Skip to content

chore(deps): bump the actions-updates group across 1 directory with 4 updates#492

Open
dependabot[bot] wants to merge 1 commit into
QA-Testfrom
dependabot/github_actions/QA-Test/actions-updates-5c0cddd67d
Open

chore(deps): bump the actions-updates group across 1 directory with 4 updates#492
dependabot[bot] wants to merge 1 commit into
QA-Testfrom
dependabot/github_actions/QA-Test/actions-updates-5c0cddd67d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps the actions-updates group with 4 updates in the / directory: foundry-rs/foundry-toolchain, step-security/harden-runner, ossf/scorecard-action and crytic/slither-action.

Updates foundry-rs/foundry-toolchain from 1.5.0 to 1.8.0

Release notes

Sourced from foundry-rs/foundry-toolchain's releases.

v1.8.0

Chores

Other

New Contributors

Full Changelog: foundry-rs/foundry-toolchain@v1...v1.8.0

v1.7.0

Features

Fixes

Other

Full Changelog: foundry-rs/foundry-toolchain@v1...v1.7.0

v1.6.0

What's Changed

Full Changelog: foundry-rs/foundry-toolchain@v1...v1.6.0

Commits
  • c7450ba chore: remove tempo fork support (#112)
  • e2b0dd5 chore(deps): bump the npm-weekly group with 2 updates (#114)
  • bd79005 chore: migrate from npm to pnpm (#113)
  • f886be4 chore(deps): bump actions/upload-artifact from 6 to 7 (#110)
  • 8789b3e chore(deps): bump to node v24.13.0 and update dependencies (#109)
  • 5fc04c4 fix: remove windows --force hack (#108)
  • 4a36879 feat: cache all of .foundry/cache instead of just /rpc (#107)
  • 2d49e48 refactor: rewrite in TypeScript (#106)
  • 61704be fix: allow v-prefix and no prefix for specific versions (#104)
  • eceac89 feat: print --version for all tools at end of action (#103)
  • Additional commits viewable in compare view

Updates step-security/harden-runner from 2.12.0 to 2.19.4

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.4

What's Changed

  • Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner

Full Changelog: step-security/harden-runner@v2.19.3...v2.19.4

v2.19.3

What's Changed

Full Changelog: step-security/harden-runner@v2.19.2...v2.19.3

v2.19.2

What's Changed

  • Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.

Full Changelog: step-security/harden-runner@v2.19.1...v2.19.2

v2.19.1

What's Changed

What the fix changes

  • Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

  • Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
  • Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

  • Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
  • System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

... (truncated)

Commits
  • 9af89fc Merge pull request #667 from step-security/update-agent-v1.8.6
  • 485dce8 Update agent to v1.8.6
  • ab7a940 Merge pull request #665 from step-security/fix/use-policy-store-default-audit
  • ec41b78 Default to audit mode when api-key missing with use-policy-store
  • 9ca718d Merge pull request #664 from step-security/update-agent-v1.8.5
  • 1dee3df Update agent to v1.8.5
  • a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
  • 6e92856 build dist and trim ubuntu-slim message
  • 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
  • 8d3c67d Release v2.19.0 (#661)
  • Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.0 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

Other

New Contributors

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

v2.4.1

What's Changed

  • This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
  • Publishing results now uses half the API quota as before. The exact savings depends on the repository in question.
  • Some errors were made into annotations to make them more visible
  • There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
  • The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.

Docs

New Contributors

Commits
  • 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
  • 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
  • 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
  • 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
  • 92083b5 📖 Fix recommended command to test the image in development (#1583)
  • 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
  • 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
  • 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
  • c3f1350 🌱 Improve printing options (#1584)
  • 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
  • Additional commits viewable in compare view

Updates crytic/slither-action from 0.4.0 to 0.4.2

Release notes

Sourced from crytic/slither-action's releases.

v0.4.2

0.4.2 - 2026-01-16

This is a patch release for the Slither Action - the Github Action for Slither.

What's Changed

Full Changelog: crytic/slither-action@v0.4.1...v0.4.2

v0.4.1

0.4.1 - 2025-03-21

This is a patch release for the Slither Action - the Github Action for Slither.

What's Changed

Full Changelog: crytic/slither-action@v0.4.0...v0.4.1

Commits
  • b52cc1c Merge pull request #99 from crytic/dev-readme
  • 083e5be Update action README for v0.4.2
  • 92f27ba Merge pull request #98 from crytic/py310
  • 310f76e Bump Python version to 3.10
  • 4fd765a Merge pull request #95 from crytic/dev-update-readme
  • 6bbb739 Update action README for v0.4.1
  • 4c869f5 Merge pull request #93 from crytic/dev-foundryup-update
  • 3eef552 Update foundryup
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

… updates

Bumps the actions-updates group with 4 updates in the / directory: [foundry-rs/foundry-toolchain](https://github.com/foundry-rs/foundry-toolchain), [step-security/harden-runner](https://github.com/step-security/harden-runner), [ossf/scorecard-action](https://github.com/ossf/scorecard-action) and [crytic/slither-action](https://github.com/crytic/slither-action).


Updates `foundry-rs/foundry-toolchain` from 1.5.0 to 1.8.0
- [Release notes](https://github.com/foundry-rs/foundry-toolchain/releases)
- [Changelog](https://github.com/foundry-rs/foundry-toolchain/blob/master/RELEASE.md)
- [Commits](foundry-rs/foundry-toolchain@50d5a89...c7450ba)

Updates `step-security/harden-runner` from 2.12.0 to 2.19.4
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@0634a26...9af89fc)

Updates `ossf/scorecard-action` from 2.4.0 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@62b2cac...4eaacf0)

Updates `crytic/slither-action` from 0.4.0 to 0.4.2
- [Release notes](https://github.com/crytic/slither-action/releases)
- [Commits](crytic/slither-action@f197989...b52cc1c)

---
updated-dependencies:
- dependency-name: foundry-rs/foundry-toolchain
  dependency-version: 1.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-updates
- dependency-name: step-security/harden-runner
  dependency-version: 2.19.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-updates
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-updates
- dependency-name: crytic/slither-action
  dependency-version: 0.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-updates
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 22, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 22, 2026 23:15
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 22, 2026
@github-actions

Copy link
Copy Markdown

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
  • ⚠️ 1 packages with OpenSSF Scorecard issues.
See the Details below.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/crytic/slither-action b52cc1cbfee9ca3e8722dd5224299d16c9a6b80f ⚠️ 2.7
Details
CheckScoreReason
Binary-Artifacts🟢 10no binaries found in the repo
Maintained⚠️ 00 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0
Packaging⚠️ -1packaging workflow not detected
Token-Permissions⚠️ -1No tokens found
Code-Review⚠️ 0Found 0/14 approved changesets -- score normalized to 0
Dangerous-Workflow⚠️ -1no workflows found
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies⚠️ 0dependency not pinned by hash detected -- score normalized to 0
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
License🟢 10license file detected
Branch-Protection⚠️ 0branch protection not enabled on development/release branches
Security-Policy🟢 10security policy file detected
SAST⚠️ 0SAST tool is not run on all commits -- score normalized to 0
actions/foundry-rs/foundry-toolchain c7450ba673e133f5ee30098b3b54f444d3a2ca2d 🟢 8.3
Details
CheckScoreReason
Code-Review🟢 9Found 18/20 approved changesets -- score normalized to 9
Maintained🟢 1014 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 10
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Packaging⚠️ -1packaging workflow not detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions🟢 10GitHub workflow tokens follow principle of least privilege
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 10all dependencies are pinned
Fuzzing⚠️ 0project is not fuzzed
License🟢 10license file detected
Signed-Releases⚠️ -1no releases found
Branch-Protection🟢 6branch protection is not maximal on development and all release branches
Security-Policy🟢 9security policy file detected
SAST🟢 9SAST tool detected but not run on all commits

Scanned Files

  • .github/workflows/slither.yml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants