[pull] main from ossf:main #104

pull · 2024-07-28T11:06:24Z

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.1)

Can you help keep this open source service alive? 💖 Please sponsor : )

Signed-off-by: Stephen Augustus <[email protected]>

Bumps the go_modules group with 1 update: [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp). Updates `github.com/hashicorp/go-retryablehttp` from 0.7.5 to 0.7.7 - [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md) - [Commits](hashicorp/go-retryablehttp@v0.7.5...v0.7.7) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-retryablehttp dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.10.0 to 2.11.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.10.0...v2.11.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [ko-build/setup-ko](https://github.com/ko-build/setup-ko) from 0.6 to 0.7. - [Release notes](https://github.com/ko-build/setup-ko/releases) - [Commits](ko-build/setup-ko@ace48d7...3aebd05) --- updated-dependencies: - dependency-name: ko-build/setup-ko dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4 to 6. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v4...v6) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.3.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@v2.1.3...v2.3.3) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@e1523de...59acb62) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.32.0 to 1.33.0. - [Commits](rs/zerolog@v1.32.0...v1.33.0) --- updated-dependencies: - dependency-name: github.com/rs/zerolog dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.27 to 1.7.1. - [Release notes](https://github.com/rhysd/actionlint/releases) - [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md) - [Commits](rhysd/actionlint@v1.6.27...v1.7.1) --- updated-dependencies: - dependency-name: github.com/rhysd/actionlint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: StepSecurity Bot <[email protected]>

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.1 to 5.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v4.0.1...cdcb360) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.1.1...692973e) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: Stephen Augustus <[email protected]>

Includes minor fixes to surrounding documentation. Signed-off-by: Stephen Augustus <[email protected]>

Signed-off-by: Stephen Augustus <[email protected]>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.3 to 4.3.4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@6546280...0b2256b) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@cdcb360...0a12ed9) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.11 to 3.25.12. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b611370...4fa2a79) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.3.3 to 4.3.4. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@72eb03d...5a2ce3f) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.12 to 3.25.13. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@4fa2a79...2d79040) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/ossf/scorecard/v5](https://github.com/ossf/scorecard) from 5.0.0-rc2 to 5.0.0. - [Release notes](https://github.com/ossf/scorecard/releases) - [Changelog](https://github.com/ossf/scorecard/blob/main/RELEASE.md) - [Commits](ossf/scorecard@v5.0.0-rc2...v5.0.0) --- updated-dependencies: - dependency-name: github.com/ossf/scorecard/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: Stephen Augustus <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.13 to 3.25.14. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@2d79040...5cf07d8) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.37.0 to 0.38.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.37.0...v0.38.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.14 to 3.25.15. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5cf07d8...afb54ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.3 to 2.4.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@dc50aa9...62b2cac) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.5 to 3.27.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@f09c1c0...babb554) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps the go_modules group with 1 update: [golang.org/x/crypto](https://github.com/golang/crypto). Updates `golang.org/x/crypto` from 0.26.0 to 0.31.0 - [Commits](golang/crypto@v0.26.0...v0.31.0) --- updated-dependencies: - dependency-name: golang.org/x/crypto dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.1.0 to 5.2.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@41dfa10...3041bf5) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.7 to 3.27.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@babb554...df409f7) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Signed-off-by: Anders Blockmar <[email protected]>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.3 to 4.5.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@b4b15b8...6f51ac0) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps the go_modules group with 2 updates: [github.com/go-git/go-git/v5](https://github.com/go-git/go-git) and [golang.org/x/net](https://github.com/golang/net). Updates `github.com/go-git/go-git/v5` from 5.12.0 to 5.13.1 - [Release notes](https://github.com/go-git/go-git/releases) - [Commits](go-git/go-git@v5.12.0...v5.13.1) Updates `golang.org/x/net` from 0.28.0 to 0.33.0 - [Commits](golang/net@v0.28.0...v0.33.0) --- updated-dependencies: - dependency-name: github.com/go-git/go-git/v5 dependency-type: indirect dependency-group: go_modules - dependency-name: golang.org/x/net dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.12.0 to 2.13.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.12.0...v2.13.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.7.4 to 1.7.7. - [Release notes](https://github.com/rhysd/actionlint/releases) - [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md) - [Commits](rhysd/actionlint@v1.7.4...v1.7.7) --- updated-dependencies: - dependency-name: github.com/rhysd/actionlint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.27.9 to 3.28.5. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@df409f7...f6091c0) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.2.0 to 5.3.0. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@3041bf5...f111f33) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.1.1 to 6.2.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@971e284...ec5d184) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [ko-build/setup-ko](https://github.com/ko-build/setup-ko) from 0.7 to 0.8. - [Release notes](https://github.com/ko-build/setup-ko/releases) - [Commits](ko-build/setup-ko@3aebd05...d982fec) --- updated-dependencies: - dependency-name: ko-build/setup-ko dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.5.0 to 4.6.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@6f51ac0...65c4c4a) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/evanphx/json-patch/v5](https://github.com/evanphx/json-patch) from 5.9.0 to 5.9.11. - [Release notes](https://github.com/evanphx/json-patch/releases) - [Commits](evanphx/json-patch@v5.9.0...v5.9.11) --- updated-dependencies: - dependency-name: github.com/evanphx/json-patch/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.5 to 3.28.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@f6091c0...dd74661) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golang.org/x/sync](https://github.com/golang/sync) from 0.10.0 to 0.11.0. - [Commits](golang/sync@v0.10.0...v0.11.0) --- updated-dependencies: - dependency-name: golang.org/x/sync dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.7.0 to 3.8.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@dc72c7d...c56c2d3) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@ec5d184...e60da84) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.3.0 to 6.5.0. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@e60da84...2226d7c) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.8 to 3.28.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@dd74661...9e8d078) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]>

