Bump osinfra-io/github-misc-called-workflows from 0.1.8 to 0.1.9 #71
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [osinfra-io/github-misc-called-workflows](https://github.com/osinfra-io/github-misc-called-workflows) from 0.1.8 to 0.1.9. - [Release notes](https://github.com/osinfra-io/github-misc-called-workflows/releases) - [Commits](osinfra-io/github-misc-called-workflows@v0.1.8...v0.1.9) --- updated-dependencies: - dependency-name: osinfra-io/github-misc-called-workflows dependency-version: 0.1.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
dependencies
github-project-automation
bot
moved this to Todo ✏
in 🔨Open Source Infrastructure (as Code)
![pr-approve-and-merge-osinfra-io[bot]](https://avatars.githubusercontent.com/in/1080767?s=60&v=4){kind=small}
pr-approve-and-merge-osinfra-io
bot
deleted the
dependabot/github_actions/osinfra-io/github-misc-called-workflows-0.1.9
branch
github-project-automation
bot
moved this from Todo ✏
to Done ⚒
in 🔨Open Source Infrastructure (as Code)
![datadog-osinfra-io[bot]](https://avatars.githubusercontent.com/in/385504?s=60&v=4){kind=small}
| @@ -8,6 +8,6 @@ permissions: | |||
| jobs: | |||
| dependabot: | |||
| name: Dependabot | |||
| uses: osinfra-io/github-misc-called-workflows/.github/workflows/dependabot.yml@v0.1.8 | |||
| uses: osinfra-io/github-misc-called-workflows/.github/workflows/dependabot.yml@v0.1.9 | |||
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| @@ -29,7 +29,7 @@ jobs: | |||
|
|
|||
| build_and_push_us: | |||
| name: "Sandbox Registry: us-docker.pkg.dev" | |||
| uses: osinfra-io/github-misc-called-workflows/.github/workflows/build-and-push.yml@v0.1.8 | |||
| uses: osinfra-io/github-misc-called-workflows/.github/workflows/build-and-push.yml@v0.1.9 | |||
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| @@ -11,7 +11,7 @@ permissions: | |||
| jobs: | |||
| build_and_push_us: | |||
| name: "Sandbox Registry: us-docker.pkg.dev" | |||
| uses: osinfra-io/github-misc-called-workflows/.github/workflows/build-and-push.yml@v0.1.8 | |||
| uses: osinfra-io/github-misc-called-workflows/.github/workflows/build-and-push.yml@v0.1.9 | |||
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
| @@ -14,7 +14,7 @@ permissions: | |||
| jobs: | |||
| add-to-osinfra-project: | |||
| name: Open Source Infrastructure (as Code) | |||
| uses: osinfra-io/github-misc-called-workflows/.github/workflows/add-to-project.yml@v0.1.8 | |||
| uses: osinfra-io/github-misc-called-workflows/.github/workflows/add-to-project.yml@v0.1.9 | |||
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
Bumps osinfra-io/github-misc-called-workflows from 0.1.8 to 0.1.9.
Release notes
Sourced from osinfra-io/github-misc-called-workflows's releases.
Commits
656f3eeAdd release and Nuclei workflows (#76)85d7d31Bump actions/create-github-app-token from 1.11.7 to 1.12.0 (#73)a407747Bump actions/create-github-app-token from 1.11.6 to 1.11.7 (#72)592e810Bump docker/login-action from 3.3.0 to 3.4.0 (#71)2d0b13dBump actions/create-github-app-token from 1.11.5 to 1.11.6 (#70)2366ad1Bump docker/build-push-action from 6.14.0 to 6.15.0 (#68)12dc0a4Bump docker/build-push-action from 6.13.0 to 6.14.0 (#67)4e55fa8Bump actions/create-github-app-token from 1.11.3 to 1.11.5 (#66)7c57170Bump docker/setup-buildx-action from 3.8.0 to 3.9.0 (#65)9a38290Bump actions/create-github-app-token from 1.11.2 to 1.11.3 (#64)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)