chore(deps): Bump the minor-patch group across 1 directory with 13 updates

[dependabot]

Bumps the minor-patch group with 13 updates in the / directory:

Package	From	To
sigstore/cosign-installer	3.7.0	3.8.1
ko-build/setup-ko	0.7	0.8
google-github-actions/auth	2.1.7	2.1.8
actions/cache	4.2.0	4.2.3
github/codeql-action	3.27.9	3.28.13
mikefarah/yq	4.44.6	4.45.1
anchore/sbom-action	0.17.9	0.18.0
goreleaser/goreleaser-action	6.1.0	6.3.0
google-github-actions/setup-gcloud	2.1.2	2.1.4
slsa-framework/slsa-github-generator	2.0.0	2.1.0
ossf/scorecard-action	2.4.0	2.4.1
actions/upload-artifact	4.4.3	4.6.2
codecov/codecov-action	5.1.1	5.4.0

Updates sigstore/cosign-installer from 3.7.0 to 3.8.1

Release notes

Sourced from sigstore/cosign-installer's releases.

v3.8.1

What's Changed

• use cosign 2.4.3 and other updates by @​cpanato in sigstore/cosign-installer#182

Full Changelog: sigstore/cosign-installer@v3...v3.8.1

v3.8.0

What's Changed

• test action against all non-rc releases, verify entry in rekor log by @​bobcallaway in sigstore/cosign-installer#179
• bump for cosign v2.4.2 release by @​bobcallaway in sigstore/cosign-installer#181

Full Changelog: sigstore/cosign-installer@v3...v3.8.0

Commits

• d7d6bc7 use cosign 2.4.3 and other updates (#182)
• c56c2d3 Bump actions/setup-go from 5.2.0 to 5.3.0 (#180)
• 02e36b8 bump for cosign v2.4.2 release (#181)
• 789d288 test action against all non-rc releases, verify entry in rekor log (#179)
• e11c089 Bump actions/setup-go from 5.1.0 to 5.2.0 (#178)
• 718228a Bump actions/setup-go from 5.0.2 to 5.1.0 (#176)
• 325063e Bump actions/checkout from 4.2.1 to 4.2.2 (#177)
• b929758 Bump actions/checkout from 4.2.0 to 4.2.1 (#175)
• See full diff in compare view

Updates ko-build/setup-ko from 0.7 to 0.8

Release notes

Sourced from ko-build/setup-ko's releases.

v0.8

What's Changed

• feat: get arch from runner context. by @​hsblhsn in ko-build/setup-ko#29
• ci: test on arm by @​imjasonh in ko-build/setup-ko#40
• Update use-action.yaml by @​imjasonh in ko-build/setup-ko#41
• install without sudo by @​imjasonh in ko-build/setup-ko#42

New Contributors

• @​hsblhsn made their first contribution in ko-build/setup-ko#29

Full Changelog: ko-build/setup-ko@v0.7...v0.8

Commits

• d982fec Merge pull request #42 from ko-build/imjasonh-patch-3
• d9a259d install without sudo
• 3eacfb1 Merge pull request #41 from ko-build/imjasonh-patch-2
• bc1d28d Update use-action.yaml
• 6f2a060 Merge pull request #40 from ko-build/imjasonh-patch-2
• 79f378f Update use-action.yaml
• 913b299 Update use-action.yaml
• 92449d1 ci: test on arm
• 2a5f936 Merge pull request #29 from hsblhsn/main
• d632f4f Update ci.yaml
• Additional commits viewable in compare view

Updates google-github-actions/auth from 2.1.7 to 2.1.8

Release notes

Sourced from google-github-actions/auth's releases.

v2.1.8

What's Changed

• Update TROUBLESHOOTING.md by @​sethvargo in google-github-actions/auth#457
• fix: add runs-on to README.md example by @​lbarthon in google-github-actions/auth#460
• security: bump undici from 5.28.4 to 5.28.5 in the npm_and_yarn group by @​dependabot in google-github-actions/auth#463
• Update deps by @​sethvargo in google-github-actions/auth#466
• Release: v2.1.8 by @​google-github-actions-bot in google-github-actions/auth#467

