⬆️ gha: Bump the github-actions group across 1 directory with 14 updates

[dependabot]

Bumps the github-actions group with 14 updates in the / directory:

Package	From	To
step-security/harden-runner	2.12.0	2.13.0
actions/checkout	4.2.2	5.0.0
actions/dependency-review-action	4.6.0	4.7.3
reviewdog/action-tflint	1.24.2	1.25.0
reviewdog/action-trivy	1.13.10	1.14.0
reviewdog/action-actionlint	1.65.2	1.67.0
actions/labeler	5.0.0	6.0.1
mikepenz/release-changelog-builder-action	5.3.0	5.4.1
softprops/action-gh-release	2.2.2	2.3.3
ossf/scorecard-action	2.4.1	2.4.2
github/codeql-action	3.28.16	3.30.1
actions/setup-go	5.4.0	6.0.0
actions/setup-node	4.4.0	5.0.0
aws-actions/configure-aws-credentials	4.1.0	5.0.0

Updates step-security/harden-runner from 2.12.0 to 2.13.0

Release notes

Sourced from step-security/harden-runner's releases.

v2.13.0

What's Changed

• Improved job markdown summary
• Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com Bug fixes:

• Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
• Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

What's Changed

• Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
• Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

Commits

• ec9f2d5 Merge pull request #565 from step-security/rc-24
• 04bcbc3 update agent
• 7c7a56f feat: get job summary from API
• 6c439dc Merge pull request #562 from step-security/rc-22
• bf56886 update agent
• 5436dac update agent
• 88d305a update agent
• b976878 update agent
• 875cc92 Update agent
• 002fdce Merge pull request #544 from step-security/rc-21
• Additional commits viewable in compare view

Updates actions/checkout from 4.2.2 to 5.0.0

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236
• Prepare release v4.3.0 by @​salmanmkc in actions/checkout#2237

New Contributors

• @​motss made their first contribution in actions/checkout#1971
• @​mouismail made their first contribution in actions/checkout#1977
• @​benwells made their first contribution in actions/checkout#2043
• @​nebuk89 made their first contribution in actions/checkout#2194
• @​salmanmkc made their first contribution in actions/checkout#2236

Full Changelog: actions/checkout@v4...v4.3.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

V4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

... (truncated)

Commits

• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• 08eba0b Prepare release v4.3.0 (#2237)
• 631c7dc Update package dependencies (#2236)
• 8edcb1b Update CODEOWNERS for actions (#2224)
• 09d2aca Update README.md (#2194)
• 85e6279 Adjust positioning of user email note and permissions heading (#2044)
• 009b9ae Documentation update - add recommended permissions to Readme (#2043)
• cbb7224 Update README.md (#1977)
• 3b9b8c8 docs: update README.md (#1971)
• See full diff in compare view

Updates actions/dependency-review-action from 4.6.0 to 4.7.3

Release notes

Sourced from actions/dependency-review-action's releases.

4.7.3

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in actions/dependency-review-action#966
• Claire153/fix spamming mentioned issue by @​claire153 in actions/dependency-review-action#974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

4.7.2

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in actions/dependency-review-action#945
• Deprecate deny lists by @​claire153 in actions/dependency-review-action#958
• Address discrepancy between docs and reality by @​ahpook in actions/dependency-review-action#960

New Contributors

• @​KyFaSt made their first contribution in actions/dependency-review-action#945
• @​claire153 made their first contribution in actions/dependency-review-action#958
• @​ahpook made their first contribution in actions/dependency-review-action#960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

v4.7.1

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

Commits

• 595b5ae Update package version (#975)
• fc5fd66 Claire153/fix spamming mentioned issue (#974)
• d38d1a4 Merge pull request #965 from actions/dependabot/npm_and_yarn/multi-c22e25d29b
• 8d420b8 Merge branch 'main' into dependabot/npm_and_yarn/multi-c22e25d29b
• bde0129 Merge pull request #966 from actions/ashelytc/add-permissions
• ab52490 remove ruby
• ef00a0a add permissions to workflows
• 74c8179 Bump brace-expansion
• bc41886 Cut 4.7.2 version release (#964)
• 1c73553 Merge pull request #960 from ahpook/ahpook/address-docs-dashes
• Additional commits viewable in compare view

Updates reviewdog/action-tflint from 1.24.2 to 1.25.0

Release notes

Sourced from reviewdog/action-tflint's releases.

Release v1.25.0

What's Changed

• chore(deps): update reviewdog/action-misspell action to v1.26.2 by @​renovate[bot] in reviewdog/action-tflint#105
• chore(deps): update reviewdog/action-depup action to v1.6.4 by @​renovate[bot] in reviewdog/action-tflint#104
• chore(deps): update reviewdog/action-misspell action to v1.26.3 by @​renovate[bot] in reviewdog/action-tflint#106
• README: Pin GitHub Actions with commit SHA using pinact by @​haya14busa in reviewdog/action-tflint#108
• chore(deps): update reviewdog/reviewdog to 0.21.0 by @​github-actions[bot] in reviewdog/action-tflint#101

Full Changelog: reviewdog/action-tflint@v1.24.2...v1.25.0

Commits

• 54a5e5a chore(deps): update reviewdog/reviewdog to 0.21.0 (#101)
• 92ecd5b README: Pin GitHub Actions with commit SHA using pinact (#108)
• 4e022bb chore(deps): update reviewdog/action-misspell action to v1.26.3 (#106)
• 1848510 chore(deps): update reviewdog/action-depup action to v1.6.4 (#104)
• f1101e4 chore(deps): update reviewdog/action-misspell action to v1.26.2 (#105)
• See full diff in compare view

Updates reviewdog/action-trivy from 1.13.10 to 1.14.0

Release notes

Sourced from reviewdog/action-trivy's releases.

Release v1.14.0

v1.14.0: PR #104 - chore(deps): update reviewdog to 0.21.0

Commits

• a1e6d7d Merge pull request #104 from reviewdog/depup/reviewdog
• 20b6816 chore(deps): update reviewdog to 0.21.0
• a1a479d Merge pull request #94 from reviewdog/renovate/azurerm-4.x
• 7a02290 chore(deps): update terraform azurerm to ~> 4.26.0
• 590ac69 Merge pull request #93 from reviewdog/renovate/aws-5.x
• f895ad5 chore(deps): update terraform aws to ~> 5.94.0
• 5392bcc Merge pull request #92 from reviewdog/renovate/azurerm-4.x
• 0e5f775 chore(deps): update terraform azurerm to ~> 4.25.0
• 90be6ba Merge pull request #91 from reviewdog/renovate/aws-5.x
• 536d9aa chore(deps): update terraform aws to ~> 5.93.0
• Additional commits viewable in compare view

Updates reviewdog/action-actionlint from 1.65.2 to 1.67.0

Release notes

Sourced from reviewdog/action-actionlint's releases.

Release v1.67.0

v1.67.0: PR #172 - chore(deps): update reviewdog to 0.21.0

Release v1.66.1

v1.66.1: PR #171 - bump the patch version

v1.66.0

What's Changed

• chore(deps): update reviewdog/action-depup action to v1.6.4 by @​renovate[bot] in reviewdog/action-actionlint#158
• README: Pin GitHub Actions with commit SHA using pinact by @​haya14busa in reviewdog/action-actionlint#161
• chore(deps): update shogo82148/actions-create-release action to v1.7.7 by @​renovate[bot] in reviewdog/action-actionlint#162
• chore(deps): update shogo82148/actions-create-release action to v1.7.8 by @​renovate[bot] in reviewdog/action-actionlint#164
• chore(deps): update shellcheck to 0.11.0 by @​github-actions[bot] in reviewdog/action-actionlint#166
• chore(deps): update docker/setup-buildx-action action to v3.11.1 by @​renovate[bot] in reviewdog/action-actionlint#165
• chore(deps): update haya14busa/action-bumpr action to v1.11.4 by @​renovate[bot] in reviewdog/action-actionlint#163

Full Changelog: reviewdog/action-actionlint@v1.65.2...v1.66.0

Release v1.65.3

v1.65.3: PR #170 - bump the patch version

Commits

• 95395aa bump v1.67.0
• af47a90 Merge branch 'main' into releases/v1
• 93dc1f9 Merge pull request #172 from reviewdog/depup/reviewdog
• 37d6325 chore(deps): update reviewdog to 0.21.0
• e37e2ca bump v1.66.1
• 421367c Merge branch 'main' into releases/v1
• 93ee9b0 Merge pull request #171 from reviewdog/bump-minor
• 41038bc bump the minor version
• 4a597f8 bump v1.65.3
• 826eac1 Merge branch 'main' into releases/v1
• Additional commits viewable in compare view

Updates actions/labeler from 5.0.0 to 6.0.1

Release notes

Sourced from actions/labeler's releases.

v6.0.1

What's Changed

• Upgrade publish-action from 0.2.2 to 0.4.0 by @​aparnajyothi-y in actions/labeler#901

New Contributors

• @​aparnajyothi-y made their first contribution in actions/labeler#901

Full Changelog: actions/labeler@v6.0.0...v6.0.1

v6.0.0

What's Changed

• Add workflow file for publishing releases to immutable action package by @​jcambass in actions/labeler#802

Breaking Changes

• Upgrade Node.js version to 24 in action and dependencies @​salmanmkc in actions/labeler#891 Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. Release Notes

Dependency Upgrades

• Upgrade eslint-config-prettier from 9.0.0 to 9.1.0 by @​dependabot[bot] in actions/labeler#711
• Upgrade eslint from 8.52.0 to 8.55.0 by @​dependabot[bot] in actions/labeler#720
• Upgrade @​types/jest from 29.5.6 to 29.5.11 by @​dependabot[bot] in actions/labeler#719
• Upgrade @​types/js-yaml from 4.0.8 to 4.0.9 by @​dependabot[bot] in actions/labeler#718
• Upgrade @​typescript-eslint/parser from 6.9.0 to 6.14.0 by @​dependabot[bot] in actions/labeler#717
• Upgrade prettier from 3.0.3 to 3.1.1 by @​dependabot[bot] in actions/labeler#726
• Upgrade eslint from 8.55.0 to 8.56.0 by @​dependabot[bot] in actions/labeler#725
• Upgrade @​typescript-eslint/parser from 6.14.0 to 6.19.0 by @​dependabot[bot] in actions/labeler#745
• Upgrade eslint-plugin-jest from 27.4.3 to 27.6.3 by @​dependabot[bot] in actions/labeler#744
• Upgrade @​typescript-eslint/eslint-plugin from 6.9.0 to 6.20.0 by @​dependabot[bot] in actions/labeler#750
• Upgrade prettier from 3.1.1 to 3.2.5 by @​dependabot[bot] in actions/labeler#752
• Upgrade undici from 5.26.5 to 5.28.3 by @​dependabot[bot] in actions/labeler#757
• Upgrade braces from 3.0.2 to 3.0.3 by @​dependabot[bot] in actions/labeler#789
• Upgrade minimatch from 9.0.3 to 10.0.1 by @​dependabot[bot] in actions/labeler#805
• Upgrade @​actions/core from 1.10.1 to 1.11.1 by @​dependabot[bot] in actions/labeler#811
• Upgrade typescript from 5.4.3 to 5.7.2 by @​dependabot[bot] in actions/labeler#819
• Upgrade @​typescript-eslint/parser from 7.3.1 to 8.17.0 by @​dependabot[bot] in actions/labeler#824
• Upgrade prettier from 3.2.5 to 3.4.2 by @​dependabot[bot] in actions/labeler#825
• Upgrade @​types/jest from 29.5.12 to 29.5.14 by @​dependabot[bot] in actions/labeler#827
• Upgrade eslint-plugin-jest from 27.9.0 to 28.9.0 by @​dependabot[bot] in actions/labeler#832
• Upgrade ts-jest from 29.1.2 to 29.2.5 by @​dependabot[bot] in actions/labeler#831
• Upgrade @​vercel/ncc from 0.38.1 to 0.38.3 by @​dependabot[bot] in actions/labeler#830
• Upgrade typescript from 5.7.2 to 5.7.3 by @​dependabot[bot] in actions/labeler#835
• Upgrade eslint-plugin-jest from 28.9.0 to 28.11.0 by @​dependabot[bot] in actions/labeler#839
• Upgrade undici from 5.28.4 to 5.28.5 by @​dependabot[bot] in actions/labeler#842
• Upgrade @​octokit/request-error from 5.0.1 to 5.1.1 by @​dependabot[bot] in actions/labeler#846

Documentation changes

• Add note regarding pull_request_target to README.md by @​silverwind in actions/labeler#669
• Update readme with additional examples and important note about pull_request_target event by @​IvanZosimov in actions/labeler#721
• Document update - permission section by @​harithavattikuti in actions/labeler#840

... (truncated)

Commits

• 634933e publish-action upgrade to 0.4.0 from 0.2.2 (#901)
• f1a63e8 Update Node.js version to 24 in action and dependencies (#891)
• b0a1180 Bump @​octokit/request-error from 5.0.1 to 5.1.1 (#846)
• 110d441 Update README.md (#871)
• bee50fe Bump undici from 5.28.4 to 5.28.5 (#842)
• 6463cdb Bump eslint-plugin-jest from 28.9.0 to 28.11.0 (#839)
• c209686 Bump typescript from 5.7.2 to 5.7.3 (#835)
• 5184940 Bump @​vercel/ncc from 0.38.1 to 0.38.3 (#830)
• 3629d55 Document update - permission section (#840)
• d24f7f3 Bump ts-jest from 29.1.2 to 29.2.5 (#831)
• Additional commits viewable in compare view

Updates mikepenz/release-changelog-builder-action from 5.3.0 to 5.4.1

Release notes

Sourced from mikepenz/release-changelog-builder-action's releases.

v5.4.1

💬 Other

• Improve CI test run report
  • PR: #1463

📦 Dependencies

• Upgrade dependencies
  • PR: #1462

Contributors:

• @​mikepenz

v5.4.0

🚀 Features

• Add new offlineMode
  • PR: #1460

Contributors:

• @​mikepenz

v5.3.1

🚀 Features

• Upgrade action dependencies
  • PR: #1454

🐛 Fixes

• Fix documentation for gitea
  • PR: #1453

Contributors:

• @​mikepenz

Commits

• c9dc836 Merge pull request #1465 from mikepenz/develop
• 825abd1 Merge pull request #1463 from mikepenz/ci/impr
• 59e4e52 Merge pull request #1462 from mikepenz/feature/dependency_upgrades
• e1c7bbf - combined run for tests to get a full report
• 981311d - upgrade dependencies globals, and ton of dev dependencies
• e97a713 Merge pull request #1461 from mikepenz/develop
• af5898d Merge pull request #1460 from mikepenz/feature/1459
• 6c979ed - also test the offline variant
• 8357bc6 - make sure we reset env prior to the next test
• 0f359e3 - apply codeQL rule
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.2.2 to 2.3.3

Release notes

Sourced from softprops/action-gh-release's releases.

v2.3.3

What's Changed

Exciting New Features 🎉

• feat: add input option overwrite_files by @​asfernandes in softprops/action-gh-release#343

Other Changes 🔄

• dependency updates

New Contributors

• @​asfernandes made their first contribution in softprops/action-gh-release#343

Full Changelog: softprops/action-gh-release@v2...v2.3.3

v2.3.2

• fix: revert fs readableWebStream change

v2.3.1

What's Changed

Bug fixes 🐛

• fix: fix file closing issue by @​WailGree in softprops/action-gh-release#629

New Contributors

• @​WailGree made their first contribution in softprops/action-gh-release#629

Full Changelog: softprops/action-gh-release@v2.3.0...v2.3.1

v2.3.0

• Migrate from jest to vitest
• Replace mime with mime-types
• Bump to use node 24
• Dependency updates

Full Changelog: softprops/action-gh-release@v2.2.2...v2.3.0

Changelog

Sourced from softprops/action-gh-release's changelog.

2.3.3

What's Changed

Exciting New Features 🎉

• feat: add input option overwrite_files by @​asfernandes in softprops/action-gh-release#343

Other Changes 🔄

• dependency updates

2.3.2

• fix: revert fs readableWebStream change

2.3.1

Bug fixes 🐛

• fix: fix file closing issue by @​WailGree in softprops/action-gh-release#629

2.3.0

• Migrate from jest to vitest
• Replace mime with mime-types
• Bump to use node 24
• Dependency updates

2.2.2

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in softprops/action-gh-release#316

Other Changes 🔄

• chore: simplify ref_type test by @​steinybot in softprops/action-gh-release#598
• fix(docs): clarify the default for tag_name by @​muzimuzhi in softprops/action-gh-release#599
• test(release): add unit tests when searching for a release by @​rwaskiewicz in softprops/action-gh-release#603
• dependency updates

2.2.1

What's Changed

Bug fixes 🐛

... (truncated)

Commits

• 6cbd405 release 2.3.3
• fbadcc9 update to use actions/checkout@v5
• 4a84006 chore(deps): bump @​types/node from 20.19.10 to 20.19.11 in the npm group (#648)
• 7191749 chore(deps): bump actions/checkout in the github-actions group (#649)
• 126b1e7 chore(deps): bump @​types/node from 20.19.9 to 20.19.10 in the npm group (#647)
• f82d31e chore(deps): bump the npm group with 3 updates (#643)
• f2352b9 chore(deps): bump @​types/node from 20.19.2 to 20.19.7 in the npm group (#640)
• f0b3259 chore(deps): bump the npm group across 1 directory with 4 updates (#638)
• f37a2f9 chore(deps): bump the npm group with 2 updates (#635)
• db56014 chore(deps): bump brace-expansion from 2.0.1 to 2.0.2 (#634)
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.1 to 2.4.2

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

Commits

• 05b42c6 🌱 bump docker to ghcr v2.4.2 (#1548)
• b225da6 Bump github.com/ossf/scorecard/v5 from v5.2.0 to v5.2.1 (#1550)
• 9399f6f 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• e1daa8c 🌱 Bump the github-actions group across 1 directory with 5 updates (#...
• 9fe6511 🌱 Bump golang.org/x/net from 0.39.0 to 0.40.0 (#1542)
• 25b9cd9 🌱 Bump github.com/ossf/scorecard/v5 from v5.1.1 to v5.2.0 (#1547)
• 18cc9b8 🌱 Bump golang.org/x/net from 0.38.0 to 0.39.0 (#1536)
• db78142 🌱 Bump the github-actions group with 2 updates (#1538)
• de386ed 🌱 Bump golang from 1.24.1 to 1.24.2 in the docker-images group (#1534)
• 5b7cedb 🌱 Bump github.com/sigstore/cosign/v2 from 2.4.3 to 2.5.0 (#1537)
• Additional commits viewable in compare view

Updates github/codeql-action from 3.28.16 to 3.30.1

Release notes

Sourced from github/codeql-action's releases.

v3.30.1

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.1 - 05 Sep 2025

• Update default CodeQL bundle version to 2.23.0. #3077

See the full CHANGELOG.md for more information.

v3.30.0

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.0 - 01 Sep 2025

• Reduce the size of the CodeQL Action, speeding up workflows by approximately 4 seconds. #3054

See the full CHANGELOG.md for more information.

v3.29.11

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.11 - 21 Aug 2025

• Update default CodeQL bundle version to 2.22.4. #3044

See the full CHANGELOG.md for more information.

v3.29.10

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.29.10 - 18 Aug 2025

No user facing changes.

See the full ...

Description has been truncated

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

💰 Infracost report

Monthly estimate generated

_{This comment will be updated when code changes.}

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/dependency-review-action	595b5aeba73380359d98a5e087f648dbb0edce1b	🟢 7.9	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 9 security policy file detected Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 2 dependency not pinned by hash detected -- score normalized to 2 Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 9 1 existing vulnerabilities detected
actions/step-security/harden-runner	ec9f2d5744a09debf3a187a3f4f675c53b671911	🟢 8.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/reviewdog/action-actionlint	95395aac8c053577d0bc67eb7b74936c660c6f66	🟢 4.9	Details Check Score Reason Maintained 🟢 10 14 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 1 Found 1/6 approved changesets -- score normalized to 1 Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/reviewdog/action-tflint	54a5e5aed57dcfbb4662ec548de876df33d6288d	🟢 5.2	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 8 Found 13/16 approved changesets -- score normalized to 8 Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/reviewdog/action-trivy	a1e6d7dd5520369c076d7ce639a16442938535d8	🟢 3.3	Details Check Score Reason Maintained ⚠️ 0 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 Code-Review ⚠️ 0 Found 0/3 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Signed-Releases ⚠️ -1 no releases found Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 3 7 existing vulnerabilities detected
actions/step-security/harden-runner	ec9f2d5744a09debf3a187a3f4f675c53b671911	🟢 8.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/labeler	634933edcd8ababfe52f92936142cc22ac488b1b	🟢 5.3	Details Check Score Reason Maintained 🟢 3 3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 6 SAST tool is not run on all commits -- score normalized to 6 Vulnerabilities 🟢 6 4 existing vulnerabilities detected
actions/step-security/harden-runner	ec9f2d5744a09debf3a187a3f4f675c53b671911	🟢 8.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/mikepenz/release-changelog-builder-action	c9dc8369bccbc41e0ac887f8fd674f5925d315f7	🟢 6.3	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/4 approved changesets -- score normalized to 0 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/softprops/action-gh-release	6cbd405e2c4e67a21c47fa9e383d020e4e28b836	🟢 5.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 2 Found 4/16 approved changesets -- score normalized to 2 Maintained 🟢 10 22 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 10 all dependencies are pinned Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/step-security/harden-runner	ec9f2d5744a09debf3a187a3f4f675c53b671911	🟢 8.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif	f1f6e5f6af878fb37288ce1c627459e94dbf7d01	Unknown	Unknown
actions/ossf/scorecard-action	05b42c624433fc40578a4040d5cf5e36ddca8cde	🟢 9.1	Details Check Score Reason Dependency-Update-Tool 🟢 10 update tool detected Security-Policy 🟢 10 security policy file detected Maintained 🟢 10 17 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 License 🟢 10 license file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected SAST 🟢 10 SAST tool is run on all commits Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 16 contributing companies or organizations
actions/step-security/harden-runner	ec9f2d5744a09debf3a187a3f4f675c53b671911	🟢 8.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/actions/checkout	08c6903cd8c0fde910a37f88322edcfb5dd907a8	🟢 6.8	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Maintained 🟢 5 7 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ -1 internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/setup-go	44694675825211faa026b3c33043df3e48a5fa00	🟢 6.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 6 8 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 6 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9 Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/actions/setup-node	a0853c24544627f65ddf259abe73b1d18a591444	🟢 5.7	Details Check Score Reason Maintained 🟢 4 5 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 4 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 9 binaries present in source code CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 1 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9 Vulnerabilities 🟢 8 2 existing vulnerabilities detected
actions/aws-actions/configure-aws-credentials	a03048d87541d1d9fcf2ecf528a4a65ba9bd7838	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 6 Found 12/19 approved changesets -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected SAST 🟢 10 SAST tool is run on all commits Vulnerabilities 🟢 10 0 existing vulnerabilities detected
actions/step-security/harden-runner	ec9f2d5744a09debf3a187a3f4f675c53b671911	🟢 8.5	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 7 out of 7 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 6 project has 2 contributing companies or organizations -- score normalized to 6 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 13 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 SAST 🟢 9 SAST tool detected but not run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Vulnerabilities 🟢 8 2 existing vulnerabilities detected

Scanned Files

• .github/workflows/dependency-review.yml
• .github/workflows/infracost.yml
• .github/workflows/lint.yml
• .github/workflows/pr-label.yml
• .github/workflows/release.yml
• .github/workflows/scorecard.yml
• .github/workflows/test.yml

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot rebase.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.