chore(deps): update github-actions (#3753)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | digest | `692973e` -> `9a9194f` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact)
| action | patch | `v4.1.7` -> `v4.1.8` |
| [actions/setup-go](https://togithub.com/actions/setup-go) | action |
patch | `v5.0.1` -> `v5.0.2` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| patch | `v4.0.2` -> `v4.0.3` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| digest | `60edb5d` -> `1e60f62` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | patch | `v4.3.3` -> `v4.3.5` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v3.25.11` -> `v3.25.15` |
|
[gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action)
| action | minor | `v3.4.2` -> `v3.5.0` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | minor | `v2.3.3` -> `v2.4.0` |
|
[softprops/action-gh-release](https://togithub.com/softprops/action-gh-release)
| action | patch | `v2.0.6` -> `v2.0.8` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.8`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.8)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.7...v4.1.8)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/341](https://togithub.com/actions/download-artifact/pull/341)

**Full Changelog**:
actions/download-artifact@v4...v4.1.8

</details>

<details>
<summary>actions/setup-go (actions/setup-go)</summary>

###
[`v5.0.2`](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2)

[Compare
Source](https://togithub.com/actions/setup-go/compare/v5.0.1...v5.0.2)

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v4.0.3`](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v4.0.2...v4.0.3)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.5`](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.4...v4.3.5)

###
[`v4.3.4`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.4)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.3...v4.3.4)

##### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact)
version, bump dependencies by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/584](https://togithub.com/actions/upload-artifact/pull/584)

**Full Changelog**:
actions/upload-artifact@v4.3.3...v4.3.4

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.25.15`](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.14...v3.25.15)

###
[`v3.25.14`](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.13...v3.25.14)

###
[`v3.25.13`](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.12...v3.25.13)

###
[`v3.25.12`](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.11...v3.25.12)

</details>

<details>
<summary>gradle/gradle-build-action
(gradle/gradle-build-action)</summary>

###
[`v3.5.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v3.5.0)

[Compare
Source](https://togithub.com/gradle/gradle-build-action/compare/v3.4.2...v3.5.0)

> \[!IMPORTANT]
> As of `v3` this action has been superceded by
`gradle/actions/setup-gradle`.
> Any workflow that uses `gradle/gradle-build-action@v3` will
transparently delegate to `gradle/actions/setup-gradle@v3`.
>
> Users are encouraged to update their workflows, replacing:
>
>     uses: gradle/gradle-build-action@v3
>
> with
>
>     uses: gradle/actions/setup-gradle@v3
>
> See the [setup-gradle
documentation](https://togithub.com/gradle/actions/tree/main/setup-gradle)
for up-to-date documentation for `gradle/actions/setup-gradle`.

For release details, see
https://github.com/gradle/actions/releases/tag/v3.5.0

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.4.0)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.3...v2.4.0)

#### What's Changed

This update bumps the Scorecard version to the v5 release. For a
complete list of changes, please refer to the [v5.0.0 release
notes](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0). Of
special note to Scorecard Action is the Maintainer Annotation feature,
which can be used to suppress some Code Scanning false positives. Alerts
will not be generated for any Scorecard Check with an annotation.

- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1410](https://togithub.com/ossf/scorecard-action/pull/1410)
- 🐛 lower license sarif alert threshold to 9 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1411](https://togithub.com/ossf/scorecard-action/pull/1411)

##### Documentation

- docs: dogfooding badge by
[@&#8203;jkowalleck](https://togithub.com/jkowalleck) in
[https://github.com/ossf/scorecard-action/pull/1399](https://togithub.com/ossf/scorecard-action/pull/1399)

#### New Contributors

- [@&#8203;jkowalleck](https://togithub.com/jkowalleck) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1399](https://togithub.com/ossf/scorecard-action/pull/1399)

**Full Changelog**:
ossf/scorecard-action@v2.3.3...v2.4.0

</details>

<details>
<summary>softprops/action-gh-release
(softprops/action-gh-release)</summary>

###
[`v2.0.8`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.8)

[Compare
Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.7...v2.0.8)

<!-- Release notes generated using configuration in .github/release.yml
at master -->

#### What's Changed

##### Other Changes 🔄

- chore(deps): bump prettier from 2.8.0 to 3.3.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/480](https://togithub.com/softprops/action-gh-release/pull/480)
- chore(deps): bump
[@&#8203;types/node](https://togithub.com/types/node) from 20.14.9 to
20.14.11 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/483](https://togithub.com/softprops/action-gh-release/pull/483)
- chore(deps): bump
[@&#8203;octokit/plugin-throttling](https://togithub.com/octokit/plugin-throttling)
from 9.3.0 to 9.3.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/484](https://togithub.com/softprops/action-gh-release/pull/484)
- chore(deps): bump glob from 10.4.2 to 11.0.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/477](https://togithub.com/softprops/action-gh-release/pull/477)
- refactor: write jest config in ts by
[@&#8203;chenrui333](https://togithub.com/chenrui333) in
[https://github.com/softprops/action-gh-release/pull/485](https://togithub.com/softprops/action-gh-release/pull/485)
- chore(deps): bump
[@&#8203;actions/github](https://togithub.com/actions/github) from 5.1.1
to 6.0.0 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/470](https://togithub.com/softprops/action-gh-release/pull/470)

**Full Changelog**:
softprops/action-gh-release@v2...v2.0.8

###
[`v2.0.7`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.7)

[Compare
Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.6...v2.0.7)

<!-- Release notes generated using configuration in .github/release.yml
at master -->

#### What's Changed

##### Bug fixes 🐛

- Fix missing update release body by
[@&#8203;FirelightFlagboy](https://togithub.com/FirelightFlagboy) in
[https://github.com/softprops/action-gh-release/pull/365](https://togithub.com/softprops/action-gh-release/pull/365)

##### Other Changes 🔄

- Bump
[@&#8203;octokit/plugin-retry](https://togithub.com/octokit/plugin-retry)
from 4.0.3 to 7.1.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/443](https://togithub.com/softprops/action-gh-release/pull/443)
- Bump typescript from 4.9.5 to 5.5.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/467](https://togithub.com/softprops/action-gh-release/pull/467)
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
20.14.6 to 20.14.8 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/469](https://togithub.com/softprops/action-gh-release/pull/469)
- Bump [@&#8203;types/node](https://togithub.com/types/node) from
20.14.8 to 20.14.9 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/473](https://togithub.com/softprops/action-gh-release/pull/473)
- Bump typescript from 5.5.2 to 5.5.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/472](https://togithub.com/softprops/action-gh-release/pull/472)
- Bump ts-jest from 29.1.5 to 29.2.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/softprops/action-gh-release/pull/479](https://togithub.com/softprops/action-gh-release/pull/479)
- docs: document that existing releases are updated by
[@&#8203;jvanbruegge](https://togithub.com/jvanbruegge) in
[https://github.com/softprops/action-gh-release/pull/474](https://togithub.com/softprops/action-gh-release/pull/474)

#### New Contributors

- [@&#8203;jvanbruegge](https://togithub.com/jvanbruegge) made their
first contribution in
[https://github.com/softprops/action-gh-release/pull/474](https://togithub.com/softprops/action-gh-release/pull/474)
- [@&#8203;FirelightFlagboy](https://togithub.com/FirelightFlagboy) made
their first contribution in
[https://github.com/softprops/action-gh-release/pull/365](https://togithub.com/softprops/action-gh-release/pull/365)

**Full Changelog**:
softprops/action-gh-release@v2.0.6...v2.0.7

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View the
[repository job
log](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40NDAuNyIsInVwZGF0ZWRJblZlciI6IjM3LjQ0MC43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <[email protected]>

Author: renovate-bot

.github/actions/generate-builder/action.yml

@@ -76,7 +76,7 @@ runs:
         token: ${{ inputs.token }}
 
     - name: Set up Go environment
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: ${{ inputs.go-version }}
 

.github/actions/secure-download-artifact/action.yml

@@ -78,7 +78,7 @@ runs:
         echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}"
 
     - name: Download the artifact
-      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: "${{ inputs.name }}"
         path: "${{ steps.validate-path.outputs.folder_path }}"

.github/actions/secure-download-folder/action.yml

@@ -34,7 +34,7 @@ runs:
       uses: slsa-framework/slsa-github-generator/.github/actions/rng@main
 
     - name: Download the artifact
-      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       with:
         name: "${{ inputs.name }}"
         path: "${{ steps.rng.outputs.random }}"

.github/actions/secure-project-checkout-go/action.yml

@@ -65,7 +65,7 @@ runs:
         fi
 
     - name: Set up Go environment
-      uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
       with:
         go-version: ${{ steps.validate.outputs.go_version }}
         go-version-file: ${{ steps.validate.outputs.go_version_file }}

.github/actions/secure-project-checkout-node/action.yml

@@ -41,6 +41,6 @@ runs:
         path: ${{ inputs.path }}
 
     - name: Set up Node environment
-      uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
       with:
         node-version: ${{ inputs.node-version }}

.github/actions/secure-upload-artifact/action.yml

@@ -37,7 +37,7 @@ runs:
         path: "${{ inputs.path }}"
 
     - name: Upload the artifact
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
       with:
         name: "${{ inputs.name }}"
         path: "${{ inputs.path }}"

.github/workflows/builder_container-based_slsa3.yml

@@ -209,7 +209,7 @@ jobs:
           allow-private-repository: ${{ inputs.rekor-log-public }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -462,7 +462,7 @@ jobs:
         # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
         # secure upload or verify this against the SLSA layout file.
         id: upload-artifacts
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: ${{ steps.build.outputs.build-outputs-name }}
           path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
@@ -535,7 +535,7 @@ jobs:
       - name: Upload unsigned intoto attestations file for pull request
         if: ${{ github.event_name == 'pull_request' }}
         id: upload-unsigned
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "attestations-${{ needs.rng.outputs.value }}"
@@ -556,7 +556,7 @@ jobs:
       - name: Upload the signed attestations
         id: upload-signed
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
@@ -584,21 +584,21 @@ jobs:
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA
       # layout files and their checksums to validate the artifacts.
       - name: Download artifacts
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: "${{ needs.build.outputs.build-outputs-name }}"
           path: "${{ needs.build.outputs.build-outputs-name }}"
 
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the
       # secure-folder-download action.
       - name: Download provenance
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: "${{ needs.provenance.outputs.provenance-name }}"
           path: "${{ needs.provenance.outputs.provenance-name }}"
 
       - name: Upload provenance new tag
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         if: startsWith(github.ref, 'refs/tags/') && inputs.upload-tag-name == ''
         id: release-new-tags
         with:
@@ -609,7 +609,7 @@ jobs:
           draft: ${{ inputs.draft-release }}
 
       - name: Upload provenance tag name
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         if: inputs.upload-tag-name != ''
         with:
           prerelease: ${{ inputs.prerelease }}

.github/workflows/builder_go_slsa3.yml

@@ -169,7 +169,7 @@ jobs:
           allow-private-repository: ${{ inputs.private-repository }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -358,7 +358,7 @@ jobs:
             --workingDir "$UNTRUSTED_WORKING_DIR"
 
       - name: Upload the signed provenance
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
           path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
@@ -399,7 +399,7 @@ jobs:
           sha256: "${{ needs.provenance.outputs.go-provenance-sha256 }}"
 
       - name: Upload provenance
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         with:
           tag_name: ${{ inputs.upload-tag-name }}
           prerelease: ${{ inputs.prerelease }}

.github/workflows/codeql-analysis.yml

@@ -59,7 +59,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/init@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,7 +72,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/autobuild@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
 
       # Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -85,7 +85,7 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/analyze@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
 
   # NOTE: Checks that the matrix job above completes successfully.
   # This is necessary because the matrix strategy generates new jobs with

.github/workflows/e2e.sign-attestations.schedule.yml

@@ -40,7 +40,7 @@ jobs:
           attestations: .github/actions/sign-attestations/testdata/attestations
           output-folder: outputs
       - name: Setup node
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4
         with:
           node-version: 20
       - name: install sigstore-js

.github/workflows/generator_generic_slsa3.yml

@@ -239,7 +239,7 @@ jobs:
       - name: Upload the signed provenance
         id: upload-prov
         continue-on-error: true
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: "${{ steps.sign-prov.outputs.provenance-name }}"
           path: "${{ steps.sign-prov.outputs.provenance-name }}"
@@ -285,7 +285,7 @@ jobs:
           sha256: "${{ needs.generator.outputs.provenance-sha256 }}"
 
       - name: Upload provenance
-        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
         id: release
         with:
           draft: ${{ inputs.draft-release }}

.github/workflows/pre-submit.actions.yml

@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set Node.js 18
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 18
 
@@ -98,7 +98,7 @@ jobs:
           fi
 
       # If index.js was different from expected, upload the expected version as an artifact
-      - uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+      - uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

.github/workflows/pre-submit.e2e.container-based.default.yml

@@ -46,7 +46,7 @@ jobs:
       GITHUB_HEAD_REPOSITORY: ${{ github.event.pull_request.head.repo.full_name }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build-container-based.outputs.build-outputs-name }}
           path: outputs
@@ -57,7 +57,7 @@ jobs:
           name=$(find outputs/ -type f | head -1)
           cp "$name" .
           echo "name=$(basename "$name")" >> "$GITHUB_OUTPUT"
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build-container-based.outputs.attestations-download-name }}
       - env:

.github/workflows/pre-submit.e2e.generic.default.yml

@@ -48,7 +48,7 @@ jobs:
     if: ${{ always() }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.provenance-name }}
       - env:
@@ -78,7 +78,7 @@ jobs:
     needs: [build-continue-no-error]
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build-continue-no-error.outputs.provenance-name }}
       - env:
@@ -109,7 +109,7 @@ jobs:
     needs: [build, build-continue-invalid-subjects]
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.provenance-name }}
       - env:

.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml

@@ -65,10 +65,10 @@ jobs:
     if: ${{ always() }}
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.go-binary-name }}
-      - uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+      - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: ${{ needs.build.outputs.go-provenance-name }}
       - env:

.github/workflows/pre-submit.lint.yml

@@ -32,7 +32,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version: "1.22.3"
       - uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
@@ -74,7 +74,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20
       - run: make markdownlint
@@ -83,7 +83,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: "go.mod"
       - env:
@@ -160,7 +160,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20
       - run: make eslint
@@ -169,7 +169,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 20
       - run: make renovate-config-validator

.github/workflows/pre-submit.units.yml

@@ -38,12 +38,12 @@ jobs:
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: setup-go
-        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
+        uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
         with:
           go-version-file: "go.mod"
 
       - name: Set Node.js 16
-        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
           node-version: 16
 

.github/workflows/scorecards.yml

@@ -44,7 +44,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -63,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
+        uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
         with:
           sarif_file: results.sarif

.github/workflows/update-actions-dist-post-commit.yml

@@ -75,7 +75,7 @@ jobs:
           [ -z "$(cat changes.patch)" ] && RESULT=false || RESULT=true
           echo "patch_not_empty=$RESULT" >> "$GITHUB_OUTPUT"
       - name: upload
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
         with:
           name: changes.patch
           path: changes.patch
@@ -97,7 +97,7 @@ jobs:
           PR_NUMBER: ${{ inputs.pr_number }}
         run: gh pr checkout "$PR_NUMBER"
       - name: download-patch
-        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:
           name: changes.patch
       - id: apply

internal/builders/gradle/action.yml

@@ -63,7 +63,7 @@ runs:
         distribution: temurin
         java-version: ${{ fromJson(inputs.slsa-workflow-inputs).jdk-version }}
     - name: Setup Gradle
-      uses: gradle/gradle-build-action@66535aaf56f831b35e3a8481c9c99b665b84dd45 # v3.4.2
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
     - name: Run gradle builder
       id: run_gradle_builder
       shell: bash