mirror of
https://github.com/chainguard-dev/clog
synced 2026-07-06 22:12:46 +00:00
18 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
e522bdd603
|
fix(ci): add persist-credentials: false and zizmor pedantic config (#69)
## Summary This patch series addresses GitHub Actions security findings in `chainguard-dev/clog` as part of the PSEC-923 hardening campaign. ## Patches ### 0001 — `fix(ci): add persist-credentials: false to checkout steps` Adds `persist-credentials: false` to the `actions/checkout` step in: - `.github/workflows/go.yml` — build/test job; no downstream git write operations The `zizmor.yaml` and `actionlint.yaml` workflows already had `persist-credentials: false` on their checkout steps. This patch completes coverage for the remaining workflow. Resolves: 1 `artipacked` finding (zizmor) ### 0002 — `fix(ci): add pedantic persona and suppress noisy zizmor rules` - Creates `.github/zizmor.yml` disabling three pedantic-only rules that have no direct security value (`anonymous-definition`, `concurrency-limits`) and configuring `dependabot-cooldown` to use a 3-day threshold. - Updates `.github/workflows/zizmor.yaml` to run zizmor with `persona: pedantic` so that all template expansions in `run:` blocks are checked, not just attacker-controlled ones. - Extends the `paths:` trigger in `zizmor.yaml` to include `.github/zizmor.yml` and `.github/dependabot.yml`, so that changes to those files trigger the zizmor check. Resolves: 3 `concurrency-limits` findings, 1 `anonymous-definition` finding, 2 `dependabot-cooldown` findings (all suppressed via config) ## Testing - Validate that the zizmor workflow runs on PRs touching `.github/zizmor.yml` and `.github/dependabot.yml`. - Confirm zizmor passes in pedantic mode with the new `.github/zizmor.yml` suppression config in place. Refs: PSEC-923 |
||
|
|
a29ba6665f
|
Bump step-security/harden-runner from 2.18.0 to 2.19.0 (#67)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.18.0 to 2.19.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.19.0</h2> <h2>What's Changed</h2> <h3>New Runner Support</h3> <p>Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.</p> <h3>Automated Incident Response for Supply Chain Attacks</h3> <ul> <li>Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.</li> <li>System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).</li> </ul> <h3>Bug Fixes</h3> <p>Windows and macOS: stability and reliability fixes</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.18.0...v2.19.0">https://github.com/step-security/harden-runner/compare/v2.18.0...v2.19.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
f2e76c2e27
|
Bump step-security/harden-runner from 2.15.1 to 2.18.0 (#65)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.15.1 to 2.18.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.18.0</h2> <h2>What's Changed</h2> <p>Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.</p> <p>Deploy on Self-Hosted VM: Added <code>deploy-on-self-hosted-vm</code> input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.17.0...v2.18.0">https://github.com/step-security/harden-runner/compare/v2.17.0...v2.18.0</a></p> <h2>v2.17.0</h2> <h2>What's Changed</h2> <h3>Policy Store Support</h3> <p>Added <code>use-policy-store</code> and <code>api-key</code> inputs to fetch security policies directly from the <a href="https://docs.stepsecurity.io/harden-runner/policy-store">StepSecurity Policy Store</a>. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing <code>policy</code> input which requires <code>id-token: write</code> permission. If no policy is found in the store, the action defaults to audit mode.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.16.1...v2.17.0">https://github.com/step-security/harden-runner/compare/v2.16.1...v2.17.0</a></p> <h2>v2.16.1</h2> <h2>What's Changed</h2> <p>Enterprise tier: Added support for direct IP addresses in the allow list Community tier: Migrated Harden Runner telemetry to a new endpoint</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.16.0...v2.16.1">https://github.com/step-security/harden-runner/compare/v2.16.0...v2.16.1</a></p> <h2>v2.16.0</h2> <h2>What's Changed</h2> <ul> <li>Updated action.yml to use node24</li> <li>Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS over HTTPS (DoH) by proxying DNS queries through a permitted resolver, allowing data exfiltration even with a restrictive allowed-endpoints list. This issue only affects the Community Tier; the Enterprise Tier is not affected. See <a href="https://github.com/step-security/harden-runner/security/advisories/GHSA-46g3-37rh-v698">GHSA-46g3-37rh-v698</a> for details.</li> <li>Security fix: Fixed a medium severity vulnerability where the egress block policy could be bypassed via DNS queries over TCP to external resolvers, allowing outbound network communication that evades configured network restrictions. This issue only affects the Community Tier; the Enterprise Tier is not affected. See <a href="https://github.com/step-security/harden-runner/security/advisories/GHSA-g699-3x6g-wm3g">GHSA-g699-3x6g-wm3g</a> for details.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.15.1...v2.16.0">https://github.com/step-security/harden-runner/compare/v2.15.1...v2.16.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
