chore(deps): update github actions minor and patch updates

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	minor	v4.2.2 → v4.3.1
actions/setup-go	action	minor	v5.5.0 → v5.6.0
anchore/sbom-action	action	minor	v0.20.0 → v0.22.2
docker/login-action	action	minor	v3.4.0 → v3.7.0
goreleaser/goreleaser-action	action	minor	v6.3.0 → v6.4.0
sigstore/cosign-installer	action	minor	v3.8.2 → v3.10.1
slsa-framework/slsa-verifier	action	patch	v2.7.0 → v2.7.1
step-security/harden-runner	action	minor	v2.12.0 → v2.14.1

---

Release Notes

actions/checkout (actions/checkout)

v4.3.1

Compare Source

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in #​2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in #​1971
• Add internal repos for checking out multiple repositories by @​mouismail in #​1977
• Documentation update - add recommended permissions to Readme by @​benwells in #​2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in #​2044
• Update README.md by @​nebuk89 in #​2194
• Update CODEOWNERS for actions by @​TingluoHuang in #​2224
• Update package dependencies by @​salmanmkc in #​2236
• Prepare release v4.3.0 by @​salmanmkc in #​2237

New Contributors

• @​motss made their first contribution in #​1971
• @​mouismail made their first contribution in #​1977
• @​benwells made their first contribution in #​2043
• @​nebuk89 made their first contribution in #​2194
• @​salmanmkc made their first contribution in #​2236

Full Changelog: actions/checkout@v4...v4.3.0

actions/setup-go (actions/setup-go)

v5.6.0

Compare Source

What's Changed

• Fall back to downloading from go.dev/dl instead of storage.googleapis.com/golang by @​aparnajyothi-y in #​689

Full Changelog: actions/setup-go@v5...v5.6.0

anchore/sbom-action (anchore/sbom-action)

v0.22.2

Compare Source

v0.22.1

Compare Source

v0.22.1

⬆️ Dependencies

• chore(deps): update Syft to v1.41.0 (#​576) [@​anchore-actions-token-generator[bot]]
• chore(deps): bump lodash from 4.17.21 to 4.17.23 (#​573) [@​dependabot[bot]]

v0.22.0

Compare Source

Changes in v0.22.0

⬆️ Dependencies

• chore(deps-dev): bump the dev-dependencies group with 19 updates (#​566) [@​dependabot]
• chore(deps): bump npm-check-updates from 17.1.3 to 19.3.1 (#​567) [@​dependabot]
• chore(deps): update Syft to v1.40.1 (#​563) [@​anchore-actions-token-generator[bot]]

v0.21.1

Compare Source

Changes in v0.21.1

• chore(deps): update Syft to v1.40.0 (#​562) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]

v0.21.0

Compare Source

• chore(deps): update Syft to v1.39.0 (#​561)
• chore(deps): bump @​octokit/request-error, @​octokit/core and @​octokit/webhooks (#​560)
• chore(deps): bump peter-evans/create-pull-request from 7.0.11 to 8.0.0 (#​558)

v0.20.11

Compare Source

Changes in v0.20.11

• update Syft to v1.38.2 (#​557)
• bump @​octokit/plugin-paginate-rest, @​actions/artifact and @​actions/github (#​550) [[dependabot[bot]](https://github.com/dependabot[bot])]
• bump js-yaml (#​552) [[dependabot[bot]](https://github.com/dependabot[bot])]

v0.20.10

Compare Source

Changes in v0.20.10

• chore(deps): update Syft to v1.38.0 (#​548) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]

v0.20.9

Compare Source

Changes in v0.20.9

• chore(deps): update Syft to v1.36.0 (#​546) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]

v0.20.8

Compare Source

Changes in v0.20.8

• chore(deps): update Syft to v1.34.2 (#​545) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]

v0.20.7

Compare Source

Changes in v0.20.7

• chore(deps): update Syft to v1.34.1 (#​544)

v0.20.6

Compare Source

Changes in v0.20.6

• chore(deps): update Syft to v1.33.0 (#​537) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]
• chore: update actions library to resolve critical vulnerability (#​536) [spiffcs]

v0.20.5

Compare Source

Changes in v0.20.5

• Update Syft to v1.31.0 (#​531)

v0.20.4

Compare Source

Changes in v0.20.4

• chore: update Syft to v1.29.0 (#​529)

v0.20.3

Compare Source

Changes in v0.20.3

• Fix: Strip emojis from correlator before using github APIs (#​527) [AndrewHendry]

v0.20.2

Compare Source

Changes in v0.20.2

• Update Syft to v1.28.0 (#​526)

v0.20.1

Compare Source

Changes in v0.20.1

• Update Syft to v1.27.1 (#​525)

docker/login-action (docker/login-action)

v3.7.0

Compare Source

• Add scope input to set scopes for the authentication token by @​crazy-max in #​912
• Add support for AWS European Sovereign Cloud ECR by @​dphi in #​914
• Ensure passwords are redacted with registry-auth input by @​crazy-max in #​911
• build(deps): bump lodash from 4.17.21 to 4.17.23 in #​915

Full Changelog: docker/login-action@v3.6.0...v3.7.0

v3.6.0

Compare Source

• Add registry-auth input for raw authentication to registries by @​crazy-max in #​887
• Bump @​aws-sdk/client-ecr to 3.890.0 in #​882 #​890
• Bump @​aws-sdk/client-ecr-public to 3.890.0 in #​882 #​890
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​883
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​880
• Bump undici from 5.28.4 to 5.29.0 in #​879
• Bump tmp from 0.2.3 to 0.2.4 in #​881

Full Changelog: docker/login-action@v3.5.0...v3.6.0

v3.5.0

Compare Source

• Support dual-stack endpoints for AWS ECR by @​Spacefish @​crazy-max in #​874 #​876
• Bump @​aws-sdk/client-ecr to 3.859.0 in #​860 #​878
• Bump @​aws-sdk/client-ecr-public to 3.859.0 in #​860 #​878
• Bump @​docker/actions-toolkit from 0.57.0 to 0.62.1 in #​870
• Bump form-data from 2.5.1 to 2.5.5 in #​875

Full Changelog: docker/login-action@v3.4.0...v3.5.0

goreleaser/goreleaser-action (goreleaser/goreleaser-action)

v6.4.0

Compare Source

What's Changed

• ci: set contents read as default workflow permissions by @​crazy-max in #​494
• fix: support .config directory for goreleaser config files by @​haya14busa in #​500
• chore(deps): bump semver from 7.7.1 to 7.7.2 by @​dependabot[bot] in #​495
• chore(deps): bump brace-expansion from 1.1.11 to 1.1.12 by @​dependabot[bot] in #​498
• fix: do not get releases.json if version is specific by @​caarlos0 in #​502
• chore(deps): bump undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​496
• feat: retry downloading releases json by @​caarlos0 in #​503

New Contributors

• @​haya14busa made their first contribution in #​500

Full Changelog: goreleaser/goreleaser-action@v6.3.0...v6.4.0

sigstore/cosign-installer (sigstore/cosign-installer)

v3.10.1

Compare Source

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

• Bump default Cosign to v2.6.1 (#​203)

v3.10.0

Compare Source

What's Changed

• Bump default Cosign to v2.6.0 in #​200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

v3.9.2

Compare Source

What's Changed

• not fail fast and setup permissions in #​195
• drop old unsupported versions <v2.0.0 in #​192
• Update default to v2.5.3 in #​196

Full Changelog: sigstore/cosign-installer@v3.9.1...v3.9.2

v3.9.1

Compare Source

What's Changed

• default action install to use release v2.5.1 by @​cpanato in #​193
• default cosign to v2.5.2 by @​cpanato in #​194

Full Changelog: sigstore/cosign-installer@v3.9.0...v3.9.1

v3.9.0

Compare Source

What's Changed

• Bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in #​189
• bump cosign install to use release v2.5.0 as default by @​cpanato in #​191

Full Changelog: sigstore/cosign-installer@v3...v3.9.0

slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)

v2.7.1

Compare Source

What's Changed

• chore: Update docs for v2.7.0 by @​ramonpetgrave64 in #​829
• docs(npm): "exmaple" spelling fix by @​scop in #​832
• chore: update test files for v2.1.0 by @​ramonpetgrave64 in #​836
• feat: verify provenance for bcr modules produced by trusted reusable workflows by @​loosebazooka in #​840
• chore(deps): update golang:1.23 docker digest to cc458d7 by @​renovate-bot in #​838
• fix: less parallelism in tests by @​ramonpetgrave64 in #​851
• chore(deps): bump @​octokit/request-error from 5.0.1 to 5.1.1 in /actions/installer in the npm_and_yarn group across 1 directory by @​dependabot in #​833
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in the go_modules group by @​dependabot in #​835
• chore(deps): bump the go_modules group across 1 directory with 2 updates by @​dependabot in #​853
• fix(deps): update npm by @​renovate-bot in #​843
• fix(deps): update golang.org/x/exp digest to dcc06ee by @​renovate-bot in #​839
• fix: no parallel regression tests by @​ramonpetgrave64 in #​855
• chore(deps): update golang:1.23 docker digest to dd5cc4b by @​renovate-bot in #​847
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to 0a0dc20 by @​renovate-bot in #​844
• chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates by @​dependabot in #​854
• feat: Bazel not experimental by @​ramonpetgrave64 in #​850
• docs: add section for verify-github-attestation by @​loosebazooka in #​858

New Contributors

• @​scop made their first contribution in #​832
• @​loosebazooka made their first contribution in #​840

Full Changelog: slsa-framework/slsa-verifier@v2.7.0...v2.7.1

step-security/harden-runner (step-security/harden-runner)

v2.14.1

Compare Source

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

Compare Source

What's Changed

• Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
• Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

Compare Source

What's Changed

• Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

Compare Source

What's Changed

• Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
• Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

v2.13.1

Compare Source

What's Changed

• Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

• Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

• Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

v2.13.0

Compare Source

What's Changed

• Improved job markdown summary
• Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

Compare Source

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:

• Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
• Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

Compare Source

What's Changed

• Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
• Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.