chore(deps): Bump the actions group across 1 directory with 7 updates #305

dependabot · 2025-05-12T05:22:59Z

Bumps the actions group with 7 updates in the / directory:

Package	From	To
actions/setup-go	`5.4.0`	`5.5.0`
actions/dependency-review-action	`4.6.0`	`4.7.0`
sigstore/cosign-installer	`3.8.1`	`3.8.2`
anchore/sbom-action	`0.18.0`	`0.19.0`
actions/create-github-app-token	`2.0.2`	`2.0.6`
actions/attest-build-provenance	`2.2.3`	`2.3.0`
github/codeql-action	`3.28.15`	`3.28.17`

Updates actions/setup-go from 5.4.0 to 5.5.0

Release notes

Sourced from actions/setup-go's releases.

v5.5.0

What's Changed

Bug fixes:

Update self-hosted environment validation by @priyagupta108 in actions/setup-go#556

Add manifest validation and improve error handling by @priyagupta108 in actions/setup-go#586

Update template link by @jsoref in actions/setup-go#527

Dependency updates:

Upgrade @action/cache from 4.0.2 to 4.0.3 by @aparnajyothi-y in actions/setup-go#574

Upgrade @actions/glob from 0.4.0 to 0.5.0 by @dependabot in actions/setup-go#573

Upgrade ts-jest from 29.1.2 to 29.3.2 by @dependabot in actions/setup-go#582

Upgrade eslint-plugin-jest from 27.9.0 to 28.11.0 by @dependabot in actions/setup-go#537

New Contributors

@jsoref made their first contribution in actions/setup-go#527

Full Changelog: actions/setup-go@v5...v5.5.0

Commits

d35c59a chore: update discussions url (#527)
29694d7 Add manifest validation and improve error handling (#586)
78535dd Bump eslint-plugin-jest from 27.9.0 to 28.11.0 (#537)
bb65d88 Bump ts-jest from 29.1.2 to 29.3.2 (#582)
7f17e83 Bump @actions/glob from 0.4.0 to 0.5.0 (#573)
dca8468 Update self-hosted environment validation and bump undici version (#556)
691cc35 upgrade actions/cache to 4.0.3 (#574)
See full diff in compare view

Updates actions/dependency-review-action from 4.6.0 to 4.7.0

Release notes

Sourced from actions/dependency-review-action's releases.

v4.7.0

Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)

Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

Commits

38ecb5b Merge pull request #929 from actions/dangoor/4.7-release
0e9e935 Version 4.7.0 release
69d2faa Merge pull request #926 from dangoor/dangoor/replace-other
7e14978 Merge branch 'actions:main' into dangoor/replace-other
8477905 Merge pull request #927 from dangoor/dangoor/multilicense
f3ff356 Update dist
c7565d4 Fix tests and respond to review feedback
82299c3 Replace OTHER with a LicenseRef
2013ccc Update type definition for spdx-satisfies
3a2b687 Handle complex licenses (e.g. X AND Y)
Additional commits viewable in compare view

Updates sigstore/cosign-installer from 3.8.1 to 3.8.2

Release notes

Sourced from sigstore/cosign-installer's releases.

v3.8.2

What's Changed

install cosign v2 from main in sigstore/cosign-installer#186

Full Changelog: sigstore/cosign-installer@v3...v3.8.2

Commits

3454372 install cosign v2 from main (#186)
b6ee8f8 Bump actions/setup-go from 5.3.0 to 5.4.0 (#185)
See full diff in compare view

Updates anchore/sbom-action from 0.18.0 to 0.19.0

Release notes

Sourced from anchore/sbom-action's releases.

v0.19.0

Changes in v0.19.0

chore(deps): update Syft to v1.23.0 (#521)

chore(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 (#519)

chore(deps): bump cross-spawn (#514)

Commits

9f73021 chore(deps): update Syft to v1.23.0 (#521)
a669da5 chore(deps): update Syft to v1.22.0 (#517)
5aeee89 chore(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 (#519)
79202ae chore(deps): bump cross-spawn (#514)
See full diff in compare view