New Contributors

• @​lbarthon made their first contribution in google-github-actions/auth#460

Full Changelog: google-github-actions/auth@v2...v2.1.8

Commits

• 71f9864 Release: v2.1.8 (#467)
• 0cd8f2e Update deps (#466)
• 332e0ba security: bump undici from 5.28.4 to 5.28.5 in the npm_and_yarn group (#463)
• 28d44ba fix: add runs-on to README.md example (#460)
• 83354ca Update TROUBLESHOOTING.md (#457)
• See full diff in compare view

Updates actions/cache from 4.2.0 to 4.2.3

Release notes

Sourced from actions/cache's releases.

v4.2.3

What's Changed

• Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

• @​salmanmkc made their first contribution in actions/cache#1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

v4.2.2

What's Changed

[!IMPORTANT] As a reminder, there were important backend changes to release v4.2.0, see those release notes and the announcement for more details.

• Bump @​actions/cache to v4.0.2 by @​robherley in actions/cache#1560

Full Changelog: actions/cache@v4.2.1...v4.2.2

v4.2.1

What's Changed

[!IMPORTANT] As a reminder, there were important backend changes to release v4.2.0, see those release notes and the announcement for more details.

• docs: GitHub is spelled incorrectly in caching-strategies.md by @​janco-absa in actions/cache#1526
• docs: Make the "always save prime numbers" example more clear by @​Tobbe in actions/cache#1525
• Update force deletion docs due a recent deprecation by @​sebbalex in actions/cache#1500
• Bump @​actions/cache to v4.0.1 by @​robherley in actions/cache#1554

New Contributors

• @​janco-absa made their first contribution in actions/cache#1526
• @​Tobbe made their first contribution in actions/cache#1525
• @​sebbalex made their first contribution in actions/cache#1500

Full Changelog: actions/cache@v4.2.0...v4.2.1

Changelog

Sourced from actions/cache's changelog.

Releases

4.2.3

• Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

• Bump @actions/cache to v4.0.2

4.2.1

• Bump @actions/cache to v4.0.1

4.2.0

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before February 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

4.1.2

• Add GitHub Enterprise Cloud instances hostname filters to inform API endpoint choices - #1474
• Security fix: Bump braces from 3.0.2 to 3.0.3 - #1475

4.1.1

• Restore original behavior of cache-hit output - #1467

4.1.0

• Ensure cache-hit output is set when a cache is missed - #1404
• Deprecate save-always input - #1452

4.0.2

• Fixed restore fail-on-cache-miss not working.

4.0.1

• Updated isGhes check

... (truncated)

Commits

• 5a3ec84 Merge pull request #1577 from salmanmkc/salmanmkc/4-test
• 7de2102 Update releases.md
• 76d40dd Update to use the latest version of the cache package to obfuscate the SAS
• 76dd5eb update cache with main
• 8c80c27 new package
• 45cfd0e updates
• edd449b updated cache with latest changes
• 0576707 latest test before pr
• 3105dc9 update
• 9450d42 mask
• Additional commits viewable in compare view

Updates github/codeql-action from 3.27.9 to 3.28.13

Release notes

Sourced from github/codeql-action's releases.

v3.28.13

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.13 - 24 Mar 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.28.12

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.12 - 19 Mar 2025

• Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
• Update default CodeQL bundle version to 2.20.7. #2810

See the full CHANGELOG.md for more information.

v3.28.11

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #2793

See the full CHANGELOG.md for more information.

v3.28.10

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

See the full CHANGELOG.md for more information.

v3.28.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

• Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
• Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

3.28.9 - 07 Feb 2025

• Update default CodeQL bundle version to 2.20.4. #2753

3.28.8 - 29 Jan 2025

• Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

3.28.7 - 29 Jan 2025

No user facing changes.