ca1e61d20e
|
chore(workflows): add actionlint and zizmor action linters [SECINT-75] (#61)
Signed-off-by: Steve Beattie <steve.beattie@chainguard.dev> |
||
|
|
0d6447e685
|
Bump step-security/harden-runner from 2.13.3 to 2.15.1 (#60)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.3 to 2.15.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.15.1</h2> <h2>What's Changed</h2> <ul> <li>Fixes <a href="https://redirect.github.com/step-security/harden-runner/issues/642">step-security/harden-runner#642</a> bug due to which post step was failing on Windows ARM runners</li> <li>Updates npm packages</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.15.0...v2.15.1">https://github.com/step-security/harden-runner/compare/v2.15.0...v2.15.1</a></p> <h2>v2.15.0</h2> <h2>What's Changed</h2> <h3>Windows and macOS runner support</h3> <p>We are excited to announce that Harden Runner now supports <strong>Windows and macOS runners</strong>, extending runtime security beyond Linux for the first time.</p> <p>Insights for Windows and macOS runners will be displayed in the same consistent format you are already familiar with from Linux runners, giving you a unified view of runtime activity across all platforms.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.14.2...v2.15.0">https://github.com/step-security/harden-runner/compare/v2.14.2...v2.15.0</a></p> <h2>v2.14.2</h2> <h2>What's Changed</h2> <p>Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See <a href="https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq">GHSA-cpmj-h4f6-r6pq</a> for details.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.14.1...v2.14.2">https://github.com/step-security/harden-runner/compare/v2.14.1...v2.14.2</a></p> <h2>v2.14.1</h2> <h2>What's Changed</h2> <ol> <li> <p>In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.</p> </li> <li> <p>Fixed npm audit vulnerabilities</p> </li> </ol> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.14.0...v2.14.1">https://github.com/step-security/harden-runner/compare/v2.14.0...v2.14.1</a></p> <h2>v2.14.0</h2> <h2>What's Changed</h2> <ul> <li>Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.</li> <li>Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.13.3...v2.14.0">https://github.com/step-security/harden-runner/compare/v2.13.3...v2.14.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
6353cd32b4
|
Bump actions/setup-go from 5.5.0 to 6.1.0 (#49)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.5.0 to 6.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v6.1.0</h2> <h2>What's Changed</h2> <h3>Enhancements</h3> <ul> <li>Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by <a href="https://github.com/nicholasngai"><code>@nicholasngai</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/665">actions/setup-go#665</a></li> <li>Add support for .tool-versions file and update workflow by <a href="https://github.com/priya-kinthali"><code>@priya-kinthali</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/673">actions/setup-go#673</a></li> <li>Add comprehensive breaking changes documentation for v6 by <a href="https://github.com/mahabaleshwars"><code>@mahabaleshwars</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/674">actions/setup-go#674</a></li> </ul> <h3>Dependency updates</h3> <ul> <li>Upgrade eslint-config-prettier from 10.0.1 to 10.1.8 and document breaking changes in v6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/617">actions/setup-go#617</a></li> <li>Upgrade actions/publish-action from 0.3.0 to 0.4.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/641">actions/setup-go#641</a></li> <li>Upgrade semver and <code>@types/semver</code> by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/652">actions/setup-go#652</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/nicholasngai"><code>@nicholasngai</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/665">actions/setup-go#665</a></li> <li><a href="https://github.com/priya-kinthali"><code>@priya-kinthali</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/673">actions/setup-go#673</a></li> <li><a href="https://github.com/mahabaleshwars"><code>@mahabaleshwars</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/674">actions/setup-go#674</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v6...v6.1.0">https://github.com/actions/setup-go/compare/v6...v6.1.0</a></p> <h2>v6.0.0</h2> <h2>What's Changed</h2> <h3>Breaking Changes</h3> <ul> <li>Improve toolchain handling to ensure more reliable and consistent toolchain selection and management by <a href="https://github.com/matthewhughes934"><code>@matthewhughes934</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/460">actions/setup-go#460</a></li> <li>Upgrade Nodejs runtime from node20 to node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/624">actions/setup-go#624</a></li> </ul> <p>Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. <a href="https://github.com/actions/runner/releases/tag/v2.327.1">See Release Notes</a></p> <h3>Dependency Upgrades</h3> <ul> <li>Upgrade <code>@types/jest</code> from 29.5.12 to 29.5.14 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-go/pull/589">actions/setup-go#589</a></li> <li>Upgrade <code>@actions/tool-cache</code> from 2.0.1 to 2.0.