chore(deps): update github-actions (#2850)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | actions/checkout | action | digest | `96f5310` -> `b4ffde6` | | [actions/checkout](https://github.com/actions/checkout) | action | minor | `v4.0.0` -> `v4.1.1` | | [actions/setup-go](https://github.com/actions/setup-go) | action | minor | `v4.0.1` -> `v4.1.0` | | [actions/setup-java](https://github.com/actions/setup-java) | action | minor | `v3.12.0` -> `v3.13.0` | | [actions/setup-node](https://github.com/actions/setup-node) | action | minor | `v3.7.0` -> `v3.8.1` | | [actions/setup-node](https://github.com/actions/setup-node) | action | digest | `e33196f` -> `5e21ff4` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | action | patch | `v3.1.2` -> `v3.1.3` | | [github/codeql-action](https://github.com/github/codeql-action) | action | minor | `v2.21.2` -> `v2.22.4` | | [gradle/gradle-build-action](https://github.com/gradle/gradle-build-action) | action | minor | `v2.7.0` -> `v2.9.0` | | [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | action | minor | `v2.2.0` -> `v2.3.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | action | patch | `v3.1.1` -> `v3.1.2` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/checkout (actions/checkout)</summary> ### [`v4.1.1`](https://github.com/actions/checkout/releases/tag/v4.1.1) [Compare Source](https://github.com/actions/checkout/compare/v4.1.0...v4.1.1) ##### What's Changed - Update CODEOWNERS to Launch team by [@joshmgross](https://github.com/joshmgross) in [https://github.com/actions/checkout/pull/1510](https://github.com/actions/checkout/pull/1510) - Correct link to GitHub Docs by [@peterbe](https://github.com/peterbe) in [https://github.com/actions/checkout/pull/1511](https://github.com/actions/checkout/pull/1511) - Link to release page from what's new section by [@cory-miller](https://github.com/cory-miller) in [https://github.com/actions/checkout/pull/1514](https://github.com/actions/checkout/pull/1514) ##### New Contributors - [@joshmgross](https://github.com/joshmgross) made their first contribution in [https://github.com/actions/checkout/pull/1510](https://github.com/actions/checkout/pull/1510) - [@peterbe](https://github.com/peterbe) made their first contribution in [https://github.com/actions/checkout/pull/1511](https://github.com/actions/checkout/pull/1511) **Full Changelog**: actions/checkout@v4...v4.1.1 ### [`v4.1.0`](https://github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v410) [Compare Source](https://github.com/actions/checkout/compare/v4.0.0...v4.1.0) - [Add support for partial checkout filters](https://github.com/actions/checkout/pull/1396) </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v4.1.0`](https://github.com/actions/setup-go/releases/tag/v4.1.0) [Compare Source](https://github.com/actions/setup-go/compare/v4.0.1...v4.1.0) #### What's Changed In scope of this release, slow installation on Windows was fixed by [@dsame](https://github.com/dsame) in [https://github.com/actions/setup-go/pull/393](https://github.com/actions/setup-go/pull/393) and OS version was added to `primaryKey` for Ubuntu runners to avoid conflicts ([https://github.com/actions/setup-go/pull/383](https://github.com/actions/setup-go/pull/383)) This release also includes the following changes: - Remove implicit dependencies by [@nikolai-laevskii](https://github.com/nikolai-laevskii) in [https://github.com/actions/setup-go/pull/378](https://github.com/actions/setup-go/pull/378) - Update action.yml by [@mkelly](https://github.com/mkelly) in [https://github.com/actions/setup-go/pull/379](https://github.com/actions/setup-go/pull/379) - Added a description that go-version should be specified as a string type by [@n3xem](https://github.com/n3xem) in [https://github.com/actions/setup-go/pull/367](https://github.com/actions/setup-go/pull/367) - Add note about YAML parsing versions by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in [https://github.com/actions/setup-go/pull/382](https://github.com/actions/setup-go/pull/382) - Automatic update of configuration files from 05/23/2023 by [@github-actions](https://github.com/github-actions) in [https://github.com/actions/setup-go/pull/377](https://github.com/actions/setup-go/pull/377) - Bump tough-cookie and [@azure/ms-rest-js](https://github.com/azure/ms-rest-js) by [@dependabot](https://github.com/dependabot) in [https://github.com/actions/setup-go/pull/392](https://github.com/actions/setup-go/pull/392) - Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://github.com/dependabot) in [https://github.com/actions/setup-go/pull/397](https://github.com/actions/setup-go/pull/397) - Bump semver from 6.3.0 to 6.3.1 by [@dependabot](https://github.com/dependabot) in [https://github.com/actions/setup-go/pull/396](https://github.com/actions/setup-go/pull/396) #### New Contributors - [@mkelly](https://github.com/mkelly) made their first contribution in [https://github.com/actions/setup-go/pull/379](https://github.com/actions/setup-go/pull/379) - [@n3xem](https://github.com/n3xem) made their first contribution in [https://github.com/actions/setup-go/pull/367](https://github.com/actions/setup-go/pull/367) **Full