkout by @​jww3 in actions/checkout#1656
• Add SSH user parameter by @​cory-miller in actions/checkout#1685
• Update actions/checkout version in update-main-version.yml by @​jww3 in actions/checkout#1650

v4.1.2

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in actions/checkout#1598

v4.1.1

• Correct link to GitHub Docs by @​peterbe in actions/checkout#1511
• Link to release page from what's new section by @​cory-miller in actions/checkout#1514

v4.1.0

• Add support for partial checkout filters

v4.0.0

• Support fetching without the --progress option
• Update to node20

v3.6.0

• Fix: Mark test scripts with Bash'isms to be run via Bash
• Add option to fetch tags even if fetch-depth > 0

v3.5.3

• Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in
• Fix typos found by codespell
• Add support for sparse checkouts

v3.5.2

• Fix api endpoint for GHES

v3.5.1

• Fix slow checkout on Windows

v3.5.0

• Add new public key for known_hosts

v3.4.0

• Upgrade codeql actions to v2
• Upgrade dependencies
• Upgrade @​actions/io

... (truncated)

Commits

• 44c2b7a README: Suggest user.email to be `41898282+github-actions[bot]@​users.norepl...
• 8459bc0 Bump actions/upload-artifact from 2 to 4 (#1695)
• 3f603f6 Bump actions/setup-node from 1 to 4 (#1696)
• fd084cd Bump github/codeql-action from 2 to 3 (#1694)
• 9c1e94e Update NPM dependencies (#1703)
• 0ad4b8f Prep Release v4.1.4 (#1704)
• 43045ae Disable extensions.worktreeConfig when disabling sparse-checkout (#1692)
• 37b0821 Bump the minor-actions-dependencies group with 2 updates (#1693)
• 9839dc1 Add dependabot config (#1688)
• 9b4c13b Bump word-wrap from 1.2.3 to 1.2.5 (#1643)
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.1.3 to 4.3.2

Release notes

Sourced from actions/dependency-review-action's releases.

v4.3.2

What's Changed

• Fix package-url parsing for allow-dependencies-licenses by @​juxtin in actions/dependency-review-action#761

Full Changelog: actions/dependency-review-action@v4.3.1...v4.3.2

v4.3.1

What's Changed

This release fixes some bugs related to package-url parsing that were introduced in 4.3.0. See actions/dependency-review-action#753.

Full Changelog: actions/dependency-review-action@V4.3.0...v4.3.1

v4.3.0

New Features

• The deny-packages option can now be used without a version number to exclude all versions of a package.

What's Changed

• Fix action variable name for scorecard by @​lukehinds in actions/dependency-review-action#735
• Fix extra https:// in summary by @​jhutchings1 in actions/dependency-review-action#748
• Bump typescript from 5.3.3 to 5.4.5 by @​dependabot in actions/dependency-review-action#744
• Bump eslint-plugin-github from 4.10.1 to 4.10.2 by @​dependabot in actions/dependency-review-action#737
• Show denied packages with red X by @​juxtin in actions/dependency-review-action#750
• deny-packages configuration option can deny specified version or all packages by @​febuiles and @​bteng22 in actions/dependency-review-action#733

New Contributors

• @​bteng22 made their first contribution in actions/dependency-review-action#733
• @​lukehinds made their first contribution in actions/dependency-review-action#735

Full Changelog: actions/dependency-review-action@v4.2.5...V4.3.0

4.2.5

What's Changed

• Fixed a bug where some configuration options in external files were not being properly picked up -- actions/dependency-review-action#722
• Bump eslint from 8.56.0 to 8.57.0

Full Changelog: actions/dependency-review-action@v4.2.4...v4.2.5

v4.2.4

What's Changed

Fixed a bug in the output of OpenSSF cards for GitHub Actions.

