From 86f654b5e6a461c419e73d089955d50270f50a06 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Jun 2026 08:10:28 +0000 Subject: [PATCH] chore(actions)(deps): bump the actions group with 4 updates Bumps the actions group with 4 updates: [actions/checkout](https://github.com/actions/checkout), [step-security/harden-runner](https://github.com/step-security/harden-runner), [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) and [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action). Updates `actions/checkout` from 6 to 7 - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v6...v7) Updates `step-security/harden-runner` from 2.19.0 to 2.19.4 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/v2.19.0...9af89fc71515a100421586dfdb3dc9c984fbf411) Updates `sigstore/cosign-installer` from 3.9.2 to 4.1.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](https://github.com/sigstore/cosign-installer/compare/d58896d6a1865668819e1d91763c7751a165e159...6f9f17788090df1f26f669e9d70d6ae9567deba6) Updates `goreleaser/goreleaser-action` from 6.2.1 to 7.2.2 - [Release notes](https://github.com/goreleaser/goreleaser-action/releases) - [Commits](https://github.com/goreleaser/goreleaser-action/compare/90a3faa9d0182683851fbfa97ca1a2cb983bfca3...5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: step-security/harden-runner dependency-version: 2.19.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: sigstore/cosign-installer dependency-version: 4.1.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: goreleaser/goreleaser-action dependency-version: 7.2.2 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 2 +- .github/workflows/release.yml | 8 ++++---- .github/workflows/scorecard.yml | 2 +- .github/workflows/security.yml | 12 ++++++------ 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d22b9e3..504749e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -17,7 +17,7 @@ jobs: env: CGO_ENABLED: "1" steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@v7 - uses: actions/setup-go@v6 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 102dcb4..86f399c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -47,13 +47,13 @@ jobs: steps: - name: Harden runner egress # step-security/harden-runner v2.19.0 - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 + uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 with: egress-policy: audit - name: Checkout tag # actions/checkout v4.2.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 with: # On workflow_dispatch, build the supplied existing tag; on a tag # push, the pushed ref. Full history so goreleaser version detection @@ -92,7 +92,7 @@ jobs: - name: Install cosign # sigstore/cosign-installer v3.9.2 — provides `cosign` for the keyless # signing step in .goreleaser.yaml (signs: cmd: cosign). - uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 + uses: sigstore/cosign-installer@6f9f17788090df1f26f669e9d70d6ae9567deba6 - name: Install syft # anchore/sbom-action v0.24.0 (download-syft sub-action) — puts `syft` @@ -103,7 +103,7 @@ jobs: - name: Run GoReleaser # goreleaser/goreleaser-action v6.2.1 - uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 + uses: goreleaser/goreleaser-action@5daf1e915a5f0af01ddbcd89a43b8061ff4f1a89 with: version: '~> v2' args: release --clean diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 1ae22d3..cec95ce 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -41,7 +41,7 @@ jobs: - name: Checkout code # actions/checkout v6.0.2 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 with: persist-credentials: false diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 0faec9e..a48b21e 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -33,7 +33,7 @@ jobs: OSV_SCANNER_VERSION: 2.3.5 GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 # Install osv-scanner from the official GitHub release (binary, not the # action — google/osv-scanner-action's `action.yml` is composite-only and # fails when invoked as a job step). Using the preinstalled `gh` CLI @@ -70,7 +70,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 - uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: scan-type: fs @@ -85,7 +85,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: '3.12' @@ -110,7 +110,7 @@ jobs: GITLEAKS_VERSION: 8.30.1 GH_TOKEN: ${{ github.token }} steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 with: fetch-depth: 0 # The official `gitleaks/gitleaks-action` requires a paid license for @@ -133,7 +133,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: '20' @@ -165,7 +165,7 @@ jobs: permissions: contents: read steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2 + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v4.2.2 - name: Generate SPDX SBOM uses: anchore/sbom-action@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0 with: