From 0932e2f77228145a36906167f2b6b2bda6a19a4c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Jul 2026 12:15:01 +0000 Subject: [PATCH] ci: bump the github-actions group with 12 updates Bumps the github-actions group with 12 updates: | Package | From | To | | --- | --- | --- | | [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.19.4` | `2.20.0` | | [actions/cache](https://github.com/actions/cache) | `5.0.5` | `6.1.0` | | [actions/labeler](https://github.com/actions/labeler) | `6.1.0` | `6.2.0` | | [mislav/bump-homebrew-formula-action](https://github.com/mislav/bump-homebrew-formula-action) | `4.1` | `4.2` | | [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `4.1.0` | `4.1.1` | | [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `4.1.0` | `4.2.0` | | [docker/login-action](https://github.com/docker/login-action) | `4.2.0` | `4.4.0` | | [docker/build-push-action](https://github.com/docker/build-push-action) | `7.2.0` | `7.3.0` | | [actions/stale](https://github.com/actions/stale) | `10.3.0` | `10.4.0` | | [github/codeql-action/init](https://github.com/github/codeql-action) | `4.36.2` | `4.37.0` | | [github/codeql-action/analyze](https://github.com/github/codeql-action) | `4.36.2` | `4.37.0` | | [github/codeql-action/upload-sarif](https://github.com/github/codeql-action) | `4.36.2` | `4.37.0` | Updates `step-security/harden-runner` from 2.19.4 to 2.20.0 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/9af89fc71515a100421586dfdb3dc9c984fbf411...bf7454d06d71f1098171f2acdf0cd4708d7b5920) Updates `actions/cache` from 5.0.5 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/27d5ce7f107fe9357f9df03efb73ab90386fccae...55cc8345863c7cc4c66a329aec7e433d2d1c52a9) Updates `actions/labeler` from 6.1.0 to 6.2.0 - [Release notes](https://github.com/actions/labeler/releases) - [Commits](https://github.com/actions/labeler/compare/f27b608878404679385c85cfa523b85ccb86e213...b8dd2d9be0f68b860e7dae5dae7d772984eacd6d) Updates `mislav/bump-homebrew-formula-action` from 4.1 to 4.2 - [Release notes](https://github.com/mislav/bump-homebrew-formula-action/releases) - [Commits](https://github.com/mislav/bump-homebrew-formula-action/compare/ccf2332299a883f6af50a1d2d41e5df7904dd769...f865c8b0dbebd6e263cc06782a0e974c61cf12d2) Updates `actions/attest-build-provenance` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](https://github.com/actions/attest-build-provenance/compare/a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32...0f67c3f4856b2e3261c31976d6725780e5e4c373) Updates `docker/setup-buildx-action` from 4.1.0 to 4.2.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](https://github.com/docker/setup-buildx-action/compare/d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5...bb05f3f5519dd87d3ba754cc423b652a5edd6d2c) Updates `docker/login-action` from 4.2.0 to 4.4.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](https://github.com/docker/login-action/compare/650006c6eb7dba73a995cc03b0b2d7f5ca915bee...af1e73f918a031802d376d3c8bbc3fe56130a9b0) Updates `docker/build-push-action` from 7.2.0 to 7.3.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](https://github.com/docker/build-push-action/compare/f9f3042f7e2789586610d6e8b85c8f03e5195baf...53b7df96c91f9c12dcc8a07bcb9ccacbed38856a) Updates `actions/stale` from 10.3.0 to 10.4.0 - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/stale/compare/eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899...1e223db275d687790206a7acac4d1a11bd6fe629) Updates `github/codeql-action/init` from 4.36.2 to 4.37.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...99df26d4f13ea111d4ec1a7dddef6063f76b97e9) Updates `github/codeql-action/analyze` from 4.36.2 to 4.37.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...99df26d4f13ea111d4ec1a7dddef6063f76b97e9) Updates `github/codeql-action/upload-sarif` from 4.36.2 to 4.37.0 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/8aad20d150bbac5944a9f9d289da16a4b0d87c1e...99df26d4f13ea111d4ec1a7dddef6063f76b97e9) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/labeler dependency-version: 6.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: mislav/bump-homebrew-formula-action dependency-version: '4.2' dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/attest-build-provenance dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: docker/setup-buildx-action dependency-version: 4.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/login-action dependency-version: 4.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: docker/build-push-action dependency-version: 7.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: actions/stale dependency-version: 10.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action/init dependency-version: 4.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action/analyze dependency-version: 4.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action/upload-sarif dependency-version: 4.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/_build-cached.yml | 4 ++-- .github/workflows/_build-core.yml | 6 +++--- .github/workflows/_build-deps.yml | 6 +++--- .github/workflows/automation-ai-fix.yml | 4 ++-- .github/workflows/automation-assign-project.yml | 2 +- .github/workflows/automation-label-issues.yml | 2 +- .github/workflows/automation-label-prs.yml | 4 ++-- .github/workflows/cd-deploy-apt.yml | 2 +- .github/workflows/cd-deploy-aur.yml | 2 +- .github/workflows/cd-deploy-copr.yml | 2 +- .github/workflows/cd-deploy-flatpak.yml | 2 +- .github/workflows/cd-deploy-homebrew.yml | 4 ++-- .github/workflows/cd-deploy-ppa.yml | 2 +- .github/workflows/cd-deploy-winget.yml | 2 +- .github/workflows/cd-nightly.yml | 10 +++++----- .github/workflows/cd-packages.yml | 12 ++++++------ .github/workflows/cd-release-candidate.yml | 8 ++++---- .github/workflows/cd-release.yml | 12 ++++++------ .github/workflows/ci-arch-container.yml | 8 ++++---- .github/workflows/ci-debian-container.yml | 8 ++++---- .github/workflows/ci-fedora-container.yml | 8 ++++---- .github/workflows/ci-lint.yml | 2 +- .github/workflows/ci-pull-request.yml | 10 +++++----- .github/workflows/maintenance-stale.yml | 4 ++-- .github/workflows/maintenance-upstream-sync.yml | 2 +- .github/workflows/maintenance-version-bump.yml | 2 +- .github/workflows/security-codeql.yml | 6 +++--- .github/workflows/security-dependency-review.yml | 2 +- .github/workflows/security-scorecard.yml | 4 ++-- 29 files changed, 71 insertions(+), 71 deletions(-) diff --git a/.github/workflows/_build-cached.yml b/.github/workflows/_build-cached.yml index 3b17bb2292..5d73b072c4 100644 --- a/.github/workflows/_build-cached.yml +++ b/.github/workflows/_build-cached.yml @@ -28,7 +28,7 @@ jobs: valid-cache: ${{ steps.cache_deps.outputs.cache-hit }} steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 continue-on-error: true with: egress-policy: audit @@ -57,7 +57,7 @@ jobs: - name: Lookup cache (no restore) id: cache_deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ${{ steps.set_outputs.outputs.cache-path }} key: ${{ steps.set_outputs.outputs.cache-key }} diff --git a/.github/workflows/_build-core.yml b/.github/workflows/_build-core.yml index 1c018d975b..6d29c83e86 100644 --- a/.github/workflows/_build-core.yml +++ b/.github/workflows/_build-core.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 continue-on-error: true with: egress-policy: audit @@ -44,7 +44,7 @@ jobs: fetch-depth: 0 - name: load cached deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ${{ inputs.cache-path || format('{0}/deps/build', github.workspace) }} key: ${{ inputs.cache-key }} @@ -106,7 +106,7 @@ jobs: - name: Cache Homebrew downloads (macOS) if: runner.os == 'macOS' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ~/Library/Caches/Homebrew/downloads key: brew-core-${{ inputs.os }}-${{ hashFiles('.github/workflows/_build-core.yml') }} diff --git a/.github/workflows/_build-deps.yml b/.github/workflows/_build-deps.yml index ef00fb4bad..21d175c094 100644 --- a/.github/workflows/_build-deps.yml +++ b/.github/workflows/_build-deps.yml @@ -32,7 +32,7 @@ jobs: date: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -43,7 +43,7 @@ jobs: lfs: 'true' - name: load cached deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ${{ inputs.cache-path }} key: ${{ inputs.cache-key }} @@ -148,7 +148,7 @@ jobs: - name: Cache Homebrew downloads (macOS) if: startsWith(inputs.os, 'macos-') - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: ~/Library/Caches/Homebrew/downloads key: brew-deps-${{ inputs.os }}-${{ hashFiles('.github/workflows/_build-deps.yml') }} diff --git a/.github/workflows/automation-ai-fix.yml b/.github/workflows/automation-ai-fix.yml index 5e01e13b82..3ac3b70b98 100644 --- a/.github/workflows/automation-ai-fix.yml +++ b/.github/workflows/automation-ai-fix.yml @@ -20,7 +20,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -193,7 +193,7 @@ jobs: - name: Cache build deps if: steps.changes.outputs.changed == 'true' - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: autofix-deps-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} diff --git a/.github/workflows/automation-assign-project.yml b/.github/workflows/automation-assign-project.yml index bfc016e9d6..f216bc4a35 100644 --- a/.github/workflows/automation-assign-project.yml +++ b/.github/workflows/automation-assign-project.yml @@ -20,7 +20,7 @@ jobs: if: github.event_name == 'issues' || github.event_name == 'pull_request' steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/automation-label-issues.yml b/.github/workflows/automation-label-issues.yml index e4a71291f6..9722ff3ec4 100644 --- a/.github/workflows/automation-label-issues.yml +++ b/.github/workflows/automation-label-issues.yml @@ -19,7 +19,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/automation-label-prs.yml b/.github/workflows/automation-label-prs.yml index ade42c5bd6..9d35bf907a 100644 --- a/.github/workflows/automation-label-prs.yml +++ b/.github/workflows/automation-label-prs.yml @@ -16,12 +16,12 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 with: egress-policy: block allowed-endpoints: | api.github.com:443 - - uses: actions/labeler@f27b608878404679385c85cfa523b85ccb86e213 # v6.1.0 + - uses: actions/labeler@b8dd2d9be0f68b860e7dae5dae7d772984eacd6d # v6.2.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} configuration-path: .github/labeler.yml diff --git a/.github/workflows/cd-deploy-apt.yml b/.github/workflows/cd-deploy-apt.yml index 625fe6f43a..52161c7263 100644 --- a/.github/workflows/cd-deploy-apt.yml +++ b/.github/workflows/cd-deploy-apt.yml @@ -42,7 +42,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-deploy-aur.yml b/.github/workflows/cd-deploy-aur.yml index f7d5ff22fe..cfb9485432 100644 --- a/.github/workflows/cd-deploy-aur.yml +++ b/.github/workflows/cd-deploy-aur.yml @@ -42,7 +42,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-deploy-copr.yml b/.github/workflows/cd-deploy-copr.yml index d9352d6345..d17a262f62 100644 --- a/.github/workflows/cd-deploy-copr.yml +++ b/.github/workflows/cd-deploy-copr.yml @@ -55,7 +55,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-deploy-flatpak.yml b/.github/workflows/cd-deploy-flatpak.yml index 21d1ad75d1..84f618eb1d 100644 --- a/.github/workflows/cd-deploy-flatpak.yml +++ b/.github/workflows/cd-deploy-flatpak.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 diff --git a/.github/workflows/cd-deploy-homebrew.yml b/.github/workflows/cd-deploy-homebrew.yml index ab8361424c..6632130cc9 100644 --- a/.github/workflows/cd-deploy-homebrew.yml +++ b/.github/workflows/cd-deploy-homebrew.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: # audit (not block) to match the other deploy workflows — block mode # rejected the checkout connection to github.com even though it was @@ -69,7 +69,7 @@ jobs: echo "sha_intel=$SHA_INTEL" >> "$GITHUB_OUTPUT" - name: Update Homebrew Cask via PR - uses: mislav/bump-homebrew-formula-action@ccf2332299a883f6af50a1d2d41e5df7904dd769 # v4 + uses: mislav/bump-homebrew-formula-action@f865c8b0dbebd6e263cc06782a0e974c61cf12d2 # v4 with: formula-name: bambu-studio formula-path: Casks/bambu-studio.rb diff --git a/.github/workflows/cd-deploy-ppa.yml b/.github/workflows/cd-deploy-ppa.yml index 83a7ff3865..f3d0fc1ad3 100644 --- a/.github/workflows/cd-deploy-ppa.yml +++ b/.github/workflows/cd-deploy-ppa.yml @@ -63,7 +63,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-deploy-winget.yml b/.github/workflows/cd-deploy-winget.yml index b0d0a5d699..01b7b57ff2 100644 --- a/.github/workflows/cd-deploy-winget.yml +++ b/.github/workflows/cd-deploy-winget.yml @@ -25,7 +25,7 @@ jobs: timeout-minutes: 15 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/cd-nightly.yml b/.github/workflows/cd-nightly.yml index 7f37befab2..70c6f3e5b1 100644 --- a/.github/workflows/cd-nightly.yml +++ b/.github/workflows/cd-nightly.yml @@ -26,7 +26,7 @@ jobs: has_changes: ${{ steps.check.outputs.has_changes }} steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: > @@ -179,7 +179,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -275,7 +275,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -363,7 +363,7 @@ jobs: - name: Attest build provenance if: steps.check.outputs.n > 0 - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: artifacts/** @@ -506,7 +506,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-packages.yml b/.github/workflows/cd-packages.yml index c00844ffa3..c057461252 100644 --- a/.github/workflows/cd-packages.yml +++ b/.github/workflows/cd-packages.yml @@ -62,7 +62,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -77,7 +77,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-debian-trixie-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} @@ -191,7 +191,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -206,7 +206,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-fedora42_rpm-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} @@ -261,7 +261,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -276,7 +276,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-arch-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} diff --git a/.github/workflows/cd-release-candidate.yml b/.github/workflows/cd-release-candidate.yml index ee7d00b95f..a5edac2a37 100644 --- a/.github/workflows/cd-release-candidate.yml +++ b/.github/workflows/cd-release-candidate.yml @@ -120,7 +120,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -211,7 +211,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -302,7 +302,7 @@ jobs: - name: Attest build provenance if: steps.check.outputs.n > 0 - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: artifacts/** @@ -390,7 +390,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/cd-release.yml b/.github/workflows/cd-release.yml index aa84e30647..d649077531 100644 --- a/.github/workflows/cd-release.yml +++ b/.github/workflows/cd-release.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: > @@ -77,7 +77,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -245,7 +245,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -290,7 +290,7 @@ jobs: run: bash scripts/generate-checksums.sh release-assets/ - name: Attest build provenance - uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 + uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1 with: subject-path: release-assets/** @@ -347,7 +347,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -398,7 +398,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/ci-arch-container.yml b/.github/workflows/ci-arch-container.yml index db052f4d30..d18dfd117b 100644 --- a/.github/workflows/ci-arch-container.yml +++ b/.github/workflows/ci-arch-container.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -37,10 +37,10 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Log in to ghcr.io - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: run: echo "IMAGE_OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" - name: Build and push - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: docker file: docker/Dockerfile.archlinux diff --git a/.github/workflows/ci-debian-container.yml b/.github/workflows/ci-debian-container.yml index 9e59bc2257..54e7d01459 100644 --- a/.github/workflows/ci-debian-container.yml +++ b/.github/workflows/ci-debian-container.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -37,10 +37,10 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Log in to ghcr.io - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: run: echo "IMAGE_OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" - name: Build and push - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: docker file: docker/Dockerfile.debian-trixie diff --git a/.github/workflows/ci-fedora-container.yml b/.github/workflows/ci-fedora-container.yml index 1cf0d4b79b..26dd14bc1c 100644 --- a/.github/workflows/ci-fedora-container.yml +++ b/.github/workflows/ci-fedora-container.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -37,10 +37,10 @@ jobs: uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0 + uses: docker/setup-buildx-action@bb05f3f5519dd87d3ba754cc423b652a5edd6d2c # v4.2.0 - name: Log in to ghcr.io - uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0 + uses: docker/login-action@af1e73f918a031802d376d3c8bbc3fe56130a9b0 # v4.4.0 with: registry: ghcr.io username: ${{ github.actor }} @@ -50,7 +50,7 @@ jobs: run: echo "IMAGE_OWNER=$(echo '${{ github.repository_owner }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_ENV" - name: Build and push - uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0 + uses: docker/build-push-action@53b7df96c91f9c12dcc8a07bcb9ccacbed38856a # v7.3.0 with: context: docker file: docker/Dockerfile.fedora