3.28.6 - 27 Jan 2025

• Re-enable debug artifact upload for CLI versions 2.20.3 or greater. #2726

3.28.5 - 24 Jan 2025

• Update default CodeQL bundle version to 2.20.3. #2717

3.28.4 - 23 Jan 2025

No user facing changes.

... (truncated)

Commits

• 1b549b9 Merge pull request #2819 from github/update-v3.28.13-e0ea14102
• 82630c8 Update changelog for v3.28.13
• e0ea141 Merge pull request #2818 from github/cklin/empty-pr-diff-range
• b361a91 Diff-informed analysis: fix empty PR handling
• bd1d9ab Merge pull request #2816 from github/cklin/overlay-file-list
• b98ae6c Add overlay-database-utils tests
• 9825184 Add getFileOidsUnderPath() tests
• ac67cff Merge pull request #2817 from github/cklin/default-setup-diff-informed
• 9c674ba build: refresh js files
• d109dd5 Detect PR branches for Default Setup
• Additional commits viewable in compare view

Updates mikefarah/yq from 4.44.6 to 4.45.1

Release notes

Sourced from mikefarah/yq's releases.

v4.45.1 - Create parent directories when --split-exp is used!

• Create parent directories when --split-exp is used, Thanks @​rudo-thomas
• Bumped dependencies

Changelog

Sourced from mikefarah/yq's changelog.

4.45.1:

• Create parent directories when --split-exp is used, Thanks @​rudo-thomas
• Bumped dependencies

4.44.6:

• Fixed deleting items in array bug #2027, #2172; Thanks @​jandubois
• Docker image for armv7 / raspberry pi3, Thanks @​brianegge
• Fixed no-colors regression #2218
• Fixed various panic scenarios #2211
• Bumped dependencies

4.44.5:

• Fixing release pipeline

4.44.4:

• Format comments with a gray foreground (Thanks @​gabe565)
• Fixed handling of nulls with sort_by expressions #2164
• Force no color output when NO_COLOR env presents (Thanks @​narqo)
• Fixed array subtraction update bug #2159
• Fixed index out of range error
• Can traverse straight from parent operator (parent.blah)
• Bumped dependencies

4.44.3:

• Fixed upper-case file extension detection, Thanks @​ryenus (#2121)
• Log printing follow no-colors flag #2082
• Skip and warn when interpolating strings and theres a unclosed bracket #2083
• Fixed CSV content starting with # issue #2076
• Bumped dependencies

4.44.2:

• Handle numbers with underscores #2039
• Unique now works on maps and arrays #2068
• Added support for short hand splat with env[] expression #2071, as well as many other operators (split,select,eval,pick..)
• Bumped dependencies

4.44.1:

• Added min/max operators (#1992) Thanks @​mbenson
• Added pivot oeprator (#1993) Thanks @​mbenson
• Fix: shell-completion (#2006) Thanks @​codekow
• Handle escaped backslashes (#1997) Thanks @​mbenson
• Fix npe when given filename ending with "." (#1994)
• Fix: linux (w/ selinux) build (#2004) Thanks @​codekow
• Bumped dependencies

4.43.1:

• Added omit operator #1989 thanks @​mbenson!
• Added tostring #72
• Added string interpolation #1149

... (truncated)

Commits

• 8bf425b Bumping version
• f755755 Updated release notes
• 0f390b2 Bumping goccy
• 31ad7fb Bump github.com/magiconair/properties from 1.8.7 to 1.8.9
• 566cf82 Bump github.com/goccy/go-json from 0.10.3 to 0.10.4
• 2c9f833 Bump github.com/elliotchance/orderedmap from 1.7.0 to 1.7.1
• c02d44d Bump golang.org/x/net from 0.32.0 to 0.33.0
• f73c862 feat: Create parent directories if --split-exp is used.
• 294a170 Bumping version
• See full diff in compare view

Updates anchore/sbom-action from 0.17.9 to 0.18.0

Release notes

Sourced from anchore/sbom-action's releases.