Bumps [github.com/ossf/scorecard/v5](https://github.com/ossf/scorecard) from 5.0.0 to 5.1.1. - [Release notes](https://github.com/ossf/scorecard/releases) - [Changelog](https://github.com/ossf/scorecard/blob/main/RELEASE.md) - [Commits](ossf/scorecard@v5.0.0...v5.1.1) --- updated-dependencies: - dependency-name: github.com/ossf/scorecard/v5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

...to match ossf/scorecard. Signed-off-by: Stephen Augustus <[email protected]>

justaugustus and others added 28 commits July 2, 2024 10:38

.github: Add initial CODEOWNERS

eb99bd4

Signed-off-by: Stephen Augustus <[email protected]>

[StepSecurity] ci: Harden GitHub Actions

a10a639

Signed-off-by: StepSecurity Bot <[email protected]>

go.mod: Update Scorecard to v5.0.0-rc2

5d71b29

Signed-off-by: Stephen Augustus <[email protected]>

.github: Create codeql.yml

c66f943

Signed-off-by: Stephen Augustus <[email protected]>

CodeQL: Dedupe post-merge configs, pin SHAs, strip add'l permissions

9bcc5c7

Signed-off-by: Stephen Augustus <[email protected]>

docs: Correct instances of "Security Scorecards" to "OpenSSF Scorecard"

e329fdf

Includes minor fixes to surrounding documentation. Signed-off-by: Stephen Augustus <[email protected]>

README: Correct Scorecard API URL

3ff8fdf

Signed-off-by: Stephen Augustus <[email protected]>

go.mod: Update go directive to go1.12.12

38d990d

Signed-off-by: Stephen Augustus <[email protected]>

pull bot requested a review from a team as a code owner July 28, 2024 11:06

pull bot added the ⤵️ pull label Jul 28, 2024

contentful-automation bot previously approved these changes Dec 11, 2024

View reviewed changes

dependabot bot dismissed contentful-automation[bot]’s stale review via 3f9627a December 11, 2024 06:22

contentful-automation bot previously approved these changes Dec 11, 2024

View reviewed changes

dependabot bot dismissed contentful-automation[bot]’s stale review via 00e2013 December 17, 2024 04:01

contentful-automation bot previously approved these changes Dec 17, 2024

View reviewed changes

auto-merge was automatically disabled December 17, 2024 22:38
Head branch was pushed to by a user without write access

jeffmendoza dismissed contentful-automation[bot]’s stale review via e775a1d December 17, 2024 22:38

dependabot bot and others added 20 commits December 17, 2024 14:38

Build container images for both amd64 and arm64 platforms

b1e2230

Signed-off-by: Anders Blockmar <[email protected]>

go.mod: Update go directive to go 1.22.10

5ef0769

...to match ossf/scorecard. Signed-off-by: Stephen Augustus <[email protected]>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[pull] main from ossf:main #104

[pull] main from ossf:main #104

pull bot commented Jul 28, 2024 •

edited

Loading

[pull] main from ossf:main #104

Are you sure you want to change the base?

[pull] main from ossf:main #104

Conversation

pull bot commented Jul 28, 2024 • edited Loading

pull bot commented Jul 28, 2024 •

edited

Loading