chore(deps): update github-actions (#3753)

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | actions/checkout | action | digest | `692973e` -> `9a9194f` | | [actions/download-artifact](https://togithub.com/actions/download-artifact) | action | patch | `v4.1.7` -> `v4.1.8` | | [actions/setup-go](https://togithub.com/actions/setup-go) | action | patch | `v5.0.1` -> `v5.0.2` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | patch | `v4.0.2` -> `v4.0.3` | | [actions/setup-node](https://togithub.com/actions/setup-node) | action | digest | `60edb5d` -> `1e60f62` | | [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v4.3.3` -> `v4.3.5` | | [github/codeql-action](https://togithub.com/github/codeql-action) | action | patch | `v3.25.11` -> `v3.25.15` | | [gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action) | action | minor | `v3.4.2` -> `v3.5.0` | | [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | minor | `v2.3.3` -> `v2.4.0` | | [softprops/action-gh-release](https://togithub.com/softprops/action-gh-release) | action | patch | `v2.0.6` -> `v2.0.8` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. --- ### Release Notes <details> <summary>actions/download-artifact (actions/download-artifact)</summary> ### [`v4.1.8`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.8) [Compare Source](https://togithub.com/actions/download-artifact/compare/v4.1.7...v4.1.8) #### What's Changed - Update [@actions/artifact](https://togithub.com/actions/artifact) version, bump dependencies by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/download-artifact/pull/341](https://togithub.com/actions/download-artifact/pull/341) **Full Changelog**: actions/download-artifact@v4...v4.1.8 </details> <details> <summary>actions/setup-go (actions/setup-go)</summary> ### [`v5.0.2`](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2) [Compare Source](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2) </details> <details> <summary>actions/setup-node (actions/setup-node)</summary> ### [`v4.0.3`](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3) [Compare Source](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3) </details> <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v4.3.5`](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5) ### [`v4.3.4`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.4) [Compare Source](https://togithub.com/actions/upload-artifact/compare/v4.3.3...v4.3.4) ##### What's Changed - Update [@actions/artifact](https://togithub.com/actions/artifact) version, bump dependencies by [@robherley](https://togithub.com/robherley) in [https://github.com/actions/upload-artifact/pull/584](https://togithub.com/actions/upload-artifact/pull/584) **Full Changelog**: actions/upload-artifact@v4.3.3...v4.3.4 </details> <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v3.25.15`](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15) ### [`v3.25.14`](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14) ### [`v3.25.13`](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13) ### [`v3.25.12`](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12) [Compare Source](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12) </details> <details> <summary>gradle/gradle-build-action (gradle/gradle-build-action)</summary> ### [`v3.5.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v3.5.0) [Compare Source](https://togithub.com/gradle/gradle-build-action/compare/v3.4.2...v3.5.0) > \[!IMPORTANT] > As of `v3` this action has been superceded by `gradle/actions/setup-gradle`. > Any workflow that uses `gradle/gradle-build-action@v3` will transparently delegate to `gradle/actions/setup-gradle@v3`. > > Users are encouraged to update their workflows, replacing: > > uses: gradle/gradle-build-action@v3 > > with > > uses: gradle/actions/setup-gradle@v3 > > See the [setup-gradle documentation](https://togithub.com/gradle/actions/tree/main/setup-gradle) for up-to-date documentation for `gradle/actions/setup-gradle`. For release details, see https://github.com/gradle/actions/releases/tag/v3.5.0 </details> <details> <summary>ossf/scorecard-action (ossf/scorecard-action)</summary> ### [`v2.4.