Bump the action-packages group with 7 updates

[dependabot]

Bumps the action-packages group with 7 updates:

Package	From	To
step-security/harden-runner	2.5.1	2.7.0
actions/checkout	4.1.1	4.1.2
actions/dependency-review-action	3.1.0	4.1.3
actions/setup-python	4.7.1	5.0.0
ossf/scorecard-action	2.3.0	2.3.1
actions/upload-artifact	3.1.3	4.3.1
codecov/codecov-action	3.1.4	4.1.0

Updates step-security/harden-runner from 2.5.1 to 2.7.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.7.0

What's Changed

Release 2.7.0 by @​varunsh-coder and @​h0x0er in step-security/harden-runner#376 This release:

1. Updates the node runtime to node20
2. Adds capability to inspect outbound HTTPS traffic on GitHub-hosted and self-hosted VM runners

Full Changelog: step-security/harden-runner@v2...v2.7.0

v2.6.1

What's Changed

Release v2.6.1 by @​varunsh-coder and @​h0x0er in step-security/harden-runner#356 This release:

1. Improves the job summary markdown written by the Harden-Runner Action
2. Improves detection of cache endpoint used by the job
3. Detects use of Kubernetes mode in Actions Runner Controller (ARC) based runners
4. Updates dependencies

Full Changelog: step-security/harden-runner@v2...v2.6.1

v2.6.0

What's Changed

Release v2.6.0 by @​varunsh-coder in step-security/harden-runner#346

This release adds support for self-hosted Virtual Machine runners (e.g. on EC2).

• Both ephemeral and persistent self-hosted VM runners are supported
• Documentation: https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security-vm

Full Changelog: step-security/harden-runner@v2...v2.6.0

Commits

• 63c24ba Merge pull request #376 from step-security/rc-7
• 95691d3 Update dist
• 6339621 Update to node20
• 4a63cda Add tls-inspection capability (#368)
• dece111 Merge pull request #372 from step-security/readme-update
• 1952f97 Updates
• 32f00ff Update README.md
• ea8b747 Publish test results (#363)
• c0db65e Merge pull request #359 from step-security/dependabot/github_actions/actions/...
• 4151c05 Merge pull request #361 from step-security/dependabot/github_actions/step-sec...
• Additional commits viewable in compare view

Updates actions/checkout from 4.1.1 to 4.1.2

Release notes

Sourced from actions/checkout's releases.

v4.1.2

We are investigating the following issue with this release and have rolled-back the v4 tag to point to v4.1.1

• sparse-checkout is not available on git versions prior to 2.27.0 (see actions/checkout#1651)

What's Changed

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in actions/checkout#1598
• Bump tough-cookie from 4.0.0 to 4.1.3 by @​dependabot in actions/checkout#1406
• Bump @​babel/traverse from 7.20.5 to 7.24.0 by @​dependabot in actions/checkout#1642

New Contributors

• @​jww3 made their first contribution in actions/checkout#1616

Full Changelog: actions/checkout@v4.1.1...v4.1.2

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.1.2

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in actions/checkout#1598

v4.1.1

• Correct link to GitHub Docs by @​peterbe in actions/checkout#1511
• Link to release page from what's new section by @​cory-miller in actions/checkout#1514

v4.1.0

• Add support for partial checkout filters

v4.0.0

• Support fetching without the --progress option
• Update to node20

v3.6.0

• Fix: Mark test scripts with Bash'isms to be run via Bash
• Add option to fetch tags even if fetch-depth > 0

v3.5.3

• Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in
• Fix typos found by codespell
• Add support for sparse checkouts

v3.5.2

• Fix api endpoint for GHES

v3.5.1

• Fix slow checkout on Windows

v3.5.0

• Add new public key for known_hosts

v3.4.0

• Upgrade codeql actions to v2
• Upgrade dependencies
• Upgrade @​actions/io

v3.3.0

• Implement branch list using callbacks from exec function
• Add in explicit reference to private checkout options
• [Fix comment typos (that got added in #770)](actions/checkout#1057)

v3.2.0

• Add GitHub Action to perform release
• Fix status badge
• Replace datadog/squid with ubuntu/squid Docker image
• Wrap pipeline commands for submoduleForeach in quotes
• Update @​actions/io to 1.1.2

... (truncated)

Commits

• 9bb5618 Prep for release of v4.1.2 (#1649)
• 8eb1f6a Bump @​babel/traverse from 7.20.5 to 7.24.0 (#1642)
• 556e4c3 Bump tough-cookie from 4.0.0 to 4.1.3 (#1406)
• b32f140 Warn on attempts to publish test-ubuntu-git from non-main branch. (#1623)
• 2650dbd Give test-ubuntu-git its own README (#1620)
• aadec89 Explicitly disable sparse checkout unless asked for (#1598)
• df0bcdd Refine workflow for generating test-ubuntu-git (#1617)
• 473055b Create test-ubuntu-git Docker Container for Proxy Tests (#1616)
• See full diff in compare view

Updates actions/dependency-review-action from 3.1.0 to 4.1.3

Release notes

Sourced from actions/dependency-review-action's releases.

4.1.3

Fixes a bug in 4.1.2 that would introduce comments in every pull request, regardless of the user's configuration (see actions/dependency-review-action#697).

Full Changelog: actions/dependency-review-action@v4.1.2...v4.1.3

4.1.2

What's Changed

• Expose dependency comment content by @​jsoref in actions/dependency-review-action#696

Full Changelog: actions/dependency-review-action@v4.1.1...v4.1.2

4.1.1

What's Changed

• Bump undici to fix GHSA-wqq4-5wpv-mx2g
• Bump @​types/node from 20.11.17 to 20.11.19 by @​dependabot in actions/dependency-review-action#693

Full Changelog: actions/dependency-review-action@v4.1.0...v4.1.1

4.1.0

What's Changed

• Add warn-only by @​tgrall in actions/dependency-review-action#432

Added a new configuration option (warn-only, boolean) that makes the action always succeed while still displaying found vulnerabilities in the log.

• Create stale.yaml by @​jonjanego in actions/dependency-review-action#671
• Use manual codeql config by @​juxtin in actions/dependency-review-action#678
• Multiple dependency updates (see the changelog below for more information)

New Contributors

• @​jonjanego made their first contribution in actions/dependency-review-action#671
• @​tgrall made their first contribution in actions/dependency-review-action#432

Full Changelog: actions/dependency-review-action@v4...v4.1.0

v4.0.0

• Update action to Node 20 by @​takost in actions/dependency-review-action#639
• Dependabot updates, see the full changelog for more details.

New Contributors

• @​takost made their first contribution in actions/dependency-review-action#639

Full Changelog: actions/dependency-review-action@v3.1.5...v4.0.0

3.1.5

What's Changed

• Smaller per_page when requesting diff by @​hmaurer in actions/dependency-review-action#649
• Update dependencies:
  • Bump @​typescript-eslint/parser from 6.10.0 to 6.13.1 by @​dependabot in actions/dependency-review-action#630
  • Bump prettier from 3.0.3 to 3.1.0 by @​dependabot in actions/dependency-review-action#629

... (truncated)

Commits

• 9129d7d don't set output on every run
• a1be843 Update stale.yaml
• 587ff57 Don't use if: always() in examples.
• be8bc50 Merge branch 'output-comment'
• cb180bf Merge pull request #696 from actions/output-comment
• b2ea187 bumping action version
• c94f57b Add a new image for the example report.
• 124fafe Merge branch 'issue-250' into output-comment
• 26174d8 Merge branch 'issue-250' of https://github.com/jsoref/dependency-review-actio...
• a87338a Update example workflow.
• Additional commits viewable in compare view

Updates actions/setup-python from 4.7.1 to 5.0.0

Release notes

Sourced from actions/setup-python's releases.

v5.0.0

What's Changed

In scope of this release, we update node version runtime from node16 to node20 (actions/setup-python#772). Besides, we update dependencies to the latest versions.

Full Changelog: actions/setup-python@v4.8.0...v5.0.0

v4.8.0

What's Changed

In scope of this release we added support for GraalPy (actions/setup-python#694). You can use this snippet to set up GraalPy:

steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v4 
  with:
    python-version: 'graalpy-22.3' 
- run: python my_script.py

Besides, the release contains such changes as:

• Trim python version when reading from file by @​FerranPares in actions/setup-python#628
• Use non-deprecated versions in examples by @​jeffwidman in actions/setup-python#724
• Change deprecation comment to past tense by @​jeffwidman in actions/setup-python#723
• Bump @​babel/traverse from 7.9.0 to 7.23.2 by @​dependabot in actions/setup-python#743
• advanced-usage.md: Encourage the use actions/checkout@v4 by @​cclauss in actions/setup-python#729
• Examples now use checkout@v4 by @​simonw in actions/setup-python#738
• Update actions/checkout to v4 by @​dmitry-shibanov in actions/setup-python#761

New Contributors

• @​FerranPares made their first contribution in actions/setup-python#628
• @​timfel made their first contribution in actions/setup-python#694
• @​jeffwidman made their first contribution in actions/setup-python#724

Full Changelog: actions/setup-python@v4...v4.8.0

Commits

• 0a5c615 Update action to node20 (#772)
• 0ae5836 Add example of GraalPy to docs (#773)
• b64ffca update actions/checkout to v4 (#761)
• 8d28961 Examples now use checkout@v4 (#738)
• 7bc6abb advanced-usage.md: Encourage the use actions/checkout@v4 (#729)
• e8111ce Bump @​babel/traverse from 7.9.0 to 7.23.2 (#743)
• a00ea43 add fix for graalpy ci (#741)
• 8635b1c Change deprecation comment to past tense (#723)
• f6cc428 Use non-deprecated versions in examples (#724)
• 5f2af21 Add GraalPy support (#694)
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.3.0 to 2.3.1

Release notes

Sourced from ossf/scorecard-action's releases.

v2.3.1

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by @​spencerschrock in ossf/scorecard-action#1282
  • Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the v4.13.1 release notes

Full Changelog: ossf/scorecard-action@v2.3.0...v2.3.1

Commits

• 0864cf1 🌱 Bump docker tag to for v2.3.1 release (#1284)
• 72df3bf 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 (#1282)
• 0ea411f 🌱 Bump the docker-images group with 1 update (#1281)
• dbfd042 🌱 Bump the github-actions group with 1 update (#1280)
• 2fa1e2f 🌱 Bump golang.org/x/net from 0.16.0 to 0.17.0 (#1278)
• 652ddd0 🌱 Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (#1277)
• 28d0c92 🌱 Group Dependabot updates for GitHub Actions and Dockerfiles (#1276)
• cb50491 🌱 Bump distroless/base from a35b652 to b31a6e0 (#1275)
• 87157ac 🌱 Bump github/codeql-action from 2.21.9 to 2.22.1 (#1274)
• 7c1648b 🌱 Bump step-security/harden-runner from 2.5.1 to 2.6.0 (#1273)
• Additional commits viewable in compare view

Updates actions/upload-artifact from 3.1.3 to 4.3.1

Release notes

Sourced from actions/upload-artifact's releases.

v4.3.1

• Bump @​actions/artifacts to latest version to include updated GHES host check

v4.3.0

What's Changed

• Reorganize upload code in prep for merge logic & add more tests by @​robherley in actions/upload-artifact#504
• Add sub-action to merge artifacts by @​robherley in actions/upload-artifact#505

Full Changelog: actions/upload-artifact@v4...v4.3.0

v4.2.0

What's Changed

• Ability to overwrite an Artifact by @​robherley in actions/upload-artifact#501

Full Changelog: actions/upload-artifact@v4...v4.2.0

v4.1.0

What's Changed

• Add migrations docs by @​robherley in actions/upload-artifact#482
• Update README.md by @​samuelwine in actions/upload-artifact#492
• Support artifact-url output by @​konradpabjan in actions/upload-artifact#496
• Update readme to reflect new 500 artifact per job limit by @​robherley in actions/upload-artifact#497

New Contributors

• @​samuelwine made their first contribution in actions/upload-artifact#492

Full Changelog: actions/upload-artifact@v4...v4.1.0

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads must use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows.

For more information, please see:

1. The changelog post.
2. The README.
3. The migration documentation.
4. As well as the underlying npm package, @​actions/artifact documentation.

New Contributors

• @​vmjoseph made their first contribution in actions/upload-artifact#464

Full Changelog: actions/upload-artifact@v3...v4.0.0

Commits

• 5d5d22a Merge pull request #515 from actions/eggyhead/update-artifact-v2.1.1
• f1e993d update artifact license
• 4881bfd updating dist:
• a30777e @​eggyhead
• 3a80482 Merge pull request #511 from actions/robherley/migration-docs-typo
• 9d63e3f Merge branch 'main' into robherley/migration-docs-typo
• dfa1ab2 fix typo with v3 artifact downloads in migration guide
• d00351b Merge pull request #509 from markmssd/patch-1
• 707f5a7 Update limitation of 10 artifacts upload to 500
• 26f96df Merge pull request #505 from actions/robherley/merge-artifacts
• Additional commits viewable in compare view

Updates codecov/codecov-action from 3.1.4 to 4.1.0

Release notes

Sourced from codecov/codecov-action's releases.

v4.1.0

What's Changed

• fix: set safe directory by @​thomasrockhu-codecov in codecov/codecov-action#1304
• build(deps): bump github/codeql-action from 3.24.3 to 3.24.5 by @​dependabot in codecov/codecov-action#1306
• build(deps-dev): bump eslint from 8.56.0 to 8.57.0 by @​dependabot in codecov/codecov-action#1305
• chore(release): v4.1.0 by @​thomasrockhu-codecov in codecov/codecov-action#1307

Full Changelog: codecov/codecov-action@v4.0.2...v4.1.0

v4.0.2

What's Changed

• Update README.md by @​thomasrockhu-codecov in codecov/codecov-action#1251
• build(deps-dev): bump @​types/jest from 29.5.11 to 29.5.12 by @​dependabot in codecov/codecov-action#1257
• build(deps): bump github/codeql-action from 3.23.2 to 3.24.0 by @​dependabot in codecov/codecov-action#1266
• Escape pipes in table of arguments by @​jwodder in codecov/codecov-action#1265
• Add link to docs on Dependabot secrets by @​ianlewis in codecov/codecov-action#1260
• fix: working-directory input for all stages by @​Bo98 in codecov/codecov-action#1272
• build(deps-dev): bump @​typescript-eslint/parser from 6.20.0 to 6.21.0 by @​dependabot in codecov/codecov-action#1271
• build(deps-dev): bump @​typescript-eslint/eslint-plugin from 6.20.0 to 6.21.0 by @​dependabot in codecov/codecov-action#1269
• build(deps): bump github/codeql-action from 3.24.0 to 3.24.3 by @​dependabot in codecov/codecov-action#1298
• Use updated syntax for GitHub Markdown notes by @​jamacku in codecov/codecov-action#1300
• build(deps-dev): bump @​typescript-eslint/eslint-plugin from 6.21.0 to 7.0.0 by @​dependabot in codecov/codecov-action#1290
• build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 by @​dependabot in codecov/codecov-action#1286
• chore(release): bump to 4.0.2 by @​thomasrockhu-codecov in codecov/codecov-action#1302

New Contributors

• @​jwodder made their first contribution in codecov/codecov-action#1265
• @​ianlewis made their first contribution in codecov/codecov-action#1260
• @​Bo98 made their first contribution in codecov/codecov-action#1272
• @​jamacku made their first contribution in codecov/codecov-action#1300

Full Changelog: codecov/codecov-action@v4.0.1...v4.0.2

v4.0.1

What's Changed

• Update README.md by @​thomasrockhu-codecov in codecov/codecov-action#1243
• Add all args by @​thomasrockhu-codecov in codecov/codecov-action#1245
• fix: show both token uses in readme by @​thomasrockhu-codecov in codecov/codecov-action#1250

Full Changelog: codecov/codecov-action@v4.0.0...v4.0.1

v4.0.0

v4 of the Codecov Action uses the CLI as the underlying upload. The CLI has helped to power new features including local upload, the global upload token, and new upcoming features.

Breaking Changes

• The Codecov Action runs as a node20 action due to node16 deprecation. See this post from GitHub on how to migrate.
• Tokenless uploading is unsupported. However, PRs made from forks to the upstream public repos will support tokenless (e.g. contributors to OS projects do not need the upstream repo's Codecov token). This doc shows instructions on how to add the Codecov token.

... (truncated)

Changelog

Sourced from codecov/codecov-action's changelog.

4.0.0-beta.2

Fixes

• #1085 not adding -n if empty to do-upload command

4.0.0-beta.1

v4 represents a move from the universal uploader to the Codecov CLI. Although this will unlock new features for our users, the CLI is not yet at feature parity with the universal uploader.

Breaking Changes

• No current support for aarch64 and alpine architectures.
• Tokenless uploading is unsuported
• Various arguments to the Action have been removed

3.1.4

Fixes

• #967 Fix typo in README.md
• #971 fix: add back in working dir
• #969 fix: CLI option names for uploader

Dependencies

• #970 build(deps-dev): bump @​types/node from 18.15.12 to 18.16.3
• #979 build(deps-dev): bump @​types/node from 20.1.0 to 20.1.2
• #981 build(deps-dev): bump @​types/node from 20.1.2 to 20.1.4

3.1.3

Fixes

• #960 fix: allow for aarch64 build

Dependencies

• #957 build(deps-dev): bump jest-junit from 15.0.0 to 16.0.0
• #958 build(deps): bump openpgp from 5.7.0 to 5.8.0
• #959 build(deps-dev): bump @​types/node from 18.15.10 to 18.15.12

3.1.2

Fixes

• #718 Update README.md
• #851 Remove unsupported path_to_write_report argument
• #898 codeql-analysis.yml
• #901 Update README to contain correct information - inputs and negate feature
• #955 fix: add in all the extra arguments for uploader

Dependencies

• #819 build(deps): bump openpgp from 5.4.0 to 5.5.0
• #835 build(deps): bump node-fetch from 3.2.4 to 3.2.10
• #840 build(deps): bump ossf/scorecard-action from 1.1.1 to 2.0.4
• #841 build(deps): bump @​actions/core from 1.9.1 to 1.10.0
• #843 build(deps): bump @​actions/github from 5.0.3 to 5.1.1
• #869 build(deps): bump node-fetch from 3.2.10 to 3.3.0
• #872 build(deps-dev): bump jest-junit from 13.2.0 to 15.0.0
• #879 build(deps): bump decode-uri-component from 0.2.0 to 0.2.2

... (truncated)

Commits

• 54bcd87 chore(release): v4.1.0 (#1307)
• 8ba77ef build(deps-dev): bump eslint from 8.56.0 to 8.57.0 (#1305)
• c60aa80 build(deps): bump github/codeql-action from 3.24.3 to 3.24.5 (#1306)
• 2fc4847 fix: set safe directory (#1304)
• 0cfda1d chore(release): bump to 4.0.2 (#1302)
• 7d3a55e build(deps): bump actions/upload-artifact from 4.3.0 to 4.3.1 (#1286)
• fe84a0b build(deps-dev): bump @​typescript-eslint/eslint-plugin from 6.21.0 to 7.0.0 (...
• e12c940 Use updated syntax for GitHub Markdown notes (#1300)
• ef7f8a5 build(deps): bump github/codeql-action from 3.24.0 to 3.24.3 (#1298)
• b8a1d6a build(deps-dev): bump @​typescript-eslint/eslint-plugin from 6.20.0 to 6.21.0 ...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Superseded by #112.