Updates actions/create-github-app-token from 2.0.2 to 2.0.6

Release notes

Sourced from actions/create-github-app-token's releases.

v2.0.6

2.0.6 (2025-05-03)

Bug Fixes

replace - with _ (#246) (3336784)

v2.0.5

2.0.5 (2025-05-02)

Bug Fixes

deps: bump the production-dependencies group with 3 updates (#240) (d64d7d7)

v2.0.4

2.0.4 (2025-05-02)

Bug Fixes

permission input handling (#243) (2950cbc)

v2.0.3

2.0.3 (2025-05-01)

Bug Fixes

README: use v2 in examples (#234) (9ba274d), closes #232

use core.getBooleanInput() to retrieve boolean input values (#223) (c3c17c7)

Commits

df432ce build(release): 2.0.6 [skip ci]
3336784 fix: replace - with _ (#246)
db3cdf4 build(release): 2.0.5 [skip ci]
d64d7d7 fix(deps): bump the production-dependencies group with 3 updates (#240)
1b6f53e build(deps-dev): bump the development-dependencies group across 1 directory w...
061a84d build(deps-dev): bump @octokit/openapi from 18.2.0 to 19.0.0 (#242)
c8f34a6 build(deps): bump stefanzweifel/git-auto-commit-action from 5.1.0 to 5.2.0 in...
4821f52 build(release): 2.0.4 [skip ci]
2950cbc fix: permission input handling (#243)
30bf625 build(release): 2.0.3 [skip ci]
Additional commits viewable in compare view

Updates actions/attest-build-provenance from 2.2.3 to 2.3.0

Release notes

Sourced from actions/attest-build-provenance's releases.

v2.3.0

What's Changed

Bump actions/attest from 2.2.1 to 2.3.0 by @bdehamer in actions/attest-build-provenance#615

Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

Commits

db473fd bump actions/attest from 2.2.1 to 2.3.0 (#615)
d3b713a Bump the actions-minor group with 2 updates (#566)
e042adb Bump the npm-development group with 4 updates (#567)
9d3beef Bump the npm-development group with 4 updates (#554)
877f50d Bump typescript-eslint in the npm-development group (#516)
b7ab740 Bump the npm-development group across 1 directory with 6 updates (#506)
See full diff in compare view

Updates github/codeql-action from 3.28.15 to 3.28.17

Release notes

Sourced from github/codeql-action's releases.

v3.28.17

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.17 - 02 May 2025

Update default CodeQL bundle version to 2.21.2. #2872

See the full CHANGELOG.md for more information.

v3.28.16

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025

Update default CodeQL bundle version to 2.21.1. #2863

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.17 - 02 May 2025

Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.

Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

Update default CodeQL bundle version to 2.20.5. #2772

Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

3.28.9 - 07 Feb 2025

Update default CodeQL bundle version to 2.20.4. #2753

3.28.8 - 29 Jan 2025

Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

... (truncated)