Changelog**: actions/setup-go@v4...v4.1.0 </details> <details> <summary>actions/setup-java (actions/setup-java)</summary> ### [`v3.13.0`](https://github.com/actions/setup-java/releases/tag/v3.13.0) [Compare Source](https://github.com/actions/setup-java/compare/v3.12.0...v3.13.0) ##### What's changed In the scope of this release, support for Dragonwell JDK was added by [@Accelerator1996](https://github.com/Accelerator1996) in [https://github.com/actions/setup-java/pull/532](https://github.com/actions/setup-java/pull/532) ```yaml steps: - name: Checkout uses: actions/checkout@v3 - name: Setup-java uses: actions/setup-java@v3 with: distribution: 'dragonwell' java-version: '17' ``` Several inaccuracies were also fixed: - Fix XML namespaces wrongly using https by [@gnodet](https://github.com/gnodet) in [https://github.com/actions/setup-java/pull/503](https://github.com/actions/setup-java/pull/503) - Fix typo and remove unintentional(?) word by [@CyberFlameGO](https://github.com/CyberFlameGO) in [https://github.com/actions/setup-java/pull/518](https://github.com/actions/setup-java/pull/518) - Fix usage link within the README.md file by [@dassiorleando](https://github.com/dassiorleando) in [https://github.com/actions/setup-java/pull/525](https://github.com/actions/setup-java/pull/525) ##### New Contributors - [@CyberFlameGO](https://github.com/CyberFlameGO) made their first contribution in [https://github.com/actions/setup-java/pull/518](https://github.com/actions/setup-java/pull/518) - [@dassiorleando](https://github.com/dassiorleando) made their first contribution in [https://github.com/actions/setup-java/pull/525](https://github.com/actions/setup-java/pull/525) - [@gnodet](https://github.com/gnodet) made their first contribution in [https://github.com/actions/setup-java/pull/503](https://github.com/actions/setup-java/pull/503) - [@Accelerator1996](https://github.com/Accelerator1996) made their first contribution in [https://github.com/actions/setup-java/pull/532](https://github.com/actions/setup-java/pull/532) **Full Changelog**: actions/setup-java@v3...v3.13.0 </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v3.8.1`](https://github.com/actions/setup-node/releases/tag/v3.8.1) [Compare Source](https://github.com/actions/setup-node/compare/v3.8.0...v3.8.1) #### What's Changed In scope of this release, the filter was removed within the cache-save step by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/831](https://github.com/actions/setup-node/pull/831). It is filtered and checked in the toolkit/cache library. **Full Changelog**: actions/setup-node@v3...v3.8.1 ### [`v3.8.0`](https://github.com/actions/setup-node/releases/tag/v3.8.0) [Compare Source](https://github.com/actions/setup-node/compare/v3.7.0...v3.8.0) ##### What's Changed ##### Bug fixes: - Add check for existing paths by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/803](https://github.com/actions/setup-node/pull/803) - Resolve SymbolicLink by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/809](https://github.com/actions/setup-node/pull/809) - Change passing logic for cache input by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/816](https://github.com/actions/setup-node/pull/816) - Fix armv7 cache issue by [@louislam](https://github.com/louislam) in [https://github.com/actions/setup-node/pull/794](https://github.com/actions/setup-node/pull/794) - Update check-dist workflow name by [@sinchang](https://github.com/sinchang) in [https://github.com/actions/setup-node/pull/710](https://github.com/actions/setup-node/pull/710) ##### Feature implementations: - feat: handling the case where "node" is used for tool-versions file. by [@xytis](https://github.com/xytis) in [https://github.com/actions/setup-node/pull/812](https://github.com/actions/setup-node/pull/812) ##### Documentation changes: - Refer to semver package name in README.md by [@olleolleolle](https://github.com/olleolleolle) in [https://github.com/actions/setup-node/pull/808](https://github.com/actions/setup-node/pull/808) ##### Update dependencies: - Update toolkit cache to fix zstd by [@dmitry-shibanov](https://github.com/dmitry-shibanov) in [https://github.com/actions/setup-node/pull/804](https://github.com/actions/setup-node/pull/804) - Bump tough-cookie and [@azure/ms-rest-js](https://github.com/azure/ms-rest-js) by [@dependabot](https://github.com/dependabot) in [https://github.com/actions/setup-node/pull/802](https://github.com/actions/setup-node/pull/802) - Bump semver from 6.1.2 to 6.3.1 by [@dependabot](https://github.com/dependabot) in [https://github.com/actions/setup-node/pull/807](https://github.com/actions/setup-node/pull/807) - Bump word-wrap from 1.2.3 to 1.2.4 by [@dependabot](https://github.com/dependabot) in [https://github.com/actions/setup-node/pull/815](https://github.com/actions/setup-node/pull/815) ##### New Contributors - [@olleolleolle](https://github.com/olleolleolle) made their first contribution in [https://github.com/actions/setup-node/pull/808](https://github.com/actions/setup-node/pull/808) - [@louislam](https://github.com/louislam) made their first contribution in [https://github.com/actions/setup-node/pull/794](https://github.com/actions/setup-node/pull/794) - [@sinchang](https://github.com/sinchang) made their first contribution in [https://github.com/actions/setup-node/pull/710](https://github.com/actions/setup-node/pull/710) - [@xytis](https://github.com/xytis) made their first contribution in [https://github.com/actions/setup-node/pull/812](https://github.com/actions/setup-node/pull/812) **Full Changelog**: actions/setup-node@v3...v3.8.0 </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v3.1.3`](https://github.com/actions/upload-artifact/releases/tag/v3.1.3) [Compare Source](https://github.com/actions/upload-artifact/compare/v3.1.2...v3.1.3) #### What's Changed - chore(github): remove trailing whitespaces by [@ljmf00](https://github.com/ljmf00) in [https://github.com/actions/upload-artifact/pull/313](https://github.com/actions/upload-artifact/pull/313) - Bump [@actions/artifact](https://github.com/actions/artifact) version to v1.1.2 by [@bethanyj28](https://github.com/bethanyj28) in [https://github.com/actions/upload-artifact/pull/436](https://github.com/actions/upload-artifact/pull/436) **Full Changelog**: actions/upload-artifact@v3...v3.1.3 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v2.22.4`](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4) [Compare Source](https://github.com/github/codeql-action/compare/v2.22.3...v2.22.4) ### [`v2.22.3`](https://github.com/github/codeql-action/compare/v2.22.2...v2.22.3) [Compare Source](https://github.com/github/codeql-action/compare/v2.22.2...v2.22.3) ### [`v2.22.2`](https://github.com/github/codeql-action/compare/v2.22.1...v2.22.2) [Compare Source](https://github.com/github/codeql-action/compare/v2.22.1...v2.22.2) ### [`v2.22.1`](https://github.com/github/codeql-action/compare/v2.22.0...v2.22.1) [Compare Source](https://github.com/github/codeql-action/compare/v2.22.0...v2.22.1) ### [`v2.22.0`](https://github.com/github/codeql-action/compare/v2.21.9...v2.22.0) [Compare Source](https://github.com/github/codeql-action/compare/v2.21.9...v2.22.0) ### [`v2.21.9`](https://github.com/github/codeql-action/compare/v2.21.8...v2.21.9) [Compare Source](https://github.com/github/codeql-action/compare/v2.21.8...v2.21.9) ### [`v2.21.8`](https://github.com/github/codeql-action/compare/v2.21.7...v2.21.8) [Compare Source](https://github.com/github/codeql-action/compare/v2.21.7...v2.21.8) ### [`v2.21.7`](https://github.com/github/codeql-action/compare/v2.21.6...v2.21.7) [Compare Source](https://github.com/github/codeql-action/compare/v2.21.6...v2.21.7) ### [`v2.21.6`](https://github.com/github/codeql-action/compare/v2.21.5...v2.21.6) [Compare Source](https://github.com/github/codeql-action/compare/v2.21.5...v2.21.6) ### [`v2.21.5`](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5) [Compare Source](https://github.com/github/codeql-action/compare/v2.21.4...v2.21.5) ### [`v2.21.4`](https://github.com/github/codeql-action/compare/v2.21.3...v2.21.4) [Compare Source](https://github.com/github/codeql-action/compare/v2.21.3...v2.21.4) ### [`v2.21.3`](https://github.com/github/codeql-action/compare/v2.21.2...v2.21.3) [Compare Source](https://github.com/github/codeql-action/compare/v2.21.2...v2.21.3) </details> <details> <summary>gradle/gradle-build-action (gradle/gradle-build-action)</summary> ### [`v2.9.0`](https://github.com/gradle/gradle-build-action/releases/tag/v2.9.0) [Compare Source](https://github.com/gradle/gradle-build-action/compare/v2.8.1...v2.9.0) The GitHub [dependency-review-action](https://github.com/actions/dependency-review-action) helps you understand dependency changes (and the security impact of these changes) for a pull request. This release updates the GItHub Dependency Graph support to be compatible with the `dependency-review-action`. See [the documentation](https://github.com/gradle/gradle-build-action#integrating-the-dependency-review-action) for detailed examples. ##### Changelog - \[FIX] Use correct SHA for `pull-request` events [#882](https://github.com/gradle/gradle-build-action/issues/882) - \[FIX] Avoid generating dependency graph during cache cleanup [#905](https://github.com/gradle/gradle-build-action/issues/905) - \[NEW] Improve warning on failure to submit dependency graph - \[NEW] Compatibility with GitHub `dependency-review-action` [#879](https://github.com/gradle/gradle-build-action/issues/879) **Full-changelog**: gradle/gradle-build-action@v2.8.1...v2.9.0 ### [`v2.8.1`](https://github.com/gradle/gradle-build-action/releases/tag/v2.8.1) [Compare Source](https://github.com/gradle/gradle-build-action/compare/v2.8.0...v2.8.1) Fixes an issue that prevented Dependency Graph submission when running on GitHub Enterprise Server. ##### Fixes - Incorrect endpoint used to submit Dependency Graph on GitHub Enterprise [#885](https://github.com/gradle/gradle-build-action/issues/885) ##### Changelog ### [`v2.8.0`](https://github.com/gradle/gradle-build-action/releases/tag/v2.8.0) [Compare Source](https://github.com/gradle/gradle-build-action/compare/v2.7.1...v2.8.0) The `v2.8.0` release of the `gradle-build-action` introduces an easy mechanism to connect to Gradle Enterprise, as well improved support for self-hosted GitHub Actions runners. ##### Automatic injection of Gradle Enterprise connectivity It is now possible to connect a Gradle build to Gradle Enterprise without changing any of the Gradle project sources. This is achieved through Gradle Enterprise injection, where an init-script will apply the Gradle Enterprise plugin and associated configuration. This feature can be useful to easily trial Gradle Enterprise on a project, or to centralize Gradle Enterprise configuration for all GitHub Actions workflows in an organization. See [Gradle Enterprise injection in the README](https://github.com/gradle/gradle-build-action/blob/v2.8.0/README.md#gradle-enterprise-plugin-injection) for more info. ##### Restore Gradle User Home when directory already exists Previously, the Gradle User Home would not be restored if the directory already exists. This wasn't normally an issue with GitHub-hosted runners, but limited the usefulness of the action for persistent, self-hosted runners. This behaviour has been improved in this release: - The Job Summary now includes a useful error message when Gradle User Home was not restored because the directory already exists. - The action can now be configured to restore the Gradle User Home when the directory already exists, overwriting existing content with content from the GitHub Actions cache. See https://github.com/gradle/gradle-build-action#overwriting-an-existing-gradle-user-home for more details. ##### Changes **Issues fixed**: https://github.com/gradle/gradle-build-action/issues?q=milestone%3A2.8.0+is%3Aclosed **Full changelog**: gradle/gradle-build-action@v2.7.1...v2.8.0 ### [`v2.7.1`](https://github.com/gradle/gradle-build-action/releases/tag/v2.7.1) [Compare Source](https://github.com/gradle/gradle-build-action/compare/v2.7.0...v2.7.1) This release contains no code changes, only dependency updates and documentation improvements. ##### Changelog </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.3.0`](https://github.com/ossf/scorecard-action/releases/tag/v2.3.0) [Compare Source](https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0) #### What's Changed - 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by [@spencerschrock](https://github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1270](https://github.com/ossf/scorecard-action/pull/1270) - For a full changelist of what this includes, see the [v4.12.0](https://github.com/ossf/scorecard/releases/tag/v4.12.0) and [v4.13.0](https://github.com/ossf/scorecard/releases/tag/v4.13.0) release notes - ✨ Send rekor tlog index to webapp when publishing results by [@spencerschrock](https://github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1169](https://github.com/ossf/scorecard-action/pull/1169) - 🐛 Prevent url clipping for GHES instances by [@rajbos](https://github.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1225](https://github.com/ossf/scorecard-action/pull/1225) ##### Documentation - 📖 Update access rights needed to see the results in code scanning by [@rajbos](https://github.com/rajbos) in [https://github.com/ossf/scorecard-action/pull/1229](https://github.com/ossf/scorecard-action/pull/1229) - 📖 Add package comments. by [@spencerschrock](https://github.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1221](https://github.com/ossf/scorecard-action/pull/1221) - 📖 Add SECURITY.md file by [@david-a-wheeler](https://github.com/david-a-wheeler) in [https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250) - 📖 Fix typo in token input docs by [@aabouzaid](https://github.com/aabouzaid) in [https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258) #### New Contributors - [@david-a-wheeler](https://github.com/david-a-wheeler) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1250](https://github.com/ossf/scorecard-action/pull/1250) - [@aabouzaid](https://github.com/aabouzaid) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1258](https://github.com/ossf/scorecard-action/pull/1258) **Full Changelog**: ossf/scorecard-action@v2.2.0...v2.3.0 </details> <details> <summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary> ### [`v3.1.2`](https://github.com/sigstore/cosign-installer/releases/tag/v3.1.2) [Compare Source](https://github.com/sigstore/cosign-installer/compare/v3.1.1...v3.1.2) #### What's Changed - Fix build and push step Readme missing id by [@hbenali](https://github.com/hbenali) in [https://github.com/sigstore/cosign-installer/pull/138](https://github.com/sigstore/cosign-installer/pull/138) - bump cosign to v2.2.0 by [@cpanato](https://github.com/cpanato) in [https://github.com/sigstore/cosign-installer/pull/142](https://github.com/sigstore/cosign-installer/pull/142) #### New Contributors - [@hbenali](https://github.com/hbenali) made their first contribution in [https://github.com/sigstore/cosign-installer/pull/138](https://github.com/sigstore/cosign-installer/pull/138) **Full Changelog**: sigstore/cosign-installer@v3...v3.1.2 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).  Signed-off-by: Mend Renovate <[email protected]>
slsa-framework · Oct 23, 2023 · b0eae7f · b0eae7f
1 parent 36f04d7
commit b0eae7f
Show file tree

Hide file tree

Showing 31 changed files with 93 additions and 93 deletions.
diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml
@@ -76,7 +76,7 @@ runs:
         token: ${{ inputs.token }}
 
     - name: Set up Go environment
-      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ inputs.go-version }}
 

diff --git a/.github/actions/secure-builder-checkout/action.yaml b/.github/actions/secure-builder-checkout/action.yaml
@@ -37,7 +37,7 @@ runs:
     # and has an associated release. This will require exceptions
     # for e2e tests.
     - name: Checkout the repository
-      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         repository: ${{ inputs.repository }}
         ref: ${{ inputs.ref }}

diff --git a/.github/actions/secure-project-checkout-go/action.yml b/.github/actions/secure-project-checkout-go/action.yml
@@ -65,7 +65,7 @@ runs:
         fi
 
     - name: Set up Go environment
-      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
+      uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
       with:
         go-version: ${{ steps.validate.outputs.go_version }}
         go-version-file: ${{ steps.validate.outputs.go_version_file }}
diff --git a/.github/actions/secure-project-checkout-node/action.yml b/.github/actions/secure-project-checkout-node/action.yml
@@ -41,6 +41,6 @@ runs:
         path: ${{ inputs.path }}
 
     - name: Set up Node environment
-      uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
+      uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1
       with:
         node-version: ${{ inputs.node-version }}
diff --git a/.github/actions/secure-project-checkout/action.yaml b/.github/actions/secure-project-checkout/action.yaml
@@ -40,7 +40,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout the repository
-      uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       with:
         fetch-depth: ${{ inputs.fetch-depth }}
         ref: ${{ inputs.checkout-sha1 }}

diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml
@@ -37,7 +37,7 @@ runs:
         path: "${{ inputs.path }}"
 
     - name: Upload the artifact
-      uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+      uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
       with:
         name: "${{ inputs.name }}"
         path: "${{ inputs.path }}"

diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml
@@ -209,7 +209,7 @@ jobs:
           allow-private-repository: ${{ inputs.rekor-log-public }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -228,7 +228,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [rng, detect-env, generate-builder]
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Checkout builder repository
         uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
         with:
@@ -372,7 +372,7 @@ jobs:
           set-executable: true
 
       - name: Checkout the source repository
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           fetch-depth: 1
           persist-credentials: false
@@ -462,7 +462,7 @@ jobs:
         # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
         # secure upload or verify this against the SLSA layout file.
         id: upload-artifacts
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: ${{ steps.build.outputs.build-outputs-name }}
           path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
@@ -535,7 +535,7 @@ jobs:
       - name: Upload unsigned intoto attestations file for pull request
         if: ${{ github.event_name == 'pull_request' }}
         id: upload-unsigned
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "attestations-${{ needs.rng.outputs.value }}"
@@ -556,7 +556,7 @@ jobs:
       - name: Upload the signed attestations
         id: upload-signed
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"

diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
@@ -169,7 +169,7 @@ jobs:
           allow-private-repository: ${{ inputs.private-repository }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -358,7 +358,7 @@ jobs:
             --workingDir "$UNTRUSTED_WORKING_DIR"
 
       - name: Upload the signed provenance
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
           path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -55,11 +55,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+        uses: github/codeql-action/init@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,7 +72,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+        uses: github/codeql-action/autobuild@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
 
       # Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -85,7 +85,7 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@0ba4244466797eb048eb91a6cd43d5c03ca8bd05 # v2.21.2
+        uses: github/codeql-action/analyze@49abf0ba24d0b7953cb586944e918a0b92074c80 # v2.22.4
 
   # NOTE: Checks that the matrix job above completes successfully.
   # This is necessary because the matrix strategy generates new jobs with

diff --git a/.github/workflows/e2e.create-container_based-predicate.schedule.yml b/.github/workflows/e2e.create-container_based-predicate.schedule.yml
@@ -39,7 +39,7 @@ jobs:
     permissions:
       id-token: write # Needed to detect the current reusable repository and ref.
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Detect the builder ref
         id: detect
         uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main
@@ -71,7 +71,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -85,7 +85,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main

diff --git a/.github/workflows/e2e.detect-workflow-js.schedule.yml b/.github/workflows/e2e.detect-workflow-js.schedule.yml
@@ -33,7 +33,7 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - id: detect
         uses: ./.github/actions/detect-workflow-js
       - id: verify
@@ -70,7 +70,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -84,7 +84,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main

diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml
@@ -33,14 +33,14 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - id: setup
         uses: ./.github/actions/sign-attestations
         with:
           attestations: .github/actions/sign-attestations/testdata/attestations
           output-folder: outputs
       - name: Setup node
-        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3
+        uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3
         with:
           node-version: 16
       - name: install sigstore-js
@@ -62,7 +62,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -76,7 +76,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main

diff --git a/.github/workflows/e2e.upload-folder.schedule.yml b/.github/workflows/e2e.upload-folder.schedule.yml
@@ -37,7 +37,7 @@ jobs:
       sha256: ${{ steps.upload.outputs.sha256 }}
       sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }}
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Create folder
         run: |
           set -euo pipefail
@@ -100,7 +100,7 @@ jobs:
     needs: [secure-upload-folder]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Download in new folder
         uses: ./.github/actions/secure-download-folder
@@ -180,7 +180,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -194,7 +194,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           repository: slsa-framework/example-package
           ref: main

diff --git a/.github/workflows/generator_container_slsa3.yml b/.github/workflows/generator_container_slsa3.yml
@@ -147,7 +147,7 @@ jobs:
           service_account: ${{ inputs.gcp-service-account }}
 
       - id: cosign-install
-        uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 # v3.1.1
+        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
         with:
           cosign-release: v2.0.0
         continue-on-error: true

diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
@@ -251,7 +251,7 @@ jobs:
       - name: Upload the signed provenance
         id: upload-prov
         continue-on-error: true
-        uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
+        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         with:
           name: "${{ steps.sign-prov.outputs.provenance-name }}"
           path: "${{ steps.sign-prov.outputs.provenance-name }}"