deps: bump the production-dependencies group across 1 directory with 17 updates

[dependabot]

Bumps the production-dependencies group with 17 updates in the / directory:

Package	From	To
actions/checkout	4	6
github/codeql-action	3	4
actions/github-script	7	8
dtolnay/rust-toolchain	56f84321dbccf38fb67ce29ab63e4754056677e0	0b1efabc08b657293548b77fb76cc02d26091c7e
actions/cache	4	5
docker/setup-buildx-action	3.10.0	3.11.1
docker/login-action	3.4.0	3.6.0
docker/metadata-action	5.7.0	5.10.0
docker/build-push-action	6.15.0	6.18.0
actions/attest-build-provenance	2.2.3	3.0.0
anchore/scan-action	6.1.0	7.2.2
actions/upload-artifact	4	6
actions/labeler	5	6
actions/setup-python	5	6
peter-evans/create-pull-request	7.0.8	8.0.0
42ByteLabs/patch-release-me	0.5.3	0.6.4
Andrew-Chen-Wang/github-wiki-action	4.4.0	5.0.3

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695

... (truncated)

Commits

• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• See full diff in compare view

Updates github/codeql-action from 3 to 4

Release notes

Sourced from github/codeql-action's releases.

v3.31.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.8 - 11 Dec 2025

• Update default CodeQL bundle version to 2.23.8. #3354

See the full CHANGELOG.md for more information.

v3.31.7

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.7 - 05 Dec 2025

• Update default CodeQL bundle version to 2.23.7. #3343

See the full CHANGELOG.md for more information.

v3.31.6

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.6 - 01 Dec 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.5

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #3321

See the full CHANGELOG.md for more information.

v3.31.4

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.4 - 18 Nov 2025

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

4.31.5 - 24 Nov 2025

• Update default CodeQL bundle version to 2.23.6. #3321

4.31.4 - 18 Nov 2025

No user facing changes.

Commits

• c4efbda Overlay: Check database metadata for overlayBaseSpecifier
• dd89143 CodeQL: Add resolveDatabase method
• 78357d3 Merge pull request #3341 from github/mbg/ci/update-cs-config-cli-tests
• d61a6fa Update CLI config test to account for overlay db changes on PRs
• ce27e95 Rebuild
• 43224eb Bump @​eslint/eslintrc from 3.3.1 to 3.3.3 in the npm-minor group
• f0ac9bf Merge pull request #3337 from github/mergeback/v4.31.6-to-main-fe4161a2
• c1ca379 Rebuild
• c3455c5 Update changelog and version after v4.31.6
• fe4161a Merge pull request #3336 from github/update-v4.31.6-ecec1f887
• Additional commits viewable in compare view

Updates actions/github-script from 7 to 8

Release notes

Sourced from actions/github-script's releases.

v8.0.0

What's Changed

• Update Node.js version support to 24.x by @​salmanmkc in actions/github-script#637
• README for updating actions/github-script from v7 to v8 by @​sneha-krip in actions/github-script#653

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

New Contributors

• @​salmanmkc made their first contribution in actions/github-script#637
• @​sneha-krip made their first contribution in actions/github-script#653

Full Changelog: actions/github-script@v7.1.0...v8.0.0

v7.1.0

What's Changed

• Upgrade husky to v9 by @​benelan in actions/github-script#482
• Add workflow file for publishing releases to immutable action package by @​Jcambass in actions/github-script#485
• Upgrade IA Publish by @​Jcambass in actions/github-script#486
• Fix workflow status badges by @​joshmgross in actions/github-script#497
• Update usage of actions/upload-artifact by @​joshmgross in actions/github-script#512
• Clear up package name confusion by @​joshmgross in actions/github-script#514
• Update dependencies with npm audit fix by @​joshmgross in actions/github-script#515
• Specify that the used script is JavaScript by @​timotk in actions/github-script#478
• chore: Add Dependabot for NPM and Actions by @​nschonni in actions/github-script#472
• Define permissions in workflows and update actions by @​joshmgross in actions/github-script#531
• chore: Add Dependabot for .github/actions/install-dependencies by @​nschonni in actions/github-script#532
• chore: Remove .vscode settings by @​nschonni in actions/github-script#533
• ci: Use github/setup-licensed by @​nschonni in actions/github-script#473
• make octokit instance available as octokit on top of github, to make it easier to seamlessly copy examples from GitHub rest api or octokit documentations by @​iamstarkov in actions/github-script#508
• Remove octokit README updates for v7 by @​joshmgross in actions/github-script#557
• docs: add "exec" usage examples by @​neilime in actions/github-script#546
• Bump ruby/setup-ruby from 1.213.0 to 1.222.0 by @​dependabot[bot] in actions/github-script#563
• Bump ruby/setup-ruby from 1.222.0 to 1.229.0 by @​dependabot[bot] in actions/github-script#575
• Clearly document passing inputs to the script by @​joshmgross in actions/github-script#603
• Update README.md by @​nebuk89 in actions/github-script#610

