Bump the github-actions group with 7 updates

[dependabot[bot]]

Bumps the github-actions group with 7 updates:

Package	From	To
step-security/harden-runner	2.5.1	2.6.1
actions/checkout	3.5.3	4.1.1
docker/metadata-action	5.0.0	5.5.0
docker/build-push-action	5.0.0	5.1.0
github/codeql-action	2.22.5	3.23.0
actions/upload-artifact	3.1.2	4.1.0
crate-ci/typos	1.16.21	1.17.1

Updates step-security/harden-runner from 2.5.1 to 2.6.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.6.1

What's Changed

Release v2.6.1 by @​varunsh-coder and @​h0x0er in step-security/harden-runner#356 This release:

1. Improves the job summary markdown written by the Harden-Runner Action
2. Improves detection of cache endpoint used by the job
3. Detects use of Kubernetes mode in Actions Runner Controller (ARC) based runners
4. Updates dependencies

Full Changelog: https://github.com/step-security/harden-runner/compare/v2...v2.6.1

v2.6.0

What's Changed

Release v2.6.0 by @​varunsh-coder in step-security/harden-runner#346

This release adds support for self-hosted Virtual Machine runners (e.g. on EC2).

• Both ephemeral and persistent self-hosted VM runners are supported
• Documentation: https://docs.stepsecurity.io/harden-runner/how-tos/enable-runtime-security-vm

Full Changelog: https://github.com/step-security/harden-runner/compare/v2...v2.6.0

Commits

• eb238b5 Release v2.6.1 (#356)
• 2579b52 Merge pull request #350 from step-security/dependabot/github_actions/actions/...
• c11b220 Merge pull request #352 from step-security/dependabot/github_actions/ossf/sco...
• 3338abc Bump ossf/scorecard-action from 2.3.0 to 2.3.1
• 7523e86 Bump actions/checkout from 4.1.0 to 4.1.1
• bf4cac9 Merge pull request #349 from step-security/dependabot/github_actions/ossf/sco...
• ab35e30 Bump ossf/scorecard-action from 2.2.0 to 2.3.0
• 02adcd6 Merge pull request #348 from step-security/dependabot/github_actions/step-sec...
• cddb4d2 Bump step-security/harden-runner from 2.5.1 to 2.6.0
• d7f96b7 Merge pull request #347 from step-security/varunsh-coder-patch-1
• Additional commits viewable in compare view

Updates actions/checkout from 3.5.3 to 4.1.1

Release notes

Sourced from actions/checkout's releases.

v4.1.1

What's Changed

• Update CODEOWNERS to Launch team by @​joshmgross in actions/checkout#1510
• Correct link to GitHub Docs by @​peterbe in actions/checkout#1511
• Link to release page from what's new section by @​cory-miller in actions/checkout#1514

New Contributors

• @​joshmgross made their first contribution in actions/checkout#1510
• @​peterbe made their first contribution in actions/checkout#1511

Full Changelog: https://github.com/actions/checkout/compare/v4.1.0...v4.1.1

v4.1.0

What's Changed

• Update README.md for V4 by @​sivapalan in actions/checkout#1452
• Add support for partial checkout filters by @​finleygn in actions/checkout#1396
• Prepare 4.1.0 release by @​cory-miller in actions/checkout#1496

New Contributors

• @​sivapalan made their first contribution in actions/checkout#1452
• @​finleygn made their first contribution in actions/checkout#1396

Full Changelog: https://github.com/actions/checkout/compare/v4.0.0...v4.1.0

v4.0.0

What's Changed

• Update default runtime to node20 by @​takost in actions/checkout#1436
• Support fetching without the --progress option by @​simonbaird in actions/checkout#1067
• Release 4.0.0 by @​takost in actions/checkout#1447

New Contributors

• @​takost made their first contribution in actions/checkout#1436
• @​simonbaird made their first contribution in actions/checkout#1067

Full Changelog: https://github.com/actions/checkout/compare/v3...v4.0.0

v3.6.0

What's Changed

• Mark test scripts with Bash'isms to be run via Bash by @​dscho in actions/checkout#1377
• Add option to fetch tags even if fetch-depth > 0 by @​RobertWieczoreck in actions/checkout#579
• Release 3.6.0 by @​luketomlinson in actions/checkout#1437

New Contributors

• @​RobertWieczoreck made their first contribution in actions/checkout#579
• @​luketomlinson made their first contribution in actions/checkout#1437

Full Changelog: https://github.com/actions/checkout/compare/v3.5.3...v3.6.0

Commits

• b4ffde6 Link to release page from what's new section (#1514)
• 8530928 Correct link to GitHub Docs (#1511)
• 7cdaf2f Update CODEOWNERS to Launch team (#1510)
• 8ade135 Prepare 4.1.0 release (#1496)
• c533a0a Add support for partial checkout filters (#1396)
• 72f2cec Update README.md for V4 (#1452)
• 3df4ab1 Release 4.0.0 (#1447)
• 8b5e8b7 Support fetching without the --progress option (#1067)
• 97a652b Update default runtime to node20 (#1436)
• f43a0e5 Release 3.6.0 (#1437)
• Additional commits viewable in compare view

Updates docker/metadata-action from 5.0.0 to 5.5.0

Release notes

Sourced from docker/metadata-action's releases.

v5.5.0

• Set cwd:// prefix for bake files path by @​crazy-max in docker/metadata-action#370
• Bump @​docker/actions-toolkit from 0.16.0 to 0.16.1 in docker/metadata-action#371
• Bump moment from 2.29.4 to 2.30.1 in docker/metadata-action#373
• Bump moment-timezone from 0.5.43 to 0.5.44 in docker/metadata-action#374

Full Changelog: https://github.com/docker/metadata-action/compare/v5.4.0...v5.5.0

v5.4.0

• Bump @​docker/actions-toolkit from 0.15.0 to 0.16.0 in docker/metadata-action#369
• Bump csv-parse from 5.5.2 to 5.5.3 in docker/metadata-action#365

Full Changelog: https://github.com/docker/metadata-action/compare/v5.3.0...v5.4.0

v5.3.0

• Bump @​docker/actions-toolkit from 0.14.0 to 0.15.0 in docker/metadata-action#363 (fixes #362)

Full Changelog: https://github.com/docker/metadata-action/compare/v5.2.0...v5.3.0

v5.2.0

• Custom annotations support by @​crazy-max in docker/metadata-action#361

Full Changelog: https://github.com/docker/metadata-action/compare/v5.1.0...v5.2.0

v5.1.0

• Annotations support by @​crazy-max in docker/metadata-action#352
• Split bake definition into two files by @​crazy-max in docker/metadata-action#353
• Allow images input to be empty to output bare tags by @​crazy-max in docker/metadata-action#358
• Bump @​actions/github from 5.1.1 to 6.0.0 in docker/metadata-action#348
• Bump @​babel/traverse from 7.17.3 to 7.23.2 in docker/metadata-action#350
• Bump @​docker/actions-toolkit from 0.12.0 to 0.14.0 in docker/metadata-action#349 docker/metadata-action#357
• Bump csv-parse from 5.5.0 to 5.5.2 in docker/metadata-action#346
• Bump semver from 7.5.3 to 7.5.4 in docker/metadata-action#335

Full Changelog: https://github.com/docker/metadata-action/compare/v5.0.0...v5.1.0

Commits

• dbef880 Merge pull request #374 from docker/dependabot/npm_and_yarn/moment-timezone-0...
• b73e7a7 chore: update generated content
• b9fba69 chore(deps): Bump moment-timezone from 0.5.43 to 0.5.44
• ac82374 Merge pull request #373 from docker/dependabot/npm_and_yarn/moment-2.30.1
• c92519a chore: update generated content
• 3b4179d chore(deps): Bump moment from 2.29.4 to 2.30.1
• 0784993 Merge pull request #371 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 52c3e9e chore: update generated content
• 82a5e67 chore(deps): Bump @​docker/actions-toolkit from 0.16.0 to 0.16.1
• 41e1fe3 Merge pull request #370 from crazy-max/bake-cwd
• Additional commits viewable in compare view

Updates docker/build-push-action from 5.0.0 to 5.1.0

Release notes

Sourced from docker/build-push-action's releases.

v5.1.0

• Add annotations input by @​crazy-max in docker/build-push-action#992
• Add secret-envs input by @​elias-lundgren in docker/build-push-action#980
• Bump @​babel/traverse from 7.17.3 to 7.23.2 in docker/build-push-action#991
• Bump @​docker/actions-toolkit from 0.13.0-rc.1 to 0.14.0 in docker/build-push-action#990 docker/build-push-action#1006

Full Changelog: https://github.com/docker/build-push-action/compare/v5.0.0...v5.1.0

Commits

• 4a13e50 Merge pull request #1006 from docker/dependabot/npm_and_yarn/docker/actions-t...
• 7416668 chore: update generated content
• b4f76a5 chore(deps): Bump @​docker/actions-toolkit from 0.13.0 to 0.14.0
• b7feb76 Merge pull request #1005 from crazy-max/ci-inspect
• fae8018 ci: inspect sbom and provenance
• b625868 Merge pull request #1004 from crazy-max/ci-update-buildx
• 5193ef1 ci: update buildx to latest
• d3afd77 Merge pull request #991 from docker/dependabot/npm_and_yarn/babel/traverse-7....
• 7a786bb Merge pull request #992 from crazy-max/annotations
• c66ae3a chore: update generated content
• Additional commits viewable in compare view

Updates github/codeql-action from 2.22.5 to 3.23.0

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

[UNRELEASED]

• Change the retention period for uploaded debug artifacts to 7 days. Previously, this was whatever the repository default was. #2079

3.23.0 - 08 Jan 2024

• We are rolling out a feature in January 2024 that will disable Python dependency installation by default for all users. This improves the speed of analysis while having only a very minor impact on results. You can override this behavior by setting CODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION=false in your workflow, however we plan to remove this ability in future versions of the CodeQL Action. #2031
• The CodeQL Action now requires CodeQL version 2.11.6 or later. For more information, see the corresponding changelog entry for CodeQL Action version 2.22.7. #2009

3.22.12 - 22 Dec 2023

• Update default CodeQL bundle version to 2.15.5. #2047

3.22.11 - 13 Dec 2023

• [v3+ only] The CodeQL Action now runs on Node.js v20. #2006

2.22.10 - 12 Dec 2023

• Update default CodeQL bundle version to 2.15.4. #2016

2.22.9 - 07 Dec 2023

No user facing changes.

2.22.8 - 23 Nov 2023

• Update default CodeQL bundle version to 2.15.3. #2001

2.22.7 - 16 Nov 2023

• Add a deprecation warning for customers using CodeQL version 2.11.5 and earlier. These versions of CodeQL were discontinued on 8 November 2023 alongside GitHub Enterprise Server 3.7, and will be unsupported by CodeQL Action v2.23.0 and later. #1993
  • If you are using one of these versions, please update to CodeQL CLI version 2.11.6 or later. For instance, if you have specified a custom version of the CLI using the 'tools' input to the 'init' Action, you can remove this input to use the default version.
  • Alternatively, if you want to continue using a version of the CodeQL CLI between 2.10.5 and 2.11.5, you can replace github/codeql-action/*@v2 by github/codeql-action/*@v2.22.7 in your code scanning workflow to ensure you continue using this version of the CodeQL Action.

2.22.6 - 14 Nov 2023

• Customers running Python analysis on macOS using version 2.14.6 or earlier of the CodeQL CLI should upgrade to CodeQL CLI version 2.15.0 or later. If you do not wish to upgrade the CodeQL CLI, ensure that you are using Python version 3.11 or earlier, as CodeQL version 2.14.6 and earlier do not support Python 3.12. You can achieve this by adding a setup-python step to your code scanning workflow before the step that invokes github/codeql-action/init.
• Update default CodeQL bundle version to 2.15.2. #1978

2.22.5 - 27 Oct 2023

No user facing changes.

... (truncated)

Commits

• e5f05b8 Merge pull request #2066 from github/update-v3.23.0-fd55bb0b0
• 48e7b8b Update changelog for v3.23.0
• fd55bb0 Merge pull request #2065 from github/henrymercer/further-run-queries-cleanup
• 838a022 Clean up running queries workflow now that the queries are determined by the CLI
• 8516954 Merge pull request #2062 from github/henrymercer/remove-action-config-parsing
• a533ec6 Merge branch 'main' into henrymercer/remove-action-config-parsing
• 08ae9bf Merge pull request #2063 from github/henrymercer/remove-ml-powered-queries-repo
• 58ff74a Merge pull request #2031 from github/rasmuswl/no-dep-inst-default
• 9926570 Generate JS
• 2e27b3c Create helper isPythonDependencyInstallationDisabled
• Additional commits viewable in compare view

Updates actions/upload-artifact from 3.1.2 to 4.1.0

Release notes

Sourced from actions/upload-artifact's releases.

v4.1.0

What's Changed

• Add migrations docs by @​robherley in actions/upload-artifact#482
• Update README.md by @​samuelwine in actions/upload-artifact#492
• Support artifact-url output by @​konradpabjan in actions/upload-artifact#496
• Update readme to reflect new 500 artifact per job limit by @​robherley in actions/upload-artifact#497

New Contributors

• @​samuelwine made their first contribution in actions/upload-artifact#492

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.1.0

v4.0.0

What's Changed

The release of upload-artifact@v4 and download-artifact@v4 are major changes to the backend architecture of Artifacts. They have numerous performance and behavioral improvements.

