Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update README to accept fine-grained tokens #1175

Merged
merged 5 commits into from
Jun 22, 2023

Conversation

pnacht
Copy link
Contributor

@pnacht pnacht commented Jun 14, 2023

GraphQL now works with fine-grained tokens. My understanding is that this was the blocker to adopting fine-grained tokens in the Scorecard Action.

I unfortunately did not manage to get fine-grained tokens to work for random public repos using the Scorecard CLI, so I think we're still stuck using classic PATs there (but please try to solve this yourself!)... but they do work when running the Scorecard Action with a fine-grained PAT (see this example and the successful workflow run).

Therefore, this PR updates the README.md to show how to set the token up. Are changes needed anywhere else (other than the starter workflow)?

The README contained quite a bit of information on private repos, which I don't believe applies to fine-grained tokens. However, I don't have a private repo with GitHub Advanced Security, so I haven't been able to test this. This should be tested by someone with access to such repos.

The README also describes issues with SAML SSO, but these do not apply to fine-grained tokens, which are authorized at creation. As such, these comments have been removed. (Though it may be worth testing this just to be sure!)

Before merging this PR, we should make sure that:

  • Action works with fine-grained tokens on private repositories
  • Action works with fine-grained tokens on repos with SAML SSO

- Removed "Personal Access Token (PAT) Requirements and Risks" section, which
doesn't apply to fine-grained tokens
- In "Authentication with PAT (Optional)"
  - Updated settings for fine-grained permissions
  - Removed comment about SAML SSO, which doesn't apply to fine-grained tokens
- In "Troubleshooting", removed items on private repositories and SAML SSO.
- Updated "Workflow example"

Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
README.md Show resolved Hide resolved
README.md Show resolved Hide resolved
README.md Show resolved Hide resolved
README.md Outdated Show resolved Hide resolved
Signed-off-by: Pedro Kaj Kjellerup Nacht <[email protected]>
README.md Outdated Show resolved Hide resolved
README.md Show resolved Hide resolved
README.md Show resolved Hide resolved
@codecov
Copy link

codecov bot commented Jun 18, 2023

Codecov Report

Merging #1175 (e143085) into main (8808ed2) will decrease coverage by 0.98%.
The diff coverage is n/a.

❗ Current head e143085 differs from pull request most recent head ec6db9c. Consider uploading reports for the commit ec6db9c to get more accurate results

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##             main    #1175      +/-   ##
==========================================
- Coverage   64.68%   63.70%   -0.98%     
==========================================
  Files           4        4              
  Lines         269      248      -21     
==========================================
- Hits          174      158      -16     
+ Misses         80       75       -5     
  Partials       15       15              

see 1 file with indirect coverage changes

@spencerschrock spencerschrock enabled auto-merge (squash) June 22, 2023 17:12
@spencerschrock spencerschrock merged commit 597960e into ossf:main Jun 22, 2023
renovate bot referenced this pull request in trunk-io/trunk-action Jun 23, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://github.com/github/codeql-action) |
action | patch | `v2.20.0` -> `v2.20.1` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.3` -> `v2.2.0` |

---

### Release Notes

<details>
<summary>github/codeql-action</summary>

###
[`v2.20.1`](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

</details>

<details>
<summary>ossf/scorecard-action</summary>

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/trunk-io/trunk-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMzEuMCIsInVwZGF0ZWRJblZlciI6IjM1LjEzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
another-rex referenced this pull request in google/osv-scanner Jun 26, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://github.com/github/codeql-action) |
action | patch | `v2.20.0` -> `v2.20.1` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.3` -> `v2.2.0` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.1`](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/google/osv-scanner).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDEuMyIsInVwZGF0ZWRJblZlciI6IjM1LjE0MS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
another-rex referenced this pull request in google/osv.dev Jun 27, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action |
patch | `v3.5.2` -> `v3.5.3` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | minor | `v2.3.5` -> `v2.20.1` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.3` -> `v2.2.0` |
|
[pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish)
| action | patch | `v1.8.6` -> `v1.8.7` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v3.5.3`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v353)

[Compare
Source](https://github.com/actions/checkout/compare/v3.5.2...v3.5.3)

- [Fix: Checkout fail in self-hosted runners when faulty submodule are
checked-in](https://github.com/actions/checkout/pull/1196)
- [Fix typos found by
codespell](https://github.com/actions/checkout/pull/1287)
- [Add support for sparse
checkouts](https://github.com/actions/checkout/pull/1369)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.1`](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

###
[`v2.20.0`](https://github.com/github/codeql-action/compare/v2.3.6...v2.20.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.6...v2.20.0)

###
[`v2.3.6`](https://github.com/github/codeql-action/compare/v2.3.5...v2.3.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.5...v2.3.6)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

</details>

<details>
<summary>pypa/gh-action-pypi-publish
(pypa/gh-action-pypi-publish)</summary>

###
[`v1.8.7`](https://github.com/pypa/gh-action-pypi-publish/releases/tag/v1.8.7)

[Compare
Source](https://github.com/pypa/gh-action-pypi-publish/compare/v1.8.6...v1.8.7)

#### 💅 Cosmetic output impovements

- [@&#8203;woodruffw](https://github.com/woodruffw) fixed OIDC the
multiline annotations by escaping LF through urlencoding it in
[https://github.com/pypa/gh-action-pypi-publish/pull/156](https://github.com/pypa/gh-action-pypi-publish/pull/156).
- [@&#8203;jaap3](https://github.com/jaap3) noticed and promptly
removed extraneous `}` from a non-OIDC log annotation in
[https://github.com/pypa/gh-action-pypi-publish/pull/161](https://github.com/pypa/gh-action-pypi-publish/pull/161).
- [@&#8203;hugovk](https://github.com/hugovk) made pip ignore that it
runs under the root user and suppress its warning output in
[https://github.com/pypa/gh-action-pypi-publish/pull/159](https://github.com/pypa/gh-action-pypi-publish/pull/159).

