Bump advanced-security/spdx-dependency-submission-action from 0.0.1 to 0.2.0

[dependabot]

Bumps advanced-security/spdx-dependency-submission-action from 0.0.1 to 0.2.0.

Release notes

Sourced from advanced-security/spdx-dependency-submission-action's releases.

v0.2.0

What's Changed

• build: Update dist files after dependency bump by @​Copilot in advanced-security/spdx-dependency-submission-action#97
• deps: Bump the production-dependencies group with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#96
• chore: Bump eslint from 9.39.1 to 9.39.2 in the development-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#95
• deps: Bump the production-dependencies group across 1 directory with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#98
• chore: Bump eslint from 9.39.2 to 10.0.0 in the development-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#100
• deps: Bump the production-dependencies group across 1 directory with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#101
  • Convert to ES modules for @​actions/core v3 and @​actions/github v9 compatibility advanced-security/spdx-dependency-submission-action#102

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.1.2...v0.2.0

v0.1.2 - features and maintenance release

What's Changed

• Update CODEOWNERS to DG team by @​jhutchings1 in advanced-security/spdx-dependency-submission-action#49
• Update CODEOWNERS by @​GeekMasher in advanced-security/spdx-dependency-submission-action#54
• deps: bump actions/setup-node from 4.0.2 to 4.2.0 in the production-dependencies group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#69
• feat: Update dependabot.yml by @​GeekMasher in advanced-security/spdx-dependency-submission-action#55
• feat: Add support for running inside a matrix by overriding the default correlator identifier by @​felickz in advanced-security/spdx-dependency-submission-action#50
• deps: bump actions/setup-node from 4.2.0 to 4.3.0 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#71
• deps: bump actions/setup-node from 4.3.0 to 4.4.0 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#72
• Update README.md to use v4 for checkout and upload-artifact by @​CallMeGreg in advanced-security/spdx-dependency-submission-action#73
• conditional test - do not run on PR from fork by @​felickz in advanced-security/spdx-dependency-submission-action#74
• Bump the npm_and_yarn group across 1 directory with 5 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#77
• deps: bump actions/checkout from 4 to 5 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#79
• chore: bump the development-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#78
• chore: bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#86
• deps: bump the production-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#76
• chore: bump glob from 10.4.5 to 10.5.0 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#87
• deps: bump the production-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#85
• deps: Bump the production-dependencies group across 1 directory with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#89
• chore: bump the development-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#82
• Fix for "workflow does not contain permissions", plus updated dist and fixed test failure with lazy loading of submission toolkit by @​aegilops in advanced-security/spdx-dependency-submission-action#90
• deps: bump @​actions/core from 1.11.1 to 2.0.1 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#92

New Contributors

• @​felickz made their first contribution in advanced-security/spdx-dependency-submission-action#50
• @​CallMeGreg made their first contribution in advanced-security/spdx-dependency-submission-action#73
• @​aegilops made their first contribution in advanced-security/spdx-dependency-submission-action#90

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.1.1...v0.1.2

v0.1.1

What's Changed

• Hotfix for PURL issues by @​GeekMasher in advanced-security/spdx-dependency-submission-action#42

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.1.0...v0.1.1

... (truncated)

Commits

• 169d224 deps: Bump the production-dependencies group across 1 directory with 2 update...
• c810a02 Merge pull request #100 from advanced-security/dependabot/npm_and_yarn/main/d...
• f9ac915 chore: Bump eslint in the development-dependencies group
• 4df5384 Merge pull request #98 from advanced-security/dependabot/github_actions/main/...
• ff0db0f Merge pull request #95 from advanced-security/dependabot/npm_and_yarn/main/de...
• e99d8ce deps: Bump the production-dependencies group across 1 directory with 2 updates
• be4152f chore: Bump eslint in the development-dependencies group
• 6b8807f Merge pull request #96 from advanced-security/dependabot/npm_and_yarn/main/pr...
• c6bcfd0 Merge pull request #97 from advanced-security/copilot/sub-pr-96
• 096e79b build: Update dist files after dependency bump
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/advanced-security/spdx-dependency-submission-action	169d22427d74f3faf93504e70b03eede8dab272a	🟢 6.1	Details Check Score Reason Code-Review 🟢 4 Found 2/5 approved changesets -- score normalized to 4 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/sbom-generate-submit.yml

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)

• .github/workflows/sbom-generate-submit.yml