New Contributors

• @​sporkmonger made their first contribution in actions/dependency-review-action#721

Full Changelog: actions/dependency-review-action@v4.2.3...v4.2.4

4.2.3

... (truncated)

Commits

• 0c155c5 Merge pull request #762 from actions/juxtin/prepare-4.3.2
• f3dac32 Merge pull request #761 from actions/juxtin/fix-allow-dependencies-licenses
• d0d5cc3 Update version number to 4.3.2
• 49fbbe0 Fix package-url parsing for allow-dependencies-licenses
• e58c696 Merge pull request #758 from actions/juxtin/prepare-4.3.1
• 9b7c72d Change version to 4.3.1
• 7dcfabf Merge pull request #753 from actions/juxtin/debug-purl
• 5f0808f Validate that deny-packages purls are complete
• fcc66c2 Refine purl parsing and tests
• 1dd418b Basic tests for PURL validation in config
• Additional commits viewable in compare view

Updates actions/cache from 4.0.1 to 4.0.2

Release notes

Sourced from actions/cache's releases.

v4.0.2

What's Changed

• Fix fail-on-cache-miss not working by @​cdce8p in actions/cache#1327

Full Changelog: actions/cache@v4.0.1...v4.0.2

Changelog

Sourced from actions/cache's changelog.

Releases

4.0.2

• Fixed restore fail-on-cache-miss not working.

4.0.1

• Updated isGhes check

4.0.0

• Updated minimum runner version support from node 12 -> node 20

3.3.3

• Updates @​actions/cache to v3.2.3 to fix accidental mutated path arguments to getCacheVersion actions/toolkit#1378
• Additional audit fixes of npm package(s)

3.3.2

• Fixes bug with Azure SDK causing blob downloads to get stuck.

3.3.1

• Reduced segment size to 128MB and segment timeout to 10 minutes to fail fast in case the cache download is stuck.

3.3.0

• Added option to lookup cache without downloading it.

3.2.6

• Fix zstd not being used after zstd version upgrade to 1.5.4 on hosted runners.

3.2.5

• Added fix to prevent from setting MYSYS environment variable globally.

3.2.4

• Added option to fail job on cache miss.

3.2.3

• Support cross os caching on Windows as an opt-in feature.
• Fix issue with symlink restoration on Windows for cross-os caches.

3.2.2

... (truncated)

Commits

• 0c45773 Merge pull request #1327 from cdce8p/fix-fail-on-cache-miss
• 8a55f83 Add test case for process exit
• 3884cac Bump version
• e29dad3 Fix fail-on-cache-miss not working
• See full diff in compare view

Updates peaceiris/actions-gh-pages from 3.9.3 to 4.0.0

Release notes

Sourced from peaceiris/actions-gh-pages's releases.

actions-github-pages v4.0.0

See CHANGELOG.md for more details.

Changelog

Sourced from peaceiris/actions-gh-pages's changelog.

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

4.0.0 (2024-04-08)

build

• node 20.11.1 (5049354)

chore

• bump node16 to node20 (#1067) (4eb285e), closes #1067
• downgrade engines.npm to 8.0.0 (87231bc)

ci

• pin node-version to 18 (#981) (65ebf11), closes #981

docs

• add Release Strategy (67f80d9)
• fix link to Nuxt github-pages (#980) (88b4d2a), closes #980
• remove braces in if conditions (#920) (0fbd122), closes #920

3.9.3 (2023-03-30)

docs

• fix typo, bump hugo version (#851) (884a022), closes #851

fix

• fix error handling (#841) (32e33dc), closes #841
• update known_hosts (#871) (31c15f0), closes #871

3.9.2 (2023-01-17)

chore

• rename cicd (32c9288)
• replace npm ci with install (9839780)

... (truncated)

