chore(deps): Bump the actions-all group across 1 directory with 13 updates

[dependabot]

Bumps the actions-all group with 13 updates in the / directory:

Package	From	To
step-security/harden-runner	2.11.0	2.12.0
actions/setup-go	5.3.0	5.5.0
github/codeql-action	3.28.11	3.28.18
dependabot/fetch-metadata	2.3.0	2.4.0
actions/dependency-review-action	4.5.0	4.7.1
actions/setup-node	4.3.0	4.4.0
actions/cache	4.2.2	4.2.3
golangci/golangci-lint-action	6.5.1	8.0.0
sigstore/cosign-installer	3.8.1	3.8.2
docker/build-push-action	6.15.0	6.18.0
crazy-max/ghaction-github-runtime	3.0.0	3.1.0
ossf/scorecard-action	2.4.1	2.4.2
actions/upload-artifact	4.6.1	4.6.2

Updates step-security/harden-runner from 2.11.0 to 2.12.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.12.0

What's Changed

1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

v2.11.1

What's Changed

• cache: add support for GitHub Actions cache v2 by @​h0x0er in step-security/harden-runner#529

Full Changelog: step-security/harden-runner@v2...v2.11.1

Commits

• 0634a26 Merge pull request #541 from step-security/rc-20
• 2e3c511 Update action.yml
• 40873e6 Update README.md
• 484c279 Update README.md
• 4c8582f Update agent versions
• e8d595c fix disable_sudo_and_containers bug
• 5d277fc fix journalctl related bug
• ff2ab22 Merge pull request #536 from rohan-stepsecurity/feat/flag/disable-sudo-and-co...
• b81d650 fix: run sudo command only when both disable-sudo and disable-sudo-and-docker...
• 769df4e Update agent
• Additional commits viewable in compare view

Updates actions/setup-go from 5.3.0 to 5.5.0

Release notes

Sourced from actions/setup-go's releases.

v5.5.0

What's Changed

Bug fixes:

• Update self-hosted environment validation by @​priyagupta108 in actions/setup-go#556
• Add manifest validation and improve error handling by @​priyagupta108 in actions/setup-go#586
• Update template link by @​jsoref in actions/setup-go#527

Dependency updates:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in actions/setup-go#574
• Upgrade @​actions/glob from 0.4.0 to 0.5.0 by @​dependabot in actions/setup-go#573
• Upgrade ts-jest from 29.1.2 to 29.3.2 by @​dependabot in actions/setup-go#582
• Upgrade eslint-plugin-jest from 27.9.0 to 28.11.0 by @​dependabot in actions/setup-go#537

New Contributors

• @​jsoref made their first contribution in actions/setup-go#527

Full Changelog: actions/setup-go@v5...v5.5.0

v5.4.0

What's Changed

Dependency updates :

• Upgrade semver from 7.6.0 to 7.6.3 by @​dependabot in actions/setup-go#535
• Upgrade eslint-config-prettier from 8.10.0 to 10.0.1 by @​dependabot in actions/setup-go#536
• Upgrade @​action/cache from 4.0.0 to 4.0.2 by @​aparnajyothi-y in actions/setup-go#568
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot in actions/setup-go#541

New Contributors

• @​aparnajyothi-y made their first contribution in actions/setup-go#568

Full Changelog: actions/setup-go@v5...v5.4.0

Commits

• d35c59a chore: update discussions url (#527)
• 29694d7 Add manifest validation and improve error handling (#586)
• 78535dd Bump eslint-plugin-jest from 27.9.0 to 28.11.0 (#537)
• bb65d88 Bump ts-jest from 29.1.2 to 29.3.2 (#582)
• 7f17e83 Bump @​actions/glob from 0.4.0 to 0.5.0 (#573)
• dca8468 Update self-hosted environment validation and bump undici version (#556)
• 691cc35 upgrade actions/cache to 4.0.3 (#574)
• 0aaccfd Bump undici from 5.28.4 to 5.28.5 (#541)
• c4c1141 upgrade actions/cache to 4.0.2 (#568)
• 5a083d0 Bump eslint-config-prettier from 8.10.0 to 10.0.1 (#536)
• Additional commits viewable in compare view

Updates github/codeql-action from 3.28.11 to 3.28.18

Release notes

Sourced from github/codeql-action's releases.

v3.28.18

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.18 - 16 May 2025

• Update default CodeQL bundle version to 2.21.3. #2893
• Skip validating SARIF produced by CodeQL for improved performance. #2894
• The number of threads and amount of RAM used by CodeQL can now be set via the CODEQL_THREADS and CODEQL_RAM runner environment variables. If set, these environment variables override the threads and ram inputs respectively. #2891

See the full CHANGELOG.md for more information.

v3.28.17

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

See the full CHANGELOG.md for more information.

v3.28.16

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

See the full CHANGELOG.md for more information.

v3.28.15

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

See the full CHANGELOG.md for more information.

v3.28.14

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

• The CodeQL Action no longer includes its own copy of the extractor for the actions language, which is currently in public preview. The actions extractor has been included in the CodeQL CLI since v2.20.6. If your workflow has enabled the actions language and you have pinned your tools: property to a specific version of the CodeQL CLI earlier than v2.20.6, you will need to update to at least CodeQL v2.20.6 or disable actions analysis.

3.28.18 - 16 May 2025

• Update default CodeQL bundle version to 2.21.3. #2893
• Skip validating SARIF produced by CodeQL for improved performance. #2894
• The number of threads and amount of RAM used by CodeQL can now be set via the CODEQL_THREADS and CODEQL_RAM runner environment variables. If set, these environment variables override the threads and ram inputs respectively. #2891

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

• Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

• Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
• Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

... (truncated)

Commits

• ff0a06e Merge pull request #2896 from github/update-v3.28.18-b86edfc27
• a41e084 Update changelog for v3.28.18
• b86edfc Merge pull request #2893 from github/update-bundle/codeql-bundle-v2.21.3
• e93b900 Merge branch 'main' into update-bundle/codeql-bundle-v2.21.3
• 510dfa3 Merge pull request #2894 from github/henrymercer/skip-validating-codeql-sarif
• 492d783 Merge branch 'main' into henrymercer/skip-validating-codeql-sarif
• 83bdf3b Merge pull request #2859 from github/update-supported-enterprise-server-versions
• cffc916 Merge pull request #2891 from austinpray-mixpanel/patch-1
• 4420887 Add deprecation warning for CodeQL 2.16.5 and earlier
• 4e178c5 Update supported versions table in README
• Additional commits viewable in compare view

Updates dependabot/fetch-metadata from 2.3.0 to 2.4.0

Release notes

Sourced from dependabot/fetch-metadata's releases.

v2.4.0

What's Changed

• Bump actions/create-github-app-token from 1.11.0 to 1.11.3 by @​dependabot in dependabot/fetch-metadata#598
• Bump @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot in dependabot/fetch-metadata#578
• Add missing @octokit/request-error to package.json by @​jeffwidman in dependabot/fetch-metadata#605
• Bump to ESLint 9 by @​jeffwidman in dependabot/fetch-metadata#606
• Stop using a node16 devcontainer image by @​jeffwidman in dependabot/fetch-metadata#608
• Make typescript compile to "es2022" by @​jeffwidman in dependabot/fetch-metadata#609
• Bump the dev-dependencies group across 1 directory with 8 updates by @​dependabot in dependabot/fetch-metadata#607
• Tidy up examples slightly by @​jeffwidman in dependabot/fetch-metadata#611
• Fixup some anchor tags that weren't deeplinking by @​jeffwidman in dependabot/fetch-metadata#614
• Remove unnecessary hardcoding of ref by @​jeffwidman in dependabot/fetch-metadata#617
• Bump actions/create-github-app-token from 1.11.3 to 2.0.2 by @​dependabot in dependabot/fetch-metadata#616
• Enable caching of npm install/npm ci for setup-node action by @​jeffwidman in dependabot/fetch-metadata#618
• Add workflow to publish new version of immutable action on every release by @​jeffwidman in dependabot/fetch-metadata#623
• Bump actions/create-github-app-token from 2.0.2 to 2.0.6 by @​dependabot in dependabot/fetch-metadata#621
• v2.4.0 by @​fetch-metadata-action-automation in dependabot/fetch-metadata#594

Full Changelog: dependabot/fetch-metadata@v2...v2.4.0

Commits

• 08eff52 v2.4.0 (#594)
• 821b654 Merge pull request #621 from dependabot/dependabot/github_actions/actions/cre...
• 2c22a37 Bump actions/create-github-app-token from 2.0.2 to 2.0.6
• 6ad01a0 Add workflow to publish new version of immutable action on every release (#623)
• 8ca800c Enable caching of npm install/npm ci for setup-node action (#618)
• 6787635 Merge pull request #616 from dependabot/dependabot/github_actions/actions/cre...
• a09d4af Bump actions/create-github-app-token from 1.11.3 to 2.0.2
• 3a5ce46 Remove unnecessary hardcoding of ref (#617)
• 798f45c Fixup some anchor tags that weren't deeplinking (#614)
• 6c031ac Tidy up examples slightly (#611)
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.5.0 to 4.7.1

Release notes

Sourced from actions/dependency-review-action's releases.

v4.7.1

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

v4.6.0

What's Changed

• Updating multiple dependency versions by @​Ahmed3lmallah in actions/dependency-review-action#870
• Grouping minor and patch dependabot updates to lessen the number of PRs by @​Ahmed3lmallah in actions/dependency-review-action#876
• Bump actions/stale from 9.0.0 to 9.1.0 by @​dependabot in actions/dependency-review-action#878
• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in actions/dependency-review-action#877
• DR Action should link to the proxima stamp when appropriate in error messages by @​AshelyTC in actions/dependency-review-action#891
• Allow deny package removal by @​ellenfieldn in actions/dependency-review-action#888
• Fix typos by @​omahs in actions/dependency-review-action#893
• Bump esbuild from 0.19.5 to 0.25.0 by @​dependabot in actions/dependency-review-action#900
• Bump octokit and related dependencies by @​RomanIakovlev in actions/dependency-review-action#904
• Bump @​babel/helpers from 7.23.2 to 7.26.10 by @​dependabot in actions/dependency-review-action#905
• Bump @​octokit/plugin-paginate-rest from 9.1.5 to 9.2.2 by @​dependabot in actions/dependency-review-action#899
• Update transitive dependency spdx-license-ids by @​ailox in actions/dependency-review-action#855
• To not print OpenSSF Scorecard section if no dependencies scanned by @​fabasoad in actions/dependency-review-action#884
• Improve usage of this action in dependency-review.yml by @​fabasoad in actions/dependency-review-action#883
• Clarify comment-summary-in-pr behaviour by @​Pantelis-Santorinios in actions/dependency-review-action#902
• Prepare 4.6.0 Release candidate by @​brrygrdn in actions/dependency-review-action#910

New Contributors

• @​AshelyTC made their first contribution in actions/dependency-review-action#891
• @​ellenfieldn made their first contribution in actions/dependency-review-action#888
• @​omahs made their first contribution in actions/dependency-review-action#893
• @​RomanIakovlev made their first contribution in actions/dependency-review-action#904
• @​ailox made their first contribution in actions/dependency-review-action#855
• @​fabasoad made their first contribution in actions/dependency-review-action#884
• @​Pantelis-Santorinios made their first contribution in actions/dependency-review-action#902
• @​brrygrdn made their first contribution in actions/dependency-review-action#910

Full Changelog: actions/dependency-review-action@v4.5.0...v4.6.0

Commits

• da24556 Merge pull request #933 from actions/dangoor/471-release
• 9af0caf Bump version number for 4.7.1
• d8f2df2 Merge pull request #932 from actions/907-disallow-expression
• 6e9307a Discard allow list entries that are not SPDX IDs
• 8805179 Merge pull request #930 from actions/889-allow-no-license
• 014300b Update build
• 34486f3 Check namespaces when excluding license checks
• 9b155d6 Update build
• f199659 Allowing dependencies works with no licenses
• 38ecb5b Merge pull request #929 from actions/dangoor/4.7-release
• Additional commits viewable in compare view

Updates actions/setup-node from 4.3.0 to 4.4.0

Release notes

Sourced from actions/setup-node's releases.

v4.4.0

What's Changed

Bug fixes:

• Make eslint-compact matcher compatible with Stylelint by @​FloEdelmann in actions/setup-node#98
• Add support for indented eslint output by @​fregante in actions/setup-node#1245

Enhancement:

• Support private mirrors by @​marco-ippolito in actions/setup-node#1240

Dependency update:

• Upgrade @​action/cache from 4.0.2 to 4.0.3 by @​aparnajyothi-y in actions/setup-node#1262

New Contributors

• @​FloEdelmann made their first contribution in actions/setup-node#98
• @​fregante made their first contribution in actions/setup-node#1245
• @​marco-ippolito made their first contribution in actions/setup-node#1240

Full Changelog: actions/setup-node@v4...v4.4.0

Commits

• 49933ea Bump @​action/cache from 4.0.2 to 4.0.3 (#1262)
• e3ce749 feat: support private mirrors (#1240)
• 40337cb Add support for indented eslint output (#1245)
• 1ccdddc Make eslint-compact matcher compatible with Stylelint (#98)
• See full diff in compare view

Updates actions/cache from 4.2.2 to 4.2.3

Release notes

Sourced from actions/cache's releases.

v4.2.3

What's Changed

• Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

• @​salmanmkc made their first contribution in actions/cache#1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

Changelog

Sourced from actions/cache's changelog.

Releases

4.2.3

• Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

• Bump @actions/cache to v4.0.2

4.2.1

• Bump @actions/cache to v4.0.1

4.2.0

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before February 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

4.1.2

• Add GitHub Enterprise Cloud instances hostname filters to inform API endpoint choices - #1474
• Security fix: Bump braces from 3.0.2 to 3.0.3 - #1475

4.1.1

• Restore original behavior of cache-hit output - #1467

4.1.0

• Ensure cache-hit output is set when a cache is missed - #1404
• Deprecate save-always input - #1452

4.0.2

• Fixed restore fail-on-cache-miss not working.

4.0.1

• Updated isGhes check

... (truncated)

Commits

• 5a3ec84 Merge pull request #1577 from salmanmkc/salmanmkc/4-test
• 7de2102 Update releases.md
• 76d40dd Update to use the latest version of the cache package to obfuscate the SAS
• 76dd5eb update cache with main
• 8c80c27 new package
• 45cfd0e updates
• edd449b updated cache with latest changes
• 0576707 latest test before pr
• 3105dc9 update
• 9450d42 mask
• Additional commits viewable in compare view

Updates golangci/golangci-lint-action from 6.5.1 to 8.0.0

Release notes

Sourced from golangci/golangci-lint-action's releases.

v8.0.0

Requires golangci-lint version >= v2.1.0

What's Changed

Changes

• feat: use absolute paths by default when using working-directory option by @​ldez in golangci/golangci-lint-action#1231

Full Changelog: golangci/golangci-lint-action@v7...v8.0.0

v7.0.1

What's Changed

Documentation

• docs: add note about github.workspace by @​mattjohnsonpint in golangci/golangci-lint-action#1218
• docs: clarify that ’args: --path-mode=abs’ is needed for working-directory by @​HaraldNordgren in golangci/golangci-lint-action#1230

Dependencies

• build(deps): bump the dependencies group across 1 directory with 3 updates by @​dependabot in golangci/golangci-lint-action#1213
• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot in golangci/golangci-lint-action#1215
• build(deps-dev): bump the dev-dependencies group with 4 updates by @​dependabot in golangci/golangci-lint-action#1220
• build(deps): bump @​types/node from 22.13.14 to 22.14.0 in the dependencies group by @​dependabot in golangci/golangci-lint-action#1221
• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot in golangci/golangci-lint-action#1224
• build(deps): bump @​types/node from 22.14.0 to 22.14.1 in the dependencies group by @​dependabot in golangci/golangci-lint-action#1225
• build(deps-dev): bump the dev-dependencies group with 2 updates by @​dependabot in golangci/golangci-lint-action#1227

New Contributors

• @​mattjohnsonpint made their first contribution in golangci/golangci-lint-action#1218
• @​HaraldNordgren made their first contribution in golangci/golangci-lint-action#1230

Full Changelog: golangci/golangci-lint-action@v7.0.0...v7.0.1

v7.0.0

⚠️ The GitHub Action v7 supports golangci-lint v2 only. ⚠️

What's Changed

Changes

• feat: golangci-lint v2 support by @​ldez in golangci/golangci-lint-action#1198

Documentation

• docs: update annotation permissions by @​ldez in golangci/golangci-lint-action#1203
• docs: fix checks permissions for annotations by @​kema-dev in golangci/golangci-lint-action#1204

Dependencies

• build(deps-dev): bump the dev-dependencies group with 3 updates by @​dependabot in golangci/golangci-lint-action#1207

New Contributors

... (truncated)

Commits

• 4afd733 8.0.0
• 7774f98 feat: use absolute paths by default when using working-directory option (#1231)
• 9fae48a 7.0.1
• 16ece5e docs: clarify that ’args: --path-mode=abs’ is needed for working-directory (...
• a3942e2 build(deps-dev): bump the dev-dependencies group with 2 updates (#1227)
• 7ecb048 build(deps): bump @​types/node from 22.14.0 to 22.14.1 in the dependencies gro...
• 63a0d0e build(deps-dev): bump the dev-dependencies group with 3 updates (#1224)
• c2427fe docs: update problem matchers section
• 642f8ee build(deps): bump @​types/node from 22.13.14 to 22.14.0 in the dependencies gr...
• d84be92 build(deps-dev): bump the dev-dependencies group with 4 updates (#1220)
• Additional commits viewable in compare view

Updates sigstore/cosign-installer from 3.8.1 to 3.8.2

Release notes

Sourced from sigstore/cosign-installer's releases.

v3.8.2

What's Changed

• install cosign v2 from main in sigstore/cosign-installer#186

Full Changelog: sigstore/cosign-installer@v3...v3.8.2

Commits

• 3454372 install cosign v2 from main (#186)
• b6ee8f8 Bump actions/setup-go from 5.3.0 to 5.4.0 (#185)
• See full diff in compare view

Updates docker/build-push-action from 6.15.0 to 6.18.0

Release notes

Sourced from docker/build-push-action's releases.

v6.18.0

• Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1 in docker/build-push-action#1381

[!NOTE] Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

• Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0 by @​crazy-max in docker/build-push-action#1364

[!NOTE] Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

• Handle no default attestations env var by @​crazy-max in docker/build-push-action#1343
• Only print secret keys in build summary output by @​crazy-max in docker/build-push-action#1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in docker/build-push-action#1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

Commits

• 2634353 Merge pull request #1381 from docker/dependabot/npm_and_yarn/docker/actions-t...
• c0432d2 chore: update generated content
• 0bb1f27 set builder driver and endpoint attributes for dbc summary support
• 5f9dbf9 chore(deps): Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1
• 0788c44 Merge pull request #1375 from crazy-max/remove-gcr
• aa179ca e2e: remove GCR
• 1dc7386 Merge pull request #1364 from crazy-max/history-export-cmd
• 9c9803f chore: update generated content
• db1f6c4 DOCKER_BUILD_EXPORT_LEGACY env var to opt-in for legacy export
• 721e8c7 Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0
• Additional commits viewable in compare view

Updates crazy-max/ghaction-github-runtime from 3.0.0 to 3.1.0

Release notes

Sourced from crazy-max/ghaction-github-runtime's releases.

v3.1.0

• Bump @​actions/core from 1.10.0 to 1.11.1 in crazy-max/ghaction-github-runtime#58
• Bump braces from 3.0.2 to 3.0.3 in crazy-max/ghaction-github-runtime#54
• Bump cross-spawn from 7.0.3 to 7.0.6 in crazy-max/ghaction-github-runtime#59
• Bump ip from 2.0.0 to 2.0.1 in crazy-max/ghaction-github-runtime#50
• Bump micromatch from 4.0.5 to 4.0.8 in crazy-max/ghaction-github-runtime#55
• Bump tar from 6.1.14 to 6.2.1 in crazy-max/ghaction-github-runtime#51

Full Changelog: crazy-max/ghaction-github-runtime@v3.0.0...v3.1.0

Commits

• 3cb05d8 Merge pull request #58 from crazy-max/dependabot/npm_and_yarn/actions/core-1....
• ef7a149 chore: update generated content
• 5bfe170 Merge pull request #55 from crazy-max/dependabot/npm_and_yarn/micromatch-4.0.8
• 58529df Merge pull request #59 from crazy-max/dependabot/npm_and_yarn/cross-spawn-7.0.6
• ac1af5a Merge pull request #60 from crazy-max/gha-perms
• 8ae9a9b ci: set contents read as default workflow permissions
• 22db7e4 new year
• 24046ff Bump cross-spawn from 7.0.3 to 7.0.6
• c068fc9 Bump @​actions/core from 1.10.0 to 1.11.1
• 0d73af4 Bump micromatch from 4.0.5 to 4.0.8
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.1 to 2.4.2

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard