update: bump the gh-actions-packages group across 1 directory with 7 updates #294

dependabot · 2024-06-25T22:01:17Z

Bumps the gh-actions-packages group with 7 updates in the / directory:

Package	From	To
actions/checkout	`4.1.6`	`4.1.7`
snok/container-retention-policy	`2.2.1`	`3.0.0`
github/codeql-action	`3.25.6`	`3.25.10`
actions/dependency-review-action	`4.3.2`	`4.3.3`
bridgecrewio/checkov-action	`12.2762.0`	`12.2787.0`
docker/build-push-action	`5.3.0`	`6.1.0`
mikepenz/action-junit-report	`4.2.1`	`4.3.1`

Updates actions/checkout from 4.1.6 to 4.1.7

Release notes

Sourced from actions/checkout's releases.

v4.1.7

What's Changed

Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in actions/checkout#1739

Bump actions/checkout from 3 to 4 by @dependabot in actions/checkout#1697

Check out other refs/* by commit by @orhantoy in actions/checkout#1774

Pin actions/checkout's own workflows to a known, good, stable version. by @jww3 in actions/checkout#1776

New Contributors

@orhantoy made their first contribution in actions/checkout#1774

Full Changelog: actions/checkout@v4.1.6...v4.1.7

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.1.7

Bump the minor-npm-dependencies group across 1 directory with 4 updates by @dependabot in actions/checkout#1739

Bump actions/checkout from 3 to 4 by @dependabot in actions/checkout#1697

Check out other refs/* by commit by @orhantoy in actions/checkout#1774

Pin actions/checkout's own workflows to a known, good, stable version. by @jww3 in actions/checkout#1776

v4.1.6

Check platform to set archive extension appropriately by @cory-miller in actions/checkout#1732

v4.1.5

Update NPM dependencies by @cory-miller in actions/checkout#1703

Bump github/codeql-action from 2 to 3 by @dependabot in actions/checkout#1694

Bump actions/setup-node from 1 to 4 by @dependabot in actions/checkout#1696

Bump actions/upload-artifact from 2 to 4 by @dependabot in actions/checkout#1695

README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @cory-miller in actions/checkout#1707

v4.1.4

Disable extensions.worktreeConfig when disabling sparse-checkout by @jww3 in actions/checkout#1692

Add dependabot config by @cory-miller in actions/checkout#1688

Bump the minor-actions-dependencies group with 2 updates by @dependabot in actions/checkout#1693

Bump word-wrap from 1.2.3 to 1.2.5 by @dependabot in actions/checkout#1643

v4.1.3

Check git version before attempting to disable sparse-checkout by @jww3 in actions/checkout#1656

Add SSH user parameter by @cory-miller in actions/checkout#1685

Update actions/checkout version in update-main-version.yml by @jww3 in actions/checkout#1650

v4.1.2

Fix: Disable sparse checkout whenever sparse-checkout option is not present @dscho in actions/checkout#1598

v4.1.1

Correct link to GitHub Docs by @peterbe in actions/checkout#1511

Link to release page from what's new section by @cory-miller in actions/checkout#1514

v4.1.0

Add support for partial checkout filters

v4.0.0

Support fetching without the --progress option

Update to node20

v3.6.0

Fix: Mark test scripts with Bash'isms to be run via Bash

Add option to fetch tags even if fetch-depth > 0

v3.5.3

Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in

Fix typos found by codespell

... (truncated)

Commits

692973e Prepare 4.1.7 release (#1775)
6ccd57f Pin actions/checkout's own workflows to a known, good, stable version. (#1776)
b17fe1e Handle hidden refs (#1774)
b80ff79 Bump actions/checkout from 3 to 4 (#1697)
b1ec302 Bump the minor-npm-dependencies group across 1 directory with 4 updates (#1739)
See full diff in compare view

Updates snok/container-retention-policy from 2.2.1 to 3.0.0

Release notes

Sourced from snok/container-retention-policy's releases.

v3.0.0

Disclaimer: This release breaks the API of the action to a large degree. It might be wise to run the action with dry-run: true after upgrading.

This release is a complete rewrite of the action, tackling most if not all open issues in the issue tracker. Some of the highlights include:

Simplifying and consolidating the inputs of the action

Improving the runtime performance, and the initialization time of the action in CI

Support for multi-platform packages

Support for new token types (secrets.GITHUB_TOKEN and Github app tokens)

Much better handling of GitHub API rate limits

💥 There are a lot of breaking changes, so we've included a migration guide at the bottom of this post, to make things a bit simpler.

Since the release introduces a few thousand lines of code, we expect there may be a few things left to iron out. If you run into any problems, please share them in the v3 release issue.

In addition to what's mentioned above, other new features and changes include:

Significant effort has been spent on improving the logging, to give better insights into what exactly is happening

Updated license from BSD-3 to MIT.

The available syntax for image-names and image-tags previously allowed wildcards (using the * character). We now also allow the ? character to express a single-character wildcard. For example, the pattern ca? will match car and cat. See the wildmatch docs for details.

In addition to changing the inputs of the action (more details below), there are a few other breaking changes:

We'll no longer maintain mutable major and minor version tags for the action. There will be no v3 target for the action, just v3.0.0 and other exact versions. Mutable major version tags are generally hard to maintain and not much safer than tracking the main branch, so more precise tag tracking should reduce the likelihood of broken runs going forward. Paired with dependabot, upgrading should not be much harder than it has been.

The needs-assistance output was deleted

And in terms of performance improvements:

The action has been rewritten from a composite action to a container action, and the total size of the new image is < 10Mi.

The action would previously take ~30 seconds to initialize and would require a Python runtime. The action now starts in less than a second, and runs as a standalone binary.

The runtime of the action has been reduced, and assuming we need to delete less than 180 package versions, the action completes in, at most, a few seconds. See this example of a recent run. When we have to delete more than 180 package versions, there's a minute of waiting for every 180 new package versions, as a consequence of GitHub's secondary API rate limits. See the new README for details.

Migration guide
The account-type and org-name inputs have been replaced with account, which should be set to the literal string "user" if you previously used account-type: personal and to the organization name otherwise:
- account-type: personal
+ account: user
or
- account-type: organization
- org-name: acme
+ account: acme

... (truncated)

Commits

4f22ef8 fix: Correct oauth scope check
def81c2 fix(ci): Use input version tag when building image
ab30663 chore: Update docs for release and update action image
7793513 chore(deps): bump docker/build-push-action from 5 to 6
79a0b31 Remove oauth token
851b141 Rewrite the action in Rust
178bc0b chore: Update test workflow to test v3-develop branch
e6eea47 fix(workflows): Correct script and run every 3 hours
3bfc979 fix(ci): Revise test dockerfile
e66905c refactor(ci): Add variables to reduce clutter
Additional commits viewable in compare view

Updates github/codeql-action from 3.25.6 to 3.25.10

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

[UNRELEASED]

Avoid failing the workflow run if there is an error while uploading debug artifacts. #2349

3.25.10 - 13 Jun 2024

Update default CodeQL bundle version to 2.17.5. #2327

3.25.9 - 12 Jun 2024

Avoid failing database creation if the database folder already exists and contains some unexpected files. Requires CodeQL 2.18.0 or higher. #2330

The init Action will attempt to clean up the database cluster directory before creating a new database and at the end of the job. This will help to avoid issues where the database cluster directory is left in an inconsistent state. #2332

3.25.8 - 04 Jun 2024

Update default CodeQL bundle version to 2.17.4. #2321

3.25.7 - 31 May 2024

We are rolling out a feature in May/June 2024 that will reduce the Actions cache usage of the Action by keeping only the newest TRAP cache for each language. #2306

3.25.6 - 20 May 2024

Update default CodeQL bundle version to 2.17.3. #2295

3.25.5 - 13 May 2024

Add a compatibility matrix of supported CodeQL Action, CodeQL CLI, and GitHub Enterprise Server versions to the https://github.com/github/codeql-action/blob/main/README.md. #2273

Avoid printing out a warning for a missing on.push trigger when the CodeQL Action is triggered via a workflow_call event. #2274

