ci: Update ci-actions#28
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
renovate
Bot
changed the title
renovate
Bot
force-pushed
the
renovate/ci-actions
branch
from
2810f56 to
69b0472
Compare
renovate
Bot
force-pushed
the
renovate/ci-actions
branch
from
69b0472 to
1032361
Compare
renovate
Bot
force-pushed
the
renovate/ci-actions
branch
from
1032361 to
c420b95
Compare
renovate
Bot
force-pushed
the
renovate/ci-actions
branch
from
c420b95 to
fc63a89
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
de0fac2→df4cb1c7211b7c→8aad20dv2.6.0→v2.8.0Release Notes
luckyPipewrench/pipelock (luckyPipewrench/pipelock)
v2.8.0Compare Source
Changelog
a728e24Add Enterprise Fleet Receipt Report minting (#749)0c023e7Add Fleet Receipt Report verifier foundation (#748)2f0f898Receipt evidence: clean-A2A allow receipts + fleet-receipt conformance (#801)0e5ebb2ci: Update ci-actions to v7 (#798)4d44bbfdeps: Update docker-base-images (#734)524e068deps: Update docker-base-images (#764)0a0c854deps: Update docker-base-images (#777)fce5a64deps: Update docker-base-images (#789)03e6299deps: Update docker-base-images (#800)5ff537adeps: Update go-deps to v0.9.0 (#781)9abd09adeps: Update go-deps to v1.52.0 (#793)8b14341deps: Update go-deps to v2.7.0 (#754)6634a00deps: Update k8s-images (#747)ca519a5deps: Update ts-verifier to v24.13.0 (#765)c01c561deps: Update ts-verifier to v24.13.1 (#787)480d06edocs(metrics): complete Prometheus metric catalog (#756)939f8d5feat(cli): add 'explain' command for remediable block explanations (#750)c2ec807feat(cli): add 'keys status' unified signing-key inventory (#752)d49fb60feat(cli): add 'support bundle' diagnostics command (#753)2c542a3feat(cli): add 'update' self-update command (#757)c036238feat(conductor): offline fleet-report export and verification (#791)2e72b0ffeat(conductor): operator credential and enrollment-token lifecycle (#792)a240b9efeat(conductor): operator recovery commands for the fleet control plane (#763)1b54c20feat(conductor): operator stream observability + publish-error clarity (#758)be8c25ffeat(conductor): verify emergency-control signatures at all leader read paths (#776)5a641c9feat(conductor): wire follower audience labels into policy, rollback, and remote-kill apply paths (#772)07621dcfeat(contain): install/UX hardening for first-run and older hosts (#761)2425c2efeat(contain): publishable offline containment conformance artifact with must-fail fixture (#773)a917febfeat(doctor): flag inert exemptions and semantic config mismatches (#751)70faa8afeat(license): add 'license crl inspect' and 'license crl verify' (#762)026b7f2feat(license): gate CLI issuance on paid capability + signed service import table (#779)7d2b4bafeat(license): monotonic CRL generation with consumer rollback rejection (#770)19bd993feat(license): require-intermediate enforcement, issuer-side intermediate revocation, CRL freshness (#775)8f658d4feat(mcp): defer authorization action with fail-closed resolution (#799)b9bdfddfeat(mcp): per-server response suppression + airlock reset for first-party tools (#774)3482757feat(playground): bundle generator + stable published orchestrator key (#795)26ce17dfeat(playground): gated live-chat backend (stream seam, gate, fail-closed limits, SSE server) (#802)6ec8b4efeat(playground): honest live-chat demo backend (bundle, caps, trust-class) (#812)bbaaf4dfeat(playground): honest live-chat demo for the agent firewall (#809)af5f0ddfeat(playground): live demo engine with offline-verifiable evidence (#784)9fdd1b1feat(playground): live model-backed agent for the demo (#804)1437a0ffeat(playground): live-demo spend controls + polish (#807)3a5423afeat(playground): split-proof contained mode with signed host-containment witness (#785)d7dfaabfeat(receipts): freeze v1 fixtures and publish versioning policy (#755)1de117afix(chart): render valid Conductor image refs (digest vs tag) (#790)3f5a7bbfix(conductor): tolerate abandoned fork siblings + offline recovery (#786)49d660bfix(deps): bump Python verifier cryptography to 48.0.1 (GHSA-537c-gmf6-5ccf) (#788)5236c74fix(license): evaluate token expiry against the injected verification clock (#780)4fa9952fix(mcp): opt-in stdio response timeout + self-update downgrade warning (#810)1a30205fix(playground): harden live demo adversarial edges (#808)90812befix(proxy): make redaction config key invariant to per-agent config deep-copy (#783)1413a09fix(scanner): direction-anchor Credential Solicitation to stop documentation false positives (#760)b3807cdfix(scanner): fail closed on over-depth JSON and stacked URL DLP encodings (#803)bb33140fix(wsutil): treat Windows Winsock close errnos as expected WS teardown (#769)08538aefix: close stacked-encoding DLP bypass, freeze receipt v1 canonical, correct dropped-action accounting (#814)d897e51fix: operability, UX, and support-bundle secret-redaction fixes (#805)edad608fix: verify raw action receipt chain jsonl (#771)f8bf755refactor(license): extract splitToken helper and rename Decode to DecodeUnverified (#782)ac614actest(certgen): make read-only-dir tests portable (#767)a73ce53test(cli): make read-only-dir/config tests portable on Windows (#766)abce869test(mcp): close recorder in receipt harness to fix Windows TempDir cleanup (#768)v2.7.0Compare Source
Changelog
5b7beb1Add Conductor emergency control and stale-policy fail-closed enforcement (#741)0ed5f57Add Conductor fleet observability and audit query commands (#740)05268b0Add Conductor production operator runbook and provisioning docs (#739)954c3dfAdd conductor publish for signed policy bundle distribution (#738)e606f17Add contain egress explanations and response-size allowances (#706)5b246c1Add live baseline ratify operator surface (#732)1953501Bind EvidenceReceipt v2 decisions to policy_hash (#719)eb462a1Bind action receipts to process runs with nonce (#729)f8690afConductor follower enrollment, rollback application, head-reset (#743)6adfb48Contain control-plane adaptive escalation (#709)3d07dcbEmit receipts on A2A block paths for transport parity (#727)867bd6dExport recorder signing public keys (#735)dbcb080Fail closed when signed receipts are required (#730)f8f849eFix Conductor rollback reconcile upgrade crashloop, restore coverage (#745)1d08461Fix URL-DLP false-positive remediation hint (#742)3e52a2fFix receipt-chain rotation and operator evidence ACLs (#725)2f3556cGate per-profile address allowlists on verified entitlement (#714)bcb9741Harden conductor audit ingest idempotency and lookup (#678)094e9f2Harden conductor audit queue lifecycle and error mapping (#724)b3dffd0Harden contain credential defaults and git push guard (#705)2bccfb8Harden contain setup and MCP receipt parity (#723)d5c2dfcMake receipt verification safe by default (#726)29ecdc7chore(deps): update dependency cryptography to v48 (#669)5588a58chore(hooks): scope pre-commit stages so a Go-only push doesn't need verifier toolchains (#682)511b209chore(verifiers): make TS + Rust reference verifiers publishable (npm + crates.io) (#713)15dd5c2ci(govulncheck): float to latest 1.26.x so stdlib advisories self-heal (#667)fda3d19ci: Update Azure/setup-helm action to v5 (#651)7a5031aci: Update ci-actions (#717)d3be8d3ci: run python verifier from source to stop recurring Scorecard pin alert (#665)7351c78deps: Lock file maintenance rust-verifier (#649)786052adeps: Pin dependencies (#646)42c2978deps: Update Rust crate serde_json to v1.0.150 (#647)736a519deps: Update docker-base-images (#638)49c01ffdeps: Update docker-base-images (#675)f3f9cd6deps: Update docker-base-images (#694)ed5855ddeps: Update docker-base-images (#702)7585a71deps: Update docker-base-images (#716)dadcde0deps: Update go-deps to v0.46.0 (#718)3638b23deps: Update go-deps to v1.51.0 (#703)2299f75deps: Update rust-verifier to v0.1.25 (#668)a976cfadocs(aarp): publish claims dictionary (#721)54e3bacfeat(a2a): verify Agent Card signatures against trusted origin-scoped keys (#689)8bd4fbdfeat(aarp): AARP v0.1 assurance envelope core (#660)1e2ae96feat(aarp): SVID X.509 attestation appraisal + hostile corpus (Go reference) (#670)7eeeb05feat(aarp): four-language hostile corpus + verifier lock (#663)381c4fcfeat(aarp): make the appraiser brutally literal about what it proves (#720)55e3eb0feat(aarp): port X.509-SVID attestation to TS/Rust/Python; lock four-language SVID corpus (#674)10fa815feat(aarp): verified X.509-SVID attestation binding (#661)6157e26feat(assess): honor CRL in paid artifact gating (#690)e7dde68feat(capture): add rpc id to CaptureRequest for request<->response join (#708)720b67efeat(conductor): add bootstrap command for a self-verifying dev fleet (#655)ae2b537feat(contain): runtime contract +contain doctorself-test (#704)ced2901feat(dlp): detect DB connection strings, GitLab token families, and cloud service-account keys (#657)e828c3ffeat(license): intermediate signing certificates with CRL revocation (#684)22958a7feat(license): wire intermediate license chain through runtime and service flows (#687)343a4e9feat(playground): synthetic replay capture rig for signed Audit Packet gallery (#681)d075eabfeat(receipt): add source-span v2 receipt payload (#697)d8c4b0bfeat(receipt): dual-emit v2 proxy_decision receipts on the live proxy path (#691)7c65323feat(receipts): enable flight recorder by default and seal transcript root on shutdown (#728)c2c3ba9feat(runtime): close in-flight conductor apply window and add license-reload error precision (#712)a4119e1feat(runtime): enforce fleet-license revocation at runtime (#707)1e25fb1feat(svid): offline X.509-SVID validation against pinned trust-bundle history (#653)e909785feat(taint): cross-agent contamination tracking across A2A/MCP (#677)f653dcefeat(verifier): verify EvidenceReceipt v2 chains offline (#664)43f9dcbfeat(verifiers): add spanned EvidenceReceipt v2 verification (#700)521cdbbfeat: add operation-aware playground replay capture (#686)30b62cafeat: add skill scan command (#672)e98995cfeat: self-service Enterprise Eval fulfillment (license service) (#680)6907555fix(ci): avoid unpinned AARP verifier install (#679)9df41e3fix(dlp): bound Twilio + Mailgun patterns to documented key shapes (#656)92981b6fix(dlp): require secret-plausible leading value char on credential patterns (#715)03db814fix(mcp): protect concurrent subprocess teardown (#733)496e968fix(mcp): treat connection teardown as a clean stream end in ForwardScanned (#654)bab2d93fix(mcp/provenance): domain-separate tool signatures and block duplicate names (#659)8da835cfix(proxy): harden cross-request exfil detection against key partitioning and flood-to-evict (#666)4802074fix(receipt): align cross-language verifier canonicalization, reject duplicate keys (#652)f5fd95efix(receipt): sanitize secret-bearing fields before signing (#676)6482bc5fix(release): build with patched Go 1.25.11 (#746)92d9c70fix(runtime): join listener goroutines before cleanup nils shared fields (#688)f174d70fix(scanner): direction-scope agent-secret exfil checks; skip path-shaped env values (#693)d8d278afix(scanner): exempt operator-governed API paths from path entropy; harden flaky test families (#701)00a5266fix(scanner): label MatchSpan offsets by indexed view (#685)40abeb4fix(seedprotect): close Unicode evasion gaps in BIP-39 seed-phrase detection (#658)caa96d1fix(testdata): force LF line endings for test goldens on Windows checkouts (#710)8a790bffix(windows): cross-platform file-permission gate (#695) + key-free MCP capture (#696) (#698)6dda831fix: clarify conductor key purposes and chart examples (#736)4ce2833fix: detect cross-tool sensitive file directives (#650)eb102fbfix: response-injection FPs on standards prose + seccomp CI test hang (#737)069a2e7helm: add enterprise deployment modes (#648)d2eff87test(aarp): add Evidence Theater Kill Suite overclaim gate (#722)1b5f812test(cli): harden run listener port allocation (#692)Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.