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.4.0) [Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0) #### What's Changed This update bumps the Scorecard version to the v5 release. For a complete list of changes, please refer to the [v5.0.0 release notes](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0). Of special note to Scorecard Action is the Maintainer Annotation feature, which can be used to suppress some Code Scanning false positives. Alerts will not be generated for any Scorecard Check with an annotation. - 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1410](https://togithub.com/ossf/scorecard-action/pull/1410) - 🐛 lower license sarif alert threshold to 9 by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/1411](https://togithub.com/ossf/scorecard-action/pull/1411) ##### Documentation - docs: dogfooding badge by [@jkowalleck](https://togithub.com/jkowalleck) in [https://github.com/ossf/scorecard-action/pull/1399](https://togithub.com/ossf/scorecard-action/pull/1399) #### New Contributors - [@jkowalleck](https://togithub.com/jkowalleck) made their first contribution in [https://github.com/ossf/scorecard-action/pull/1399](https://togithub.com/ossf/scorecard-action/pull/1399) **Full Changelog**: ossf/scorecard-action@v2.3.3...v2.4.0 </details> <details> <summary>softprops/action-gh-release (softprops/action-gh-release)</summary> ### [`v2.0.8`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.8) [Compare Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.7...v2.0.8)  #### What's Changed ##### Other Changes 🔄 - chore(deps): bump prettier from 2.8.0 to 3.3.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/480](https://togithub.com/softprops/action-gh-release/pull/480) - chore(deps): bump [@types/node](https://togithub.com/types/node) from 20.14.9 to 20.14.11 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/483](https://togithub.com/softprops/action-gh-release/pull/483) - chore(deps): bump [@octokit/plugin-throttling](https://togithub.com/octokit/plugin-throttling) from 9.3.0 to 9.3.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/484](https://togithub.com/softprops/action-gh-release/pull/484) - chore(deps): bump glob from 10.4.2 to 11.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/477](https://togithub.com/softprops/action-gh-release/pull/477) - refactor: write jest config in ts by [@chenrui333](https://togithub.com/chenrui333) in [https://github.com/softprops/action-gh-release/pull/485](https://togithub.com/softprops/action-gh-release/pull/485) - chore(deps): bump [@actions/github](https://togithub.com/actions/github) from 5.1.1 to 6.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/470](https://togithub.com/softprops/action-gh-release/pull/470) **Full Changelog**: softprops/action-gh-release@v2...v2.0.8 ### [`v2.0.7`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.7) [Compare Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.6...v2.0.7)  #### What's Changed ##### Bug fixes 🐛 - Fix missing update release body by [@FirelightFlagboy](https://togithub.com/FirelightFlagboy) in [https://github.com/softprops/action-gh-release/pull/365](https://togithub.com/softprops/action-gh-release/pull/365) ##### Other Changes 🔄 - Bump [@octokit/plugin-retry](https://togithub.com/octokit/plugin-retry) from 4.0.3 to 7.1.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/443](https://togithub.com/softprops/action-gh-release/pull/443) - Bump typescript from 4.9.5 to 5.5.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/467](https://togithub.com/softprops/action-gh-release/pull/467) - Bump [@types/node](https://togithub.com/types/node) from 20.14.6 to 20.14.8 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/469](https://togithub.com/softprops/action-gh-release/pull/469) - Bump [@types/node](https://togithub.com/types/node) from 20.14.8 to 20.14.9 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/473](https://togithub.com/softprops/action-gh-release/pull/473) - Bump typescript from 5.5.2 to 5.5.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/472](https://togithub.com/softprops/action-gh-release/pull/472) - Bump ts-jest from 29.1.5 to 29.2.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/softprops/action-gh-release/pull/479](https://togithub.com/softprops/action-gh-release/pull/479) - docs: document that existing releases are updated by [@jvanbruegge](https://togithub.com/jvanbruegge) in [https://github.com/softprops/action-gh-release/pull/474](https://togithub.com/softprops/action-gh-release/pull/474) #### New Contributors - [@jvanbruegge](https://togithub.com/jvanbruegge) made their first contribution in [https://github.com/softprops/action-gh-release/pull/474](https://togithub.com/softprops/action-gh-release/pull/474) - [@FirelightFlagboy](https://togithub.com/FirelightFlagboy) made their first contribution in [https://github.com/softprops/action-gh-release/pull/365](https://togithub.com/softprops/action-gh-release/pull/365) **Full Changelog**: softprops/action-gh-release@v2.0.6...v2.0.7 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on the first day of the month" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View the [repository job log](https://developer.mend.io/github/slsa-framework/slsa-github-generator).  Signed-off-by: Mend Renovate <[email protected]>
slsa-framework · Aug 2, 2024 · 0f53438 · 0f53438
1 parent afa0f38
commit 0f53438
Show file tree

Hide file tree

Showing 22 changed files with 47 additions and 47 deletions.
diff --git a/.github/actions/generate-builder/action.yml b/.github/actions/generate-builder/action.yml
@@ -76,7 +76,7 @@ runs:
         token: ${{ inputs.token }}
 
     - name: Set up Go environment
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: ${{ inputs.go-version }}
 

diff --git a/.github/actions/secure-download-artifact/action.yml b/.github/actions/secure-download-artifact/action.yml
@@ -78,7 +78,7 @@ runs:
         echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}"
 
     - name: Download the artifact
-      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: "${{ inputs.name }}"
         path: "${{ steps.validate-path.outputs.folder_path }}"

diff --git a/.github/actions/secure-download-folder/action.yml b/.github/actions/secure-download-folder/action.yml
@@ -34,7 +34,7 @@ runs:
       uses: slsa-framework/slsa-github-generator/.github/actions/rng@main
 
     - name: Download the artifact
-      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: "${{ inputs.name }}"
         path: "${{ steps.rng.outputs.random }}"

diff --git a/.github/actions/secure-project-checkout-go/action.yml b/.github/actions/secure-project-checkout-go/action.yml
@@ -65,7 +65,7 @@ runs:
         fi
 
     - name: Set up Go environment
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: ${{ steps.validate.outputs.go_version }}
         go-version-file: ${{ steps.validate.outputs.go_version_file }}
diff --git a/.github/actions/secure-project-checkout-node/action.yml b/.github/actions/secure-project-checkout-node/action.yml
@@ -41,6 +41,6 @@ runs:
         path: ${{ inputs.path }}
 
     - name: Set up Node environment
-      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
       with:
         node-version: ${{ inputs.node-version }}
diff --git a/.github/actions/secure-upload-artifact/action.yml b/.github/actions/secure-upload-artifact/action.yml
@@ -37,7 +37,7 @@ runs:
         path: "${{ inputs.path }}"
 
     - name: Upload the artifact
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
       with:
         name: "${{ inputs.name }}"
         path: "${{ inputs.path }}"

diff --git a/.github/workflows/builder_container-based_slsa3.yml b/.github/workflows/builder_container-based_slsa3.yml
@@ -209,7 +209,7 @@ jobs:
           allow-private-repository: ${{ inputs.rekor-log-public }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -462,7 +462,7 @@ jobs:
         # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
         # secure upload or verify this against the SLSA layout file.
         id: upload-artifacts
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: ${{ steps.build.outputs.build-outputs-name }}
           path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
@@ -535,7 +535,7 @@ jobs:
       - name: Upload unsigned intoto attestations file for pull request
         if: ${{ github.event_name == 'pull_request' }}
         id: upload-unsigned
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "attestations-${{ needs.rng.outputs.value }}"
@@ -556,7 +556,7 @@ jobs:
       - name: Upload the signed attestations
         id: upload-signed
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
@@ -584,21 +584,21 @@ jobs:
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA
       # layout files and their checksums to validate the artifacts.
       - name: Download artifacts
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: "${{ needs.build.outputs.build-outputs-name }}"
           path: "${{ needs.build.outputs.build-outputs-name }}"
 
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the
       # secure-folder-download action.
       - name: Download provenance
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: "${{ needs.provenance.outputs.provenance-name }}"
           path: "${{ needs.provenance.outputs.provenance-name }}"
 
       - name: Upload provenance new tag
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         if: startsWith(github.ref, 'refs/tags/') && inputs.upload-tag-name == ''
         id: release-new-tags
         with:
@@ -609,7 +609,7 @@ jobs:
           draft: ${{ inputs.draft-release }}
 
       - name: Upload provenance tag name
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         if: inputs.upload-tag-name != ''
         with:
           prerelease: ${{ inputs.prerelease }}

diff --git a/.github/workflows/builder_go_slsa3.yml b/.github/workflows/builder_go_slsa3.yml
@@ -169,7 +169,7 @@ jobs:
           allow-private-repository: ${{ inputs.private-repository }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -358,7 +358,7 @@ jobs:
             --workingDir "$UNTRUSTED_WORKING_DIR"
 
       - name: Upload the signed provenance
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
           path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
@@ -399,7 +399,7 @@ jobs:
           sha256: "${{ needs.provenance.outputs.go-provenance-sha256 }}"
 
       - name: Upload provenance
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         with:
           tag_name: ${{ inputs.upload-tag-name }}
           prerelease: ${{ inputs.prerelease }}

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -59,7 +59,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,7 +72,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
 
       # Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -85,7 +85,7 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
 
   # NOTE: Checks that the matrix job above completes successfully.
   # This is necessary because the matrix strategy generates new jobs with

diff --git a/.github/workflows/e2e.sign-attestations.schedule.yml b/.github/workflows/e2e.sign-attestations.schedule.yml
@@ -40,7 +40,7 @@ jobs:
           attestations: .github/actions/sign-attestations/testdata/attestations
           output-folder: outputs
       - name: Setup node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4
         with:
           node-version: 20
       - name: install sigstore-js

diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
@@ -239,7 +239,7 @@ jobs:
       - name: Upload the signed provenance
         id: upload-prov
         continue-on-error: true
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ steps.sign-prov.outputs.provenance-name }}"
           path: "${{ steps.sign-prov.outputs.provenance-name }}"
@@ -285,7 +285,7 @@ jobs:
           sha256: "${{ needs.generator.outputs.provenance-sha256 }}"
 
       - name: Upload provenance
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         id: release
         with:
           draft: ${{ inputs.draft-release }}

diff --git a/.github/workflows/pre-submit.actions.yml b/.github/workflows/pre-submit.actions.yml
@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set Node.js 18
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 18
 
@@ -98,7 +98,7 @@ jobs:
           fi
 
       # If index.js was different from expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

diff --git a/.github/workflows/pre-submit.e2e.container-based.default.yml b/.github/workflows/pre-submit.e2e.container-based.default.yml
@@ -46,7 +46,7 @@ jobs:
       GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build-container-based.outputs.build-outputs-name }}
           path: outputs
@@ -57,7 +57,7 @@ jobs:
           name=$(find outputs/ -type f | head -1)
           cp "$name" .
           echo "name=$(basename "$name")" >> "$GITHUB_OUTPUT"
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build-container-based.outputs.attestations-download-name }}
       - env:

diff --git a/.github/workflows/pre-submit.e2e.generic.default.yml b/.github/workflows/pre-submit.e2e.generic.default.yml
@@ -48,7 +48,7 @@ jobs:
     if: ${{ always() }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.provenance-name }}
       - env:
@@ -78,7 +78,7 @@ jobs:
     needs: [build-continue-no-error]
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build-continue-no-error.outputs.provenance-name }}
       - env:
@@ -109,7 +109,7 @@ jobs:
     needs: [build, build-continue-invalid-subjects]
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.provenance-name }}
       - env:

diff --git a/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml b/.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml
@@ -65,10 +65,10 @@ jobs:
     if: ${{ always() }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.go-binary-name }}
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.go-provenance-name }}
       - env:

diff --git a/.github/workflows/pre-submit.lint.yml b/.github/workflows/pre-submit.lint.yml
@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: "1.22.3"
       - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
@@ -74,7 +74,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20
       - run: make markdownlint
@@ -83,7 +83,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: "go.mod"
       - env:
@@ -160,7 +160,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20
       - run: make eslint
@@ -169,7 +169,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20
       - run: make renovate-config-validator
diff --git a/.github/workflows/pre-submit.units.yml b/.github/workflows/pre-submit.units.yml
@@ -38,12 +38,12 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: setup-go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: "go.mod"
 
       - name: Set Node.js 16
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 16
 

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -44,7 +44,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -63,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/update-actions-dist-post-commit.yml b/.github/workflows/update-actions-dist-post-commit.yml
@@ -75,7 +75,7 @@ jobs:
           [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true
           echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
       - name: upload
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: changes.patch
           path: changes.patch
@@ -97,7 +97,7 @@ jobs:
           PR_NUMBER: ${{ inputs.pr_number }}
         run: gh pr checkout "$PR_NUMBER"
       - name: download-patch
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: changes.patch
       - id: apply

diff --git a/internal/builders/gradle/action.yml b/internal/builders/gradle/action.yml
@@ -63,7 +63,7 @@ runs:
         distribution: temurin
         java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }}
     - name: Setup Gradle
-      uses: gradle/gradle-build-action@66535aaf56f831b35e3a8481c9c99b665b84dd45 # v3.4.2
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
     - name: Run gradle builder
       id: run_gradle_builder
       shell: bash