The tools: latest input to the init Action has been renamed to tools: linked. This option specifies that the Action should use the tools shipped at the same time as the Action. The old name will continue to work for backwards compatibility, but we recommend that new workflows use the new name. #2281

3.25.4 - 08 May 2024

Update default CodeQL bundle version to 2.17.2. #2270

3.25.3 - 25 Apr 2024

Update default CodeQL bundle version to 2.17.1. #2247

Workflows running on macos-latest using CodeQL CLI versions before v2.15.1 will need to either upgrade their CLI version to v2.15.1 or newer, or change the platform to an Intel MacOS runner, such as macos-12. ARM machines with SIP disabled, including the newest macos-latest image, are unsupported for CLI versions before 2.15.1. #2261

3.25.2 - 22 Apr 2024

No user facing changes.

... (truncated)

Commits

23acc5c Merge pull request #2337 from github/update-v3.25.10-5bf6dad35
9b72dbd Update changelog for v3.25.10
5bf6dad Merge pull request #2329 from github/henrymercer/csharp-buildless-rollback-me...
feec81c Merge branch 'main' into henrymercer/csharp-buildless-rollback-mechanism
789b5f8 Merge pull request #2328 from github/henrymercer/direct-tracing-fix
c36b5fc Merge pull request #2327 from github/update-bundle/codeql-bundle-v2.17.5
b3642aa Merge branch 'main' into update-bundle/codeql-bundle-v2.17.5
1fc6e20 Merge pull request #2335 from github/mergeback/v3.25.9-to-main-530d4fea
356bee4 Update checked-in dependencies
385808c Update changelog and version after v3.25.9
Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.3.2 to 4.3.3

Release notes

Sourced from actions/dependency-review-action's releases.

Notes for v4.3.3

What's Changed

Allow slashes in purl package names by @juxtin in actions/dependency-review-action#765

use the v3 version of the deps.dev API by @josieang in actions/dependency-review-action#741

PR with suggestions - [Improvement]: Help streamline / simplify dependency review action README by @am-stead in actions/dependency-review-action#773

fix show-openssf-scorecard-levels input by @ramann in actions/dependency-review-action#776

Updates to the contribution guidelines by @jonjanego in actions/dependency-review-action#778

Create issue templates by @jonjanego in actions/dependency-review-action#777

Fix the max comment length issue by @jhutchings1 and @elireisman in actions/dependency-review-action#767

Bump project version to 4.3.3 in prep for a release by @elireisman in actions/dependency-review-action#781

New Contributors

@josieang made their first contribution in actions/dependency-review-action#741

@am-stead made their first contribution in actions/dependency-review-action#773

@ramann made their first contribution in actions/dependency-review-action#776

Full Changelog: actions/dependency-review-action@v4.3.2...v4.3.3

Commits

72eb03d Merge pull request #781 from actions/release-v4.3.3
137d8b4 bump to version v4.3.3
e6b618e Merge pull request #767 from actions/max-comment-length
3c42649 fix ws for linter
8e6ea8d update packaging
1b3d277 post-review: add PR comment full summary test case
220872c Update src/main.ts
087d0f8 repackage to update dist
4531204 whitespace
df1ca89 appease linter
Additional commits viewable in compare view

Updates bridgecrewio/checkov-action from 12.2762.0 to 12.2787.0

Commits

ebff1eb Bump checkov container version to 3.2.145
4a43ee1 Bump checkov container version to 3.2.144
d3328ad Bump checkov container version to 3.2.141
8b9814d Bump checkov container version to 3.2.140
14c88c2 Bump checkov container version to 3.2.139
52f5b59 Bump checkov container version to 3.2.138
2d2a17c Bump checkov container version to 3.2.137
5ec4b94 Bump checkov container version to 3.2.136
21f06df Bump checkov container version to 3.2.135
14850e6 Bump checkov container version to 3.2.134
Additional commits viewable in compare view

Updates docker/build-push-action from 5.3.0 to 6.1.0

Release notes

Sourced from docker/build-push-action's releases.

v6.1.0

Bump @docker/actions-toolkit from 0.26.2 to 0.27.0 in docker/build-push-action#1149

Full Changelog: docker/build-push-action@v6.0.2...v6.1.0

v6.0.2

Bump @docker/actions-toolkit from 0.26.1 to 0.26.2 in docker/build-push-action#1147

Full Changelog: docker/build-push-action@v6.0.1...v6.0.2

v6.0.1

Bump @docker/actions-toolkit from 0.26.0 to 0.26.1 in docker/build-push-action#1142

Full Changelog: docker/build-push-action@v6.0.0...v6.0.1

v6.0.0

Export build record and generate build summary by @crazy-max in docker/build-push-action#1120

Bump @docker/actions-toolkit from 0.24.0 to 0.26.0 in docker/build-push-action#1132 docker/build-push-action#1136 docker/build-push-action#1138

Bump braces from 3.0.2 to 3.0.3 in docker/build-push-action#1137

[!NOTE] This major release adds support for generating Build summary and exporting build record for your build. You can disable this feature by setting DOCKER_BUILD_NO_SUMMARY: true environment variable in your workflow.

Full Changelog: docker/build-push-action@v5.4.0...v6.0.0

v5.4.0

Show builder information before building by @crazy-max in docker/build-push-action#1128

Handle attestations correctly with provenance and sbom inputs by @crazy-max in docker/build-push-action#1086

Bump @docker/actions-toolkit from 0.19.0 to 0.24.0 in docker/build-push-action#1088 docker/build-push-action#1105 docker/build-push-action#1121 docker/build-push-action#1127

Bump undici from 5.28.3 to 5.28.4 in docker/build-push-action#1090

Full Changelog: docker/build-push-action@v5.3.0...v5.4.0

Commits

31159d4 Merge pull request #1149 from docker/dependabot/npm_and_yarn/docker/actions-t...
07e1c3e chore: update generated content
f7febd6 chore(deps): Bump @docker/actions-toolkit from 0.26.2 to 0.27.0
f6010ea Merge pull request #1147 from docker/dependabot/npm_and_yarn/docker/actions-t...
c0a6b96 chore: update generated content
0dfe9c3 chore(deps): Bump @docker/actions-toolkit from 0.26.1 to 0.26.2
94f8f8c Merge pull request #1142 from docker/dependabot/npm_and_yarn/docker/actions-t...
22f4433 chore: update generated content
6721c56 chore(deps): Bump @docker/actions-toolkit from 0.26.0 to 0.26.1
4367da9 Merge pull request #1140 from docker/dependabot/github_actions/docker/bake-ac...
Additional commits viewable in compare view

Updates mikepenz/action-junit-report from 4.2.1 to 4.3.1

Release notes

Sourced from mikepenz/action-junit-report's releases.

v4.3.1

🐛 Fixes

Revert optimisation to skip processing of scucessful tests

PR: #1122

v4.3.0

[!CAUTION] This version has a bug resulting in passed annotations not being created. Use v4.3.1 (or newer) instead See the report here: mikepenz/action-junit-report#1121

🚀 Features

Improve performance of action's processing

PR: #1105

Thanks @GUI

📦 Dependencies

Dependency Upgrades

PR: #1111

v4.2.2

🚀 Features

Add classname to check_title_template

PR: #1095

Thanks @valentin-demange

📦 Dependencies

Dependency upgrades

PR: #1101

Commits

db71d41 Merge pull request #1122 from mikepenz/fix/1121
2d70fb2 - revert testcase
c4cd1de - revert annotation optimisation (Skip processing of successful tests if `inc...
eb1a2b2 Merge pull request #1111 from mikepenz/feature/dependency_updates_20240620
71ce529 ```
d8a34d8 Merge branch 'refs/heads/GUI-perf'
8aa8974 - slight enhancement
a0437c7 Skip processing of successful tests if include_passed is not enabled.
1ba5f45 Improve performance by caching repeated file glob results.
ac30be7 Merge pull request #1101 from mikepenz/feature/dependency_updates_20240530
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