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-go/pull/591">actions/setup-go#591</a></li> <li>Upgrade <code>@typescript-eslint/parser</code> from 8.31.1 to 8.35.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-go/pull/590">actions/setup-go#590</a></li> <li>Upgrade undici from 5.28.5 to 5.29.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-go/pull/594">actions/setup-go#594</a></li> <li>Upgrade typescript from 5.4.2 to 5.8.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-go/pull/538">actions/setup-go#538</a></li> <li>Upgrade eslint-plugin-jest from 28.11.0 to 29.0.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-go/pull/603">actions/setup-go#603</a></li> <li>Upgrade <code>form-data</code> to bring in fix for critical vulnerability by <a href="https://github.com/matthewhughes934"><code>@matthewhughes934</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/618">actions/setup-go#618</a></li> <li>Upgrade actions/checkout from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/setup-go/pull/631">actions/setup-go#631</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/matthewhughes934"><code>@matthewhughes934</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/618">actions/setup-go#618</a></li> <li><a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/624">actions/setup-go#624</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v5...v6.0.0">https://github.com/actions/setup-go/compare/v5...v6.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
f6946fdf0d
|
Bump step-security/harden-runner from 2.12.0 to 2.13.3 (#50)
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.12.0 to 2.13.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.13.3</h2> <h2>What's Changed</h2> <ul> <li>Fixed an issue where process events were not uploaded in certain edge cases.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.13.2...v2.13.3">https://github.com/step-security/harden-runner/compare/v2.13.2...v2.13.3</a></p> <h2>v2.13.2</h2> <h2>What's Changed</h2> <ul> <li>Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.</li> <li>Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.13.1...v2.13.2">https://github.com/step-security/harden-runner/compare/v2.13.1...v2.13.2</a></p> <h2>v2.13.1</h2> <h2>What's Changed</h2> <ul> <li> <p>Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.</p> </li> <li> <p>Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.</p> </li> <li> <p>Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.</p> </li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.13.0...v2.13.1">https://github.com/step-security/harden-runner/compare/v2.13.0...v2.13.1</a></p> <h2>v2.13.0</h2> <h2>What's Changed</h2> <ul> <li>Improved job markdown summary</li> <li>Https monitoring for all domains (included with the enterprise tier)</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2...v2.13.0">https://github.com/step-security/harden-runner/compare/v2...v2.13.0</a></p> <h2>v2.12.2</h2> <h2>What's Changed</h2> <p>Added HTTPS Monitoring for additional destinations - *.githubusercontent.com Bug fixes:</p> <ul> <li>Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode</li> <li>Increased policy map size for block mode</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2...v2.12.2">https://github.com/step-security/harden-runner/compare/v2...v2.12.2</a></p> <h2>v2.12.1</h2> <h2>What's Changed</h2> <ul> <li>Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.</li> <li>Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2...v2.12.1">https://github.com/step-security/harden-runner/compare/v2...v2.12.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
5ca5d64e63
|
Bump actions/checkout from 4.2.2 to 6.0.1 (#51)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 6.0.1. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v6.0.1</h2> <h2>What's Changed</h2> <ul> <li>Update all references from v5 and v4 to v6 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2314">actions/checkout#2314</a></li> <li>Add worktree support for persist-credentials includeIf by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li> <li>Clarify v6 README by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2328">actions/checkout#2328</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v6...v6.0.1">https://github.com/actions/checkout/compare/v6...v6.0.1</a></p> <h2>v6.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>v6-beta by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2298">actions/checkout#2298</a></li> <li>update readme/changelog for v6 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2311">actions/checkout#2311</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v5.0.0...v6.0.0">https://github.com/actions/checkout/compare/v5.0.0...v6.0.0</a></p> <h2>v6-beta</h2> <h2>What's Changed</h2> <p>Updated persist-credentials to store the credentials under <code>$RUNNER_TEMP</code> instead of directly in the local git config.