[pull] main from ossf:main #104

pull · 2024-07-28T11:06:24Z

See Commits and Changes for more details.

Can you help keep this open source service alive? 💖 Please sponsor : )

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Bumps the go_modules group with 1 update: [github.com/hashicorp/go-retryablehttp](https://github.com/hashicorp/go-retryablehttp). Updates `github.com/hashicorp/go-retryablehttp` from 0.7.5 to 0.7.7 - [Changelog](https://github.com/hashicorp/go-retryablehttp/blob/main/CHANGELOG.md) - [Commits](hashicorp/go-retryablehttp@v0.7.5...v0.7.7) --- updated-dependencies: - dependency-name: github.com/hashicorp/go-retryablehttp dependency-type: indirect dependency-group: go_modules ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/bradleyfalzon/ghinstallation/v2](https://github.com/bradleyfalzon/ghinstallation) from 2.10.0 to 2.11.0. - [Release notes](https://github.com/bradleyfalzon/ghinstallation/releases) - [Commits](bradleyfalzon/ghinstallation@v2.10.0...v2.11.0) --- updated-dependencies: - dependency-name: github.com/bradleyfalzon/ghinstallation/v2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [ko-build/setup-ko](https://github.com/ko-build/setup-ko) from 0.6 to 0.7. - [Release notes](https://github.com/ko-build/setup-ko/releases) - [Commits](ko-build/setup-ko@ace48d7...3aebd05) --- updated-dependencies: - dependency-name: ko-build/setup-ko dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 4 to 6. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@v4...v6) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.3 to 2.3.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@v2.1.3...v2.3.3) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.4.0 to 3.5.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@e1523de...59acb62) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.32.0 to 1.33.0. - [Commits](rs/zerolog@v1.32.0...v1.33.0) --- updated-dependencies: - dependency-name: github.com/rs/zerolog dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.6.27 to 1.7.1. - [Release notes](https://github.com/rhysd/actionlint/releases) - [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md) - [Commits](rhysd/actionlint@v1.6.27...v1.7.1) --- updated-dependencies: - dependency-name: github.com/rhysd/actionlint dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 4.0.1 to 5.0.1. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v4.0.1...cdcb360) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.1 to 4.1.7. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v4.1.1...692973e) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Signed-off-by: Stephen Augustus <justaugustus@users.noreply.github.com>

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Includes minor fixes to surrounding documentation. Signed-off-by: Stephen Augustus <foo@auggie.dev>

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.3.3 to 4.3.4. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@6546280...0b2256b) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/setup-go](https://github.com/actions/setup-go) from 5.0.1 to 5.0.2. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@cdcb360...0a12ed9) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.11 to 3.25.12. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b611370...4fa2a79) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.3.3 to 4.3.4. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@72eb03d...5a2ce3f) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.12 to 3.25.13. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@4fa2a79...2d79040) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/ossf/scorecard/v5](https://github.com/ossf/scorecard) from 5.0.0-rc2 to 5.0.0. - [Release notes](https://github.com/ossf/scorecard/releases) - [Changelog](https://github.com/ossf/scorecard/blob/main/RELEASE.md) - [Commits](ossf/scorecard@v5.0.0-rc2...v5.0.0) --- updated-dependencies: - dependency-name: github.com/ossf/scorecard/v5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: Stephen Augustus <foo@auggie.dev>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.13 to 3.25.14. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@2d79040...5cf07d8) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.37.0 to 0.38.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.37.0...v0.38.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.14 to 3.25.15. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@5cf07d8...afb54ba) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.3 to 2.4.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@dc50aa9...62b2cac) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.0 to 3.26.7. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@eb055d7...8214744) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.7 to 3.26.8. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@8214744...294a9d9) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.7.1 to 1.7.2. - [Release notes](https://github.com/rhysd/actionlint/releases) - [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md) - [Commits](rhysd/actionlint@v1.7.1...v1.7.2) --- updated-dependencies: - dependency-name: github.com/rhysd/actionlint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.8 to 3.26.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@294a9d9...461ef6c) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: Sebastian Bezold <sebastian.bezold@mercedes-benz.com>

