deps: update ossf/scorecard-action action to v2.4.0

[renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change
ossf/scorecard-action	action	minor	v2.1.2 -> v2.4.0

---

Release Notes

ossf/scorecard-action (ossf/scorecard-action)

v2.4.0

Compare Source

What's Changed

This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the v5.0.0 release notes. Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation.

• 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1410
• 🐛 lower license sarif alert threshold to 9 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1411

Documentation

• docs: dogfooding badge by @​jkowalleck in https://github.com/ossf/scorecard-action/pull/1399

New Contributors

• @​jkowalleck made their first contribution in https://github.com/ossf/scorecard-action/pull/1399

Full Changelog: ossf/scorecard-action@v2.3.3...v2.4.0

v2.3.3

Compare Source

[!NOTE]
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1366
• 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1374
• 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1377

For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.

Documentation

• 📖 Move token discussion out of main README. by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1279
• 📖 link to ossf/scorecard workflow instead of maintaining an example by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1352
• 📖 update api links to new scorecard.dev site by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1376

Full Changelog: ossf/scorecard-action@v2.3.1...v2.3.3

v2.3.2

Compare Source

v2.3.1

Compare Source

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1282
  • Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the v4.13.1 release notes

Full Changelog: ossf/scorecard-action@v2.3.0...v2.3.1

v2.3.0

Compare Source

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1270
  • For a full changelist of what this includes, see the v4.12.0 and v4.13.0 release notes
• ✨ Send rekor tlog index to webapp when publishing results by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1169
• 🐛 Prevent url clipping for GHES instances by @​rajbos in https://github.com/ossf/scorecard-action/pull/1225

Documentation

• 📖 Update access rights needed to see the results in code scanning by @​rajbos in https://github.com/ossf/scorecard-action/pull/1229
• 📖 Add package comments. by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1221
• 📖 Add SECURITY.md file by @​david-a-wheeler in https://github.com/ossf/scorecard-action/pull/1250
• 📖 Fix typo in token input docs by @​aabouzaid in https://github.com/ossf/scorecard-action/pull/1258

New Contributors

• @​david-a-wheeler made their first contribution in https://github.com/ossf/scorecard-action/pull/1250
• @​aabouzaid made their first contribution in https://github.com/ossf/scorecard-action/pull/1258

Full Changelog: ossf/scorecard-action@v2.2.0...v2.3.0

v2.2.0

Compare Source

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1192

Scorecard Result Viewer

Thanks to contributions from @​cynthia-sg and @​tegioz at CLOMonitor, there is a new Scorecard Result visualization page at https://securityscorecards.dev/viewer/?uri=<project-url>.

• https://github.com/ossf/scorecard-webapp/pull/406
• https://github.com/ossf/scorecard-webapp/pull/422

As an example, you can see our own score visualized here
Checkout our README to learn how to link your README badge to the new visualization page.

Publishing Results

This release contains two fixes which will improve the user experience when publish_results is true

• Runs that fail our workflow restrictions will fail with a 400 response indicating the problem, instead of a vague 500 status. (https://github.com/ossf/scorecard-action/pull/1156, resolved https://github.com/ossf/scorecard-action/issues/1150)
• Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. (https://github.com/ossf/scorecard-action/pull/1191)

Docs

• 📖 Update README to accept fine-grained tokens by @​pnacht in https://github.com/ossf/scorecard-action/pull/1175
• 📖 Update installation instructions to match current GitHub UI by @​joycebrum in https://github.com/ossf/scorecard-action/pull/1153
• 📖 Document the GitHub action workflow restrictions when publishing results. by @​spencerschrock in

New Contributors

• @​bobcallaway made their first contribution in https://github.com/ossf/scorecard-action/pull/1140
• @​pnacht made their first contribution in https://github.com/ossf/scorecard-action/pull/1175

Full Changelog: ossf/scorecard-action@v2.1.3...v2.2.0

v2.1.3

Compare Source

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1111

Bug Fixes

• Invalid SARIF files from a bug in scorecard
  • #​1076, #​1094
• Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner
  • #​1092
• Scorecard action not reporting binary artifacts in the repo
  • #​1116

Full Scorecard Changelog: ossf/scorecard@v4.10.2...v4.10.5

Full Changelog: ossf/scorecard-action@v2.1.2...v2.1.3

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[dpebot]

/gcbrun