Skip to content

🌱 Bump the github-actions group with 3 updates #261

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
May 7, 2025
Merged

🌱 Bump the github-actions group with 3 updates #261

merged 1 commit into from
May 7, 2025

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 1, 2025

Bumps the github-actions group with 3 updates: google/osv-scanner, github/codeql-action and rtCamp/action-slack-notify.

Updates google/osv-scanner from 2.0.0 to 2.0.2

Release notes

Sourced from google/osv-scanner's releases.

v2.0.2

Fixes:

  • [Bug #1842](google/osv-scanner#1842) Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
  • [Bug #1806](google/osv-scanner#1806) Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
  • [Fix #1825](google/osv-scanner#1825), #1809, #1805, #1803, #1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.

New Contributors

Full Changelog: google/osv-scanner@v2.0.1...v2.0.2

v2.0.1

Changelog

Features:

  • [Feature #1730](google/osv-scanner#1730) Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
  • [Feature #1770](google/osv-scanner#1770) Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
  • [Feature #1761](google/osv-scanner#1761) Improve output when scanning for OS packages, we now show binary packages associated with a source package in the table output.

Fixes:

API Changes:

New Contributors

Full Changelog: google/osv-scanner@v2.0.0...v2.0.1

Changelog

Sourced from google/osv-scanner's changelog.

v2.0.2

Fixes:

  • [Bug #1842](google/osv-scanner#1842) Fix an issue in the GitHub Action where call analysis for Go projects using the tool directive (Go 1.24+) in go.mod files would fail. The scanner image has been updated to use a newer Go version.
  • [Bug #1806](google/osv-scanner#1806) Fix an issue where license overrides were not correctly reflected in the final scan results and license summary.
  • [Fix #1825](google/osv-scanner#1825), #1809, #1805, #1803, #1787 Enhance XML output stability and consistency by preserving original spacing and minimizing unnecessary escaping. This helps reduce differences when XML files are processed.

v2.0.1

Features:

  • [Feature #1730](google/osv-scanner#1730) Add support for extracting dependencies from .NET packages.config and packages.lock.json files.
  • [Feature #1770](google/osv-scanner#1770) Add support for extracting dependencies from rust binaries compiled with cargo-auditable.
  • [Feature #1761](google/osv-scanner#1761) Improve output when scanning for OS packages, we now show binary packages associated with a source package in the table output.

Fixes:

Docs:

API Changes:

OSV-Scanner v2.0.0

This release merges the improvements, features, and fixes from v2.0.0-rc1, v2.0.0-beta2, and v2.0.0-beta1.

Important: This release includes several breaking changes aimed at future-proofing OSV-Scanner. Please consult our comprehensive Migration Guide to ensure a smooth upgrade.

Features:

  • Layer and base image-aware container scanning:
    • Rewritten support for Debian, Ubuntu, and Alpine container images.
    • Layer level analysis and vulnerability breakdown.
    • Supports Go, Java, Node, and Python artifacts within supported distros.
    • Base image identification via deps.dev.
    • Usage: osv-scanner scan image <image-name>:<tag>
  • Interactive HTML output:

... (truncated)

Commits
  • a2a2385 chore(deps-dev): bump nokogiri from 1.18.4 to 1.18.8 in /docs in the bundler ...
  • b8c9438 chore: Changelog for v2.0.2 (#1847)
  • 1766328 fix(gh-action): call analysis doesn't work for go 1.24 (#1842)
  • d76bc12 test(osv-scanner/fix): actually import command from package (#1845)
  • de15fc3 test(fix): use public package (#1832)
  • 63d392d test: add case for when "false" is explicitly passed as the value for `--offl...
  • 7d48ca4 refactor(cmd): rename and cleanup licenseGenericFlag implementation (#1834)
  • ffe3391 test: only include specific command under test in cmd package tests (#1831)
  • 8c09fbb test: update snapshots (#1833)
  • cb60d8a feat(xml): store the original text in CharData (#1825)
  • Additional commits viewable in compare view

Updates github/codeql-action from 3.28.13 to 3.28.16

Release notes

Sourced from github/codeql-action's releases.

v3.28.16

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.16 - 23 Apr 2025

  • Update default CodeQL bundle version to 2.21.1. #2863

See the full CHANGELOG.md for more information.

v3.28.15

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.15 - 07 Apr 2025

  • Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

See the full CHANGELOG.md for more information.

v3.28.14

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.14 - 07 Apr 2025

  • Update default CodeQL bundle version to 2.21.0. #2838

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

  • Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

  • Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

  • Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

  • Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

  • Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
  • Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

  • Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

  • Update default CodeQL bundle version to 2.20.5. #2772
  • Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

3.28.9 - 07 Feb 2025

  • Update default CodeQL bundle version to 2.20.4. #2753

3.28.8 - 29 Jan 2025

  • Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

3.28.7 - 29 Jan 2025

No user facing changes.

