google
diff --git a/‎.github/workflows/analyze.yaml‎
Lines changed: 6 additions & 1 deletion b/‎.github/workflows/analyze.yaml‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎.github/workflows/boilerplate.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/boilerplate.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/build.yaml‎
Lines changed: 3 additions & 8 deletions b/‎.github/workflows/build.yaml‎
Lines changed: 3 additions & 8 deletions
diff --git a/‎.github/workflows/bump-deps.yaml‎
Lines changed: 3 additions & 4 deletions b/‎.github/workflows/bump-deps.yaml‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎.github/workflows/donotsubmit.yaml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/donotsubmit.yaml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/e2e.yaml‎
Lines changed: 7 additions & 7 deletions b/‎.github/workflows/e2e.yaml‎
Lines changed: 7 additions & 7 deletions
diff --git a/‎.github/workflows/ecr-auth.yaml‎
Lines changed: 6 additions & 8 deletions b/‎.github/workflows/ecr-auth.yaml‎
Lines changed: 6 additions & 8 deletions
diff --git a/‎.github/workflows/ghcr-auth.yaml‎
Lines changed: 4 additions & 5 deletions b/‎.github/workflows/ghcr-auth.yaml‎
Lines changed: 4 additions & 5 deletions
diff --git a/‎.github/workflows/presubmit.yaml‎
Lines changed: 3 additions & 4 deletions b/‎.github/workflows/presubmit.yaml‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 6 additions & 4 deletions b/‎.github/workflows/release.yml‎
Lines changed: 6 additions & 4 deletions
@@ -7,12 +7,17 @@ on:
   pull_request:
     branches: ['main']
 
+permissions:
+  security-events: write
+  actions: read
+  contents: read
+
 jobs:
   analyze:
     name: Analyze
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v3
+    - uses: actions/checkout@v4
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
 
@@ -25,9 +25,9 @@ jobs:
 
     steps:
       - name: Check out code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
-      - uses: chainguard-dev/actions/boilerplate@5e21cb47971231c078a677dfe89a348371cb880c # main
+      - uses: chainguard-dev/actions/boilerplate@main
         with:
           extension: ${{ matrix.extension }}
           language: ${{ matrix.language }}
@@ -10,16 +10,11 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
 
-    strategy:
-      matrix:
-        go-version: [1.19, '1.20']
-
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: ${{ matrix.go-version }}
-          check-latest: true
+          go-version-file: go.mod
 
       - run: |
           go build ./...
 
@@ -18,11 +18,10 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-go@v4
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
       with:
-        go-version: 1.19
-        check-latest: true
+        go-version-file: go.mod
 
     - run: ./hack/bump-deps.sh
     - name: Create Pull Request
 
@@ -11,5 +11,5 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: chainguard-dev/actions/donotsubmit@5e21cb47971231c078a677dfe89a348371cb880c # main
+    - uses: actions/checkout@v4
+    - uses: chainguard-dev/actions/donotsubmit@main
@@ -16,11 +16,10 @@ jobs:
     runs-on: ${{ matrix.platform }}
 
     steps:
-    - uses: actions/checkout@v3
-    - uses: actions/setup-go@v4
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
       with:
-        go-version: 1.19
-        check-latest: true
+        go-version-file: go.mod
 
     - name: crane append to an image, set the entrypoint, run it locally, roundtrip it
       shell: bash
@@ -29,6 +28,7 @@ jobs:
 
         # Setup local registry
         go run ./cmd/registry &
+        sleep 3
 
         base=alpine
         platform=linux/amd64
@@ -82,13 +82,13 @@ jobs:
         ./app/crane pull --platform=linux/arm64 --format=oci $remote $distroless
         ./app/crane push $distroless $local
         diff <(./app/crane manifest --platform linux/arm64 $remote) <(./app/crane manifest $local)
-                
+
     - name: crane pull image, and export it from stdin to filesystem tar to stdout
       shell: bash
       run: |
         set -euxo pipefail
-        
+
         ./app/crane pull ubuntu ubuntu.tar
         ./app/crane export - - < ubuntu.tar > filesystem.tar
         ls -la *.tar
-        
+
@@ -18,11 +18,10 @@ jobs:
       AWS_REGION: us-east-2
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: 1.19
-          check-latest: true
+          go-version-file: go.mod
 
       - name: Install krane
         working-directory: ./cmd/krane
@@ -58,11 +57,10 @@ jobs:
       AWS_REGION: us-east-2
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: 1.19
-          check-latest: true
+          go-version-file: go.mod
 
       - name: Install crane
         working-directory: ./cmd/crane
 
@@ -14,11 +14,10 @@ jobs:
   krane:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: 1.19
-          check-latest: true
+          go-version-file: go.mod
 
       - name: Install krane
         working-directory: ./cmd/krane
@@ -44,4 +43,4 @@ jobs:
           if [[ "$CRED1" == "$CRED2" ]] ; then
             echo "credentials are cached by infrastructure"
           fi
-          
+
@@ -26,9 +26,8 @@ jobs:
     runs-on: 'ubuntu-latest'
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v4
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
-          go-version: 1.19
-          check-latest: true
+          go-version-file: go.mod
       - run: ./hack/presubmit.sh
@@ -6,14 +6,16 @@ on:
 
 jobs:
   goreleaser:
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Unshallow
         run: git fetch --prune --unshallow
-      - uses: actions/setup-go@v4
+      - uses: actions/setup-go@v5
         with:
           go-version: 1.21
           check-latest: true
@@ -40,7 +42,7 @@ jobs:
       actions: read # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       upload-assets: true # upload to a new release
@@ -51,7 +53,7 @@ jobs:
     permissions: read-all
     steps:
       - name: Install SLSA verifier
-        uses: slsa-framework/slsa-verifier/actions/installer@v2.2.0
+        uses: slsa-framework/slsa-verifier/actions/installer@v2.7.0
       - name: Download assets
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}