Bump the gh-version-updates group with 2 updates #1

dependabot · 2024-12-02T10:49:22Z

Bumps the gh-version-updates group with 2 updates: oxsecurity/megalinter and peter-evans/create-pull-request.

Updates oxsecurity/megalinter from 7 to 8

Release notes

Sourced from oxsecurity/megalinter's releases.

v8.0.0

What's Changed

Run npx mega-linter-runner@latest --upgrade to upgrade to MegaLinter v8 :)

Reporters

New ApiReporter (can be used to build Grafana dashboards), by @nvuillam in oxsecurity/megalinter#3540

Removed deprecated linters, by @nvuillam in oxsecurity/megalinter#3854

CSS_SCSSLINT: Project discontinued and advising to use stylelint

OPENAPI_SPECTRAL: Replaced by API_SPECTRAL (same linter but more formats handled)

SQL_SQL_LINT: Project no longer maintained

Core

Hide to linters by default all environment variables that contain TOKEN, USERNAME or PASSWORD, by @nvuillam in oxsecurity/megalinter#3881

Allow to override CLI_LINT_MODE when defined as project, by @nvuillam in oxsecurity/megalinter#3772

Allow to use absolute paths for LINTER_RULES_PATH, by @nvuillam in oxsecurity/megalinter#3775

Allow to update variables from PRE/POST Commands using output_variables property, by @nvuillam in oxsecurity/megalinter#3861

Media

MegaLinter: un linter pour les gouverner tous (FR), by Guillaume Arnaud from WeScale

MegaLinter, by Stéphane Robert, from 3DS OutScale

30 Seconds to Setup MegaLinter: Your Go-To Tool for Automated Code Quality, by Peng Cao |

Linters enhancements

bandit Call bandit with quiet mode to generate less logs, by @nvuillam in oxsecurity/megalinter#3892

grype Count number of errors returned by Grype, by @nvuillam in oxsecurity/megalinter#3906

yamllint Fix yamllint default format to avoid special characters or GitHub sections in text logs, by @nvuillam in oxsecurity/megalinter#3898

Fixes

terrascan fixed errors and removed redundant code, by @TommyE123 in oxsecurity/megalinter#3767

dotnet-format various performance improvements and ability to specify sln or proj paths, by @TommyE123 in oxsecurity/megalinter#3741

swiftlint Remove deprecated argument --path

Salesforce linters: Disable SF CLI auto update warning, by @nvuillam in oxsecurity/megalinter#3883

Doc

Add images and links to Git, CI/CD & other tools integrations at the beginning of the README, by @nvuillam in oxsecurity/megalinter#3885

Create README animated GIF presentation of MegaLinter, by @nvuillam in oxsecurity/megalinter#3910

Format mkdocs search index in place, by @echoix in oxsecurity/megalinter#3890

Use consistent spelling of 'flavor', by @InputUsername in oxsecurity/megalinter#3789

CI

Fix docker warnings, by @nvuillam in oxsecurity/megalinter#3853

FromAsCasing: 'as' and 'FROM' keywords' casing do not match

NoEmptyContinuation: Empty continuation line

SecretsUsedInArgOrEnv: Do not use ARG or ENV instructions for sensitive data

Port Beta workflows to use docker/metadata-action, by @echoix in oxsecurity/megalinter#3860

AutoUpdate linters: Always create a PR if the job has been started manually, by @nvuillam in oxsecurity/megalinter#3863

... (truncated)

Changelog

Sourced from oxsecurity/megalinter's changelog.

[v8.2.0] - 2024-11-17

Media

10 MegaLinter Tips and Tricks Unlock its Full Potential by Wes Dean

MegaLinter Performance Tuning for Maximum Efficiency by Wes Dean

Linters enhancements

detekt Enable SARIF output + count errors

lintr: Support files in subdirectories, fix unit tests

phpcs: Activate APPLY_FIXES

Salesforce linters: Add SF_CLI_DISABLE_AUTOUPDATE for SF CLI JIT plugins

trivy: handle retry if failed to download Java DB is detected

tsqllint Re-enabled after .net 8 and security updates

Fixes

Add message in PR comment if FAIL_IF_UPDATED_SOURCES is triggered

Fix linting errors in GitHub Actions template

Reporters

UpdatedSourcesReporter will git commit & push fixed files to source branch if APPLY_FIXES is set

Fix AzureCommentReporter not adding comments to PR

Fix AzureCommentReporter fails when target repo contains spaces

Doc

Updated documentation with Azure central pipeline use case

Update DevSkim documentation to show a valid exclusion config file

Note about risky rules and how to fix rule violations with PHP-CS-Fixer

CI

Also prune volumes before pulling and pushing to docker hub

Externalize mirroring from ghcr.io to docker hub in another workflow to avoid memory issues

Squash docker images to have less layers and size

Comment jobs related to GitHub Worker images, as CodeTotal is not actively maintained

Make gitpod workflow not blocking until uv install is fixed

Update stale comment

Try several times to embed trivy db during Docker build, as a workaround to the random failures

Wait 10 secondes instead of 1 before retrying a failing test method, to avoid race conditions

Linter versions upgrades (104)

actionlint from 1.7.3 to 1.7.4

ansible-lint from 24.9.2 to 24.10.0

bicep_linter from 0.30.23 to 0.31.92

cfn-lint from 1.16.1 to 1.19.0

checkov from 3.2.257 to 3.2.298

checkstyle from 10.18.2 to 10.20.1

clippy from 0.1.81 to 0.1.82

clj-kondo from 2024.09.27 to 2024.11.14

cspell from 8.15.1 to 8.16.0

devskim from 1.0.33 to 1.0.44

djlint from 1.35.2 to 1.36.1

... (truncated)

Commits

1fc052d Release MegaLinter v8.3.0
e8a20cd [automation] Auto-update linters version, help and documentation (#4304)
9824f37 Fix Docker mirroring job for release context (#4303)
9cb4ec7 [automation] Auto-update linters version, help and documentation (#4299)
010c8bd chore(deps): update dependency sfdx-hardis to v5.7.1 (#4302)
1a219e1 chore(deps): update trufflesecurity/trufflehog docker tag to v3.84.1 (#4301)
09ab582 Env variable replacement for PRE_COMMIT + command in log (#4298)
e33c1c7 retry in case of BLOB_UNKNOWN while downloading vulnerability list (#4300)
7f790c0 [automation] Auto-update linters version, help and documentation (#4297)
797a3d1 [automation] Auto-update linters version, help and documentation (#4296)
Additional commits viewable in compare view

Updates peter-evans/create-pull-request from 6 to 7

Release notes

Sourced from peter-evans/create-pull-request's releases.

Create Pull Request v7.0.0

✨ Now supports commit signing with bot-generated tokens! See "What's new" below. ✍️🤖

Behaviour changes

Action input git-token has been renamed branch-token, to be more clear about its purpose. The branch-token is the token that the action will use to create and update the branch.

The action now handles requests that have been rate-limited by GitHub. Requests hitting a primary rate limit will retry twice, for a total of three attempts. Requests hitting a secondary rate limit will not be retried.

The pull-request-operation output now returns none when no operation was executed.

Removed deprecated output environment variable PULL_REQUEST_NUMBER. Please use the pull-request-number action output instead.

What's new

The action can now sign commits as github-actions[bot] when using GITHUB_TOKEN, or your own bot when using GitHub App tokens. See commit signing for details.

Action input draft now accepts a new value always-true. This will set the pull request to draft status when the pull request is updated, as well as on creation.

A new action input maintainer-can-modify indicates whether maintainers can modify the pull request. The default is true, which retains the existing behaviour of the action.

A new output pull-request-commits-verified returns true or false, indicating whether GitHub considers the signature of the branch's commits to be verified.

What's Changed

build(deps-dev): bump @types/node from 18.19.36 to 18.19.39 by @dependabot in peter-evans/create-pull-request#3000

build(deps-dev): bump ts-jest from 29.1.5 to 29.2.0 by @dependabot in peter-evans/create-pull-request#3008

build(deps-dev): bump prettier from 3.3.2 to 3.3.3 by @dependabot in peter-evans/create-pull-request#3018

build(deps-dev): bump ts-jest from 29.2.0 to 29.2.2 by @dependabot in peter-evans/create-pull-request#3019

build(deps-dev): bump eslint-plugin-prettier from 5.1.3 to 5.2.1 by @dependabot in peter-evans/create-pull-request#3035

build(deps-dev): bump @types/node from 18.19.39 to 18.19.41 by @dependabot in peter-evans/create-pull-request#3037

build(deps): bump undici from 6.19.2 to 6.19.4 by @dependabot in peter-evans/create-pull-request#3036

build(deps-dev): bump ts-jest from 29.2.2 to 29.2.3 by @dependabot in peter-evans/create-pull-request#3038

build(deps-dev): bump @types/node from 18.19.41 to 18.19.42 by @dependabot in peter-evans/create-pull-request#3070

build(deps): bump undici from 6.19.4 to 6.19.5 by @dependabot in peter-evans/create-pull-request#3086

build(deps-dev): bump @types/node from 18.19.42 to 18.19.43 by @dependabot in peter-evans/create-pull-request#3087

build(deps-dev): bump ts-jest from 29.2.3 to 29.2.4 by @dependabot in peter-evans/create-pull-request#3088

build(deps): bump undici from 6.19.5 to 6.19.7 by @dependabot in peter-evans/create-pull-request#3145

build(deps-dev): bump @types/node from 18.19.43 to 18.19.44 by @dependabot in peter-evans/create-pull-request#3144

Update distribution by @actions-bot in peter-evans/create-pull-request#3154

build(deps): bump undici from 6.19.7 to 6.19.8 by @dependabot in peter-evans/create-pull-request#3213

build(deps-dev): bump @types/node from 18.19.44 to 18.19.45 by @dependabot in peter-evans/create-pull-request#3214

Update distribution by @actions-bot in peter-evans/create-pull-request#3221

build(deps-dev): bump eslint-import-resolver-typescript from 3.6.1 to 3.6.3 by @dependabot in peter-evans/create-pull-request#3255

build(deps-dev): bump @types/node from 18.19.45 to 18.19.46 by @dependabot in peter-evans/create-pull-request#3254

build(deps-dev): bump ts-jest from 29.2.4 to 29.2.5 by @dependabot in peter-evans/create-pull-request#3256

v7 - signed commits by @peter-evans in peter-evans/create-pull-request#3057

New Contributors

@rustycl0ck made their first contribution in peter-evans/create-pull-request#3057

Full Changelog: peter-evans/create-pull-request@v6.1.0...v7.0.0

Create Pull Request v6.1.0

✨ Adds pull-request-branch as an action output.

What's Changed

... (truncated)

Commits

5e91468 fix: support symlinks when commit signing (#3359)
2f38cd2 fix: support submodules when commit signing (#3354)
7a8aeac build(deps-dev): bump eslint from 8.57.0 to 8.57.1 (#3344)
d39d596 build(deps-dev): bump @types/jest from 29.5.12 to 29.5.13 (#3343)
f6f978f docs: correct suggestion for bot setup (#3342)
6cd32fd fix: disable abbreviated commit shas in diff (#3337)
d121e62 fix: disable diff detection for renames and copies (#3330)
f4d66f4 build(deps-dev): bump typescript from 5.5.4 to 5.6.2 (#3319)
488c869 build(deps-dev): bump @types/node from 18.19.48 to 18.19.50 (#3320)
5354f85 docs: update readme
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the gh-version-updates group with 2 updates: [oxsecurity/megalinter](https://github.com/oxsecurity/megalinter) and [peter-evans/create-pull-request](https://github.com/peter-evans/create-pull-request). Updates `oxsecurity/megalinter` from 7 to 8 - [Release notes](https://github.com/oxsecurity/megalinter/releases) - [Changelog](https://github.com/oxsecurity/megalinter/blob/main/CHANGELOG.md) - [Commits](oxsecurity/megalinter@v7...v8) Updates `peter-evans/create-pull-request` from 6 to 7 - [Release notes](https://github.com/peter-evans/create-pull-request/releases) - [Commits](peter-evans/create-pull-request@v6...v7) --- updated-dependencies: - dependency-name: oxsecurity/megalinter dependency-type: direct:production update-type: version-update:semver-major dependency-group: gh-version-updates - dependency-name: peter-evans/create-pull-request dependency-type: direct:production update-type: version-update:semver-major dependency-group: gh-version-updates ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 2, 2024

dependabot bot force-pushed the dependabot/github_actions/gh-version-updates-1328be377d branch from 39a9c3e to d5a0833 Compare December 2, 2024 13:57

dependabot bot force-pushed the dependabot/github_actions/gh-version-updates-1328be377d branch from d5a0833 to 4329b8d Compare December 9, 2024 12:56

sudeepkunhis approved these changes Dec 10, 2024

View reviewed changes

liamtoozer approved these changes Dec 10, 2024

View reviewed changes

sudeepkunhis merged commit ed4cd39 into main Dec 10, 2024
4 checks passed

sudeepkunhis deleted the dependabot/github_actions/gh-version-updates-1328be377d branch December 10, 2024 11:08

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the gh-version-updates group with 2 updates #1

Bump the gh-version-updates group with 2 updates #1

dependabot bot commented on behalf of github Dec 2, 2024 •

edited

Loading

Bump the gh-version-updates group with 2 updates #1

Bump the gh-version-updates group with 2 updates #1

Conversation

dependabot bot commented on behalf of github Dec 2, 2024 • edited Loading

v8.0.0

What's Changed

[v8.2.0] - 2024-11-17

Create Pull Request v7.0.0

Behaviour changes

What's new

What's Changed

New Contributors

Create Pull Request v6.1.0

What's Changed

dependabot bot commented on behalf of github Dec 2, 2024 •

edited

Loading