
Update ossf/scorecard-action action to v2.3.3 #83

Merged: 1 commit, May 29, 2024

Conversation

renovate[bot] (Contributor) commented May 29, 2024


This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| ossf/scorecard-action | action | patch | v2.3.1 -> v2.3.3 |

Release Notes

ossf/scorecard-action (ossf/scorecard-action)

v2.3.3


[!NOTE]
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

What's Changed

For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.

Documentation

Full Changelog: ossf/scorecard-action@v2.3.1...v2.3.3

v2.3.2



Configuration

📅 Schedule: Branch creation - "* 0-4 * * 3" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


[puLL-Merge] - ossf/scorecard-action@v2.3.3

Here is my review of the pull request:

Description

This PR updates several dependencies to their latest versions, including upgrading the ossf/scorecard dependency from v4 to v5. It also updates the Docker base image to a newer version of Go.

Changes

.github/workflows/codeql-analysis.yml:

  • Updates actions/checkout, github/codeql-action, and github/codeql-action/autobuild to newer versions

.github/workflows/dependency-review.yml:

  • Updates step-security/harden-runner, actions/checkout, and actions/dependency-review-action to newer versions

.github/workflows/docker-image.yml:

  • Updates actions/checkout to a newer version

.github/workflows/golangci.yml:

  • Updates actions/checkout, actions/setup-go, and golangci/golangci-lint-action to newer versions
  • Adds version: v1.55.2 to golangci-lint-action

.github/workflows/scorecards.yml:

  • Updates actions/checkout, actions/upload-artifact, and github/codeql-action/upload-sarif to newer versions

.github/workflows/tests.yaml:

  • Updates actions/checkout, actions/setup-go, and codecov/codecov-action to newer versions

.golangci.yml:

  • Changes deadline field to timeout

Dockerfile:

  • Updates Go base image from 1.21.3 to 1.22.2
  • Updates gcr.io/distroless/base base image to a newer version

Makefile:

  • Updates LDFLAGS to reference a newer version of sigs.k8s.io/release-utils

README.md:

  • Removes section on "Classic" PAT requirements and risks
  • Updates links to point to scorecard.dev instead of securityscorecards.dev
  • Adds link to workflow example in ossf/scorecard repo
  • Other minor updates and cleanups

action.yaml:

  • Updates scorecard-action container image tag to v2.3.3

docs/:

  • Adds new docs on authentication with fine-grained PAT

entrypoint/entrypoint.go:

  • Updates import paths for ossf/scorecard packages to v5

github/github.go:

  • Updates import paths for ossf/scorecard packages to v5

go.mod, go.sum:

  • Updates dependencies, notably upgrading ossf/scorecard from v4.13.1 to v5.0.0-rc2 and updating other dependencies

options/:

  • Updates import paths for ossf/scorecard packages to v5

Security Hotspots

No major security concerns identified. The updates are mostly routine dependency version bumps and cleanup. The change from v4 to v5 of ossf/scorecard is a major version bump but unlikely to introduce new vulnerabilities.

@fmarier fmarier merged commit d30091e into master May 29, 2024
7 checks passed
@fmarier fmarier deleted the renovate/ossf-scorecard-action-2.x branch May 29, 2024 00:44