…updates Bumps the gh-actions-packages group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `4.1.6` | `4.1.7` | | [snok/container-retention-policy](https://github.com/snok/container-retention-policy) | `2.2.1` | `3.0.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `3.25.6` | `3.25.10` | | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.3.2` | `4.3.3` | | [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) | `12.2762.0` | `12.2787.0` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `5.3.0` | `6.1.0` | | [mikepenz/action-junit-report](https://github.com/mikepenz/action-junit-report) | `4.2.1` | `4.3.1` | Updates `actions/checkout` from 4.1.6 to 4.1.7 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@a5ac7e5...692973e) Updates `snok/container-retention-policy` from 2.2.1 to 3.0.0 - [Release notes](https://github.com/snok/container-retention-policy/releases) - [Commits](snok/container-retention-policy@b56f4ff...4f22ef8) Updates `github/codeql-action` from 3.25.6 to 3.25.10 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@9fdb3e4...23acc5c) Updates `actions/dependency-review-action` from 4.3.2 to 4.3.3 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@0c155c5...72eb03d) Updates `bridgecrewio/checkov-action` from 12.2762.0 to 12.2787.0 - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](bridgecrewio/checkov-action@cbef505...ebff1eb) Updates `docker/build-push-action` from 5.3.0 to 6.1.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@2cdde99...31159d4) Updates `mikepenz/action-junit-report` from 4.2.1 to 4.3.1 - [Release notes](https://github.com/mikepenz/action-junit-report/releases) - [Commits](mikepenz/action-junit-report@9379f0c...db71d41) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gh-actions-packages - dependency-name: snok/container-retention-policy dependency-type: direct:production update-type: version-update:semver-major dependency-group: gh-actions-packages - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gh-actions-packages - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch dependency-group: gh-actions-packages - dependency-name: bridgecrewio/checkov-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gh-actions-packages - dependency-name: docker/build-push-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: gh-actions-packages - dependency-name: mikepenz/action-junit-report dependency-type: direct:production update-type: version-update:semver-minor dependency-group: gh-actions-packages ... Signed-off-by: dependabot[bot] <[email protected]>

github-actions · 2024-06-25T22:01:50Z

Dependency Review

The following issues were found:

✅ 0 vulnerable package(s)
✅ 0 package(s) with incompatible licenses
✅ 0 package(s) with invalid SPDX license definitions
⚠️ 1 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 3132695.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

License Issues

.github/workflows/.reusable-sast.yml

Package	Version	License	Issue Type
bridgecrewio/checkov-action	ebff1eb63648a05e86b2f15cfe439551a7d70070	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package

Version

Score

Details

update: bump the gh-actions-packages group across 1 directory with 7 updates #294

update: bump the gh-actions-packages group across 1 directory with 7 updates #294

Conversation

dependabot bot commented on behalf of github Jun 25, 2024 • edited Loading

v4.1.7

What's Changed

New Contributors

Changelog

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

v4.1.2

v4.1.1

v4.1.0

v4.0.0

v3.6.0

v3.5.3

v3.0.0

Migration guide

CodeQL Action Changelog

[UNRELEASED]

3.25.10 - 13 Jun 2024

3.25.9 - 12 Jun 2024

3.25.8 - 04 Jun 2024

3.25.7 - 31 May 2024

3.25.6 - 20 May 2024

3.25.5 - 13 May 2024

3.25.4 - 08 May 2024

3.25.3 - 25 Apr 2024

3.25.2 - 22 Apr 2024

Notes for v4.3.3

What's Changed

New Contributors

v6.1.0

v6.0.2

v6.0.1

v6.0.0

v5.4.0

v4.3.1

🐛 Fixes

v4.3.0

🚀 Features

📦 Dependencies

v4.2.2

🚀 Features

📦 Dependencies

github-actions bot commented Jun 25, 2024

Dependency Review

Snapshot Warnings

License Issues

.github/workflows/.reusable-sast.yml

OpenSSF Scorecard

Scanned Manifest Files

github-actions bot commented Jun 25, 2024

dependabot bot commented on behalf of github Jun 26, 2024

dependabot bot commented on behalf of github Jun 25, 2024 •

edited

Loading