ℹ️ However, this is a major update that includes breaking changes. Artifacts created with versions v3 and below are not compatible with the v4 actions. Uploads and downloads must use the same major actions versions. There are also key differences from previous versions that may require updates to your workflows.

For more information, please see:

1. The changelog post.
2. The README.
3. The migration documentation.
4. As well as the underlying npm package, @​actions/artifact documentation.

New Contributors

• @​vmjoseph made their first contribution in actions/upload-artifact#464

Full Changelog: https://github.com/actions/upload-artifact/compare/v3...v4.0.0

v3.1.3

What's Changed

• chore(github): remove trailing whitespaces by @​ljmf00 in actions/upload-artifact#313
• Bump @​actions/artifact version to v1.1.2 by @​bethanyj28 in actions/upload-artifact#436

Full Changelog: https://github.com/actions/upload-artifact/compare/v3...v3.1.3

Commits

• 1eb3cb2 Merge pull request #497 from actions/robherley/update-readme-limit
• 8688a86 Update readme to reflect new artifact/job limit
• 73d8b66 Support artifact-url output (#496)
• c320f57 Update README.md (#492)
• cf8714c Merge pull request #482 from actions/robherley/add-migration-docs
• 7f16e37 add migrations docs
• 3530730 Merge pull request #468 from actions/robherley/misc-updates
• 6c139af update imports and old v4-beta references
• c7d193f Merge pull request #466 from actions/v4-beta
• 13131bb licensed cache
• Additional commits viewable in compare view

Updates crate-ci/typos from 1.16.21 to 1.17.1

Release notes

Sourced from crate-ci/typos's releases.

v1.17.1

[1.17.1] - 2024-01-12

Features

• First attempt at aarch64 for Mac

v1.17.0

[1.17.0] - 2024-01-03

Fixes

• Updated the dictionary with the November/December 2023 changes

v1.16.26

[1.16.26] - 2023-12-27

Fixes

• Apply extend-ignore-re to file names in addition to file content

v1.16.25

[1.16.25] - 2023-12-13

Fixes

• Have correction in extend-words match the original word's case

v1.16.24

[1.16.24] - 2023-12-08

Fixes

• Don't silently ignore config when there is an error in a field

v1.16.23

[1.16.23] - 2023-11-06

Fixes

• Ensure --force-exclude handles simple patterns like some-dir

v1.16.22

[1.16.22] - 2023-11-01

Fixes

• Updated the dictionary with the October 2023 changes

Changelog

Sourced from crate-ci/typos's changelog.

Change Log

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

[Unreleased] - ReleaseDate

[1.17.1] - 2024-01-12

Features

• First attempt at aarch64 for Mac

[1.17.0] - 2024-01-03

Fixes

• Updated the dictionary with the November/December 2023 changes

[1.16.26] - 2023-12-27

Fixes

• Apply extend-ignore-re to file names in addition to file content

[1.16.25] - 2023-12-13

Fixes

• Have correction in extend-words match the original word's case

[1.16.24] - 2023-12-08

Fixes

• Don't silently ignore config when there is an error in a field

[1.16.23] - 2023-11-06

Fixes

• Ensure --force-exclude handles simple patterns like some-dir

[1.16.22] - 2023-11-01

Fixes

• Updated the dictionary with the October 2023 changes

... (truncated)

Commits

• a35b382 chore: Release
• 4c32fc5 docs: Update changelog
• b02f589 Merge pull request #908 from epage/ci
• 7b12730 chore(ci): Build for aarch64
• 5adfdc2 chore(ci): Show what gets bundled
• 657d1b1 chore(ci): Remove use of undefined variable
• a776278 chore(ci): Ensure rustfmt is available
• 2361394 chore: Release
• 9c418af chore: Release
• 03aec70 docs: Update changelog
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions

[dependabot[bot]]

Looks like these dependencies are updatable in another way, so this is no longer needed.