Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/checkout](https://togithub.com/actions/checkout) | action | patch | `v3.5.2` -> `v3.5.3` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | minor | `v2.3.5` -> `v2.20.1` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.1.3` -> `v2.2.0` | | [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | patch | `v1.8.6` -> `v1.8.7` | --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v3.5.3`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v353) [Compare Source](https://togithub.com/actions/checkout/compare/v3.5.2...v3.5.3) - [Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in](https://togithub.com/actions/checkout/pull/1196) - [Fix typos found by codespell](https://togithub.com/actions/checkout/pull/1287) - [Add support for sparse checkouts](https://togithub.com/actions/checkout/pull/1369) </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.20.1`](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.20.0...v2.20.1) ### [`v2.20.0`](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.6...v2.20.0) ### [`v2.3.6`](https://togithub.com/github/codeql-action/compare/v2.3.5...v2.3.6) [Compare Source](https://togithub.com/github/codeql-action/compare/v2.3.5...v2.3.6) </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.2.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.2.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by [@​spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1192](https://togithub.com/ossf/scorecard-action/pull/1192) #### Scorecard Result Viewer Thanks to contributions from [@​cynthia-sg](https://togithub.com/cynthia-sg) and [@​tegioz](https://togithub.com/tegioz) at [CLOMonitor](https://togithub.com/cncf/clomonitor), there is a new Scorecard Result visualization page at `https://securityscorecards.dev/viewer/?uri=<project-url>`. - [https://github.com/ossf/scorecard-webapp/pull/406](https://togithub.com/ossf/scorecard-webapp/pull/406) - [https://github.com/ossf/scorecard-webapp/pull/422](https://togithub.com/ossf/scorecard-webapp/pull/422) As an example, you can see our own score visualized [here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard) Checkout our [README](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge) to learn how to link your README badge to the new visualization page. #### Publishing Results This release contains two fixes which will improve the user experience when `publish_results` is `true` - Runs that fail our [workflow restrictions](https://togithub.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions) will fail with a 400 response indicating the problem, instead of a vague 500 status. ([https://github.com/ossf/scorecard-action/pull/1156](https://togithub.com/ossf/scorecard-action/pull/1156), resolved [https://github.com/ossf/scorecard-action/issues/1150](https://togithub.com/ossf/scorecard-action/issues/1150)) - Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. ([https://github.com/ossf/scorecard-action/pull/1191](https://togithub.com/ossf/scorecard-action/pull/1191)) #### Docs - 📖 Update README to accept fine-grained tokens by [@​pnacht](https://togithub.com/pnacht) in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) - 📖 Update installation instructions to match current GitHub UI by [@​joycebrum](https://togithub.com/joycebrum) in [https://github.com/ossf/scorecard-action/pull/1153](https://togithub.com/ossf/scorecard-action/pull/1153) - 📖 Document the GitHub action workflow restrictions when publishing results. by [@​spencerschrock](https://togithub.com/spencerschrock) in #### New Contributors - [@​bobcallaway](https://togithub.com/bobcallaway) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1140](https://togithub.com/ossf/scorecard-action/pull/1140) - [@​pnacht](https://togithub.com/pnacht) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1175](https://togithub.com/ossf/scorecard-action/pull/1175) **Full Changelog**: ossf/scorecard-action@v2.1.3...v2.2.0 </details> <details> <summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary> ### [`v1.8.7`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.7) [Compare Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.8.6...v1.8.7) #### 💅 Cosmetic output impovements - [@​woodruffw](https://togithub.com/woodruffw) fixed OIDC the multiline annotations by escaping LF through urlencoding it in [https://github.com/pypa/gh-action-pypi-publish/pull/156](https://togithub.com/pypa/gh-action-pypi-publish/pull/156). - [@​jaap3](https://togithub.com/jaap3) noticed and promptly removed extraneous `}` from a non-OIDC log annotation in [https://github.com/pypa/gh-action-pypi-publish/pull/161](https://togithub.com/pypa/gh-action-pypi-publish/pull/161). - [@​hugovk](https://togithub.com/hugovk) made pip ignore that it runs under the root user and suppress its warning output in [https://github.com/pypa/gh-action-pypi-publish/pull/159](https://togithub.com/pypa/gh-action-pypi-publish/pull/159). #### 🛠️ Internal dependencies - Cryptography was bumped from 39.0.1 to 41.0.0 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/160](https://togithub.com/pypa/gh-action-pypi-publish/pull/160)ll/160 - Requests was bumped from 2.28.1 to 2.31.0 @&#[https://github.com/pypa/gh-action-pypi-publish/pull/157](https://togithub.com/pypa/gh-action-pypi-publish/pull/157)ll/157 #### 💪 New Contributors - [@​jaap3](https://togithub.com/jaap3) made their first contribution in [https://github.com/pypa/gh-action-pypi-publish/pull/161](https://togithub.com/pypa/gh-action-pypi-publish/pull/161) **:mirror: Full Diff**: pypa/gh-action-pypi-publish@v1.8.6...v1.8.7 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/google/osv.dev). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMTUuMiIsInVwZGF0ZWRJblZlciI6IjM1LjE0MS4zIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=--> --------- Co-authored-by: Rex P <106129829+another-rex@users.noreply.github.com>
- Loading branch information