v0.18.0

Changes in v0.18.0

• chore(deps): update Syft to v1.19.0 (#513)
  • See Syft changelog for latest changes

Commits

• f325610 chore(deps): bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 (#511)
• 83a99f5 chore(deps): bump release-drafter/release-drafter from 6.0.0 to 6.1.0 (#512)
• 9af714f chore(deps): update Syft to v1.19.0 (#513)
• See full diff in compare view

Updates goreleaser/goreleaser-action from 6.1.0 to 6.3.0

Release notes

Sourced from goreleaser/goreleaser-action's releases.

v6.3.0

• Bump undici from 5.28.3 to 5.28.5 in goreleaser/goreleaser-action#488

Full Changelog: goreleaser/goreleaser-action@v6.2.1...v6.3.0

v6.2.1

What's Changed

This version of the actions adds support for GoReleaser Pro v2.7.0 versioning (which dropped the -pro suffix). Older versions should work fine.

[!WARNING] This version is required for GoReleaser Pro v2.7.0+. Read more here.

Full Changelog: goreleaser/goreleaser-action@v6.2.0...v6.2.1

v6.2.0

What's Changed

This version of the actions adds support for GoReleaser Pro v2.7.0 versioning (which dropped the -pro suffix). Older versions should work fine.

[!WARNING] This version is required for GoReleaser Pro v2.7.0+. Read more here.

Full Changelog: goreleaser/goreleaser-action@v6.1.0...v6.2.0

Commits

• 9c156ee ci: update bake-action to v6 (#493)
• 73c477b chore(deps): bump undici from 5.28.3 to 5.28.5 (#488)
• 19c00a9 chore(deps): bump codecov/codecov-action from 4 to 5 (#481)
• 90a3faa chore(deps): bake vendor
• 0262998 test: fixes
• 450d3a4 test: fix configs
• 25b92ab chore(deps): update semver and tool-cache
• bc0ac76 chore(deps): update actions
• 842e7cc feat: update for goreleaser v2.7
• d28c982 chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 (#482)
• See full diff in compare view

Updates google-github-actions/setup-gcloud from 2.1.2 to 2.1.4

Release notes

Sourced from google-github-actions/setup-gcloud's releases.

v2.1.4

What's Changed

• Revert to pinned release workflows by @​sethvargo in google-github-actions/setup-gcloud#706
• Release: v2.1.4 by @​google-github-actions-bot in google-github-actions/setup-gcloud#707

Full Changelog: google-github-actions/setup-gcloud@v2.1.3...v2.1.4

v2.1.3

What's Changed

• Allow manually running integration tests with workflow_dispatch by @​sethvargo in google-github-actions/setup-gcloud#702
• security: bump undici from 5.28.4 to 5.28.5 in the npm_and_yarn group by @​dependabot in google-github-actions/setup-gcloud#703
• Update deps by @​sethvargo in google-github-actions/setup-gcloud#704
• Release: v2.1.3 by @​google-github-actions-bot in google-github-actions/setup-gcloud#705

Full Changelog: google-github-actions/setup-gcloud@v2...v2.1.3

Commits

• 77e7a55 Release: v2.1.4 (#707)
• 334c690 Revert to pinned release workflows (#706)
• 4111bea Release: v2.1.3 (#705)
• 0c0751a Update deps (#704)
• ae61ebc security: bump undici from 5.28.4 to 5.28.5 in the npm_and_yarn group (#703)
• 25043b0 Allow manually running integration tests with workflow_dispatch (#702)
• See full diff in compare view

Updates slsa-framework/slsa-github-generator from 2.0.0 to 2.1.0

Release notes

Sourced from slsa-framework/slsa-github-generator's releases.