#### 🛠️ Internal dependencies

- Cryptography was bumped from 39.0.1 to 41.0.0
@&#[https://github.com/pypa/gh-action-pypi-publish/pull/160](https://github.com/pypa/gh-action-pypi-publish/pull/160)ll/160
- Requests was bumped from 2.28.1 to 2.31.0
@&#[https://github.com/pypa/gh-action-pypi-publish/pull/157](https://github.com/pypa/gh-action-pypi-publish/pull/157)ll/157

#### 💪 New Contributors

- [@&#8203;jaap3](https://github.com/jaap3) made their first
contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/161](https://github.com/pypa/gh-action-pypi-publish/pull/161)

**:mirror: Full Diff**:
pypa/gh-action-pypi-publish@v1.8.6...v1.8.7

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMTUuMiIsInVwZGF0ZWRJblZlciI6IjM1LjE0MS4zIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIn0=-->

---------

Co-authored-by: Rex P <[email protected]>
ianlewis referenced this pull request in slsa-framework/slsa-github-generator Jun 27, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-java | action | digest | `45058d7` -> `1f2faad` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | patch | `v2.20.0` -> `v2.20.1` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.3` -> `v2.2.0` |
|
[sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)
| action | minor | `v3.0.5` -> `v3.1.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.1`](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.1.0`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.0)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.0.5...v3.1.0)

#### What's Changed

- update job to use latest action release by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/130](https://github.com/sigstore/cosign-installer/pull/130)
- Update action example for keyless signing as xarg is not required by
[@&#8203;jbtrystram](https://github.com/jbtrystram) in
[https://github.com/sigstore/cosign-installer/pull/132](https://github.com/sigstore/cosign-installer/pull/132)
- update examples by [@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/133](https://github.com/sigstore/cosign-installer/pull/133)
- bump cosign to default to release v2.1.0 and update docs by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/136](https://github.com/sigstore/cosign-installer/pull/136)

#### New Contributors

- [@&#8203;jbtrystram](https://github.com/jbtrystram) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/132](https://github.com/sigstore/cosign-installer/pull/132)

**Full Changelog**:
sigstore/cosign-installer@v3.0.5...v3.1.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMzEuMCIsInVwZGF0ZWRJblZlciI6IjM1LjE0MS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <[email protected]>
ianlewis referenced this pull request in slsa-framework/slsa-verifier Jul 18, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://github.com/actions/setup-node) | action
| minor | `v3.6.0` -> `v3.7.0` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | minor | `v2.3.6` -> `v2.20.4` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.3` -> `v2.2.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.7.0`](https://github.com/actions/setup-node/releases/tag/v3.7.0)

[Compare
Source](https://github.com/actions/setup-node/compare/v3.6.0...v3.7.0)

##### What's Changed

In scope of this release we added a logic to save an additional cache
path for yarn 3 ([related pull
request](https://github.com/actions/setup-node/pull/744) and [feature
request](https://github.com/actions/setup-node/issues/325)). Moreover,
we added functionality to use all the sub directories derived from
`cache-dependency-path` input and add detect all dependencies
directories to cache (related [pull
request](https://github.com/actions/setup-node/pull/735) and [feature
request](https://github.com/actions/setup-node/issues/488)).

##### Besides, we made such changes as:

- Replace workflow badge with new badge by
[@&#8203;jongwooo](https://github.com/jongwooo) in
[https://github.com/actions/setup-node/pull/653](https://github.com/actions/setup-node/pull/653)
- Fix a minor typo by [@&#8203;phanan](https://github.com/phanan) in
[https://github.com/actions/setup-node/pull/662](https://github.com/actions/setup-node/pull/662)
- docs: fix typo in advanced-usage.md by
[@&#8203;remarkablemark](https://github.com/remarkablemark) in
[https://github.com/actions/setup-node/pull/697](https://github.com/actions/setup-node/pull/697)
- bugfix: Don't attempt to use Windows fallbacks on non-Windows OSes by
[@&#8203;domdomegg](https://github.com/domdomegg) in
[https://github.com/actions/setup-node/pull/718](https://github.com/actions/setup-node/pull/718)
- Update to node 18.x by
[@&#8203;feelepxyz](https://github.com/feelepxyz) in
[https://github.com/actions/setup-node/pull/751](https://github.com/actions/setup-node/pull/751)
- Remove implicit dependencies by
[@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/758](https://github.com/actions/setup-node/pull/758)
- Fix description about ensuring workflow access to private package by
[@&#8203;x86chi](https://github.com/x86chi) in
[https://github.com/actions/setup-node/pull/704](https://github.com/actions/setup-node/pull/704)

