From c627d1a4946f98189e8330e203d4821a0de57b5e Mon Sep 17 00:00:00 2001
From: Renovate Bot
Date: Wed, 1 Jul 2026 02:02:16 +0000
Subject: [PATCH] chore(deps): Update GitHub Actions
---
 .github/workflows/claude-baseline-review.yml | 2 +-
 .github/workflows/python-dependency-provenance.yml | 2 +-
 .github/workflows/supply-chain-promote-core.yml | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/claude-baseline-review.yml b/.github/workflows/claude-baseline-review.yml
index a5f5c8e..ffda5ca 100644
--- a/.github/workflows/claude-baseline-review.yml
+++ b/.github/workflows/claude-baseline-review.yml
@@ -138,7 +138,7 @@ jobs:
 run: git submodule update --init --recursive
 - name: Run baseline triage review
- uses: anthropics/claude-code-action@521136812280ae7ef256e06045655b9da02793f0 # v1.0.158
+ uses: anthropics/claude-code-action@a92e7c70a4da9793dc164451d829089dc057a464 # v1.0.159
 with:
 # #CRITICAL: secret reference; ANTHROPIC_API_KEY must exist as a
 # repository or organization secret or this step fails at startup.
diff --git a/.github/workflows/python-dependency-provenance.yml b/.github/workflows/python-dependency-provenance.yml
index 31aeeee..df5bd31 100644
--- a/.github/workflows/python-dependency-provenance.yml
+++ b/.github/workflows/python-dependency-provenance.yml
@@ -250,7 +250,7 @@ jobs:
 # `npm why ` for provenance. Runs in the frontend directory.
 - name: Set up Node (frontend)
 if: env.FRONTEND_STATE != 'skip'
- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: '20'
diff --git a/.github/workflows/supply-chain-promote-core.yml b/.github/workflows/supply-chain-promote-core.yml
index 92d4ffa..edc0d8b 100644
--- a/.github/workflows/supply-chain-promote-core.yml
+++ b/.github/workflows/supply-chain-promote-core.yml
@@ -201,7 +201,7 @@ jobs:
 - name: Download built image tar (oci-tar source)
 if: inputs.source_kind == 'oci-tar'
- uses: actions/download-artifact@448e3f862ab3ef47aa50ff917776823c9946035b # v5.0.0
+ uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
 with:
 name: ${{ inputs.source_artifact }}
@@ -233,7 +233,7 @@ jobs:
 - name: Upload Grype SARIF
 if: always() && hashFiles('grype-results.sarif') != ''
- uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867e8 # v4.30.4
+ uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
 with:
 sarif_file: grype-results.sarif
 category: grype-${{ inputs.image_id }}
@@ -309,7 +309,7 @@ jobs:
 uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 # v4.1.2
 - name: Download scanned tar
- uses: actions/download-artifact@448e3f862ab3ef47aa50ff917776823c9946035b # v5.0.0
+ uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
 with:
 name: promote-${{ inputs.image_id }}-tar
@@ -378,7 +378,7 @@ jobs:
 - name: GitHub build provenance attestation
 if: inputs.sign && github.ref == 'refs/heads/main'
- uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
+ uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
 with:
 subject-name: ghcr.io/${{ github.repository_owner }}/${{ inputs.ghcr_name }}
 subject-digest: ${{ steps.push.outputs.target_digest }}
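Review bot: In the `Download built image tar (oci-tar source)` step the `actions/download-artifact` pin moves from `448e3f86…` to `634f93cb…` while the trailing comment still reads `# v5.0.0`; the `Download scanned tar` step in the `@@ -309` hunk has the same change. A new digest under an unchanged version label means either the upstream tag was re-pointed or one of the two comments does not match its SHA, and nothing in the diff shows which. Before merging, confirm in the upstream repository that `634f93cb2916e3fdff6788551b99b062d0335ce0` is a commit on a release tag, and make the comment name that release, e.g. `uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # <release tag this SHA resolves to>`. The second step appears to feed the tar that is later pushed and attested in this workflow, so a mislabelled pin here is worth resolving rather than accepting with the batch.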