... (truncated)

Commits
  • 28deaed Merge pull request #2865 from github/update-v3.28.16-2a8cbadc0
  • 03c5d71 Update changelog for v3.28.16
  • 2a8cbad Merge pull request #2863 from github/update-bundle/codeql-bundle-v2.21.1
  • f76eaf5 Add changelog note
  • e63b3f5 Update default bundle to codeql-bundle-v2.21.1
  • 4c3e536 Merge pull request #2853 from github/dependabot/npm_and_yarn/npm-7d84c66b66
  • 56dd02f Merge pull request #2852 from github/dependabot/github_actions/actions-457587...
  • 192406d Merge branch 'main' into dependabot/github_actions/actions-4575878e06
  • c7dbb20 Merge pull request #2857 from github/nickfyson/address-vulns
  • 9a45cd8 move use of input variables into env vars
  • Additional commits viewable in compare view

Updates rtCamp/action-slack-notify from 2.3.2 to 2.3.3

Release notes

Sourced from rtCamp/action-slack-notify's releases.

v2.3.3

What's Changed

Changelog:

What's Changed

New Contributors

Full Changelog: rtCamp/action-slack-notify@v2.3.1...v2.3.3

Commits
  • e31e87e Update action image version to v2.3.3
  • b2acbf4 Merge pull request #221 from Tello-Wharton/master
  • 0410d0a Pinning slackify-markdown-action to specific version
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
🌱 Bump the github-actions group with 3 updates
7627243 
Bumps the github-actions group with 3 updates: [google/osv-scanner](https://github.com/google/osv-scanner), [github/codeql-action](https://github.com/github/codeql-action) and [rtCamp/action-slack-notify](https://github.com/rtcamp/action-slack-notify).


Updates `google/osv-scanner` from 2.0.0 to 2.0.2
- [Release notes](https://github.com/google/osv-scanner/releases)
- [Changelog](https://github.com/google/osv-scanner/blob/main/CHANGELOG.md)
- [Commits](google/osv-scanner@0e986b4...a2a2385)

Updates `github/codeql-action` from 3.28.13 to 3.28.16
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@1b549b9...28deaed)

Updates `rtCamp/action-slack-notify` from 2.3.2 to 2.3.3
- [Release notes](https://github.com/rtcamp/action-slack-notify/releases)
- [Commits](rtCamp/action-slack-notify@c337377...e31e87e)

---
updated-dependencies:
- dependency-name: google/osv-scanner
  dependency-version: 2.0.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 3.28.16
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: rtCamp/action-slack-notify
  dependency-version: 2.3.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label May 1, 2025
@metal3-io-bot metal3-io-bot requested review from lentzi90 and tuminoid May 1, 2025 21:20
@metal3-io-bot
Copy link
Contributor

Hi @dependabot[bot]. Thanks for your PR.

I'm waiting for a metal3-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@metal3-io-bot metal3-io-bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label May 1, 2025
lentzi90
lentzi90 reviewed May 2, 2025
View reviewed changes
Copy link
Member

@lentzi90 lentzi90 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@metal3-io-bot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lentzi90

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@metal3-io-bot metal3-io-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 2, 2025
tuminoid
tuminoid reviewed May 7, 2025
View reviewed changes
Copy link
Member

@tuminoid tuminoid left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@metal3-io-bot metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label May 7, 2025
@metal3-io-bot metal3-io-bot merged commit a81bb19 into main May 7, 2025
14 checks passed
@dependabot dependabot bot deleted the dependabot/github_actions/main/github-actions-27d050b2b5 branch May 7, 2025 08:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tuminoid tuminoid tuminoid left review comments

+1 more reviewer

@lentzi90 lentzi90 lentzi90 left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@metal3-io-bot @tuminoid @lentzi90