New Contributors

• @​benelan made their first contribution in actions/github-script#482
• @​Jcambass made their first contribution in actions/github-script#485
• @​timotk made their first contribution in actions/github-script#478
• @​iamstarkov made their first contribution in actions/github-script#508
• @​neilime made their first contribution in actions/github-script#546
• @​nebuk89 made their first contribution in actions/github-script#610

Full Changelog: actions/github-script@v7...v7.1.0

... (truncated)

Commits

• ed59741 Merge pull request #653 from actions/sneha-krip/readme-for-v8
• 2dc352e Bold minimum Actions Runner version in README
• 01e118c Update README for Node 24 runtime requirements
• 8b222ac Apply suggestion from @​salmanmkc
• adc0eea README for updating actions/github-script from v7 to v8
• 20fe497 Merge pull request #637 from actions/node24
• e7b7f22 update licenses
• 2c81ba0 Update Node.js version support to 24.x
• See full diff in compare view

Updates dtolnay/rust-toolchain from 56f84321dbccf38fb67ce29ab63e4754056677e0 to 0b1efabc08b657293548b77fb76cc02d26091c7e

Commits

• 0b1efab Update actions/checkout@v5 -> v6
• 0f44b27 Add 1.91.1 patch release
• 6d653ac Merge pull request #171 from dtolnay/up
• 30dc51d Update Linux arm64 runner to Ubuntu 24.04
• e97e2d8 Update actions/checkout@v4 -> v5
• 3bd6ba1 Merge pull request #168 from dtolnay/sed
• 0185c06 Fix update-revs.sh to recognize only the intended required: true
• 350b817 Merge pull request #166 from dtolnay/fix1
• 6ded28b Try without comment?
• cc2784c Merge pull request #165 from dtolnay/fix2
• Additional commits viewable in compare view

Updates actions/cache from 4 to 5

Release notes

Sourced from actions/cache's releases.

v5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

What's Changed

• Upgrade to use node24 by @​salmanmkc in actions/cache#1630
• Prepare v5.0.0 release by @​salmanmkc in actions/cache#1684

Full Changelog: actions/cache@v4.3.0...v5.0.0

v4.3.0

What's Changed

• Add note on runner versions by @​GhadimiR in actions/cache#1642
• Prepare v4.3.0 release by @​Link- in actions/cache#1655

New Contributors

• @​GhadimiR made their first contribution in actions/cache#1642

Full Changelog: actions/cache@v4...v4.3.0

v4.2.4

What's Changed

• Update README.md by @​nebuk89 in actions/cache#1620
• Upgrade @actions/cache to 4.0.5 and move @protobuf-ts/plugin to dev depdencies by @​Link- in actions/cache#1634
• Prepare release 4.2.4 by @​Link- in actions/cache#1636

New Contributors

• @​nebuk89 made their first contribution in actions/cache#1620

Full Changelog: actions/cache@v4...v4.2.4

v4.2.3

What's Changed

• Update to use @​actions/cache 4.0.3 package & prepare for new release by @​salmanmkc in actions/cache#1577 (SAS tokens for cache entries are now masked in debug logs)

New Contributors

• @​salmanmkc made their first contribution in actions/cache#1577

Full Changelog: actions/cache@v4.2.2...v4.2.3

... (truncated)

Changelog

Sourced from actions/cache's changelog.

Releases

Changelog

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/[email protected] #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

4.3.0

• Bump @actions/cache to v4.1.0

4.2.4

• Bump @actions/cache to v4.0.5

4.2.3

• Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

• Bump @actions/cache to v4.0.2

4.2.1

• Bump @actions/cache to v4.0.1

4.2.0

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before February 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

4.1.2

... (truncated)

Commits

• 9255dc7 Merge pull request #1686 from actions/cache-v5.0.1-release
• 8ff5423 chore: release v5.0.1
• 9233019 Merge pull request #1685 from salmanmkc/node24-storage-blob-fix
• b975f2b fix: add peer property to package-lock.json for dependencies
• d0a0e18 fix: update license files for @​actions/cache, fast-xml-parser, and strnum
• 74de208 fix: update @​actions/cache to ^5.0.1 for Node.js 24 punycode fix
• ac7f115 peer
• b0f846b fix: update @​actions/cache with storage-blob fix for Node.js 24 punycode depr...
• a783357 Merge pull request #1684 from actions/prepare-cache-v5-release
• 3bb0d78 docs: highlight v5 runner requirement in releases
• Additional commits viewable in compare view

Updates docker/setup-buildx-action from 3.10.0 to 3.11.1

Release notes

Sourced from docker/setup-buildx-action's releases.

v3.11.1

• Fix keep-state not being respected by @​crazy-max in docker/setup-buildx-action#429

Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1

v3.11.0

• Keep BuildKit state support by @​crazy-max in docker/setup-buildx-action#427
• Remove aliases created when installing by default by @​hashhar in docker/setup-buildx-action#139
• Bump @​docker/actions-toolkit from 0.56.0 to 0.62.1 in docker/setup-buildx-action#422 docker/setup-buildx-action#425

Full Changelog: docker/setup-buildx-action@v3.10.0...v3.11.0

Commits

• e468171 Merge pull request #429 from crazy-max/fix-keep-state
• a3e7502 chore: update generated content
• b145473 fix keep-state not being respected
• 18ce135 Merge pull request #425 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 0e198e9 chore: update generated content
• 05f3f3a build(deps): bump @​docker/actions-toolkit from 0.61.0 to 0.62.1
• 6229134 Merge pull request #427 from crazy-max/keep-state
• c6f6a07 chore: update generated content
• 6c5e29d skip builder creation if one already exists with the same name
• 548b297 ci: keep-state check
• Additional commits viewable in compare view

Updates docker/login-action from 3.4.0 to 3.6.0

Release notes

Sourced from docker/login-action's releases.

v3.6.0

• Add registry-auth input for raw authentication to registries by @​crazy-max in docker/login-action#887
• Bump @​aws-sdk/client-ecr to 3.890.0 in docker/login-action#882 docker/login-action#890
• Bump @​aws-sdk/client-ecr-public to 3.890.0 in docker/login-action#882 docker/login-action#890
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in docker/login-action#883
• Bump brace-expansion from 1.1.11 to 1.1.12 in docker/login-action#880
• Bump undici from 5.28.4 to 5.29.0 in docker/login-action#879
• Bump tmp from 0.2.3 to 0.2.4 in docker/login-action#881

Full Changelog: docker/login-action@v3.5.0...v3.6.0

v3.5.0

• Support dual-stack endpoints for AWS ECR by @​Spacefish @​crazy-max in docker/login-action#874 docker/login-action#876
• Bump @​aws-sdk/client-ecr to 3.859.0 in docker/login-action#860 docker/login-action#878
• Bump @​aws-sdk/client-ecr-public to 3.859.0 in docker/login-action#860 docker/login-action#878
• Bump @​docker/actions-toolkit from 0.57.0 to 0.62.1 in docker/login-action#870
• Bump form-data from 2.5.1 to 2.5.5 in docker/login-action#875

Full Changelog: docker/login-action@v3.4.0...v3.5.0

Commits

• 5e57cd1 Merge pull request #890 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• 97e3143 chore: update generated content
• 3a0796b build(deps): bump the aws-sdk-dependencies group with 2 updates
• 5b7b28b Merge pull request #882 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• abc9fb3 chore: update generated content
• d468688 build(deps): bump the aws-sdk-dependencies group with 2 updates
• a99b2f8 Merge pull request #883 from docker/dependabot/npm_and_yarn/docker/actions-to...
• 0d7fae8 chore: update generated content
• 9832253 build(deps): bump @​docker/actions-toolkit from 0.62.1 to 0.63.0
• 09e05bb Merge pull request #881 from docker/dependabot/npm_and_yarn/tmp-0.2.4
• Additional commits viewable in compare view

Updates docker/metadata-action from 5.7.0 to 5.10.0

Release notes

Sourced from docker/metadata-action's releases.

v5.10.0

• Bump @​docker/actions-toolkit from 0.66.0 to 0.68.0 in docker/metadata-action#559 docker/metadata-action#569
• Bump js-yaml from 3.14.1 to 3.14.2 in docker/metadata-action#564

Full Changelog: docker/metadata-action@v5.9.0...v5.10.0

v5.9.0

• Add tag-names output to return tag names without image base name by @​crazy-max in docker/metadata-action#553
• Bump @​babel/runtime-corejs3 from 7.14.7 to 7.28.2 in docker/metadata-action#539
• Bump @​docker/actions-toolkit from 0.62.1 to 0.66.0 in docker/metadata-action#555
• Bump brace-expansion from 1.1.11 to 1.1.12 in docker/metadata-action#540
• Bump csv-parse from 5.6.0 to 6.1.0 in docker/metadata-action#532
• Bump semver from 7.7.2 to 7.7.3 in in docker/metadata-action#554
• Bump tmp from 0.2.3 to 0.2.5 in docker/metadata-action#541

Full Changelog: docker/metadata-action@v5.8.0...v5.9.0

v5.8.0

• New is_not_default_branch global expression by @​crazy-max in docker/metadata-action#535
• Allow to match part of the git tag or value for semver/pep440 types by @​crazy-max in docker/metadata-action#536 docker/metadata-action#537
• Bump @​actions/github from 6.0.0 to 6.0.1 in docker/metadata-action#523
• Bump @​docker/actions-toolkit from 0.56.0 to 0.62.1 in docker/metadata-action#526
• Bump form-data from 2.5.1 to 2.5.5 in docker/metadata-action#533
• Bump moment-timezone from 0.5.47 to 0.6.0 in docker/metadata-action#525
• Bump semver from 7.7.1 to 7.7.2 in docker/metadata-action#524

Full Changelog: docker/metadata-action@v5.7.0...v5.8.0

Commits

• c299e40 Merge pull request #569 from docker/dependabot/npm_and_yarn/docker/actions-to...
• f015d79 chore: update generated content
• 121bcc2 chore(deps): Bump @​docker/actions-toolkit from 0.67.0 to 0.68.0
• f7b6bf4 Merge pull request #564 from docker/dependabot/npm_and_yarn/js-yaml-3.14.2
• 0b95c6b Merge pull request #565 from docker/dependabot/github_actions/actions/checkout-6
• 17f70d7 Merge pull request #568 from motoki317/docs/fix-to-24h-schedule-pattern
• afd7e6d docs(README): Fix date format from 12h to 24h in schedule pattern
• 602aff8 chore(deps): Bump actions/checkout from 5 to 6
• aecb1a4 chore(deps): Bump js-yaml from 3.14.1 to 3.14.2
• 8d8c7c1 Merge pull request #559 from docker/dependabot/npm_and_yarn/docker/actions-to...
• Additional commits viewable in compare view

Updates docker/build-push-action from 6.15.0 to 6.18.0

Release notes

Sourced from docker/build-push-action's releases.

v6.18.0

• Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1 in docker/build-push-action#1381

[!NOTE] Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

• Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0 by @​crazy-max in docker/build-push-action#1364

[!NOTE] Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

• Handle no default attestations env var by @​crazy-max in docker/build-push-action#1343
• Only print secret keys in build summary output by @​crazy-max in docker/build-push-action#1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in docker/build-push-action#1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

Commits

• 2634353 Merge pull request #1381 from docker/dependabot/npm_and_yarn/docker/actions-t...
• c0432d2 chore: update generated content
• 0bb1f27 set builder driver and endpoint attributes for dbc summary support
• 5f9dbf9 chore(deps): Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1
• 0788c44 Merge pull request #1375 from crazy-max/remove-gcr
• aa179ca e2e: remove GCR
• 1dc7386 Merge pull request #1364 from crazy-max/history-export-cmd
• 9c9803f chore: update generated content
• db1f6c4 DOCKER_BUILD_EXPORT_LEGACY env var to opt-in for legacy export
• 721e8c7 Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0
• Additional commits viewable in compare view

Updates actions/attest-build-provenance from 2.2.3 to 3.0.0

Release notes

Sourced from actions/attest-build-provenance's releases.

v3.0.0

What's Changed

• Adjust node max-http-header-size setting by @​bdehamer in actions/attest-build-provenance#687
• Bump actions/attest from v2.4.0 to v3.0.0 by @​bdehamer in actions/attest-build-provenance#691
  • Bump to node24 runtime
  • Improved checksum parsing
• Bump attest-build-provenance/predicate to v2.0.0 by @​bdehamer in actions/attest-build-provenance#693
  • Bump to node24 runtime by @​bdehamer in actions/attest-build-provenance#692

⚠️ Minimum Compatible Runner Version

v2.327.1 Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/attest-build-provenance@v2.4.0...v3.0.0

v2.4.0

What's Changed

• Bump undici from 5.28.5 to 5.29.0 by @​dependabot in actions/attest-build-provenance#633
• Bump actions/attest from 2.3.0 to 2.4.0 by @​bdehamer in actions/attest-build-provenance#654
  • Includes support for the new well-known summary file which will accumulate paths to all attestations generated in a given workflow run

Full Changelog: actions/attest-build-provenance@v2.3.0...v2.4.0

v2.3.0

What's Changed

• Bump actions/attest from 2.2.1 to 2.3.0 by @​bdehamer in actions/attest-build-provenance#615
  • Updates @sigstore/oci from 0.4.0 to 0.5.0

Full Changelog: actions/attest-build-provenance@v2.2.3...v2.3.0

Commits

• 977bb37 bump attest-build-provenance/predicate to v2.0.0 (#693)
• 864457a Bump to node24 runtime (

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/attest-build-provenance	977bb373ede98d70efdf65b84cb5f73e068dcc2a	Unknown	Unknown
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/docker/build-push-action	263435318d21b8e681c14492fe198d362a7d2c83	🟢 5.4	Details Check Score Reason Code-Review 🟢 7 Found 7/9 approved changesets -- score normalized to 7 Maintained 🟢 9 1 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 9 Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 12 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/login-action	5e57cd118135c172c3672efd75eb46360885c0ef	🟢 5.4	Details Check Score Reason Code-Review 🟢 3 Found 1/3 approved changesets -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 28 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 9 SAST tool detected but not run on all commits
actions/docker/metadata-action	c299e40c65443455700f0fdfc63efafe5b349051	🟢 5	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Code-Review ⚠️ 2 Found 1/4 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	e468171a9de216ec08956ac3ada2f0791b6bd435	🟢 4.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Maintained 🟢 4 2 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 4 Code-Review ⚠️ 1 Found 1/6 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-python	6.*.*	🟢 5.2	Details Check Score Reason Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/Andrew-Chen-Wang/github-wiki-action	6448478bd55f1f3f752c93af8ac03207eccc3213	🟢 4.3	Details Check Score Reason Code-Review ⚠️ 2 Found 3/12 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 3 3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/container-publish.yml
• .github/workflows/language-detection-and-assignment.yml
• .github/workflows/python-testing.yml
• .github/workflows/self-wiki.yml

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/attest-build-provenance	977bb373ede98d70efdf65b84cb5f73e068dcc2a	Unknown	Unknown
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/docker/build-push-action	263435318d21b8e681c14492fe198d362a7d2c83	🟢 5.4	Details Check Score Reason Code-Review 🟢 7 Found 7/9 approved changesets -- score normalized to 7 Maintained 🟢 9 1 commit(s) and 10 issue activity found in the last 90 days -- score normalized to 9 Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 12 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/login-action	5e57cd118135c172c3672efd75eb46360885c0ef	🟢 5.4	Details Check Score Reason Code-Review 🟢 3 Found 1/3 approved changesets -- score normalized to 3 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Maintained 🟢 10 28 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Vulnerabilities ⚠️ 1 9 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST 🟢 9 SAST tool detected but not run on all commits
actions/docker/metadata-action	c299e40c65443455700f0fdfc63efafe5b349051	🟢 5	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Code-Review ⚠️ 2 Found 1/4 approved changesets -- score normalized to 2 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	e468171a9de216ec08956ac3ada2f0791b6bd435	🟢 4.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 9 security policy file detected Maintained 🟢 4 2 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 4 Code-Review ⚠️ 1 Found 1/6 approved changesets -- score normalized to 1 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Signed-Releases ⚠️ -1 no releases found Packaging 🟢 10 packaging workflow detected Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/setup-python	6.*.*	🟢 5.2	Details Check Score Reason Maintained 🟢 7 9 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Vulnerabilities ⚠️ 0 10 existing vulnerabilities detected SAST 🟢 9 SAST tool is not run on all commits -- score normalized to 9
actions/Andrew-Chen-Wang/github-wiki-action	6448478bd55f1f3f752c93af8ac03207eccc3213	🟢 4.3	Details Check Score Reason Code-Review ⚠️ 2 Found 3/12 approved changesets -- score normalized to 2 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 3 3 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 3 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Vulnerabilities 🟢 10 0 existing vulnerabilities detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md Security-Policy ⚠️ 0 security policy file not detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/actions/checkout	6.*.*	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5 Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 8 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/container-publish.yml
• .github/workflows/language-detection-and-assignment.yml
• .github/workflows/python-testing.yml
• .github/workflows/self-wiki.yml