##### New Contributors

- [@&#8203;jongwooo](https://github.com/jongwooo) made their first
contribution in
[https://github.com/actions/setup-node/pull/653](https://github.com/actions/setup-node/pull/653)
- [@&#8203;phanan](https://github.com/phanan) made their first
contribution in
[https://github.com/actions/setup-node/pull/662](https://github.com/actions/setup-node/pull/662)
- [@&#8203;remarkablemark](https://github.com/remarkablemark) made
their first contribution in
[https://github.com/actions/setup-node/pull/697](https://github.com/actions/setup-node/pull/697)
- [@&#8203;domdomegg](https://github.com/domdomegg) made their first
contribution in
[https://github.com/actions/setup-node/pull/718](https://github.com/actions/setup-node/pull/718)
- [@&#8203;feelepxyz](https://github.com/feelepxyz) made their first
contribution in
[https://github.com/actions/setup-node/pull/751](https://github.com/actions/setup-node/pull/751)
- [@&#8203;nikolai-laevskii](https://github.com/nikolai-laevskii) made
their first contribution in
[https://github.com/actions/setup-node/pull/758](https://github.com/actions/setup-node/pull/758)
- [@&#8203;x86chi](https://github.com/x86chi) made their first
contribution in
[https://github.com/actions/setup-node/pull/704](https://github.com/actions/setup-node/pull/704)

**Full Changelog**:
actions/setup-node@v3...v3.7.0

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.4`](https://github.com/github/codeql-action/compare/v2.20.3...v2.20.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.3...v2.20.4)

###
[`v2.20.3`](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

###
[`v2.20.2`](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

###
[`v2.20.1`](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

###
[`v2.20.0`](https://github.com/github/codeql-action/compare/v2.3.6...v2.20.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.6...v2.20.0)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xNDQuMiIsInVwZGF0ZWRJblZlciI6IjM2LjUuMyIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Signed-off-by: Mend Renovate <[email protected]>
enteraga6 referenced this pull request in enteraga6/slsa-github-generator Jul 18, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/setup-java | action | digest | `45058d7` -> `1f2faad` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | patch | `v2.20.0` -> `v2.20.1` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.3` -> `v2.2.0` |
|
[sigstore/cosign-installer](https://github.com/sigstore/cosign-installer)
| action | minor | `v3.0.5` -> `v3.1.0` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.20.1`](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.1.0`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.0)

[Compare
Source](https://github.com/sigstore/cosign-installer/compare/v3.0.5...v3.1.0)

#### What's Changed

- update job to use latest action release by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/130](https://github.com/sigstore/cosign-installer/pull/130)
- Update action example for keyless signing as xarg is not required by
[@&#8203;jbtrystram](https://github.com/jbtrystram) in
[https://github.com/sigstore/cosign-installer/pull/132](https://github.com/sigstore/cosign-installer/pull/132)
- update examples by [@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/133](https://github.com/sigstore/cosign-installer/pull/133)
- bump cosign to default to release v2.1.0 and update docs by
[@&#8203;cpanato](https://github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/136](https://github.com/sigstore/cosign-installer/pull/136)

#### New Contributors

- [@&#8203;jbtrystram](https://github.com/jbtrystram) made their first
contribution in
[https://github.com/sigstore/cosign-installer/pull/132](https://github.com/sigstore/cosign-installer/pull/132)

**Full Changelog**:
sigstore/cosign-installer@v3.0.5...v3.1.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS4xMzEuMCIsInVwZGF0ZWRJblZlciI6IjM1LjE0MS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: Noah Elzner <[email protected]>
karfau referenced this pull request in xmldom/xmldom Sep 28, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.2` -> `v2.2.0` |

---

### Release Notes

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

###
[`v2.1.3`](https://github.com/ossf/scorecard-action/releases/tag/v2.1.3)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1111](https://github.com/ossf/scorecard-action/pull/1111)

##### Bug Fixes

-   Invalid SARIF files from a bug in scorecard
-
[#&#8203;1076](https://github.com/ossf/scorecard-action/issues/1076),
[#&#8203;1094](https://github.com/ossf/scorecard-action/issues/1094)
- Vulnerabilities check crashes if a vulnerable dependency is found via
OSVScanner
- [#&#8203;1092](https://github.com/ossf/scorecard-action/issues/1092)
-   Scorecard action not reporting binary artifacts in the repo
- [#&#8203;1116](https://github.com/ossf/scorecard-action/issues/1116)

**Full Scorecard Changelog**:
ossf/scorecard@v4.10.2...v4.10.5

**Full Changelog**:
ossf/scorecard-action@v2.1.2...v2.1.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/xmldom/xmldom).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4wLjMiLCJ1cGRhdGVkSW5WZXIiOiIzNy4wLjMiLCJ0YXJnZXRCcmFuY2giOiJtYXN0ZXIifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
anakinxc referenced this pull request in secretflow/spu Jan 12, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.2` -> `v2.3.1` |

---

### Release Notes

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.1`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://github.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://github.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
ossf/scorecard-action@v2.3.0...v2.3.1

