Skip to content

Commit

Permalink
Bump ossf/scorecard-action from 2.4.0 to 2.4.1 (#3033)
Browse files Browse the repository at this point in the history 
Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action)
from 2.4.0 to 2.4.1.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ossf/scorecard-action/releases">ossf/scorecard-action's
releases</a>.</em></p>
<blockquote>
<h2>v2.4.1</h2>
<h2>What's Changed</h2>
<ul>
<li>This update bumps the Scorecard version to the v5.1.1 release. For a
complete list of changes, please refer to the <a
href="https://github.com/ossf/scorecard/releases/tag/v5.1.0">v5.1.0</a>
and <a
href="https://github.com/ossf/scorecard/releases/tag/v5.1.1">v5.1.1</a>
release notes.</li>
<li>Publishing results now uses half the API quota as before. The exact
savings depends on the repository in question.
<ul>
<li>use Scorecard library entrypoint instead of Cobra hooking by <a
href="https://github.com/spencerschrock"><code>@​spencerschrock</code></a>
in <a
href="https://github.com/ossf/scorecard-action/pull/1423">ossf/scorecard-action#1423</a></li>
</ul>
</li>
<li>Some errors were made into annotations to make them more visible
<ul>
<li>Make default branch error more prominent by <a
href="https://github.com/jsoref"><code>@​jsoref</code></a> in <a
href="https://github.com/ossf/scorecard-action/pull/1459">ossf/scorecard-action#1459</a></li>
</ul>
</li>
<li>There is now an optional <code>file_mode</code> input which controls
how repository files are fetched from GitHub. The default is
<code>archive</code>, but <code>git</code> produces the most accurate
results for repositories with <code>.gitattributes</code> files at the
cost of analysis speed.
<ul>
<li>add input for specifying <code>--file-mode</code> by <a
href="https://github.com/spencerschrock"><code>@​spencerschrock</code></a>
in <a
href="https://github.com/ossf/scorecard-action/pull/1509">ossf/scorecard-action#1509</a></li>
</ul>
</li>
<li>The underlying container for the action is now <a
href="https://github.com/ossf/scorecard-action/pkgs/container/scorecard-action">hosted
on GitHub Container Registry</a>. There should be no functional changes.
<ul>
<li>:seedling: publish docker images to GitHub Container Registry by <a
href="https://github.com/spencerschrock"><code>@​spencerschrock</code></a>
in <a
href="https://github.com/ossf/scorecard-action/pull/1453">ossf/scorecard-action#1453</a></li>
</ul>
</li>
</ul>
<h3>Docs</h3>
<ul>
<li>Installation docs update by <a
href="https://github.com/JeremiahAHoward"><code>@​JeremiahAHoward</code></a>
in <a
href="https://github.com/ossf/scorecard-action/pull/1416">ossf/scorecard-action#1416</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/JeremiahAHoward"><code>@​JeremiahAHoward</code></a>
made their first contribution in <a
href="https://github.com/ossf/scorecard-action/pull/1416">ossf/scorecard-action#1416</a></li>
<li><a href="https://github.com/jsoref"><code>@​jsoref</code></a> made
their first contribution in <a
href="https://github.com/ossf/scorecard-action/pull/1459">ossf/scorecard-action#1459</a>
<strong>Full Changelog</strong>: <a
href="https://github.com/ossf/scorecard-action/compare/v2.4.0...v2.4.1">https://github.com/ossf/scorecard-action/compare/v2.4.0...v2.4.1</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ossf/scorecard-action/commit/f49aabe0b5af0936a0987cfb85d86b75731b0186"><code>f49aabe</code></a>
bump docker to ghcr v2.4.1 (<a
href="https://github.com/ossf/scorecard-action/issues/1478">#1478</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/30a595ba8670f7bd5e2d33119dfeeb6ab2f64991"><code>30a595b</code></a>
:seedling: Bump github.com/sigstore/cosign/v2 from 2.4.2 to 2.4.3 (<a
href="https://github.com/ossf/scorecard-action/issues/1515">#1515</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/69ae593b7addfd5241b46c43c7ed6abbd7203d55"><code>69ae593</code></a>
omit vcs info from build (<a
href="https://github.com/ossf/scorecard-action/issues/1514">#1514</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/6a62a1cbf28018bd61197d0c2852b94b046fe1a4"><code>6a62a1c</code></a>
add input for specifying <code>--file-mode</code> (<a
href="https://github.com/ossf/scorecard-action/issues/1509">#1509</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/2722664778d49161a69d42f8e82e15ed38fea8d1"><code>2722664</code></a>
:seedling: Bump the github-actions group with 2 updates (<a
href="https://github.com/ossf/scorecard-action/issues/1510">#1510</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/ae0ef3171a81cb48c3fdaaf34cba323d0c51fefb"><code>ae0ef31</code></a>
:seedling: Bump github.com/spf13/cobra from 1.8.1 to 1.9.1 (<a
href="https://github.com/ossf/scorecard-action/issues/1512">#1512</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/3676bbc29082184ac34a84d1573c0419f81c4a68"><code>3676bbc</code></a>
:seedling: Bump golang from 1.23.6 to 1.24.0 in the docker-images group
(<a
href="https://github.com/ossf/scorecard-action/issues/1513">#1513</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/ae7548a0ff1b94dda3a89eeda8f59c031874f035"><code>ae7548a</code></a>
Limit codeQL push trigger to main branch (<a
href="https://github.com/ossf/scorecard-action/issues/1507">#1507</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/9165624e75f0c73d13a9db2d4d920bcc5fc3a801"><code>9165624</code></a>
upgrade scorecard to v5.1.0 (<a
href="https://github.com/ossf/scorecard-action/issues/1508">#1508</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/620fd28d6b2ba01c1d70cf63dfb4bdf868e19d6f"><code>620fd28</code></a>
:seedling: Bump the github-actions group with 2 updates (<a
href="https://github.com/ossf/scorecard-action/issues/1505">#1505</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/ossf/scorecard-action/compare/62b2cac7ed8198b15735ed49ab1e5cf35480ba46...f49aabe0b5af0936a0987cfb85d86b75731b0186">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ossf/scorecard-action&package-manager=github_actions&previous-version=2.4.0&new-version=2.4.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
  • Loading branch information
@dependabot
dependabot[bot] authored Feb 23, 2025
1 parent 2404ceb commit ec5018c
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/scorecards.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ jobs:
persist-credentials: false

- name: "Run analysis"
uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
with:
results_file: results.sarif
results_format: sarif
Expand Down

0 comments on commit ec5018c

Please sign in to comment.