Commits

• 4f9cc66 chore(release): 4.0.0
• 9c75028 chore(release): Add build assets
• 5049354 build: node 20.11.1
• 4eb285e chore: bump node16 to node20 (#1067)
• cdc09a3 chore(deps): update dependency @​types/node to v16.18.77 (#1065)
• d830378 chore(deps): update dependency @​types/node to v16.18.76 (#1063)
• 80daa1d chore(deps): update dependency @​types/node to v16.18.75 (#1061)
• 108285e chore(deps): update dependency ts-jest to v29.1.2 (#1060)
• 99c95ff chore(deps): update dependency @​types/node to v16.18.74 (#1058)
• 1f46537 chore(deps): update dependency @​types/node to v16.18.73 (#1057)
• Additional commits viewable in compare view

Updates actions/setup-go from 5.0.0 to 5.0.1

Release notes

Sourced from actions/setup-go's releases.

v5.0.1

What's Changed

• Bump undici from 5.28.2 to 5.28.3 and dependencies upgrade by @​dependabot , @​HarithaVattikuti in actions/setup-go#465
• Update documentation with latest V5 release notes by @​ab in actions/setup-go#459
• Update version documentation by @​178inaba in actions/setup-go#458
• Documentation update of actions/setup-go to v5 by @​chenrui333 in actions/setup-go#449

New Contributors

• @​ab made their first contribution in actions/setup-go#459

Full Changelog: actions/setup-go@v5.0.0...v5.0.1

Commits

• cdcb360 Remove the description of the old go.mod specification (#458)
• 99176a8 Update README.md with V5 release notes (#459)
• be1aa11 Bump undici from 5.28.2 to 5.28.3 (#465)
• 6c1fd22 docs: bump actions/setup-go to v5 (#449)
• See full diff in compare view

Updates docker/setup-buildx-action from 3.2.0 to 3.3.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v3.3.0

• Bump @​docker/actions-toolkit from 0.19.0 to 0.20.0 by @​crazy-max in docker/setup-buildx-action#307

Full Changelog: docker/setup-buildx-action@v3.2.0...v3.3.0

Commits

• d70bba7 Merge pull request #307 from crazy-max/bump-toolkit
• 7638634 chore: update generated content
• c68420f bump @​docker/actions-toolkit from 0.19.0 to 0.20.0
• See full diff in compare view

Updates actions/upload-artifact from 4.3.1 to 4.3.3

Release notes

Sourced from actions/upload-artifact's releases.

v4.3.3

What's Changed

• updating @actions/artifact dependency to v2.1.6 by @​eggyhead in actions/upload-artifact#565

Full Changelog: actions/upload-artifact@v4.3.2...v4.3.3

v4.3.2

What's Changed

• Update release-new-action-version.yml by @​konradpabjan in actions/upload-artifact#516
• Minor fix to the migration readme by @​andrewakim in actions/upload-artifact#523
• Update readme with v3/v2/v1 deprecation notice by @​robherley in actions/upload-artifact#561
• updating @actions/artifact dependency to v2.1.5 and @actions/core to v1.0.1 by @​eggyhead in actions/upload-artifact#562

New Contributors

• @​andrewakim made their first contribution in actions/upload-artifact#523

Full Changelog: actions/upload-artifact@v4.3.1...v4.3.2

Commits

• 6546280 updating package version
• c004fb4 Merge branch 'main' into eggyhead/use-artifact-v2.1.6
• 90aba49 updating toolkit artifact dependency to 2.1.6
• b06cde3 Merge pull request #563 from actions/eggyhead/release-4.3.2
• 1746f4a Revert "updating to release 4.3.2"
• 31685d0 updating to release 4.3.2
• 18bf333 Merge pull request #562 from actions/eggyhead/update-artifact-v215
• dac413b update package lock version
• bb3b4a3 updating package version
• 3e3da83 updating artifact and core dependencies
• Additional commits viewable in compare view

Updates actions/download-artifact from 4.1.4 to 4.1.7

Release notes

Sourced from actions/download-artifact's releases.

v4.1.7

What's Changed

• Update @​actions/artifact dependency by @​bethanyj28 in actions/download-artifact#325

Full Changelog: actions/download-artifact@v4.1.6...v4.1.7

v4.1.6

What's Changed

• updating @actions/artifact dependency to v2.1.6 by @​eggyhead in actions/download-artifact#324

