Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Bump ossf/scorecard-action from 2.1.2 to 2.3.0 (#4887)
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.2 to 2.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/ossf/scorecard-action/releases">ossf/scorecard-action's releases</a>.</em></p> <blockquote> <h2>v2.3.0</h2> <h2>What's Changed</h2> <ul> <li>:seedling: Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by <a href="https://github.com/spencerschrock"><code>@spencerschrock</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1270">ossf/scorecard-action#1270</a> <ul> <li>For a full changelist of what this includes, see the <a href="https://github.com/ossf/scorecard/releases/tag/v4.12.0">v4.12.0</a> and <a href="https://github.com/ossf/scorecard/releases/tag/v4.13.0">v4.13.0</a> release notes</li> </ul> </li> <li>:sparkles: Send rekor tlog index to webapp when publishing results by <a href="https://github.com/spencerschrock"><code>@spencerschrock</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1169">ossf/scorecard-action#1169</a></li> <li>:bug: Prevent url clipping for GHES instances by <a href="https://github.com/rajbos"><code>@rajbos</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1225">ossf/scorecard-action#1225</a></li> </ul> <h3>Documentation</h3> <ul> <li>:book: Update access rights needed to see the results in code scanning by <a href="https://github.com/rajbos"><code>@rajbos</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1229">ossf/scorecard-action#1229</a></li> <li>:book: Add package comments. by <a href="https://github.com/spencerschrock"><code>@spencerschrock</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1221">ossf/scorecard-action#1221</a></li> <li>:book: Add SECURITY.md file by <a href="https://github.com/david-a-wheeler"><code>@david-a-wheeler</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1250">ossf/scorecard-action#1250</a></li> <li>:book: Fix typo in token input docs by <a href="https://github.com/aabouzaid"><code>@aabouzaid</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1258">ossf/scorecard-action#1258</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/david-a-wheeler"><code>@david-a-wheeler</code></a> made their first contribution in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1250">ossf/scorecard-action#1250</a></li> <li><a href="https://github.com/aabouzaid"><code>@aabouzaid</code></a> made their first contribution in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1258">ossf/scorecard-action#1258</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0">https://github.com/ossf/scorecard-action/compare/v2.2.0...v2.3.0</a></p> <h2>v2.2.0</h2> <h2>What's Changed</h2> <ul> <li>:seedling: Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by <a href="https://github.com/spencerschrock"><code>@spencerschrock</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1192">ossf/scorecard-action#1192</a></li> </ul> <h2>Scorecard Result Viewer</h2> <p>Thanks to contributions from <a href="https://github.com/cynthia-sg"><code>@cynthia-sg</code></a> and <a href="https://github.com/tegioz"><code>@tegioz</code></a> at <a href="https://github.com/cncf/clomonitor">CLOMonitor</a>, there is a new Scorecard Result visualization page at <code>https://securityscorecards.dev/viewer/?uri=<project-url></code>.</p> <ul> <li><a href="https://redirect.github.com/ossf/scorecard-webapp/pull/406">ossf/scorecard-webapp#406</a></li> <li><a href="https://redirect.github.com/ossf/scorecard-webapp/pull/422">ossf/scorecard-webapp#422</a></li> </ul> <p>As an example, you can see our own score visualized <a href="https://securityscorecards.dev/viewer/?uri=github.com/ossf/scorecard">here</a> Checkout our <a href="https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#scorecard-badge">README</a> to learn how to link your README badge to the new visualization page.