deps: bump the production-dependencies group with 8 updates

[dependabot]

Bumps the production-dependencies group with 8 updates:

Package	From	To
actions/checkout	3	4
docker/setup-buildx-action	3.7.1	3.10.0
docker/login-action	3.3.0	3.4.0
docker/metadata-action	5.5.1	5.7.0
docker/build-push-action	6.9.0	6.15.0
sigstore/cosign-installer	3.7.0	3.8.1
anchore/scan-action	5.2.1	6.1.0
advanced-security/reusable-workflows	0.2.0	0.3.0

Updates actions/checkout from 3 to 4

Release notes

Sourced from actions/checkout's releases.

v4.0.0

What's Changed

• Update default runtime to node20 by @​takost in actions/checkout#1436
• Support fetching without the --progress option by @​simonbaird in actions/checkout#1067
• Release 4.0.0 by @​takost in actions/checkout#1447

New Contributors

• @​takost made their first contribution in actions/checkout#1436
• @​simonbaird made their first contribution in actions/checkout#1067

Full Changelog: actions/checkout@v3...v4.0.0

v3.6.0

What's Changed

• Mark test scripts with Bash'isms to be run via Bash by @​dscho in actions/checkout#1377
• Add option to fetch tags even if fetch-depth > 0 by @​RobertWieczoreck in actions/checkout#579
• Release 3.6.0 by @​luketomlinson in actions/checkout#1437

New Contributors

• @​RobertWieczoreck made their first contribution in actions/checkout#579
• @​luketomlinson made their first contribution in actions/checkout#1437

Full Changelog: actions/checkout@v3.5.3...v3.6.0

v3.5.3

What's Changed

• Fix: Checkout Issue in self hosted runner due to faulty submodule check-ins by @​megamanics in actions/checkout#1196
• Fix typos found by codespell by @​DimitriPapadopoulos in actions/checkout#1287
• Add support for sparse checkouts by @​dscho and @​dfdez in actions/checkout#1369
• Release v3.5.3 by @​TingluoHuang in actions/checkout#1376

New Contributors

• @​megamanics made their first contribution in actions/checkout#1196
• @​DimitriPapadopoulos made their first contribution in actions/checkout#1287
• @​dfdez made their first contribution in actions/checkout#1369

Full Changelog: actions/checkout@v3...v3.5.3

v3.5.2

What's Changed

• Fix: Use correct API url / endpoint in GHES by @​fhammerl in actions/checkout#1289 based on #1286 by @​1newsr

Full Changelog: actions/checkout@v3.5.1...v3.5.2

v3.5.1

What's Changed

• Improve checkout performance on Windows runners by upgrading @​actions/github dependency by @​BrettDong in actions/checkout#1246

New Contributors

• @​BrettDong made their first contribution in actions/checkout#1246

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

• Check git version before attempting to disable sparse-checkout by @​jww3 in actions/checkout#1656
• Add SSH user parameter by @​cory-miller in actions/checkout#1685
• Update actions/checkout version in update-main-version.yml by @​jww3 in actions/checkout#1650

v4.1.2

• Fix: Disable sparse checkout whenever sparse-checkout option is not present @​dscho in actions/checkout#1598

v4.1.1

• Correct link to GitHub Docs by @​peterbe in actions/checkout#1511
• Link to release page from what's new section by @​cory-miller in actions/checkout#1514

v4.1.0

• Add support for partial checkout filters

... (truncated)

Commits

• 11bd719 Prepare 4.2.2 Release (#1953)
• e3d2460 Expand unit test coverage (#1946)
• 163217d url-helper.ts now leverages well-known environment variables. (#1941)
• eef6144 Prepare 4.2.1 release (#1925)
• 6b42224 Add workflow file for publishing releases to immutable action package (#1919)
• de5a000 Check out other refs/* by commit if provided, fall back to ref (#1924)
• d632683 Prepare 4.2.0 release (#1878)
• 6d193bf Bump braces from 3.0.2 to 3.0.3 (#1777)
• db0cee9 Bump the minor-npm-dependencies group across 1 directory with 4 updates (#1872)
• b684943 Add Ref and Commit outputs (#1180)
• Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3.7.1 to 3.10.0

Release notes

Sourced from docker/setup-buildx-action's releases.

v3.10.0

• Bump @​docker/actions-toolkit from 0.54.0 to 0.56.0 in docker/setup-buildx-action#408

Full Changelog: docker/setup-buildx-action@v3.9.0...v3.10.0

v3.9.0

• Bump @​docker/actions-toolkit from 0.48.0 to 0.54.0 in docker/setup-buildx-action#402 docker/setup-buildx-action#404