###
[`v2.3.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1270](https://github.com/ossf/scorecard-action/pull/1270)
- For a full changelist of what this includes, see the
[v4.12.0](https://github.com/ossf/scorecard/releases/tag/v4.12.0) and
[v4.13.0](https://github.com/ossf/scorecard/releases/tag/v4.13.0)
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1169](https://github.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1225](https://github.com/ossf/scorecard-action/pull/1225)

##### Documentation

- 📖 Update access rights needed to see the results in code scanning
by [@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1229](https://github.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1221](https://github.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by
[@&#8203;david-a-wheeler](https://github.com/david-a-wheeler) in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by
[@&#8203;aabouzaid](https://github.com/aabouzaid) in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

#### New Contributors

- [@&#8203;david-a-wheeler](https://github.com/david-a-wheeler) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- [@&#8203;aabouzaid](https://github.com/aabouzaid) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

**Full Changelog**:
ossf/scorecard-action@v2.2.0...v2.3.0

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

###
[`v2.1.3`](https://github.com/ossf/scorecard-action/releases/tag/v2.1.3)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1111](https://github.com/ossf/scorecard-action/pull/1111)

##### Bug Fixes

-   Invalid SARIF files from a bug in scorecard
-
[#&#8203;1076](https://github.com/ossf/scorecard-action/issues/1076),
[#&#8203;1094](https://github.com/ossf/scorecard-action/issues/1094)
- Vulnerabilities check crashes if a vulnerable dependency is found via
OSVScanner
- [#&#8203;1092](https://github.com/ossf/scorecard-action/issues/1092)
-   Scorecard action not reporting binary artifacts in the repo
- [#&#8203;1116](https://github.com/ossf/scorecard-action/issues/1116)

**Full Scorecard Changelog**:
ossf/scorecard@v4.10.2...v4.10.5

**Full Changelog**:
ossf/scorecard-action@v2.1.2...v2.1.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/secretflow/spu).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xMjcuMCIsInVwZGF0ZWRJblZlciI6IjM3LjEyNy4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
codeboten referenced this pull request in open-telemetry/opentelemetry-collector Jan 30, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://github.com/actions/checkout) | action |
minor | `v3.1.0` -> `v3.6.0` |
|
[actions/upload-artifact](https://github.com/actions/upload-artifact)
| action | patch | `v3.1.0` -> `v3.1.3` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | minor | `v2.2.4` -> `v2.23.2` |
| [github/codeql-action](https://github.com/github/codeql-action) |
action | patch | `v3.23.1` -> `v3.23.2` |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
action | minor | `v2.1.2` -> `v2.3.1` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v3.6.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v360)

[Compare
Source](https://github.com/actions/checkout/compare/v3.5.3...v3.6.0)

- [Fix: Mark test scripts with Bash'isms to be run via
Bash](https://github.com/actions/checkout/pull/1377)
- [Add option to fetch tags even if fetch-depth >
0](https://github.com/actions/checkout/pull/579)

###
[`v3.5.3`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v353)

[Compare
Source](https://github.com/actions/checkout/compare/v3.5.2...v3.5.3)

- [Fix: Checkout fail in self-hosted runners when faulty submodule are
checked-in](https://github.com/actions/checkout/pull/1196)
- [Fix typos found by
codespell](https://github.com/actions/checkout/pull/1287)
- [Add support for sparse
checkouts](https://github.com/actions/checkout/pull/1369)

###
[`v3.5.2`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v352)

[Compare
Source](https://github.com/actions/checkout/compare/v3.5.1...v3.5.2)

- [Fix api endpoint for
GHES](https://github.com/actions/checkout/pull/1289)

###
[`v3.5.1`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v351)

[Compare
Source](https://github.com/actions/checkout/compare/v3.5.0...v3.5.1)

- [Fix slow checkout on
Windows](https://github.com/actions/checkout/pull/1246)

###
[`v3.5.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v350)

[Compare
Source](https://github.com/actions/checkout/compare/v3.4.0...v3.5.0)

- [Add new public key for
known_hosts](https://github.com/actions/checkout/pull/1237)

###
[`v3.4.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v340)

[Compare
Source](https://github.com/actions/checkout/compare/v3.3.0...v3.4.0)

- [Upgrade codeql actions to
v2](https://github.com/actions/checkout/pull/1209)
- [Upgrade
dependencies](https://github.com/actions/checkout/pull/1210)
- [Upgrade
@&#8203;actions/io](https://github.com/actions/checkout/pull/1225)

###
[`v3.3.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v330)

[Compare
Source](https://github.com/actions/checkout/compare/v3.2.0...v3.3.0)

- [Implement branch list using callbacks from exec
function](https://github.com/actions/checkout/pull/1045)
- [Add in explicit reference to private checkout
options](https://github.com/actions/checkout/pull/1050)
- [Fix comment typos (that got added in
#&#8203;770)](https://github.com/actions/checkout/pull/1057)

###
[`v3.2.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v320)

[Compare
Source](https://github.com/actions/checkout/compare/v3.1.0...v3.2.0)

- [Add GitHub Action to perform
release](https://github.com/actions/checkout/pull/942)
-   [Fix status badge](https://github.com/actions/checkout/pull/967)
- [Replace datadog/squid with ubuntu/squid Docker
image](https://github.com/actions/checkout/pull/1002)
- [Wrap pipeline commands for submoduleForeach in
quotes](https://github.com/actions/checkout/pull/964)
- [Update @&#8203;actions/io to
1.1.2](https://github.com/actions/checkout/pull/1029)
- [Upgrading version to
3.2.0](https://github.com/actions/checkout/pull/1039)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v3.1.3`](https://github.com/actions/upload-artifact/releases/tag/v3.1.3)

[Compare
Source](https://github.com/actions/upload-artifact/compare/v3.1.2...v3.1.3)

#### What's Changed

- chore(github): remove trailing whitespaces by
[@&#8203;ljmf00](https://github.com/ljmf00) in
[https://github.com/actions/upload-artifact/pull/313](https://github.com/actions/upload-artifact/pull/313)
- Bump [@&#8203;actions/artifact](https://github.com/actions/artifact)
version to v1.1.2 by
[@&#8203;bethanyj28](https://github.com/bethanyj28) in
[https://github.com/actions/upload-artifact/pull/436](https://github.com/actions/upload-artifact/pull/436)

**Full Changelog**:
actions/upload-artifact@v3...v3.1.3

###
[`v3.1.2`](https://github.com/actions/upload-artifact/releases/tag/v3.1.2)

[Compare
Source](https://github.com/actions/upload-artifact/compare/v3.1.1...v3.1.2)

- Update all `@actions/*` NPM packages to their latest versions-
[#&#8203;374](https://github.com/actions/upload-artifact/issues/374)
- Update all dev dependencies to their most recent versions -
[#&#8203;375](https://github.com/actions/upload-artifact/issues/375)

###
[`v3.1.1`](https://github.com/actions/upload-artifact/releases/tag/v3.1.1)

[Compare
Source](https://github.com/actions/upload-artifact/compare/v3.1.0...v3.1.1)

- Update actions/core package to latest version to remove `set-output`
deprecation warning
[#&#8203;351](https://github.com/actions/upload-artifact/issues/351)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.23.2`](https://github.com/github/codeql-action/compare/v2.23.1...v2.23.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.23.1...v2.23.2)

###
[`v2.23.1`](https://github.com/github/codeql-action/compare/v2.23.0...v2.23.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.23.0...v2.23.1)

###
[`v2.23.0`](https://github.com/github/codeql-action/compare/v2.22.12...v2.23.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.12...v2.23.0)

###
[`v2.22.12`](https://github.com/github/codeql-action/compare/v2.22.11...v2.22.12)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.11...v2.22.12)

###
[`v2.22.11`](https://github.com/github/codeql-action/compare/v2.22.10...v2.22.11)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.10...v2.22.11)

###
[`v2.22.10`](https://github.com/github/codeql-action/compare/v2.22.9...v2.22.10)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.9...v2.22.10)

###
[`v2.22.9`](https://github.com/github/codeql-action/compare/v2.22.8...v2.22.9)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.8...v2.22.9)

###
[`v2.22.8`](https://github.com/github/codeql-action/compare/v2.22.7...v2.22.8)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.7...v2.22.8)

###
[`v2.22.7`](https://github.com/github/codeql-action/compare/v2.22.6...v2.22.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.6...v2.22.7)

###
[`v2.22.6`](https://github.com/github/codeql-action/compare/v2.22.5...v2.22.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.5...v2.22.6)

###
[`v2.22.5`](https://github.com/github/codeql-action/compare/v2.22.4...v2.22.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.4...v2.22.5)

###
[`v2.22.4`](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4)

###
[`v2.22.3`](https://github.com/github/codeql-action/compare/v2.22.2...v2.22.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.2...v2.22.3)

###
[`v2.22.2`](https://github.com/github/codeql-action/compare/v2.22.1...v2.22.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.1...v2.22.2)

###
[`v2.22.1`](https://github.com/github/codeql-action/compare/v2.22.0...v2.22.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.22.0...v2.22.1)

###
[`v2.22.0`](https://github.com/github/codeql-action/compare/v2.21.9...v2.22.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.9...v2.22.0)

###
[`v2.21.9`](https://github.com/github/codeql-action/compare/v2.21.8...v2.21.9)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.8...v2.21.9)

###
[`v2.21.8`](https://github.com/github/codeql-action/compare/v2.21.7...v2.21.8)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.7...v2.21.8)

###
[`v2.21.7`](https://github.com/github/codeql-action/compare/v2.21.6...v2.21.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.6...v2.21.7)

###
[`v2.21.6`](https://github.com/github/codeql-action/compare/v2.21.5...v2.21.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.5...v2.21.6)

###
[`v2.21.5`](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5)

###
[`v2.21.4`](https://github.com/github/codeql-action/compare/v2.21.3...v2.21.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.3...v2.21.4)

###
[`v2.21.3`](https://github.com/github/codeql-action/compare/v2.21.2...v2.21.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.2...v2.21.3)

###
[`v2.21.2`](https://github.com/github/codeql-action/compare/v2.21.1...v2.21.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.1...v2.21.2)

