chore(ci): bump the ci-deps group across 1 directory with 6 updates

[dependabot]

Bumps the ci-deps group with 6 updates in the / directory:

Package	From	To
step-security/harden-runner	2.13.1	2.13.2
actions/cache	4.2.4	4.3.0
actions/dependency-review-action	4.7.3	4.8.1
cachix/install-nix-action	31.6.1	31.8.3
softprops/action-gh-release	2.3.3	2.4.2
ossf/scorecard-action	2.4.2	2.4.3

Updates step-security/harden-runner from 2.13.1 to 2.13.2

Release notes

Sourced from step-security/harden-runner's releases.

v2.13.2

What's Changed

• Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
• Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

Commits

• 95d9a5d Merge pull request #606 from step-security/rc-28
• 87e429d Update limitations.md
• ef891c3 feat: add support for custom vm image
• 1fa8c8a update agent
• 92c522a Merge pull request #593 from step-security/ak-readme-updates
• 4719ad5 README updates
• 4fde639 Merge pull request #591 from eromosele-stepsecurity/Upd
• f682f2f Update README.md
• See full diff in compare view

Updates actions/cache from 4.2.4 to 4.3.0

Release notes

Sourced from actions/cache's releases.

v4.3.0

What's Changed

• Add note on runner versions by @​GhadimiR in actions/cache#1642
• Prepare v4.3.0 release by @​Link- in actions/cache#1655

New Contributors

• @​GhadimiR made their first contribution in actions/cache#1642

Full Changelog: actions/cache@v4...v4.3.0

Changelog

Sourced from actions/cache's changelog.

Releases

4.3.0

• Bump @actions/cache to v4.1.0

4.2.4

• Bump @actions/cache to v4.0.5

4.2.3

• Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

• Bump @actions/cache to v4.0.2

4.2.1

• Bump @actions/cache to v4.0.1

4.2.0

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before February 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

4.1.2

• Add GitHub Enterprise Cloud instances hostname filters to inform API endpoint choices - #1474
• Security fix: Bump braces from 3.0.2 to 3.0.3 - #1475

4.1.1

• Restore original behavior of cache-hit output - #1467

4.1.0

• Ensure cache-hit output is set when a cache is missed - #1404
• Deprecate save-always input - #1452

... (truncated)

Commits

• 0057852 Merge pull request #1655 from actions/Link-/prepare-4.3.0
• 4f5ea67 Update licensed cache
• 9fcad95 Upgrade actions/cache to 4.1.0 and prepare 4.3.0 release
• 638ed79 Merge pull request #1642 from actions/GhadimiR-patch-1
• 3862dcc Add note on runner versions
• See full diff in compare view

Updates actions/dependency-review-action from 4.7.3 to 4.8.1

Release notes

Sourced from actions/dependency-review-action's releases.

Dependency Review Action v4.8.1

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in actions/dependency-review-action#1000
• Bump version for 4.8.1 release by @​ahpook in actions/dependency-review-action#1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

What's Changed

• Make Ruby Code Scannable by @​ljones140 in actions/dependency-review-action#978
• Batch some contributions for release by @​brrygrdn in actions/dependency-review-action#986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in actions/dependency-review-action#978
• @​jasperkamerling made their first contribution in actions/dependency-review-action#986
• @​MattMencel made their first contribution in actions/dependency-review-action#986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

Commits

• 40c09b7 Merge pull request #1001 from actions/ahpook/v4.8.1-release
• 4552948 Bump version for 4.8.1 release
• e63da9a Merge pull request #1000 from actions/ahpook/deprecation-redux
• 71365c7 (bug) Fix spamming link test in deprecation warning (again)
• 56339e5 Merge pull request #988 from actions/brrygrdn/rc-4.8.0
• 1688b74 Bump to a 4.8.0
• 31c9f17 Merge pull request #987 from actions/rc-4.7.4
• eacde78 Update version
• 8151009 Merge pull request #986 from actions/brrygrdn/rc-4.7.4
• b472ec9 Add a quick regression test for the artefact summary
• Additional commits viewable in compare view

Updates cachix/install-nix-action from 31.6.1 to 31.8.3

Release notes

Sourced from cachix/install-nix-action's releases.

v31.8.3

What's Changed

• nix: 2.32.2 -> 2.32.3 by @​github-actions[bot] in cachix/install-nix-action#260

Full Changelog: cachix/install-nix-action@v31.8.2...v31.8.3

v31.8.2

What's Changed

• nix: 2.32.1 -> 2.32.2 by @​github-actions[bot] in cachix/install-nix-action#259

Full Changelog: cachix/install-nix-action@v31.8.1...v31.8.2

v31.8.1

What's Changed

• nix: 2.32.0 -> 2.32.1 by @​github-actions[bot] in cachix/install-nix-action#258

Full Changelog: cachix/install-nix-action@v31...v31.8.1

v31.8.0

What's Changed

• nix: 2.31.2 -> 2.32.0 by @​github-actions[bot] in cachix/install-nix-action#257 Release notes: https://discourse.nixos.org/t/nix-2-32-0-released/70528

Full Changelog: cachix/install-nix-action@v31.7.0...v31.8.0

v31.7.0

What's Changed

• feat: set up the environment based on the installer shell scripts by @​sandydoo in cachix/install-nix-action#251

  Configures the following environment variables:

  • NIX_PROFILES
  • NIX_SSL_CERT_FILE (if not set)

  Adds the bin directory from the user's profile to $PATH.

Full Changelog: cachix/install-nix-action@v31.6.2...v31.7.0

v31.6.2

What's Changed

• nix: 2.31.1 -> 2.31.2 by @​github-actions[bot] in cachix/install-nix-action#256

Full Changelog: cachix/install-nix-action@v31...v31.6.2

Commits

• 7ec16f2 Merge pull request #260 from cachix/create-pull-request/patch
• 5afc2ac nix: 2.32.2 -> 2.32.3
• 456688f Merge pull request #259 from cachix/create-pull-request/patch
• 0cacfe0 nix: 2.32.1 -> 2.32.2
• fd24c48 Merge pull request #258 from cachix/create-pull-request/patch
• a55fd2d nix: 2.32.0 -> 2.32.1
• 7ab6e7f Merge pull request #257 from cachix/create-pull-request/patch
• a851831 nix: 2.31.2 -> 2.32.0
• 0b2de19 docs: update the ci badge
• b8a94d3 ci: pass correct args to the act test
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.3.3 to 2.4.2

Release notes

Sourced from softprops/action-gh-release's releases.

v2.4.2

What's Changed

Exciting New Features 🎉

• feat: Ensure generated release notes cannot be over 125000 characters by @​BeryJu in softprops/action-gh-release#684

Other Changes 🔄

• dependency updates

New Contributors

• @​BeryJu made their first contribution in softprops/action-gh-release#684

Full Changelog: softprops/action-gh-release@v2.4.1...v2.4.2

v2.4.1

What's Changed

Other Changes 🔄

• fix(util): support brace expansion globs containing commas in parseInputFiles by @​Copilot in softprops/action-gh-release#672
• fix: gracefully fallback to body when body_path cannot be read by @​Copilot in softprops/action-gh-release#671

Full Changelog: softprops/action-gh-release@v2...v2.4.1

v2.4.0

What's Changed

Exciting New Features 🎉

• feat(action): respect working_directory for files globs by @​stephenway in softprops/action-gh-release#667

Other Changes 🔄

• chore(deps): bump the npm group with 2 updates by @​dependabot[bot] in softprops/action-gh-release#668

Full Changelog: softprops/action-gh-release@v2.3.4...v2.4.0

v2.3.4

What's Changed

Bug fixes 🐛

• fix(action): handle 422 already_exists race condition by @​stephenway in softprops/action-gh-release#665

Other Changes 🔄

• chore(deps): bump actions/setup-node from 4.4.0 to 5.0.0 in the github-actions group by @​dependabot[bot] in softprops/action-gh-release#656
• chore(deps): bump @​types/node from 20.19.11 to 20.19.13 in the npm group by @​dependabot[bot] in softprops/action-gh-release#655
• chore(deps): bump vite from 7.0.0 to 7.1.5 by @​dependabot[bot] in softprops/action-gh-release#657
• chore(deps): bump the npm group across 1 directory with 2 updates by @​dependabot[bot] in softprops/action-gh-release#662
• chore(deps): bump the npm group with 3 updates by @​dependabot[bot] in softprops/action-gh-release#666

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

2.4.2

What's Changed

Exciting New Features 🎉

• feat: Ensure generated release notes cannot be over 125000 characters by @​BeryJu in softprops/action-gh-release#684

Other Changes 🔄

• dependency updates

2.4.1

What's Changed

Other Changes 🔄

• fix(util): support brace expansion globs containing commas in parseInputFiles by @​Copilot in softprops/action-gh-release#672
• fix: gracefully fallback to body when body_path cannot be read by @​Copilot in softprops/action-gh-release#671

2.4.0

What's Changed

Exciting New Features 🎉

• feat(action): respect working_directory for files globs by @​stephenway in softprops/action-gh-release#667

2.3.4

What's Changed

Bug fixes 🐛

• fix(action): handle 422 already_exists race condition by @​stephenway in softprops/action-gh-release#665

Other Changes 🔄

• dependency updates

2.3.3

What's Changed

Exciting New Features 🎉

• feat: add input option overwrite_files by @​asfernandes in softprops/action-gh-release#343

Other Changes 🔄

... (truncated)

Commits

• 5be0e66 release 2.4.2
• af658b4 feat: Ensure generated release notes cannot be over 125000 characters (#684)
• 237aacc chore: bump node to 24.11.0
• 00362be chore(deps): bump the npm group with 5 updates (#687)
• 0adea5a chore(deps): bump the npm group with 3 updates (#686)
• aa05f9d chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 in the github-action...
• bbaccb3 chore(deps): bump @​types/node from 20.19.21 to 20.19.22 in the npm group (#682)
• 50fda3f chore(deps): bump vite from 7.1.5 to 7.1.11 (#681)
• 5434409 chore(deps): bump @​types/node from 20.19.19 to 20.19.21 in the npm group (#679)
• 6da8fa9 release 2.4.1
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.2 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in ossf/scorecard-action#1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in ossf/scorecard-action#1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in ossf/scorecard-action#1566
• setup codeowners for requesting reviews by @​spencerschrock in ossf/scorecard-action#1576
• 🌱 Improve printing options by @​deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

• @​timothyklee made their first contribution in ossf/scorecard-action#1566
• @​pankajtaneja5 made their first contribution in ossf/scorecard-action#1574
• @​deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

Commits

• 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
• 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
• 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
• 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
• 92083b5 📖 Fix recommended command to test the image in development (#1583)
• 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
• 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
• c3f1350 🌱 Improve printing options (#1584)
• 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[V0ldek]

@dependabot rebase

[dependabot]

Dependabot tried to update this pull request, but something went wrong. We're looking into it, but in the meantime you can retry the update by commenting @dependabot recreate.

[V0ldek]

@dependabot recreate

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.