Full Changelog: docker/setup-buildx-action@v3.8.0...v3.9.0

v3.8.0

• Make cloud prefix optional to download buildx if driver is cloud by @​crazy-max in docker/setup-buildx-action#390
• Bump @​actions/core from 1.10.1 to 1.11.1 in docker/setup-buildx-action#370
• Bump @​docker/actions-toolkit from 0.39.0 to 0.48.0 in docker/setup-buildx-action#389
• Bump cross-spawn from 7.0.3 to 7.0.6 in docker/setup-buildx-action#382

Full Changelog: docker/setup-buildx-action@v3.7.1...v3.8.0

Commits

• b5ca514 Merge pull request #408 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 1418a4e chore: update generated content
• 93acf83 build(deps): bump @​docker/actions-toolkit from 0.54.0 to 0.56.0
• f7ce87c Merge pull request #404 from docker/dependabot/npm_and_yarn/docker/actions-to...
• aa1e2a0 chore: update generated content
• 673e008 build(deps): bump @​docker/actions-toolkit from 0.53.0 to 0.54.0
• ba31df4 Merge pull request #402 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 5475af1 chore: update generated content
• acacad9 build(deps): bump @​docker/actions-toolkit from 0.48.0 to 0.53.0
• 6a25f98 Merge pull request #396 from crazy-max/bake-v6
• Additional commits viewable in compare view

Updates docker/login-action from 3.3.0 to 3.4.0

Release notes

Sourced from docker/login-action's releases.

v3.4.0

• Bump @​actions/core from 1.10.1 to 1.11.1 in docker/login-action#791
• Bump @​aws-sdk/client-ecr to 3.766.0 in docker/login-action#789 docker/login-action#856
• Bump @​aws-sdk/client-ecr-public to 3.758.0 in docker/login-action#789 docker/login-action#856
• Bump @​docker/actions-toolkit from 0.35.0 to 0.57.0 in docker/login-action#801 docker/login-action#806 docker/login-action#858
• Bump cross-spawn from 7.0.3 to 7.0.6 in docker/login-action#814
• Bump https-proxy-agent from 7.0.5 to 7.0.6 in docker/login-action#823
• Bump path-to-regexp from 6.2.2 to 6.3.0 in docker/login-action#777

Full Changelog: docker/login-action@v3.3.0...v3.4.0

Commits

• 74a5d14 Merge pull request #856 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• 2f4f00e chore: update generated content
• 67c1845 build(deps): bump the aws-sdk-dependencies group across 1 directory with 2 up...
• 3d4cc89 Merge pull request #844 from graysonpike/master
• 6cc823a Merge pull request #823 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
• d94e792 chore: update generated content
• 033db0d Merge pull request #812 from docker/dependabot/github_actions/codecov/codecov...
• 09c2ae9 build(deps): bump https-proxy-agent
• ba56f00 ci: update deprecated input for codecov-action
• 75bf9a7 Merge pull request #858 from docker/dependabot/npm_and_yarn/docker/actions-to...
• Additional commits viewable in compare view

Updates docker/metadata-action from 5.5.1 to 5.7.0

Release notes

Sourced from docker/metadata-action's releases.

v5.7.0

• Global expressions support for labels and annotations by @​crazy-max in docker/metadata-action#489
• Support disabling outputs as environment variables by @​omus in docker/metadata-action#497
• Bump @​docker/actions-toolkit from 0.44.0 to 0.56.0 in docker/metadata-action#507 docker/metadata-action#509
• Bump csv-parse from 5.5.6 to 5.6.0 in docker/metadata-action#482
• Bump moment-timezone from 0.5.46 to 0.5.47 in docker/metadata-action#501
• Bump semver from 7.6.3 to 7.7.1 in docker/metadata-action#504

Full Changelog: docker/metadata-action@v5.6.1...v5.7.0

v5.6.1

• Fix GitHub API request fallback for commit date by @​crazy-max in docker/metadata-action#478
• Revert to default commit SHA length of 7 by @​crazy-max in docker/metadata-action#480

Full Changelog: docker/metadata-action@v5.6.0...v5.6.1

v5.6.0

• Add commit_date global expression by @​trim21 in docker/metadata-action#471 docker/metadata-action#475
• Increase short commit sha length to 12 for uniqueness by @​crazy-max in docker/metadata-action#467
• Bump @​actions/core from 1.10.1 to 1.11.1 docker/metadata-action#460
• Bump @​docker/actions-toolkit from 0.16.1 to 0.44.0 docker/metadata-action#391 docker/metadata-action#399 docker/metadata-action#413 docker/metadata-action#441
• Bump braces from 3.0.2 to 3.0.3 docker/metadata-action#424
• Bump cross-spawn from 7.0.3 to 7.0.5 docker/metadata-action#474
• Bump csv-parse from 5.5.5 to 5.5.6 docker/metadata-action#412
• Bump moment-timezone from 0.5.44 to 0.5.46 docker/metadata-action#383 docker/metadata-action#470 docker/metadata-action#459
• Bump path-to-regexp from 6.2.2 to 6.3.0 docker/metadata-action#454
• Bump semver from 7.6.0 to 7.6.3 docker/metadata-action#400 docker/metadata-action#411 docker/metadata-action#440
• Bump undici from 5.26.3 to 5.28.4 docker/metadata-action#386 docker/metadata-action#402

Full Changelog: docker/metadata-action@v5.5.1...v5.6.0

Commits

• 902fa8e Merge pull request #504 from docker/dependabot/npm_and_yarn/semver-7.7.1
• c30b9c2 chore: update generated content
• 0698804 chore(deps): Bump semver from 7.6.3 to 7.7.1
• bb3eeca Merge pull request #501 from docker/dependabot/npm_and_yarn/moment-timezone-0...
• 94a839c chore: update generated content
• ecd51a0 Merge pull request #509 from docker/dependabot/npm_and_yarn/docker/actions-to...
• a85b1db chore(deps): Bump @​docker/actions-toolkit from 0.55.0 to 0.56.0
• 5a76a0e chore(deps): Bump moment-timezone from 0.5.46 to 0.5.47
• 1cc4a98 Merge pull request #482 from docker/dependabot/npm_and_yarn/csv-parse-5.6.0
• d84de1e chore: update generated content
• Additional commits viewable in compare view

Updates docker/build-push-action from 6.9.0 to 6.15.0

Release notes

Sourced from docker/build-push-action's releases.

v6.15.0

• Bump @​docker/actions-toolkit from 0.55.0 to 0.56.0 in docker/build-push-action#1330

Full Changelog: docker/build-push-action@v6.14.0...v6.15.0

v6.14.0

• Bump @​docker/actions-toolkit from 0.53.0 to 0.55.0 in docker/build-push-action#1324

Full Changelog: docker/build-push-action@v6.13.0...v6.14.0

v6.13.0

• Bump @​docker/actions-toolkit from 0.51.0 to 0.53.0 in docker/build-push-action#1308

Full Changelog: docker/build-push-action@v6.12.0...v6.13.0

v6.12.0

• Bump @​docker/actions-toolkit from 0.49.0 to 0.51.0 in docker/build-push-action#1300

Full Changelog: docker/build-push-action@v6.11.0...v6.12.0

v6.11.0

• Handlebar defaultContext support for build-contexts input by @​crazy-max in docker/build-push-action#1283
• Bump @​docker/actions-toolkit from 0.46.0 to 0.49.0 in docker/build-push-action#1281

Full Changelog: docker/build-push-action@v6.10.0...v6.11.0

v6.10.0

• Add call input to set method for evaluating build by @​crazy-max in docker/build-push-action#1265
• Bump @​actions/core from 1.10.1 to 1.11.1 in docker/build-push-action#1238
• Bump @​docker/actions-toolkit from 0.39.0 to 0.46.0 in docker/build-push-action#1268
• Bump cross-spawn from 7.0.3 to 7.0.6 in docker/build-push-action#1261

Full Changelog: docker/build-push-action@v6.9.0...v6.10.0

Commits

• 471d1dc Merge pull request #1330 from docker/dependabot/npm_and_yarn/docker/actions-t...
• b89ff0a chore: update generated content
• 1e3ae3a chore(deps): Bump @​docker/actions-toolkit from 0.55.0 to 0.56.0
• b16f42f Merge pull request #1325 from crazy-max/buildx-edge
• dc0fea5 ci: update buildx to edge and buildkit to latest
• 0adf995 Merge pull request #1324 from docker/dependabot/npm_and_yarn/docker/actions-t...
• d88cd28 chore: update generated content
• 3d09a6b chore(deps): Bump @​docker/actions-toolkit from 0.53.0 to 0.55.0
• ca877d9 Merge pull request #1308 from docker/dependabot/npm_and_yarn/docker/actions-t...
• d2fe919 chore: update generated content
• Additional commits viewable in compare view

Updates sigstore/cosign-installer from 3.7.0 to 3.8.1

Release notes

Sourced from sigstore/cosign-installer's releases.

v3.8.1

What's Changed

• use cosign 2.4.3 and other updates by @​cpanato in sigstore/cosign-installer#182

Full Changelog: sigstore/cosign-installer@v3...v3.8.1

v3.8.0

What's Changed

• test action against all non-rc releases, verify entry in rekor log by @​bobcallaway in sigstore/cosign-installer#179
• bump for cosign v2.4.2 release by @​bobcallaway in sigstore/cosign-installer#181

Full Changelog: sigstore/cosign-installer@v3...v3.8.0

Commits

• d7d6bc7 use cosign 2.4.3 and other updates (#182)
• c56c2d3 Bump actions/setup-go from 5.2.0 to 5.3.0 (#180)
• 02e36b8 bump for cosign v2.4.2 release (#181)
• 789d288 test action against all non-rc releases, verify entry in rekor log (#179)
• e11c089 Bump actions/setup-go from 5.1.0 to 5.2.0 (#178)
• 718228a Bump actions/setup-go from 5.0.2 to 5.1.0 (#176)
• 325063e Bump actions/checkout from 4.2.1 to 4.2.2 (#177)
• b929758 Bump actions/checkout from 4.2.0 to 4.2.1 (#175)
• See full diff in compare view

Updates anchore/scan-action from 5.2.1 to 6.1.0

Release notes

Sourced from anchore/scan-action's releases.

v6.1.0

New in scan-action v6.1.0

• Feature (deps): update Grype to v0.87.0 (#430)
  • See Grype changes for new updates

v6.0.0

New in scan-action v6.0.0

Breaking Change

• feat: add output-file option, default to random directory output in temp (#346) [kzantow]

The action no longer generates files in your working directory by default, instead you should use the action outputs: ${{ steps.<id>.outputs.sarif }} where the <id> needs to match the id you configured to reference the scan-action, e.g.:

      - uses: anchore/scan-action@v6
        id: scan
        ...
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}

Other Changes

• chore(deps): update Grype to v0.86.1 (#416) [anchore-actions-token-generator]
• feat: add support for cyclonedx and cyclonedx-json output-formats (#396) [ps-e]
• chore(deps): bump @​actions/cache from 3.3.0 to 4.0.0 (#412) [dependabot]
• chore(deps): update Grype to v0.86.0 (#413) [anchore-actions-token-generator]

v5.3.0

New in scan-action v5.3.0

• chore(deps): update Grype to v0.85.0 (#408) [anchore-actions-token-generator]
• chore(deps-dev): bump @​vercel/ncc from 0.38.2 to 0.38.3 (#406) [dependabot]
• chore(deps-dev): bump eslint from 9.14.0 to 9.15.0 (#405) [dependabot]
• chore(deps-dev): bump husky from 9.1.6 to 9.1.7 (#407) [dependabot]

Commits

• 7c05671 chore(deps): bump undici from 5.28.4 to 5.28.5 (#429)
• 0a0c9f0 chore(deps): bump @​actions/tool-cache from 2.0.1 to 2.0.2 (#425)
• 1133611 chore(deps-dev): bump lint-staged from 15.3.0 to 15.4.1 (#426)
• 3830b3c chore(deps): update Grype to v0.87.0 (#430)
• 3081c32 chore(deps): bump release-drafter/release-drafter from 6.0.0 to 6.1.0 (#428)
• 54c4de5 chore(deps-dev): bump eslint from 9.17.0 to 9.18.0 (#423)
• 46a02d8 chore(deps): bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 (#419)
• 6eaf06d docs: update docs to v6 remove stale changelog (#422)
• 27d81ab chore(deps-dev): bump eslint from 9.16.0 to 9.17.0 (#417)
• abae793 chore(deps): update Grype to v0.86.1 (#416)
• Additional commits viewable in compare view

Updates advanced-security/reusable-workflows from 0.2.0 to 0.3.0

Release notes

Sourced from advanced-security/reusable-workflows's releases.

v0.3.0

What's Changed

• feat(ci): Improve Python concurrency + Python 3.13 by @​GeekMasher in advanced-security/reusable-workflows#38
• Add initial QL for QL support by @​GeekMasher in advanced-security/reusable-workflows#39

Full Changelog: v0.2.0...v0.3.0

Commits

• bc5a760 Merge pull request #39 from advanced-security/ql-for-ql
• d1c7f2f feat: Update CodeQL binary detection logic in workflow
• 556b438 fix: Update slash typo and sarif output
• d20d00b fix: Update output
• e290c96 feat: Add initial QL for QL support
• ed19480 Merge pull request #38 from advanced-security/GeekMasher-patch-1
• c7f1ccf feat(ci): Improve Python concurrency
• d570c86 feat: add Python 3.13 to test versions
• db44710 fix: remove load
• 23e178b fix: missing step id
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.5	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 4 Found 3/7 approved changesets -- score normalized to 4 Maintained 🟢 10 24 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/login-action	74a5d142397b4f367a81961eba4e8cd7edddf772	🟢 6.3	Details Check Score Reason Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 8 SAST tool detected but not run on all commits Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.6	Details Check Score Reason Code-Review 🟢 6 Found 3/5 approved changesets -- score normalized to 6 Maintained 🟢 10 15 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 3 7 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/sigstore/cosign-installer	d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a	🟢 7.7	Details Check Score Reason Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/anchore/scan-action	7c05671ae9be166aeb155bad2d7df9121823df32	🟢 6.4	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.5	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 4 Found 3/7 approved changesets -- score normalized to 4 Maintained 🟢 10 24 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.6	Details Check Score Reason Code-Review 🟢 6 Found 3/5 approved changesets -- score normalized to 6 Maintained 🟢 10 15 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 3 7 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/advanced-security/reusable-workflows/.github/workflows/release.yml	0.3.0	Unknown	Unknown
actions/advanced-security/reusable-workflows/.github/workflows/python-linting.yml	0.3.0	Unknown	Unknown
actions/advanced-security/reusable-workflows/.github/workflows/python-release.yml	0.3.0	Unknown	Unknown
actions/advanced-security/reusable-workflows/.github/workflows/python-testing.yml	0.3.0	Unknown	Unknown
actions/advanced-security/reusable-workflows/.github/workflows/python-vendor.yml	0.3.0	Unknown	Unknown
actions/actions/checkout	4.*.*	🟢 5.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 9 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/advanced-security/reusable-workflows/.github/workflows/dependency-review.yml	0.3.0	Unknown	Unknown

Scanned Files

• .github/workflows/container-publish.yml
• .github/workflows/container-security.yml
• .github/workflows/python-release.yml
• .github/workflows/python.yml
• .github/workflows/release.yml
• .github/workflows/self-dependency-review.yml

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.5	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 4 Found 3/7 approved changesets -- score normalized to 4 Maintained 🟢 10 24 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/login-action	74a5d142397b4f367a81961eba4e8cd7edddf772	🟢 6.3	Details Check Score Reason Maintained 🟢 10 16 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Security-Policy 🟢 9 security policy file detected Code-Review 🟢 10 all changesets reviewed Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 8 SAST tool detected but not run on all commits Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.6	Details Check Score Reason Code-Review 🟢 6 Found 3/5 approved changesets -- score normalized to 6 Maintained 🟢 10 15 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 3 7 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/sigstore/cosign-installer	d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a	🟢 7.7	Details Check Score Reason Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Token-Permissions 🟢 9 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies 🟢 10 all dependencies are pinned Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed Vulnerabilities 🟢 10 0 existing vulnerabilities detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/anchore/scan-action	7c05671ae9be166aeb155bad2d7df9121823df32	🟢 6.4	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 16 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 9 binaries present in source code Code-Review 🟢 10 all changesets reviewed Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 7 dependency not pinned by hash detected -- score normalized to 7 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Packaging 🟢 10 packaging workflow detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.5	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 4 Found 3/7 approved changesets -- score normalized to 4 Maintained 🟢 10 24 commit(s) and 12 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.6	Details Check Score Reason Code-Review 🟢 6 Found 3/5 approved changesets -- score normalized to 6 Maintained 🟢 10 15 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 3 7 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/advanced-security/reusable-workflows/.github/workflows/release.yml	0.3.0	Unknown	Unknown
actions/advanced-security/reusable-workflows/.github/workflows/python-linting.yml	0.3.0	Unknown	Unknown
actions/advanced-security/reusable-workflows/.github/workflows/python-release.yml	0.3.0	Unknown	Unknown
actions/advanced-security/reusable-workflows/.github/workflows/python-testing.yml	0.3.0	Unknown	Unknown
actions/advanced-security/reusable-workflows/.github/workflows/python-vendor.yml	0.3.0	Unknown	Unknown
actions/actions/checkout	4.*.*	🟢 5.8	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed Maintained ⚠️ 1 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 9 security policy file detected Packaging 🟢 10 packaging workflow detected SAST 🟢 9 SAST tool detected but not run on all commits Vulnerabilities ⚠️ 2 8 existing vulnerabilities detected
actions/advanced-security/reusable-workflows/.github/workflows/dependency-review.yml	0.3.0	Unknown	Unknown

Scanned Files

• .github/workflows/container-publish.yml
• .github/workflows/container-security.yml
• .github/workflows/python-release.yml
• .github/workflows/python.yml
• .github/workflows/release.yml
• .github/workflows/self-dependency-review.yml