Full Changelog: actions/download-artifact@v4.1.5...v4.1.6

v4.1.5

What's Changed

• Update readme with v3/v2/v1 deprecation notice by @​robherley in actions/download-artifact#322
• Update dependencies @actions/core to v1.10.1 and @actions/artifact to v2.1.5

Full Changelog: actions/download-artifact@v4.1.4...v4.1.5

Commits

• 65a9edc Merge pull request #325 from bethanyj28/main
• fdd1595 licensed
• c13dba1 update @​actions/artifact dependency
• 0daa75e Merge pull request #324 from actions/eggyhead/use-artifact-v2.1.6
• 9c19ed7 Merge branch 'main' into eggyhead/use-artifact-v2.1.6
• 3d3ea87 updating license
• 89af5db updating artifact package v2.1.6
• b4aefff Merge pull request #323 from actions/eggyhead/update-artifact-v215
• 8caf195 package lock update
• d7a2ec4 updating package version
• Additional commits viewable in compare view

Updates peter-evans/create-pull-request from 6.0.2 to 6.0.5

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v6.0.5

⚙️ Fixes an issue with proxy support for users that run self-hosted behind a proxy.

What's Changed

• fix: update proxy support to follow octokit change to fetch api by @​peter-evans in peter-evans/create-pull-request#2867

Full Changelog: peter-evans/create-pull-request@v6.0.4...v6.0.5

Create Pull Request v6.0.4

⚡ Improves performance in some cases for very large git repositories.

What's Changed

• perf: limit the fetch depth of pr branch by @​peter-evans in peter-evans/create-pull-request#2857

Full Changelog: peter-evans/create-pull-request@v6.0.3...v6.0.4

Create Pull Request v6.0.3

⚡ Improves performance of the push-to-fork feature.

What's Changed

• build(deps-dev): bump @​types/node from 18.19.23 to 18.19.25 by @​dependabot in peter-evans/create-pull-request#2826
• build(deps-dev): bump @​types/node from 18.19.25 to 18.19.26 by @​dependabot in peter-evans/create-pull-request#2831
• build(deps-dev): bump @​types/node from 18.19.26 to 18.19.28 by @​dependabot in peter-evans/create-pull-request#2836
• build(deps-dev): bump @​types/node from 18.19.28 to 18.19.31 by @​dependabot in peter-evans/create-pull-request#2842
• fix: drop unnecessary fetch with unshallow on push-to-fork by @​peter-evans in peter-evans/create-pull-request#2849

Full Changelog: peter-evans/create-pull-request@v6.0.2...v6.0.3

Commits

• 6d6857d fix: update proxy support to follow octokit change to fetch api (#2867)
• 9153d83 perf: limit the fetch depth of pr branch (#2857)
• c55203c fix: drop unnecessary fetch with unshallow on push-to-fork (#2849)
• 6ce4eca build(deps-dev): bump @​types/node from 18.19.28 to 18.19.31 (#2842)
• 36ef0ed build(deps-dev): bump @​types/node from 18.19.26 to 18.19.28 (#2836)
• 8500972 build(deps-dev): bump @​types/node from 18.19.25 to 18.19.26 (#2831)
• bda5ade build(deps-dev): bump @​types/node from 18.19.23 to 18.19.25 (#2826)
• See full diff in compare view

Updates aquasecurity/trivy-action from 0.18.0 to 0.20.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.20.0

What's Changed

• Make 'hide-progress' input working again by @​uridium in aquasecurity/trivy-action#323
• feat(image): add --docker-host option for GH Action users by @​calinmarina in aquasecurity/trivy-action#267
• Browse Trivy reports without GitHub Advanced Security license by @​uridium in aquasecurity/trivy-action#328
• Fix docker host bug by @​admiralAwkbar in aquasecurity/trivy-action#329
• Bump trivy version to v0.50.2 by @​pdefreitas in aquasecurity/trivy-action#341
• update tests by @​nikpivkin in aquasecurity/trivy-action#334
• bump trivy version to v0.51.1 by @​simar7 in aquasecurity/trivy-action#353