diff --git a/.github/workflows/ci-lint.yml b/.github/workflows/ci-lint.yml index 7114f5219c..fb99f92600 100644 --- a/.github/workflows/ci-lint.yml +++ b/.github/workflows/ci-lint.yml @@ -24,7 +24,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 diff --git a/.github/workflows/ci-pull-request.yml b/.github/workflows/ci-pull-request.yml index 9bab8c3510..bed28abf52 100644 --- a/.github/workflows/ci-pull-request.yml +++ b/.github/workflows/ci-pull-request.yml @@ -28,7 +28,7 @@ jobs: code: ${{ steps.check.outputs.code }} steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -106,7 +106,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -120,7 +120,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-debian-trixie_deb-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} @@ -167,7 +167,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit @@ -182,7 +182,7 @@ jobs: - name: Cache deps id: cache-deps - uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 + uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v5 with: path: deps/build/destdir key: pkg-deps-fedora42_rpm-${{ hashFiles('deps/CMakeLists.txt', 'deps/**/*.cmake') }} diff --git a/.github/workflows/maintenance-stale.yml b/.github/workflows/maintenance-stale.yml index be790430a3..aea7b98511 100644 --- a/.github/workflows/maintenance-stale.yml +++ b/.github/workflows/maintenance-stale.yml @@ -17,12 +17,12 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | api.github.com:443 - - uses: actions/stale@eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899 # v10.3.0 + - uses: actions/stale@1e223db275d687790206a7acac4d1a11bd6fe629 # v10.4.0 with: repo-token: ${{ secrets.GITHUB_TOKEN }} stale-issue-message: > diff --git a/.github/workflows/maintenance-upstream-sync.yml b/.github/workflows/maintenance-upstream-sync.yml index e745750464..d195e9cfcd 100644 --- a/.github/workflows/maintenance-upstream-sync.yml +++ b/.github/workflows/maintenance-upstream-sync.yml @@ -17,7 +17,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit diff --git a/.github/workflows/maintenance-version-bump.yml b/.github/workflows/maintenance-version-bump.yml index f2a9484be0..3165376f1d 100644 --- a/.github/workflows/maintenance-version-bump.yml +++ b/.github/workflows/maintenance-version-bump.yml @@ -29,7 +29,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block allowed-endpoints: | diff --git a/.github/workflows/security-codeql.yml b/.github/workflows/security-codeql.yml index 460556d612..6ade9540bf 100644 --- a/.github/workflows/security-codeql.yml +++ b/.github/workflows/security-codeql.yml @@ -39,7 +39,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: audit - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -47,7 +47,7 @@ jobs: submodules: false - name: Initialize CodeQL - uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/init@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: languages: ${{ matrix.language }} build-mode: manual @@ -80,6 +80,6 @@ jobs: --parallel 4 2>&1 | head -5000 || true - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/analyze@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: category: "/language:${{ matrix.language }}" diff --git a/.github/workflows/security-dependency-review.yml b/.github/workflows/security-dependency-review.yml index bd7a8c2d87..0b86cdee52 100644 --- a/.github/workflows/security-dependency-review.yml +++ b/.github/workflows/security-dependency-review.yml @@ -16,7 +16,7 @@ jobs: timeout-minutes: 10 steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: egress-policy: block # Use folded (>), NOT literal (|): harden-runner splits allowed-endpoints on diff --git a/.github/workflows/security-scorecard.yml b/.github/workflows/security-scorecard.yml index 7ae1f7aa11..312b625bf7 100644 --- a/.github/workflows/security-scorecard.yml +++ b/.github/workflows/security-scorecard.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4 + uses: step-security/harden-runner@bf7454d06d71f1098171f2acdf0cd4708d7b5920 # v2.20.0 with: # audit instead of block: scorecard-action runs in a Docker container # whose DNS (UDP) is blocked by egress-policy:block even for listed @@ -42,6 +42,6 @@ jobs: publish_results: true - name: Upload SARIF results - uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 + uses: github/codeql-action/upload-sarif@99df26d4f13ea111d4ec1a7dddef6063f76b97e9 # v4.37.0 with: sarif_file: results.sarif