</p> <p>This requires a minimum Actions Runner version of <a href="https://github.com/actions/runner/releases/tag/v2.329.0">v2.329.0</a> to access the persisted credentials for <a href="https://docs.github.com/en/actions/tutorials/use-containerized-services/create-a-docker-container-action">Docker container action</a> scenarios.</p> <h2>v5.0.1</h2> <h2>What's Changed</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v5...v5.0.1">https://github.com/actions/checkout/compare/v5...v5.0.1</a></p> <h2>v5.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update actions checkout to use node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li> <li>Prepare v5.0.0 release by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2238">actions/checkout#2238</a></li> </ul> <h2>⚠️ Minimum Compatible Runner Version</h2> <p><strong>v2.327.1</strong><br /> <a href="https://github.com/actions/runner/releases/tag/v2.327.1">Release Notes</a></p> <p>Make sure your runner is updated to this version or newer to use this release.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4...v5.0.0">https://github.com/actions/checkout/compare/v4...v5.0.0</a></p> <h2>v4.3.1</h2> <h2>What's Changed</h2> <ul> <li>Port v6 cleanup to v4 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>v6.0.0</h2> <ul> <li>Persist creds to a separate file by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li> <li>Update README to include Node.js 24 support details and requirements by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li> </ul> <h2>v5.0.1</h2> <ul> <li>Port v6 cleanup to v5 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li> </ul> <h2>v5.0.0</h2> <ul> <li>Update actions checkout to use node 24 by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li> </ul> <h2>v4.3.1</h2> <ul> <li>Port v6 cleanup to v4 by <a href="https://github.com/ericsciple"><code>@ericsciple</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li> </ul> <h2>v4.3.0</h2> <ul> <li>docs: update README.md by <a href="https://github.com/motss"><code>@motss</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li> <li>Add internal repos for checking out multiple repositories by <a href="https://github.com/mouismail"><code>@mouismail</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li> <li>Documentation update - add recommended permissions to Readme by <a href="https://github.com/benwells"><code>@benwells</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li> <li>Adjust positioning of user email note and permissions heading by <a href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li> <li>Update README.md by <a href="https://github.com/nebuk89"><code>@nebuk89</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li> <li>Update CODEOWNERS for actions by <a href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li> <li>Update package dependencies by <a href="https://github.com/salmanmkc"><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li> </ul> <h2>v4.2.2</h2> <ul> <li><code>url-helper.ts</code> now leverages well-known environment variables by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li> <li>Expand unit test coverage for <code>isGhes</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li> </ul> <h2>v4.2.1</h2> <ul> <li>Check out other refs/* by commit if provided, fall back to ref by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li> </ul> <h2>v4.2.0</h2> <ul> <li>Add Ref and Commit outputs by <a href="https://github.com/lucacome"><code>@lucacome</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li> <li>Dependency updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>- <a href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>, <a href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li> </ul> <h2>v4.1.7</h2> <ul> <li>Bump the minor-npm-dependencies group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1739">actions/checkout#1739</a></li> <li>Bump actions/checkout from 3 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1697">actions/checkout#1697</a></li> <li>Check out other refs/* by commit by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1774">actions/checkout#1774</a></li> <li>Pin actions/checkout's own workflows to a known, good, stable version. by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1776">actions/checkout#1776</a></li> </ul> <h2>v4.1.6</h2> <ul> <li>Check platform to set archive extension appropriately by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1732">actions/checkout#1732</a></li> </ul> <h2>v4.1.5</h2> <ul> <li>Update NPM dependencies by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1703">actions/checkout#1703</a></li> <li>Bump github/codeql-action from 2 to 3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1694">actions/checkout#1694</a></li> <li>Bump actions/setup-node from 1 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1696">actions/checkout#1696</a></li> <li>Bump actions/upload-artifact from 2 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1695">actions/checkout#1695</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
f9cf331fa9
|
Bump actions/setup-go from 5.3.0 to 5.5.0 (#37)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.3.0 to 5.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v5.5.0</h2> <h2>What's Changed</h2> <h3>Bug fixes:</h3> <ul> <li>Update self-hosted environment validation by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/556">actions/setup-go#556</a></li> <li>Add manifest validation and improve error handling by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/586">actions/setup-go#586</a></li> <li>Update template link by <a href="https://github.com/jsoref"><code>@jsoref</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/527">actions/setup-go#527</a></li> </ul> <h3>Dependency updates:</h3> <ul> <li>Upgrade <code>@action/cache</code> from 4.0.2 to 4.0.3 by <a href="https://github.com/aparnajyothi-y"><code>@aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/574">actions/setup-go#574</a></li> <li>Upgrade <code>@actions/glob</code> from 0.4.0 to 0.5.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/573">actions/setup-go#573</a></li> <li>Upgrade ts-jest from 29.1.2 to 29.3.2 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/582">actions/setup-go#582</a></li> <li>Upgrade eslint-plugin-jest from 27.9.0 to 28.11.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/537">actions/setup-go#537</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/jsoref"><code>@jsoref</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/527">actions/setup-go#527</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v5...v5.5.0">https://github.com/actions/setup-go/compare/v5...v5.5.0</a></p> <h2>v5.4.0</h2> <h2>What's Changed</h2> <h3>Dependency updates :</h3> <ul> <li>Upgrade semver from 7.6.0 to 7.6.3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/535">actions/setup-go#535</a></li> <li>Upgrade eslint-config-prettier from 8.10.0 to 10.0.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/536">actions/setup-go#536</a></li> <li>Upgrade <code>@action/cache</code> from 4.0.0 to 4.0.2 by <a href="https://github.com/aparnajyothi-y"><code>@aparnajyothi-y</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/568">actions/setup-go#568</a></li> <li>Upgrade undici from 5.28.4 to 5.28.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/541">actions/setup-go#541</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/aparnajyothi-y"><code>@aparnajyothi-y</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/568">actions/setup-go#568</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v5...v5.4.0">https://github.com/actions/setup-go/compare/v5...v5.4.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
e53dba9a34
|
[StepSecurity] Apply security best practices (#39)
This PR implements [go/ssdlc-2](https://go/ssdlc-2). Please raise issues to ProdSec's on-call rotation. Ref: https://github.com/chainguard-dev/prodsec/issues/138 ## Summary This pull request has been generated by [StepSecurity](https://app.stepsecurity.io/github/chainguard-dev/actions/dashboard) as part of your enterprise subscription to ensure compliance with recommended security best practices. Please review and merge the pull request to apply these security enhancements. At a high level, this PR: - Adds the `harden-runner` Action if not already present - Pins Actions to a digest rather than mutable tags - Restricts GitHub token permissions to be as minimal as possible ## Security Fixes ### Harden Runner Harden-Runner is an open-source security agent for the GitHub-hosted runner to prevent software supply chain attacks. It prevents exfiltration of credentials, detects tampering of source code during build, and enables running jobs without sudo access. - [GitHub Security Guide](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#dangerous-workflow) ### Least Privileged GitHub Actions Token Permissions The GITHUB_TOKEN is an automatically generated secret to make authenticated calls to the GitHub API. GitHub recommends setting minimum token permissions for the GITHUB_TOKEN. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo) or contact us via [our website](https://www.stepsecurity.io/). Signed-off-by: StepSecurity Bot <bot@stepsecurity.io> Co-authored-by: stepsecurity-app[bot] <188008098+stepsecurity-app[bot]@users.noreply.github.com> |
||
|
|
cedc4c3467
|
Bump actions/setup-go from 5.2.0 to 5.3.0 (#32)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.2.0 to 5.3.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v5.3.0</h2> <h2>What's Changed</h2> <ul> <li>Use the new cache service: upgrade <code>@actions/cache</code> to <code>^4.0.0</code> by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/setup-go/pull/531">actions/setup-go#531</a></li> <li>Configure Dependabot settings by <a href="https://github.com/HarithaVattikuti"><code>@HarithaVattikuti</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/530">actions/setup-go#530</a></li> <li>Document update - permission section by <a href="https://github.com/HarithaVattikuti"><code>@HarithaVattikuti</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/533">actions/setup-go#533</a></li> <li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/534">actions/setup-go#534</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Link"><code>@Link</code></a>- made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/531">actions/setup-go#531</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v5...v5.3.0">https://github.com/actions/setup-go/compare/v5...v5.3.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
67ba3d0193
|
Bump actions/setup-go from 5.1.0 to 5.2.0 (#30)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.1.0 to 5.2.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v5.2.0</h2> <h2>What's Changed</h2> <ul> <li>Leveraging the raw API to retrieve the version-manifest, as it does not impose a rate limit and hence facilitates unrestricted consumption without the need for a token for Github Enterprise Servers by <a href="https://github.com/Shegox"><code>@Shegox</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/496">actions/setup-go#496</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Shegox"><code>@Shegox</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/496">actions/setup-go#496</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v5...v5.2.0">https://github.com/actions/setup-go/compare/v5...v5.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
e97f0ca65a
|
Bump actions/checkout from 4.1.7 to 4.2.2 (#27)
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v4.2.2</h2> <h2>What's Changed</h2> <ul> <li><code>url-helper.ts</code> now leverages well-known environment variables by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li> <li>Expand unit test coverage for <code>isGhes</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4.2.1...v4.2.2">https://github.com/actions/checkout/compare/v4.2.1...v4.2.2</a></p> <h2>v4.2.1</h2> <h2>What's Changed</h2> <ul> <li>Check out other refs/* by commit if provided, fall back to ref by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Jcambass"><code>@Jcambass</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1919">actions/checkout#1919</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4.2.0...v4.2.1">https://github.com/actions/checkout/compare/v4.2.0...v4.2.1</a></p> <h2>v4.2.0</h2> <h2>What's Changed</h2> <ul> <li>Add Ref and Commit outputs by <a href="https://github.com/lucacome"><code>@lucacome</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li> <li>Dependabot updates in <a href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a> & <a href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/yasonk"><code>@yasonk</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1869">actions/checkout#1869</a></li> <li><a href="https://github.com/lucacome"><code>@lucacome</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v4.1.7...v4.2.0">https://github.com/actions/checkout/compare/v4.1.7...v4.2.0</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's changelog</a>.</em></p> <blockquote> <h1>Changelog</h1> <h2>v4.2.2</h2> <ul> <li><code>url-helper.ts</code> now leverages well-known environment variables by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li> <li>Expand unit test coverage for <code>isGhes</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li> </ul> <h2>v4.2.1</h2> <ul> <li>Check out other refs/* by commit if provided, fall back to ref by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li> </ul> <h2>v4.2.0</h2> <ul> <li>Add Ref and Commit outputs by <a href="https://github.com/lucacome"><code>@lucacome</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1180">actions/checkout#1180</a></li> <li>Dependency updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a>- <a href="https://redirect.github.com/actions/checkout/pull/1777">actions/checkout#1777</a>, <a href="https://redirect.github.com/actions/checkout/pull/1872">actions/checkout#1872</a></li> </ul> <h2>v4.1.7</h2> <ul> <li>Bump the minor-npm-dependencies group across 1 directory with 4 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1739">actions/checkout#1739</a></li> <li>Bump actions/checkout from 3 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1697">actions/checkout#1697</a></li> <li>Check out other refs/* by commit by <a href="https://github.com/orhantoy"><code>@orhantoy</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1774">actions/checkout#1774</a></li> <li>Pin actions/checkout's own workflows to a known, good, stable version. by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1776">actions/checkout#1776</a></li> </ul> <h2>v4.1.6</h2> <ul> <li>Check platform to set archive extension appropriately by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1732">actions/checkout#1732</a></li> </ul> <h2>v4.1.5</h2> <ul> <li>Update NPM dependencies by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1703">actions/checkout#1703</a></li> <li>Bump github/codeql-action from 2 to 3 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1694">actions/checkout#1694</a></li> <li>Bump actions/setup-node from 1 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1696">actions/checkout#1696</a></li> <li>Bump actions/upload-artifact from 2 to 4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1695">actions/checkout#1695</a></li> <li>README: Suggest <code>user.email</code> to be <code>41898282+github-actions[bot]@users.noreply.github.com</code> by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1707">actions/checkout#1707</a></li> </ul> <h2>v4.1.4</h2> <ul> <li>Disable <code>extensions.worktreeConfig</code> when disabling <code>sparse-checkout</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1692">actions/checkout#1692</a></li> <li>Add dependabot config by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1688">actions/checkout#1688</a></li> <li>Bump the minor-actions-dependencies group with 2 updates by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1693">actions/checkout#1693</a></li> <li>Bump word-wrap from 1.2.3 to 1.2.5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1643">actions/checkout#1643</a></li> </ul> <h2>v4.1.3</h2> <ul> <li>Check git version before attempting to disable <code>sparse-checkout</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1656">actions/checkout#1656</a></li> <li>Add SSH user parameter by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1685">actions/checkout#1685</a></li> <li>Update <code>actions/checkout</code> version in <code>update-main-version.yml</code> by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1650">actions/checkout#1650</a></li> </ul> <h2>v4.1.2</h2> <ul> <li>Fix: Disable sparse checkout whenever <code>sparse-checkout</code> option is not present <a href="https://github.com/dscho"><code>@dscho</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1598">actions/checkout#1598</a></li> </ul> <h2>v4.1.1</h2> <ul> <li>Correct link to GitHub Docs by <a href="https://github.com/peterbe"><code>@peterbe</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li> <li>Link to release page from what's new section by <a href="https://github.com/cory-miller"><code>@cory-miller</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li> </ul> <h2>v4.1.0</h2> <ul> <li><a href="https://redirect.github.com/actions/checkout/pull/1396">Add support for partial checkout filters</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
8827246f05
|
Bump actions/setup-go from 5.0.2 to 5.1.0 (#28)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.2 to 5.1.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v5.1.0</h2> <h2>What's Changed</h2> <ul> <li>Add workflow file for publishing releases to immutable action package by <a href="https://github.com/Jcambass"><code>@Jcambass</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/500">actions/setup-go#500</a></li> <li>Upgrade IA Publish by <a href="https://github.com/Jcambass"><code>@Jcambass</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/502">actions/setup-go#502</a></li> <li>Add architecture to cache key by <a href="https://github.com/Zxilly"><code>@Zxilly</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/493">actions/setup-go#493</a> This addresses issues with caching by adding the architecture (arch) to the cache key, ensuring that cache keys are accurate to prevent conflicts. Note: This change may break previous cache keys as they will no longer be compatible with the new format.</li> <li>Enhance workflows and Upgrade micromatch Dependency by <a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/510">actions/setup-go#510</a></li> </ul> <p><strong>Bug Fixes</strong></p> <ul> <li>Revise <code>isGhes</code> logic by <a href="https://github.com/jww3"><code>@jww3</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/511">actions/setup-go#511</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Zxilly"><code>@Zxilly</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/493">actions/setup-go#493</a></li> <li><a href="https://github.com/Jcambass"><code>@Jcambass</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/500">actions/setup-go#500</a></li> <li><a href="https://github.com/jww3"><code>@jww3</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/511">actions/setup-go#511</a></li> <li><a href="https://github.com/priyagupta108"><code>@priyagupta108</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/510">actions/setup-go#510</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v5...v5.1.0">https://github.com/actions/setup-go/compare/v5...v5.1.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
b42aea849e
|
Bump actions/setup-go from 5.0.1 to 5.0.2 (#20)
Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.1 to 5.0.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-go/releases">actions/setup-go's releases</a>.</em></p> <blockquote> <h2>v5.0.2</h2> <h2>What's Changed</h2> <h3>Bug fixes:</h3> <ul> <li>Fix versions check failure by <a href="https://github.com/HarithaVattikuti"><code>@HarithaVattikuti</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/479">actions/setup-go#479</a></li> </ul> <h3>Dependency updates:</h3> <ul> <li>Bump braces from 3.0.2 to 3.0.3 and undici from 5.28.3 to 5.28.4 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/setup-go/pull/487">actions/setup-go#487</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/HarithaVattikuti"><code>@HarithaVattikuti</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-go/pull/479">actions/setup-go#479</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-go/compare/v5...v5.0.2">https://github.com/actions/setup-go/compare/v5...v5.0.2</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
d26a705a05
|
Bump actions/checkout from 3 to 4 (#19)
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/checkout/releases">actions/checkout's releases</a>.</em></p> <blockquote> <h2>v4.0.0</h2> <h2>What's Changed</h2> <ul> <li>Update default runtime to node20 by <a href="https://github.com/takost"><code>@takost</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1436">actions/checkout#1436</a></li> <li>Support fetching without the --progress option by <a href="https://github.com/simonbaird"><code>@simonbaird</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1067">actions/checkout#1067</a></li> <li>Release 4.0.0 by <a href="https://github.com/takost"><code>@takost</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1447">actions/checkout#1447</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/takost"><code>@takost</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1436">actions/checkout#1436</a></li> <li><a href="https://github.com/simonbaird"><code>@simonbaird</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1067">actions/checkout#1067</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v3...v4.0.0">https://github.com/actions/checkout/compare/v3...v4.0.0</a></p> <h2>v3.6.0</h2> <h2>What's Changed</h2> <ul> <li>Mark test scripts with Bash'isms to be run via Bash by <a href="https://github.com/dscho"><code>@dscho</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1377">actions/checkout#1377</a></li> <li>Add option to fetch tags even if fetch-depth > 0 by <a href="https://github.com/RobertWieczoreck"><code>@RobertWieczoreck</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/579">actions/checkout#579</a></li> <li>Release 3.6.0 by <a href="https://github.com/luketomlinson"><code>@luketomlinson</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1437">actions/checkout#1437</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/RobertWieczoreck"><code>@RobertWieczoreck</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/579">actions/checkout#579</a></li> <li><a href="https://github.com/luketomlinson"><code>@luketomlinson</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1437">actions/checkout#1437</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v3.5.3...v3.6.0">https://github.com/actions/checkout/compare/v3.5.3...v3.6.0</a></p> <h2>v3.5.3</h2> <h2>What's Changed</h2> <ul> <li>Fix: Checkout Issue in self hosted runner due to faulty submodule check-ins by <a href="https://github.com/megamanics"><code>@megamanics</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1196">actions/checkout#1196</a></li> <li>Fix typos found by codespell by <a href="https://github.com/DimitriPapadopoulos"><code>@DimitriPapadopoulos</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1287">actions/checkout#1287</a></li> <li>Add support for sparse checkouts by <a href="https://github.com/dscho"><code>@dscho</code></a> and <a href="https://github.com/dfdez"><code>@dfdez</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1369">actions/checkout#1369</a></li> <li>Release v3.5.3 by <a href="https://github.com/TingluoHuang"><code>@TingluoHuang</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1376">actions/checkout#1376</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/megamanics"><code>@megamanics</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1196">actions/checkout#1196</a></li> <li><a href="https://github.com/DimitriPapadopoulos"><code>@DimitriPapadopoulos</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1287">actions/checkout#1287</a></li> <li><a href="https://github.com/dfdez"><code>@dfdez</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1369">actions/checkout#1369</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v3...v3.5.3">https://github.com/actions/checkout/compare/v3...v3.5.3</a></p> <h2>v3.5.2</h2> <h2>What's Changed</h2> <ul> <li>Fix: Use correct API url / endpoint in GHES by <a href="https://github.com/fhammerl"><code>@fhammerl</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1289">actions/checkout#1289</a> based on <a href="https://redirect.github.com/actions/checkout/issues/1286">#1286</a> by <a href="https://github.com/1newsr"><code>@1newsr</code></a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/checkout/compare/v3.5.1...v3.5.2">https://github.com/actions/checkout/compare/v3.5.1...v3.5.2</a></p> <h2>v3.5.1</h2> <h2>What's Changed</h2> <ul> <li>Improve checkout performance on Windows runners by upgrading <code>@actions/github</code> dependency by <a href="https://github.com/BrettDong"><code>@BrettDong</code></a> in <a href="https://redirect.github.com/actions/checkout/pull/1246">actions/checkout#1246</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/BrettDong"><code>@BrettDong</code></a> made their first contribution in <a href="https://redirect.github.com/actions/checkout/pull/1246">actions/checkout#1246</a></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href=" |
||
|
|
1a2666f783
|
setup dependabot for clog (#18)
Signed-off-by: Kenny Leung <kleung@chainguard.dev> |
||
|
|
9bf46567a6
|
Create go.yml |