New Contributors

• @​uridium made their first contribution in aquasecurity/trivy-action#323
• @​calinmarina made their first contribution in aquasecurity/trivy-action#267
• @​admiralAwkbar made their first contribution in aquasecurity/trivy-action#329
• @​pdefreitas made their first contribution in aquasecurity/trivy-action#341

Full Changelog: aquasecurity/trivy-action@0.19.0...0.20.0

v0.19.0

What's Changed

• bump trivy version to v0.50.1 by @​simar7 in aquasecurity/trivy-action#324

Full Changelog: aquasecurity/trivy-action@0.18.0...0.19.0

Commits

• b2933f5 bump trivy version to v0.51.1 (#353)
• b2cd5ff Update bump-trivy.yaml
• 6f8c237 update tests (#334)
• 7088d18 Revert "fix: 🐛 allow trivy-config and other options to be used together (#338)"
• ee6a4f5 fix: 🐛 allow trivy-config and other options to be used together (#338)
• b5f4977 Bump trivy version to v0.50.2 (#341)
• 207cd40 Fix docker host bug (#329)
• 840deb4 Browse scan reports without GitHub Advanced Security license (#328)
• 0f287db feat(image): add --docker-host option for GH Action users (#267)
• f72b7e8 Make 'hide-progress' input working again (#323)
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.3.1 to 2.3.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.3.3

[!NOTE]
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by @​spencerschrock in ossf/scorecard-action#1366
• 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by @​spencerschrock in ossf/scorecard-action#1374
• 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by @​spencerschrock in ossf/scorecard-action#1377

For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.

Documentation

• 📖 Move token discussion out of main README. by @​spencerschrock in ossf/scorecard-action#1279
• 📖 link to ossf/scorecard workflow instead of maintaining an example by @​spencerschrock in ossf/scorecard-action#1352
• 📖 update api links to new scorecard.dev site by @​spencerschrock in ossf/scorecard-action#1376

Full Changelog: ossf/scorecard-action@v2.3.1...v2.3.3

Commits

• dc50aa9 🌱 Bump docker tag for v2.3.3 release (#1368)
• 8ff5700 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0....
• 8ba5e73 update api links to new scorecard.dev site (#1376)
• 92ddde3 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 (#1374)
• 6c55905 🌱 Bump golang.org/x/net from 0.24.0 to 0.25.0 (#1373)
• 09bb953 🌱 Bump distroless/base in the docker-images group (#1372)
• 1511e13 🌱 Bump the github-actions group across 1 directory with 6 updates (#...
• df66cd8 🌱 Bump the docker-images group with 2 updates (#1370)
• fad9a3c 🌱 Bump distroless/base in the docker-images group (#1364)
• 1e01a30 🌱 Bump the github-actions group with 3 updates (#1365)
• Additional commits viewable in compare view

Updates golangci/golangci-lint-action from 4.0.0 to 6.0.1

Release notes

Sourced from golangci/golangci-lint-action's releases.

v6.0.1

What's Changed

Changes

• fix: use 3-dots syntax for diff on push by @​ldez in golangci/golangci-lint-action#1040

Full Changelog: golangci/golangci-lint-action@v6.0.0...v6.0.1

v6.0.0

What's Changed

This version removes annotations option (because it was useless), and removes the default output format (github-actions). The annotations are still produced but with another approach.

Changes

• feat: rewrite format handling by @​ldez in golangci/golangci-lint-action#1038

Dependencies

• build(deps-dev): bump @​typescript-eslint/eslint-plugin from 7.7.1 to 7.8.0 by @​dependabot in golangci/golangci-lint-action#1034
• build(deps): bump @​types/node from 20.12.7 to 20.12.8 by @​dependabot in golangci/golangci-lint-action#1036
• build(d...

  Description has been truncated

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.