From 1d59f150e09c2b7dbdb3a20e11946504801cea75 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 11 May 2026 16:32:53 +0000 Subject: [PATCH] ci(deps): bump the github-actions group across 1 directory with 4 updates Bumps the github-actions group with 4 updates in the / directory: [step-security/harden-runner](https://github.com/step-security/harden-runner), [github/codeql-action](https://github.com/github/codeql-action), [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) and [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action). Updates `step-security/harden-runner` from 2.19.0 to 2.19.1 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/8d3c67de8e2fe68ef647c8db1e6a09f647780f40...a5ad31d6a139d249332a2605b85202e8c0b78450) Updates `github/codeql-action` from 4.35.2 to 4.35.3 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/95e58e9a2cdfd71adc6e0353d5c52f41a045d225...e46ed2cbd01164d986452f91f178727624ae40d7) Updates `trufflesecurity/trufflehog` from 3.94.3 to 3.95.2 - [Release notes](https://github.com/trufflesecurity/trufflehog/releases) - [Commits](https://github.com/trufflesecurity/trufflehog/compare/47e7b7cd74f578e1e3145d48f669f22fd1330ca6...17456f8c7d042d8c82c9a8ca9e937231f9f42e26) Updates `aquasecurity/trivy-action` from 0.35.0 to 0.36.0 - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](https://github.com/aquasecurity/trivy-action/compare/57a97c7e7821a5776cebc9bb87c984fa69cba8f1...ed142fd0673e97e23eac54620cfb913e5ce36c25) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.19.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: github/codeql-action dependency-version: 4.35.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: trufflesecurity/trufflehog dependency-version: 3.95.2 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: aquasecurity/trivy-action dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci-guardrails.yml | 16 ++++++++-------- .github/workflows/ci.yml | 6 +++--- .../maintenance-update-tool-versions.yml | 2 +- .github/workflows/prs-review.yml | 12 ++++++------ .github/workflows/release.yml | 6 +++--- .github/workflows/reusable-native-build.yml | 2 +- .github/workflows/sast.yml | 12 ++++++------ .github/workflows/site.yml | 2 +- 8 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/ci-guardrails.yml b/.github/workflows/ci-guardrails.yml index 62c7d28..5b17516 100644 --- a/.github/workflows/ci-guardrails.yml +++ b/.github/workflows/ci-guardrails.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: false # needed for Zizmor's use of Docker egress-policy: block @@ -50,7 +50,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -86,7 +86,7 @@ jobs: > poutine_results.sarif - name: Upload poutine SARIF file - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: sarif_file: poutine_results.sarif @@ -96,7 +96,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: false # needed for TruffleHog's use of Docker egress-policy: block @@ -117,7 +117,7 @@ jobs: echo "trufflehog=${trufflehog}" >> "$GITHUB_OUTPUT" - name: Run TruffleHog - uses: trufflesecurity/trufflehog@47e7b7cd74f578e1e3145d48f669f22fd1330ca6 # v3.94.3 + uses: trufflesecurity/trufflehog@17456f8c7d042d8c82c9a8ca9e937231f9f42e26 # v3.95.2 with: extra_args: --results=verified,unknown version: ${{ steps.versions.outputs.trufflehog }} @@ -128,7 +128,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -157,7 +157,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -178,7 +178,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index de41681..8a9ef46 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,7 +25,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -68,7 +68,7 @@ jobs: # Scanning the SBOM is strictly more accurate than Trivy's own filesystem # heuristics, and the SBOM only exists after the build completes. - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: scan-type: sbom scan-ref: target/bom_all.json @@ -79,6 +79,6 @@ jobs: - name: Upload Trivy SARIF file if: always() - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: sarif_file: trivy-results.sarif diff --git a/.github/workflows/maintenance-update-tool-versions.yml b/.github/workflows/maintenance-update-tool-versions.yml index 3407232..b83afbf 100644 --- a/.github/workflows/maintenance-update-tool-versions.yml +++ b/.github/workflows/maintenance-update-tool-versions.yml @@ -23,7 +23,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block diff --git a/.github/workflows/prs-review.yml b/.github/workflows/prs-review.yml index c46ed96..22bcdfb 100644 --- a/.github/workflows/prs-review.yml +++ b/.github/workflows/prs-review.yml @@ -18,7 +18,7 @@ jobs: pull-requests: write # Required to post review comments steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: false # actionlint needs to run in a container egress-policy: block @@ -47,7 +47,7 @@ jobs: pull-requests: write # Required to post review comments steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -84,7 +84,7 @@ jobs: pull-requests: write # Required to post review comments steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: false # require sudo to install shellcheck egress-policy: block @@ -127,7 +127,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -192,7 +192,7 @@ jobs: pull-requests: write # Required to post comments steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -218,7 +218,7 @@ jobs: pull-requests: write # Required to post review comments steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: false # markdownlint needs to run in a container egress-policy: block diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 913011f..dc89b0f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -34,7 +34,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: audit @@ -73,7 +73,7 @@ jobs: run: ./mvnw -B -ntp -P integration-tests,generate-sbom,release -Dsigstore.skip=false -Daether.checksums.omitChecksumsForExtensions=.asc,.sigstore.json clean deploy - name: Scan SBOM for vulnerabilities - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 with: scan-type: sbom scan-ref: target/bom_all.json @@ -156,7 +156,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/reusable-native-build.yml b/.github/workflows/reusable-native-build.yml index 0104799..6487148 100644 --- a/.github/workflows/reusable-native-build.yml +++ b/.github/workflows/reusable-native-build.yml @@ -40,7 +40,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block diff --git a/.github/workflows/sast.yml b/.github/workflows/sast.yml index e3a7939..38a6829 100644 --- a/.github/workflows/sast.yml +++ b/.github/workflows/sast.yml @@ -27,7 +27,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -44,16 +44,16 @@ jobs: persist-credentials: false - name: Initialize CodeQL - uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: languages: java-kotlin,actions queries: security-and-quality - name: Autobuild - uses: github/codeql-action/autobuild@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 - name: Perform CodeQL analysis - uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 opengrep: name: Analyze (Opengrep) @@ -66,7 +66,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block @@ -120,7 +120,7 @@ jobs: - name: Upload results to GitHub Code Scanning if: always() - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 + uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3 with: sarif_file: opengrep.sarif category: opengrep diff --git a/.github/workflows/site.yml b/.github/workflows/site.yml index 7e1b80e..51f30e8 100644 --- a/.github/workflows/site.yml +++ b/.github/workflows/site.yml @@ -32,7 +32,7 @@ jobs: steps: - name: Harden Runner - uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0 + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 with: disable-sudo-and-containers: true egress-policy: block