</p> <h2>Publishing Results</h2> <p>This release contains two fixes which will improve the user experience when <code>publish_results</code> is <code>true</code></p> <ul> <li>Runs that fail our <a href="https://github.com/ossf/scorecard-action/blob/08b4669551908b1024bb425080c797723083c031/README.md#workflow-restrictions">workflow restrictions</a> will fail with a 400 response indicating the problem, instead of a vague 500 status. (<a href="https://redirect.github.com/ossf/scorecard-action/pull/1156">ossf/scorecard-action#1156</a>, resolved <a href="https://redirect.github.com/ossf/scorecard-action/issues/1150">ossf/scorecard-action#1150</a>)</li> <li>Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. (<a href="https://redirect.github.com/ossf/scorecard-action/pull/1191">ossf/scorecard-action#1191</a>)</li> </ul> <h2>Docs</h2> <ul> <li>📖 Update README to accept fine-grained tokens by <a href="https://github.com/pnacht"><code>@pnacht</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1175">ossf/scorecard-action#1175</a></li> <li>📖 Update installation instructions to match current GitHub UI by <a href="https://github.com/joycebrum"><code>@joycebrum</code></a> in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1153">ossf/scorecard-action#1153</a></li> <li>📖 Document the GitHub action workflow restrictions when publishing results. by <a href="https://github.com/spencerschrock"><code>@spencerschrock</code></a> in</li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/bobcallaway"><code>@bobcallaway</code></a> made their first contribution in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1140">ossf/scorecard-action#1140</a></li> <li><a href="https://github.com/pnacht"><code>@pnacht</code></a> made their first contribution in <a href="https://redirect.github.com/ossf/scorecard-action/pull/1175">ossf/scorecard-action#1175</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0">https://github.com/ossf/scorecard-action/compare/v2.1.3...v2.2.0</a></p> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/ossf/scorecard-action/commit/483ef80eb98fb506c348f7d62e28055e49fe2398"><code>483ef80</code></a> :seedling: Bump docker tag for v2.3.0 release. (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1271">#1271</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/5d3591303ed947eee0d7a421fcdda0e039ddf8e1"><code>5d35913</code></a> :seedling: Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1270">#1270</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/49787a6922d868dab142da9d87a1d8b3b3922046"><code>49787a6</code></a> :seedling: Bump distroless/base from <code>46c5b9b</code> to <code>a35b652</code> (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1269">#1269</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/4283c75015ea78a15ba7caf13d686b136db16b0a"><code>4283c75</code></a> :seedling: Bump github/codeql-action from 2.21.8 to 2.21.9 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1268">#1268</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/709ecd0815982a217ee06fc6ee71f698dc20f14c"><code>709ecd0</code></a> :seedling: Bump golang from <code>6974950</code> to <code>c416cee</code> (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1266">#1266</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/25bb02cd479310452820e62d96669712a90684ba"><code>25bb02c</code></a> :seedling: Bump actions/checkout from 4.0.0 to 4.1.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1267">#1267</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/b687393d2370bdf6d960ea972ff690c9ed797189"><code>b687393</code></a> :seedling: Bump github/codeql-action from 2.21.5 to 2.21.8 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1265">#1265</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/6a1c21f537e92adea170a26dd3a42d38f93f1e2f"><code>6a1c21f</code></a> :seedling: Bump golang from <code>cffaba7</code> to <code>6974950</code> (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1264">#1264</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/2dee8c185ea0de807198c818714b6f3436856709"><code>2dee8c1</code></a> :seedling: Bump github.com/sigstore/cosign/v2 from 2.1.1 to 2.2.0 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1254">#1254</a>)</li> <li><a href="https://github.com/ossf/scorecard-action/commit/e79dcb6112482815fc9ea2d659f49eb15403c373"><code>e79dcb6</code></a> :seedling: Upgrade to go 1.20 (<a href="https://redirect.github.com/ossf/scorecard-action/issues/1262">#1262</a>)</li> <li>Additional commits viewable in <a href="https://github.com/ossf/scorecard-action/compare/e38b1902ae4f44df626f11ba0734b14fb91f8f86...483ef80eb98fb506c348f7d62e28055e49fe2398">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ossf/scorecard-action&package-manager=github_actions&previous-version=2.1.2&new-version=2.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
- Loading branch information