v2.1.0

What's Changed

• chore: v2.0.0: update tags to v2.0.0 by @​ramonpetgrave64 in slsa-framework/slsa-github-generator#3584
• fix: use @​sigstore/cli in e2e.sign-attestations.schedule.yml by @​ramonpetgrave64 in slsa-framework/slsa-github-generator#3572
• docs: fix broken links by @​suzuki-shunsuke in slsa-framework/slsa-github-generator#3605
• chore(setup-go): update actions/setup-go to resolve the warning by @​suzuki-shunsuke in slsa-framework/slsa-github-generator#3604
• fix: Update release docs by @​ramonpetgrave64 in slsa-framework/slsa-github-generator#3589
• docs: Add Atsign-Foundation NoPorts to the Hall of Fame by @​cpswan in slsa-framework/slsa-github-generator#3616
• docs: Add v2.0.0 to SECURITY.md by @​ianlewis in slsa-framework/slsa-github-generator#3630
• docs: Add links to CHANGELOG by @​ianlewis in slsa-framework/slsa-github-generator#3631
• ci: fix PR title checker by @​ianlewis in slsa-framework/slsa-github-generator#3632
• ci: Add issue reopener by @​ianlewis in slsa-framework/slsa-github-generator#3629
• fix: update softprops/action-gh-release to v2.0.5 by @​suzuki-shunsuke in slsa-framework/slsa-github-generator#3619
• chore(renovate): use cron syntax for schedule by @​rarkins in slsa-framework/slsa-github-generator#3638
• chore: Fix Renovate config by @​ianlewis in slsa-framework/slsa-github-generator#3635
• feat: workflow to update actions dist by @​ramonpetgrave64 in slsa-framework/slsa-github-generator#3653
• fix(deps): update dependency @​sigstore/rekor-types to v2 by @​renovate-bot in slsa-framework/slsa-github-generator#3650
• chore(deps): update github-actions (major) by @​renovate-bot in slsa-framework/slsa-github-generator#3648
• fix(deps): update dependency org.json:json to v20231013 [security] by @​renovate-bot in slsa-framework/slsa-github-generator#3641
• fix(deps): update module github.com/sigstore/cosign/v2 to v2.2.4 [security] by @​renovate-bot in slsa-framework/slsa-github-generator#3640
• chore(deps): update dependency pathspec to v0.12.1 by @​renovate-bot in slsa-framework/slsa-github-generator#3644
• fix(deps): update dependency @​actions/github to v6 by @​renovate-bot in slsa-framework/slsa-github-generator#3649
• fix(deps): update module golang.org/x/oauth2 to v0.20.0 by @​renovate-bot in slsa-framework/slsa-github-generator#3646
• fix(deps): update npm by @​renovate-bot in slsa-framework/slsa-github-generator#3647
• chore: formatting by @​ianlewis in slsa-framework/slsa-github-generator#3655
• chore(deps): update github-actions by @​renovate-bot in slsa-framework/slsa-github-generator#3642
• docs: Add openfga as another user of slsa-github-generator via Github Actions by @​aaguiarz in slsa-framework/slsa-github-generator#2950
• fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.6 by @​renovate-bot in slsa-framework/slsa-github-generator#3645
• chore: allow Renovate to create new config warning issues by @​HonkingGoose in slsa-framework/slsa-github-generator#3662
• chore: Fix markdown issues by @​ianlewis in slsa-framework/slsa-github-generator#3658
• chore(deps): update npm dev by @​renovate-bot in slsa-framework/slsa-github-generator#3643
• feat: Record vars in SLSA generators by @​ianlewis in slsa-framework/slsa-github-generator#3633
• chore(deps): update github-actions by @​renovate-bot in slsa-framework/slsa-github-generator#3679
• fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.7 by @​renovate-bot in slsa-framework/slsa-github-generator#3680
• docs: Remove expected GA for Node.js builder by @​ianlewis in slsa-framework/slsa-github-generator#3659
• ci: Add formatting pre-submit check by @​ianlewis in slsa-framework/slsa-github-generator#3654
• fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.8 by @​renovate-bot in slsa-framework/slsa-github-generator#3712
• chore(deps): bump the npm_and_yarn group across 10 directories with 2 updates by @​dependabot in slsa-framework/slsa-github-generator#3714
• chore(deps): update github-actions by @​renovate-bot in slsa-framework/slsa-github-generator#3711
• chore(deps): bump the go_modules group with 2 updates by @​dependabot in slsa-framework/slsa-github-generator#3715
• chore: slsa-verifier v2.6.0: Update action.yml by @​ramonpetgrave64 in slsa-framework/slsa-github-generator#3736
• fix: Update maven helper plugin build by @​loosebazooka in slsa-framework/slsa-github-generator#3746
• fix: maven e2e: remove verify job by @​ramonpetgrave64 in slsa-framework/slsa-github-generator#3748
• chore(deps): update github-actions by @​renovate-bot in slsa-framework/slsa-github-generator#3753
• chore(deps): bump github.com/docker/docker from 24.0.9+incompatible to 25.0.6+incompatible in the go_modules group by @​dependabot in slsa-framework/slsa-github-generator#3760
• chore(config): migrate renovate config by @​renovate-bot in slsa-framework/slsa-github-generator#3774
• chore(deps): update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.10.1 by @​renovate-bot in slsa-framework/slsa-github-generator#3758
• chore(deps): update dependency org.apache.maven.plugins:maven-deploy-plugin to v3.1.3 by @​renovate-bot in slsa-framework/slsa-github-generator#3820
• chore(deps): update dependency org.apache.maven.plugins:maven-gpg-plugin to v3.2.5 by @​renovate-bot in slsa-framework/slsa-github-generator#3757
• fix(deps): update npm by @​renovate-bot in slsa-framework/slsa-github-generator#3754