Commits

60168ef Merge pull request #2886 from github/update-v3.28.17-97a2bfd2a
0d5a311 Update changelog for v3.28.17
97a2bfd Merge pull request #2872 from github/update-bundle/codeql-bundle-v2.21.2
9aba20e Merge branch 'main' into update-bundle/codeql-bundle-v2.21.2
81a9508 Merge pull request #2876 from github/henrymercer/fix-diff-informed-multiple-a...
1569f4c Disable diff-informed queries in code scanning config tests
62fbeb6 Merge branch 'main' into henrymercer/fix-diff-informed-multiple-analyze
f122d1d Address test failures from computing temporary directory too early
083772a Do not fail diff informed analyses when analyze is run twice in the same job
5db14d0 Merge branch 'main' into update-bundle/codeql-bundle-v2.21.2
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions group with 7 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/setup-go](https://github.com/actions/setup-go) | `5.4.0` | `5.5.0` | | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.6.0` | `4.7.0` | | [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) | `3.8.1` | `3.8.2` | | [anchore/sbom-action](https://github.com/anchore/sbom-action) | `0.18.0` | `0.19.0` | | [actions/create-github-app-token](https://github.com/actions/create-github-app-token) | `2.0.2` | `2.0.6` | | [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `2.2.3` | `2.3.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `3.28.15` | `3.28.17` | Updates `actions/setup-go` from 5.4.0 to 5.5.0 - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@0aaccfd...d35c59a) Updates `actions/dependency-review-action` from 4.6.0 to 4.7.0 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@ce3cf95...38ecb5b) Updates `sigstore/cosign-installer` from 3.8.1 to 3.8.2 - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@d7d6bc7...3454372) Updates `anchore/sbom-action` from 0.18.0 to 0.19.0 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](anchore/sbom-action@f325610...9f73021) Updates `actions/create-github-app-token` from 2.0.2 to 2.0.6 - [Release notes](https://github.com/actions/create-github-app-token/releases) - [Commits](actions/create-github-app-token@3ff1caa...df432ce) Updates `actions/attest-build-provenance` from 2.2.3 to 2.3.0 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](actions/attest-build-provenance@c074443...db473fd) Updates `github/codeql-action` from 3.28.15 to 3.28.17 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@45775bd...60168ef) --- updated-dependencies: - dependency-name: actions/setup-go dependency-version: 5.5.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/dependency-review-action dependency-version: 4.7.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: sigstore/cosign-installer dependency-version: 3.8.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: anchore/sbom-action dependency-version: 0.19.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: actions/create-github-app-token dependency-version: 2.0.6 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: actions/attest-build-provenance dependency-version: 2.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions - dependency-name: github/codeql-action dependency-version: 3.28.17 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies Pull requests that update a dependency file label May 12, 2025

dependabot bot requested a review from a team as a code owner May 12, 2025 05:23

dependabot bot added the dependencies Pull requests that update a dependency file label May 12, 2025

ashearin approved these changes May 14, 2025

View reviewed changes

ashearin requested review from idunbarh and jhoward-lm May 14, 2025 14:32

jhoward-lm approved these changes May 14, 2025

View reviewed changes

ashearin merged commit b70ce18 into main May 28, 2025
13 checks passed

dependabot bot deleted the dependabot/github_actions/actions-d793f434d0 branch May 28, 2025 14:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): Bump the actions group across 1 directory with 7 updates #305

chore(deps): Bump the actions group across 1 directory with 7 updates #305

Uh oh!

Uh oh!

Uh oh!

Uh oh!

chore(deps): Bump the actions group across 1 directory with 7 updates #305

chore(deps): Bump the actions group across 1 directory with 7 updates #305

Uh oh!

Conversation

Uh oh!

v5.5.0

What's Changed

Bug fixes:

Dependency updates:

New Contributors

v4.7.0

v3.8.2

What's Changed

v0.19.0

Changes in v0.19.0

v2.0.6

2.0.6 (2025-05-03)

Bug Fixes

v2.0.5

2.0.5 (2025-05-02)

Bug Fixes

v2.0.4

2.0.4 (2025-05-02)

Bug Fixes

v2.0.3

2.0.3 (2025-05-01)

Bug Fixes

v2.3.0

What's Changed

v3.28.17

CodeQL Action Changelog

3.28.17 - 02 May 2025

v3.28.16

CodeQL Action Changelog

3.28.16 - 23 Apr 2025

CodeQL Action Changelog

[UNRELEASED]

3.28.17 - 02 May 2025

3.28.16 - 23 Apr 2025

3.28.15 - 07 Apr 2025

3.28.14 - 07 Apr 2025

3.28.13 - 24 Mar 2025

3.28.12 - 19 Mar 2025

3.28.11 - 07 Mar 2025

3.28.10 - 21 Feb 2025

3.28.9 - 07 Feb 2025

3.28.8 - 29 Jan 2025

Uh oh!

Uh oh!

Uh oh!