###
[`v2.21.1`](https://github.com/github/codeql-action/compare/v2.21.0...v2.21.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.21.0...v2.21.1)

###
[`v2.21.0`](https://github.com/github/codeql-action/compare/v2.20.4...v2.21.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.4...v2.21.0)

###
[`v2.20.4`](https://github.com/github/codeql-action/compare/v2.20.3...v2.20.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.3...v2.20.4)

###
[`v2.20.3`](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.2...v2.20.3)

###
[`v2.20.2`](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.1...v2.20.2)

###
[`v2.20.1`](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.20.0...v2.20.1)

###
[`v2.20.0`](https://github.com/github/codeql-action/compare/v2.3.6...v2.20.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.6...v2.20.0)

###
[`v2.3.6`](https://github.com/github/codeql-action/compare/v2.3.5...v2.3.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.5...v2.3.6)

###
[`v2.3.5`](https://github.com/github/codeql-action/compare/v2.3.4...v2.3.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.4...v2.3.5)

###
[`v2.3.4`](https://github.com/github/codeql-action/compare/v2.3.3...v2.3.4)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.3...v2.3.4)

###
[`v2.3.3`](https://github.com/github/codeql-action/compare/v2.3.2...v2.3.3)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.2...v2.3.3)

###
[`v2.3.2`](https://github.com/github/codeql-action/compare/v2.3.1...v2.3.2)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.1...v2.3.2)

###
[`v2.3.1`](https://github.com/github/codeql-action/compare/v2.3.0...v2.3.1)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.3.0...v2.3.1)

###
[`v2.3.0`](https://github.com/github/codeql-action/compare/v2.2.12...v2.3.0)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.12...v2.3.0)

###
[`v2.2.12`](https://github.com/github/codeql-action/compare/v2.2.11...v2.2.12)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.11...v2.2.12)

###
[`v2.2.11`](https://github.com/github/codeql-action/compare/v2.2.10...v2.2.11)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.10...v2.2.11)

###
[`v2.2.10`](https://github.com/github/codeql-action/compare/v2.2.9...v2.2.10)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.9...v2.2.10)

###
[`v2.2.9`](https://github.com/github/codeql-action/compare/v2.2.8...v2.2.9)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.8...v2.2.9)

###
[`v2.2.8`](https://github.com/github/codeql-action/compare/v2.2.7...v2.2.8)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.7...v2.2.8)

###
[`v2.2.7`](https://github.com/github/codeql-action/compare/v2.2.6...v2.2.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.6...v2.2.7)

###
[`v2.2.6`](https://github.com/github/codeql-action/compare/v2.2.5...v2.2.6)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.5...v2.2.6)

###
[`v2.2.5`](https://github.com/github/codeql-action/compare/v2.2.4...v2.2.5)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.2.4...v2.2.5)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.1`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://github.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://github.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
ossf/scorecard-action@v2.3.0...v2.3.1

###
[`v2.3.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1270](https://github.com/ossf/scorecard-action/pull/1270)
- For a full changelist of what this includes, see the
[v4.12.0](https://github.com/ossf/scorecard/releases/tag/v4.12.0) and
[v4.13.0](https://github.com/ossf/scorecard/releases/tag/v4.13.0)
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1169](https://github.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1225](https://github.com/ossf/scorecard-action/pull/1225)

##### Documentation

- 📖 Update access rights needed to see the results in code scanning
by [@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1229](https://github.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1221](https://github.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by
[@&#8203;david-a-wheeler](https://github.com/david-a-wheeler) in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by
[@&#8203;aabouzaid](https://github.com/aabouzaid) in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

#### New Contributors

- [@&#8203;david-a-wheeler](https://github.com/david-a-wheeler) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- [@&#8203;aabouzaid](https://github.com/aabouzaid) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

**Full Changelog**:
ossf/scorecard-action@v2.2.0...v2.3.0

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

###
[`v2.1.3`](https://github.com/ossf/scorecard-action/releases/tag/v2.1.3)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1111](https://github.com/ossf/scorecard-action/pull/1111)

##### Bug Fixes

-   Invalid SARIF files from a bug in scorecard
-
[#&#8203;1076](https://github.com/ossf/scorecard-action/issues/1076),
[#&#8203;1094](https://github.com/ossf/scorecard-action/issues/1094)
- Vulnerabilities check crashes if a vulnerable dependency is found via
OSVScanner
- [#&#8203;1092](https://github.com/ossf/scorecard-action/issues/1092)
-   Scorecard action not reporting binary artifacts in the repo
- [#&#8203;1116](https://github.com/ossf/scorecard-action/issues/1116)