... (truncated)

Changelog

Sourced from slsa-framework/slsa-github-generator's changelog.

v2.1.0

v2.1.0: Sigstore Bundles for Generic Generator and Go Builder

The workflows generator_generic_slsa3.yml and builder_go_slsa3.yml have been updated to produce signed Sigstore Bundles, just like all the other builders that use the BYOB framework.

The workflow logs will now print a LogIndex, rather than a LogUUID. Both are equally searchanble on https://search.sigstore.dev/.

v2.1.0: Vars context recorded in provenance

• Updated: GitHub vars context is now recorded in provenance for the generic and container generators. The vars context cannot affect the build in the Go builder so it is not recorded.

Commits

• f7dd8c5 update the ref in the pre-submit
• 0a5124b fix jq for the sigstore bundles
• fbeecf0 update docs
• f701310 update workflows
• 3618598 v2.1.0-rc.3
• 46f81fc chore: update refs to v2.1.0-rc.1 (#4120)
• 5d20c93 chore: use builder tag v2.1.0-rc.0 (#4118)
• e27b237 chore: braces and ejs vulns (#4116)
• 8967e1c chore: Update CODEOWNERS (#4115)
• 47d1954 chore: update octokit deps (#4114)
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.0 to 2.4.1

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.1

What's Changed

• This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
• Publishing results now uses half the API quota as before. The exact savings depends on the repository in question.
  • use Scorecard library entrypoint instead of Cobra hooking by @​spencerschrock in ossf/scorecard-action#1423
• Some errors were made into annotations to make them more visible
  • Make default branch error more prominent by @​jsoref in ossf/scorecard-action#1459
• There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
  • add input for specifying --file-mode by @​spencerschrock in ossf/scorecard-action#1509
• The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.
  • 🌱 publish docker images to GitHub Container Registry by @​spencerschrock in ossf/scorecard-action#1453

Docs

• Installation docs update by @​JeremiahAHoward in ossf/scorecard-action#1416

New Contributors

• @​JeremiahAHoward made their first contribution in ossf/scorecard-action#1416
• @​jsoref made their first contribution in ossf/scorecard-action#1459 Full Changelog: ossf/scorecard-action@v2.4.0...v2.4.1

Commits

• f49aabe bump docker to ghcr v2.4.1 (#1478)
• 30a595b 🌱 Bump github.com/sigstore/cosign/v2 from 2.4.2 to 2.4.3 (#1515)
• 69ae593 omit vcs info ...

  Description has been truncated