Bumps [github.com/rhysd/actionlint](https://github.com/rhysd/actionlint) from 1.7.2 to 1.7.3. - [Release notes](https://github.com/rhysd/actionlint/releases) - [Changelog](https://github.com/rhysd/actionlint/blob/main/CHANGELOG.md) - [Commits](rhysd/actionlint@v1.7.2...v1.7.3) --- updated-dependencies: - dependency-name: github.com/rhysd/actionlint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from 6.1.0 to 6.1.1. - [Release notes](https://github.com/golangci/golangci-lint-action/releases) - [Commits](golangci/golangci-lint-action@aaa42aa...971e284) --- updated-dependencies: - dependency-name: golangci/golangci-lint-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.6.0 to 3.7.0. - [Release notes](https://github.com/sigstore/cosign-installer/releases) - [Commits](sigstore/cosign-installer@4959ce0...dc72c7d) --- updated-dependencies: - dependency-name: sigstore/cosign-installer dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.0 to 4.4.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@5076954...604373d) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.9 to 3.26.12. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@461ef6c...c36620d) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@692973e...eef6144) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.1 to 4.4.2. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@604373d...8448086) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.4.2 to 4.4.3. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@8448086...b4b15b8) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [gocloud.dev](https://github.com/google/go-cloud) from 0.39.0 to 0.40.0. - [Release notes](https://github.com/google/go-cloud/releases) - [Commits](google/go-cloud@v0.39.0...v0.40.0) --- updated-dependencies: - dependency-name: gocloud.dev dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.26.12 to 3.26.13. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@c36620d...f779452) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: Jeff Mendoza <jlm@jlm.name>

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.3.4 to 4.3.5. - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@5a2ce3f...a6993e2) --- updated-dependencies: - dependency-name: actions/dependency-review-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

justaugustus and others added 28 commits July 2, 2024 10:38

.github: Add initial CODEOWNERS

eb99bd4

Signed-off-by: Stephen Augustus <foo@auggie.dev>

[StepSecurity] ci: Harden GitHub Actions

a10a639

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>

go.mod: Update Scorecard to v5.0.0-rc2

5d71b29

Signed-off-by: Stephen Augustus <foo@auggie.dev>

.github: Create codeql.yml

c66f943

Signed-off-by: Stephen Augustus <justaugustus@users.noreply.github.com>

CodeQL: Dedupe post-merge configs, pin SHAs, strip add'l permissions

9bcc5c7

Signed-off-by: Stephen Augustus <foo@auggie.dev>

docs: Correct instances of "Security Scorecards" to "OpenSSF Scorecard"

e329fdf

Includes minor fixes to surrounding documentation. Signed-off-by: Stephen Augustus <foo@auggie.dev>

README: Correct Scorecard API URL

3ff8fdf

Signed-off-by: Stephen Augustus <foo@auggie.dev>

go.mod: Update go directive to go1.12.12

38d990d

Signed-off-by: Stephen Augustus <foo@auggie.dev>

pull bot requested a review from a team as a code owner July 28, 2024 11:06

pull bot added the ⤵️ pull label Jul 28, 2024

dependabot bot added 2 commits September 16, 2024 14:23

contentful-automation bot previously approved these changes Sep 24, 2024

View reviewed changes

contentful-automation bot enabled auto-merge (squash) September 24, 2024 14:21

dependabot bot dismissed contentful-automation[bot]’s stale review via 2ee59a2 September 24, 2024 14:22

contentful-automation bot previously approved these changes Sep 24, 2024

View reviewed changes

Support globs for optOut/optInRepos

4b1d421

Signed-off-by: Colm O hEigeartaigh <coheigea@apache.org>

auto-merge was automatically disabled September 25, 2024 22:23
Head branch was pushed to by a user without write access

jeffmendoza dismissed contentful-automation[bot]’s stale review via 4b1d421 September 25, 2024 22:23

dependabot bot and others added 18 commits September 25, 2024 15:24

feat: add support for GitHub enterprise

8649289

Signed-off-by: Sebastian Bezold <sebastian.bezold@mercedes-benz.com>

fix: ensure correct enterprise API URLs for GraphQL + http client

68d2f55

Signed-off-by: Sebastian Bezold <sebastian.bezold@mercedes-benz.com>

docs: add hints on GHE operating specifics

3cc20f3

Signed-off-by: Sebastian Bezold <sebastian.bezold@mercedes-benz.com>

chore: adapt GH_HOST env variable comment

ca25e17

Signed-off-by: Sebastian Bezold <sebastian.bezold@mercedes-benz.com>

fix: handle errors when creating gh client transport

38c2e3b

Signed-off-by: Sebastian Bezold <sebastian.bezold@mercedes-benz.com>

Update scorecard interface to use scorecard.Run()

9f5fb01

Signed-off-by: Jeff Mendoza <jlm@jlm.name>

contentful-automation bot approved these changes Oct 22, 2024

View reviewed changes

contentful-automation bot enabled auto-merge (squash) October 22, 2024 21:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[pull] main from ossf:main #104

[pull] main from ossf:main #104

pull bot commented Jul 28, 2024 •

edited

Loading

[pull] main from ossf:main #104

Are you sure you want to change the base?

[pull] main from ossf:main #104

Conversation

pull bot commented Jul 28, 2024 • edited Loading

pull bot commented Jul 28, 2024 •

edited

Loading