**Full Scorecard Changelog**:
ossf/scorecard@v4.10.2...v4.10.5

**Full Changelog**:
ossf/scorecard-action@v2.1.2...v2.1.3

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "on tuesday" (UTC), Automerge - At any
time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/open-telemetry/opentelemetry-collector).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNTMuMiIsInVwZGF0ZWRJblZlciI6IjM3LjE1My4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Alex Boten <[email protected]>
github-merge-queue bot referenced this pull request in AmadeusITGroup/otter Mar 13, 2024
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence | Type |
Update |
|---|---|---|---|---|---|---|---|
|
[@openapitools/openapi-generator-cli](https://github.com/OpenAPITools/openapi-generator-cli)
| [`~2.11.0` ->
`~2.12.0`](https://renovatebot.com/diffs/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| devDependencies | minor |
|
[@openapitools/openapi-generator-cli](https://github.com/OpenAPITools/openapi-generator-cli)
| [`~2.11.0` ->
`~2.12.0`](https://renovatebot.com/diffs/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| peerDependencies | minor |
|
[@openapitools/openapi-generator-cli](https://github.com/OpenAPITools/openapi-generator-cli)
| [`~2.11.0` ->
`~2.12.0`](https://renovatebot.com/diffs/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@openapitools%2fopenapi-generator-cli/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@openapitools%2fopenapi-generator-cli/2.11.0/2.12.0?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| dependencies | minor |
| [github/codeql-action](https://github.com/github/codeql-action) |
`v2.24.6` -> `v2.24.7` |
[![age](https://developer.mend.io/api/mc/badges/age/github-tags/github%2fcodeql-action/v2.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/github%2fcodeql-action/v2.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/github%2fcodeql-action/v2.24.6/v2.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/github%2fcodeql-action/v2.24.6/v2.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| action | patch |
| [github/codeql-action](https://github.com/github/codeql-action) |
`v3.24.6` -> `v3.24.7` |
[![age](https://developer.mend.io/api/mc/badges/age/github-tags/github%2fcodeql-action/v3.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/github%2fcodeql-action/v3.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/github%2fcodeql-action/v3.24.6/v3.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/github%2fcodeql-action/v3.24.6/v3.24.7?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| action | patch |
| [ossf/scorecard-action](https://github.com/ossf/scorecard-action) |
`v2.0.6` -> `v2.3.1` |
[![age](https://developer.mend.io/api/mc/badges/age/github-tags/ossf%2fscorecard-action/v2.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/github-tags/ossf%2fscorecard-action/v2.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/github-tags/ossf%2fscorecard-action/v2.0.6/v2.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/github-tags/ossf%2fscorecard-action/v2.0.6/v2.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
| action | minor |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>OpenAPITools/openapi-generator-cli
(@&#8203;openapitools/openapi-generator-cli)</summary>

###
[`v2.12.0`](https://github.com/OpenAPITools/openapi-generator-cli/compare/v2.11.0...ad97182dac3fc2fec59c70fa96e7213d0a475dd3)

[Compare
Source](https://github.com/OpenAPITools/openapi-generator-cli/compare/v2.11.0...v2.12.0)

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v2.24.7`](https://github.com/github/codeql-action/compare/v2.24.6...v2.24.7)

[Compare
Source](https://github.com/github/codeql-action/compare/v2.24.6...v2.24.7)

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.1`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://github.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://github.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
ossf/scorecard-action@v2.3.0...v2.3.1

###
[`v2.3.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1270](https://github.com/ossf/scorecard-action/pull/1270)
- For a full changelist of what this includes, see the
[v4.12.0](https://github.com/ossf/scorecard/releases/tag/v4.12.0) and
[v4.13.0](https://github.com/ossf/scorecard/releases/tag/v4.13.0)
release notes
- ✨ Send rekor tlog index to webapp when publishing results by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1169](https://github.com/ossf/scorecard-action/pull/1169)
- 🐛 Prevent url clipping for GHES instances by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1225](https://github.com/ossf/scorecard-action/pull/1225)

##### Documentation

- 📖 Update access rights needed to see the results in code scanning
by [@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1229](https://github.com/ossf/scorecard-action/pull/1229)
- 📖 Add package comments. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1221](https://github.com/ossf/scorecard-action/pull/1221)
- 📖 Add SECURITY.md file by
[@&#8203;david-a-wheeler](https://github.com/david-a-wheeler) in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- 📖 Fix typo in token input docs by
[@&#8203;aabouzaid](https://github.com/aabouzaid) in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

#### New Contributors

- [@&#8203;david-a-wheeler](https://github.com/david-a-wheeler) made
their first contribution in
[https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250)
- [@&#8203;aabouzaid](https://github.com/aabouzaid) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258)

**Full Changelog**:
ossf/scorecard-action@v2.2.0...v2.3.0

###
[`v2.2.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.2.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0
by [@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1192](https://github.com/ossf/scorecard-action/pull/1192)

#### Scorecard Result Viewer

Thanks to contributions from
[@&#8203;cynthia-sg](https://github.com/cynthia-sg) and
[@&#8203;tegioz](https://github.com/tegioz) at
[CLOMonitor](https://github.com/cncf/clomonitor), there is a new
Scorecard Result visualization page at
`https://securityscorecards.dev/viewer/?uri=<project-url>`.

-
[https://github.com/ossf/scorecard-webapp/pull/406](https://github.com/ossf/scorecard-webapp/pull/406)
-
[https://github.com/ossf/scorecard-webapp/pull/422](https://github.com/ossf/scorecard-webapp/pull/422)

As an example, you can see our own score visualized
[here](https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard)
Checkout our
[README](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge)
to learn how to link your README badge to the new visualization page.

