From aa8e18179967660b738c0b30f7dc887afbcf6e9c Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 08:12:20 +0000 Subject: [PATCH] ci(deps): bump the github-actions group with 2 updates Bumps the github-actions group with 2 updates: [step-security/harden-runner](https://github.com/step-security/harden-runner) and [anchore/sbom-action](https://github.com/anchore/sbom-action). Updates `step-security/harden-runner` from 2.13.2 to 2.14.0 - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/95d9a5deda9de15063e7595e9719c11c38c90ae2...20cf305ff2072d973412fa9b1e3a4f227bda3c76) Updates `anchore/sbom-action` from 0.20.10 to 0.20.11 - [Release notes](https://github.com/anchore/sbom-action/releases) - [Changelog](https://github.com/anchore/sbom-action/blob/main/RELEASE.md) - [Commits](https://github.com/anchore/sbom-action/compare/fbfd9c6c189226748411491745178e0c2017392d...43a17d6e7add2b5535efe4dcae9952337c479a93) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.14.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: anchore/sbom-action dependency-version: 0.20.11 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/continuous-integration.yml | 2 +- .github/workflows/image-cleanup.yml | 2 +- .github/workflows/issue-cleanup.yml | 2 +- .github/workflows/issue-creation-tool-versions.yml | 2 +- .github/workflows/linting-formatting.yml | 2 +- .github/workflows/ossf-scorecard.yml | 2 +- .github/workflows/pr-conventional-title.yml | 2 +- .github/workflows/pr-image-cleanup.yml | 4 ++-- .github/workflows/pr-report.yml | 2 +- .github/workflows/release-build.yml | 10 +++++----- .github/workflows/release-please.yml | 2 +- .github/workflows/update-dependencies.yml | 4 ++-- .github/workflows/vulnerability-scan.yml | 2 +- .github/workflows/wc-acceptance-test.yml | 2 +- .github/workflows/wc-build-push.yml | 6 +++--- .github/workflows/wc-dependency-review.yml | 2 +- .github/workflows/wc-document-generation.yml | 2 +- .github/workflows/wc-integration-test.yml | 2 +- .github/workflows/wc-sanitize-image-name.yml | 2 +- 19 files changed, 27 insertions(+), 27 deletions(-) diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml index 02364f52..6ea3ed0f 100644 --- a/.github/workflows/continuous-integration.yml +++ b/.github/workflows/continuous-integration.yml @@ -56,7 +56,7 @@ jobs: needs: build-push-test if: ${{ !cancelled() }} steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml index bf958c03..36908c03 100644 --- a/.github/workflows/image-cleanup.yml +++ b/.github/workflows/image-cleanup.yml @@ -15,7 +15,7 @@ jobs: permissions: packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete untagged and orphaned images steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true allowed-endpoints: > diff --git a/.github/workflows/issue-cleanup.yml b/.github/workflows/issue-cleanup.yml index 7a1559f0..0c603310 100644 --- a/.github/workflows/issue-cleanup.yml +++ b/.github/workflows/issue-cleanup.yml @@ -15,7 +15,7 @@ jobs: issues: write # is needed by actions/stale to close/comment on issues pull-requests: write # is needed by actions/stale to close/comment on PRs steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/issue-creation-tool-versions.yml b/.github/workflows/issue-creation-tool-versions.yml index a167613a..53c80caa 100644 --- a/.github/workflows/issue-creation-tool-versions.yml +++ b/.github/workflows/issue-creation-tool-versions.yml @@ -15,7 +15,7 @@ jobs: permissions: issues: write # is needed by gh cli to create/close/pin/unpin issues steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml index 3511b69c..231810f5 100644 --- a/.github/workflows/linting-formatting.yml +++ b/.github/workflows/linting-formatting.yml @@ -26,7 +26,7 @@ jobs: pull-requests: write # is needed by oxsecurity/megalinter and reviewdog/action-suggester to post PR comments security-events: write # is needed by oxsecurity/megalinter for uploading sarif files steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml index 0352657e..626af95a 100644 --- a/.github/workflows/ossf-scorecard.yml +++ b/.github/workflows/ossf-scorecard.yml @@ -20,7 +20,7 @@ jobs: security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files id-token: write # is needed by ossf/scorecard-action to authenticate with OIDC steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml index dde68df4..6a73a438 100644 --- a/.github/workflows/pr-conventional-title.yml +++ b/.github/workflows/pr-conventional-title.yml @@ -17,7 +17,7 @@ jobs: permissions: pull-requests: write # is needed by marocchino/sticky-pull-request-comment to post comments on PRs steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true allowed-endpoints: > diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml index 731feb53..ed7d876e 100644 --- a/.github/workflows/pr-image-cleanup.yml +++ b/.github/workflows/pr-image-cleanup.yml @@ -14,7 +14,7 @@ jobs: permissions: packages: write # is needed by dataaxiom/ghcr-cleanup-action to delete images steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit @@ -29,7 +29,7 @@ jobs: permissions: actions: write # is needed to delete workflow run caches steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml index f2a552d3..bb22e75a 100644 --- a/.github/workflows/pr-report.yml +++ b/.github/workflows/pr-report.yml @@ -18,7 +18,7 @@ jobs: actions: read # is needed by philips-software/pull-request-report-action to fetch workflow run information runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml index 1d028aa5..7eceb64a 100644 --- a/.github/workflows/release-build.yml +++ b/.github/workflows/release-build.yml @@ -47,7 +47,7 @@ jobs: # currently provide a more fine-grained permission for release modification. contents: write # is needed to modify a release steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit @@ -82,7 +82,7 @@ jobs: REF_NAME: ${{ github.ref_name }} REGISTRY: ghcr.io steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit @@ -124,7 +124,7 @@ jobs: permissions: packages: write # is needed by devcontainers/action to write templates as OCI artifacts steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit @@ -157,7 +157,7 @@ jobs: contents: write # is needed to modify a release needs: [generate-documents] steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit @@ -179,7 +179,7 @@ jobs: permissions: pull-requests: write # is needed by rdlf0/comment-released-prs-action to post comments on PRs steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml index b63c8981..23ceba1f 100644 --- a/.github/workflows/release-please.yml +++ b/.github/workflows/release-please.yml @@ -18,7 +18,7 @@ jobs: permissions: contents: read steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml index 913e75ea..9ab3c056 100644 --- a/.github/workflows/update-dependencies.yml +++ b/.github/workflows/update-dependencies.yml @@ -22,7 +22,7 @@ jobs: contents: write # is needed by peter-evans/create-pull-request to create branches and push commits pull-requests: write # is needed by peter-evans/create-pull-request to create a PR steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 @@ -57,7 +57,7 @@ jobs: contents: write # is needed by peter-evans/create-pull-request to create branches and push commits pull-requests: write # is needed by peter-evans/create-pull-request to create a PR steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml index 2c0002bf..7b936ed1 100644 --- a/.github/workflows/vulnerability-scan.yml +++ b/.github/workflows/vulnerability-scan.yml @@ -18,7 +18,7 @@ jobs: permissions: security-events: write # is needed by github/codeql-action/upload-sarif to upload sarif files steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit - uses: crazy-max/ghaction-container-scan@4d8e0acba576e46016cbd65b9ecfc604e85e3990 # v3.2.0 diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml index 95aaa55b..e557fb96 100644 --- a/.github/workflows/wc-acceptance-test.yml +++ b/.github/workflows/wc-acceptance-test.yml @@ -35,7 +35,7 @@ jobs: name: Acceptance Test runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: false # Playwright requires root privileges to install browsers egress-policy: audit diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml index ccf29a80..a039b655 100644 --- a/.github/workflows/wc-build-push.yml +++ b/.github/workflows/wc-build-push.yml @@ -67,7 +67,7 @@ jobs: contents: read packages: write # is needed by docker/build-push-action to push images when using GitHub Container Registry steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit @@ -151,7 +151,7 @@ jobs: outputs: digest: ${{ steps.inspect-manifest.outputs.digest }} steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit @@ -236,7 +236,7 @@ jobs: header: container-size-diff-${{ needs.sanitize-image-name.outputs.image-basename }} message: | ${{ steps.container-size-diff.outputs.size-diff-markdown }} - - uses: anchore/sbom-action@fbfd9c6c189226748411491745178e0c2017392d # v0.20.10 + - uses: anchore/sbom-action@43a17d6e7add2b5535efe4dcae9952337c479a93 # v0.20.11 with: image: ${{ needs.sanitize-image-name.outputs.fully-qualified-image-name }}@${{ steps.inspect-manifest.outputs.digest }} dependency-snapshot: true diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml index 227965ab..4d9f9dc0 100644 --- a/.github/workflows/wc-dependency-review.yml +++ b/.github/workflows/wc-dependency-review.yml @@ -26,7 +26,7 @@ jobs: contents: read pull-requests: write # is needed by actions/dependency-review-action to write PR summaries steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true egress-policy: audit diff --git a/.github/workflows/wc-document-generation.yml b/.github/workflows/wc-document-generation.yml index c67d075c..4ed92d9a 100644 --- a/.github/workflows/wc-document-generation.yml +++ b/.github/workflows/wc-document-generation.yml @@ -13,7 +13,7 @@ jobs: permissions: contents: read steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: audit - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml index 1e4a966e..f07353f8 100644 --- a/.github/workflows/wc-integration-test.yml +++ b/.github/workflows/wc-integration-test.yml @@ -45,7 +45,7 @@ jobs: permissions: contents: read steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo: true egress-policy: audit diff --git a/.github/workflows/wc-sanitize-image-name.yml b/.github/workflows/wc-sanitize-image-name.yml index 18665c89..64853ecf 100644 --- a/.github/workflows/wc-sanitize-image-name.yml +++ b/.github/workflows/wc-sanitize-image-name.yml @@ -35,7 +35,7 @@ jobs: image-name: ${{ steps.sanitize-image-name.outputs.sanitized-image-name }} fully-qualified-image-name: ${{ inputs.registry }}/${{ steps.sanitize-image-name.outputs.sanitized-image-name }} steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: disable-sudo-and-containers: true allowed-endpoints: >