#### Publishing Results

This release contains two fixes which will improve the user experience
when `publish_results` is `true`

- Runs that fail our [workflow
restrictions](https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions)
will fail with a 400 response indicating the problem, instead of a vague
500 status.
([https://github.com/ossf/scorecard-action/pull/1156](https://github.com/ossf/scorecard-action/pull/1156),
resolved
[https://github.com/ossf/scorecard-action/issues/1150](https://github.com/ossf/scorecard-action/issues/1150))
- Scorecard action will retry when signing results and submitting them
to our web API. This should help with flakiness from connection
failures.
([https://github.com/ossf/scorecard-action/pull/1191](https://github.com/ossf/scorecard-action/pull/1191))

#### Docs

- 📖 Update README to accept fine-grained tokens by
[@&#8203;pnacht](https://github.com/pnacht) in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)
- 📖 Update installation instructions to match current GitHub UI by
[@&#8203;joycebrum](https://github.com/joycebrum) in
[https://github.com/ossf/scorecard-action/pull/1153](https://github.com/ossf/scorecard-action/pull/1153)
- 📖 Document the GitHub action workflow restrictions when publishing
results. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in

#### New Contributors

- [@&#8203;bobcallaway](https://github.com/bobcallaway) made their
first contribution in
[https://github.com/ossf/scorecard-action/pull/1140](https://github.com/ossf/scorecard-action/pull/1140)
- [@&#8203;pnacht](https://github.com/pnacht) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1175](https://github.com/ossf/scorecard-action/pull/1175)

**Full Changelog**:
ossf/scorecard-action@v2.1.3...v2.2.0

###
[`v2.1.3`](https://github.com/ossf/scorecard-action/releases/tag/v2.1.3)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.2...v2.1.3)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1111](https://github.com/ossf/scorecard-action/pull/1111)

##### Bug Fixes

-   Invalid SARIF files from a bug in scorecard
-
[#&#8203;1076](https://github.com/ossf/scorecard-action/issues/1076),
[#&#8203;1094](https://github.com/ossf/scorecard-action/issues/1094)
- Vulnerabilities check crashes if a vulnerable dependency is found via
OSVScanner
- [#&#8203;1092](https://github.com/ossf/scorecard-action/issues/1092)
-   Scorecard action not reporting binary artifacts in the repo
- [#&#8203;1116](https://github.com/ossf/scorecard-action/issues/1116)

**Full Scorecard Changelog**:
ossf/scorecard@v4.10.2...v4.10.5

**Full Changelog**:
ossf/scorecard-action@v2.1.2...v2.1.3

###
[`v2.1.2`](https://github.com/ossf/scorecard-action/releases/tag/v2.1.2)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.1...v2.1.2)

#### What's Changed

##### Fixes

- 🌱 Bump scorecard dependency to v4.10.2 to remove a CODEOWNERS printf
statement. by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1054](https://github.com/ossf/scorecard-action/pull/1054)

**Full Changelog**:
ossf/scorecard-action@v2.1.1...v2.1.2

###
[`v2.1.1`](https://github.com/ossf/scorecard-action/releases/tag/v2.1.1)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.1.0...v2.1.1)

#### Scorecard version

This release use [Scorecard's
v4.10.1](https://github.com/ossf/scorecard/releases/tag/v4.10.1)

**Full Changelog**:
ossf/scorecard-action@v2.1.0...v2.1.1

###
[`v2.1.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.1.0)

[Compare
Source](https://github.com/ossf/scorecard-action/compare/v2.0.6...v2.1.0)

#### What's Changed

##### Scorecard version

This release uses [scorecard
v4.10.0](https://github.com/ossf/scorecard/releases/tag/v4.10.0).

##### Improvements

- Docker build workflow by
[@&#8203;naveensrinivasan](https://github.com/naveensrinivasan) in
[https://github.com/ossf/scorecard-action/pull/981](https://github.com/ossf/scorecard-action/pull/981)
- Use root user in distroless to support GitHub Actions by
[@&#8203;spencerschrock](https://github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/994](https://github.com/ossf/scorecard-action/pull/994)
- Disable pull_request_target by
[@&#8203;laurentsimon](https://github.com/laurentsimon) in
[https://github.com/ossf/scorecard-action/pull/1031](https://github.com/ossf/scorecard-action/pull/1031)

##### Documentation

- Add PAT section explaining risks by
[@&#8203;olivekl](https://github.com/olivekl) in
[https://github.com/ossf/scorecard-action/pull/1024](https://github.com/ossf/scorecard-action/pull/1024)
- Make the badge text easier to copy by
[@&#8203;rajbos](https://github.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1026](https://github.com/ossf/scorecard-action/pull/1026)

#### New Contributors

- [@&#8203;joycebrum](https://github.com/joycebrum) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/984](https://github.com/ossf/scorecard-action/pull/984)
- [@&#8203;rajbos](https://github.com/rajbos) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1026](https://github.com/ossf/scorecard-action/pull/1026)

**Full Changelog**:
ossf/scorecard-action@v2.0.6...v2.1.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "after 10pm every weekday,before 5am
every weekday,every weekend" in timezone Europe/Paris, Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/AmadeusITGroup/otter).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yMzguMSIsInVwZGF0ZWRJblZlciI6IjM3LjIzOC4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants