chore(deps): update all non-major dependencies

[renovate-coveo]

DEF-160

This PR contains the following updates:

Package	Type	Update	Change
github/codeql-action	action	minor	v2.2.4 -> v2.24.9
ossf/scorecard-action	action	minor	v2.1.2 -> v2.3.1

---

Release Notes

github/codeql-action (github/codeql-action)

v2.24.9

Compare Source

v2.24.8

Compare Source

v2.24.7

Compare Source

v2.24.6

Compare Source

v2.24.5

Compare Source

v2.24.4

Compare Source

v2.24.3

Compare Source

v2.24.2

Compare Source

v2.24.1

Compare Source

v2.24.0

Compare Source

v2.23.2

Compare Source

v2.23.1

Compare Source

v2.23.0

Compare Source

v2.22.12

Compare Source

v2.22.11

Compare Source

v2.22.10

Compare Source

v2.22.9

Compare Source

v2.22.8

Compare Source

v2.22.7

Compare Source

v2.22.6

Compare Source

v2.22.5

Compare Source

v2.22.4

Compare Source

v2.22.3

Compare Source

v2.22.2

Compare Source

v2.22.1

Compare Source

v2.22.0

Compare Source

v2.21.9

Compare Source

v2.21.8

Compare Source

v2.21.7

Compare Source

v2.21.6

Compare Source

v2.21.5

Compare Source

v2.21.4

Compare Source

v2.21.3

Compare Source

v2.21.2

Compare Source

v2.21.1

Compare Source

v2.21.0

Compare Source

v2.20.4

Compare Source

v2.20.3

Compare Source

v2.20.2

Compare Source

v2.20.1

Compare Source

v2.20.0

Compare Source

v2.3.6

Compare Source

v2.3.5

Compare Source

v2.3.4

Compare Source

v2.3.3

Compare Source

v2.3.2

Compare Source

v2.3.1

Compare Source

v2.3.0

Compare Source

v2.2.12

Compare Source

v2.2.11

Compare Source

v2.2.10

Compare Source

v2.2.9

Compare Source

v2.2.8

Compare Source

v2.2.7

Compare Source

v2.2.6

Compare Source

v2.2.5

Compare Source

ossf/scorecard-action (ossf/scorecard-action)

v2.3.1

Compare Source

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1282
  • Adds additional Fuzzing detection and fixes a SAST bug related to detecting CodeQL. For a full changelist of what this includes, see the v4.13.1 release notes

Full Changelog: ossf/scorecard-action@v2.3.0...v2.3.1

v2.3.0

Compare Source

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from v4.11.0 to v4.13.0 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1270
  • For a full changelist of what this includes, see the v4.12.0 and v4.13.0 release notes
• ✨ Send rekor tlog index to webapp when publishing results by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1169
• 🐛 Prevent url clipping for GHES instances by @​rajbos in https://github.com/ossf/scorecard-action/pull/1225

Documentation

• 📖 Update access rights needed to see the results in code scanning by @​rajbos in https://github.com/ossf/scorecard-action/pull/1229
• 📖 Add package comments. by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1221
• 📖 Add SECURITY.md file by @​david-a-wheeler in https://github.com/ossf/scorecard-action/pull/1250
• 📖 Fix typo in token input docs by @​aabouzaid in https://github.com/ossf/scorecard-action/pull/1258

New Contributors

• @​david-a-wheeler made their first contribution in https://github.com/ossf/scorecard-action/pull/1250
• @​aabouzaid made their first contribution in https://github.com/ossf/scorecard-action/pull/1258

Full Changelog: ossf/scorecard-action@v2.2.0...v2.3.0

v2.2.0

Compare Source

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from v4.10.5 to v4.11.0 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1192

Scorecard Result Viewer

Thanks to contributions from @​cynthia-sg and @​tegioz at CLOMonitor, there is a new Scorecard Result visualization page at https://securityscorecards.dev/viewer/?uri=<project-url>.

• https://github.com/ossf/scorecard-webapp/pull/406
• https://github.com/ossf/scorecard-webapp/pull/422

As an example, you can see our own score visualized here
Checkout our README to learn how to link your README badge to the new visualization page.

Publishing Results

This release contains two fixes which will improve the user experience when publish_results is true

• Runs that fail our workflow restrictions will fail with a 400 response indicating the problem, instead of a vague 500 status. (https://github.com/ossf/scorecard-action/pull/1156, resolved https://github.com/ossf/scorecard-action/issues/1150)
• Scorecard action will retry when signing results and submitting them to our web API. This should help with flakiness from connection failures. (https://github.com/ossf/scorecard-action/pull/1191)

Docs

• 📖 Update README to accept fine-grained tokens by @​pnacht in https://github.com/ossf/scorecard-action/pull/1175
• 📖 Update installation instructions to match current GitHub UI by @​joycebrum in https://github.com/ossf/scorecard-action/pull/1153
• 📖 Document the GitHub action workflow restrictions when publishing results. by @​spencerschrock in

New Contributors

• @​bobcallaway made their first contribution in https://github.com/ossf/scorecard-action/pull/1140
• @​pnacht made their first contribution in https://github.com/ossf/scorecard-action/pull/1175

Full Changelog: ossf/scorecard-action@v2.1.3...v2.2.0

v2.1.3

Compare Source

What's Changed

• 🌱 Bump github.com/ossf/scorecard/v4 from 4.10.2 to 4.10.5 by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1111

Bug Fixes

• Invalid SARIF files from a bug in scorecard
  • #​1076, #​1094
• Vulnerabilities check crashes if a vulnerable dependency is found via OSVScanner
  • #​1092
• Scorecard action not reporting binary artifacts in the repo
  • #​1116

Full Scorecard Changelog: ossf/scorecard@v4.10.2...v4.10.5

Full Changelog: ossf/scorecard-action@v2.1.2...v2.1.3

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" in timezone America/Toronto, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by the Coveo Renovate Bot

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/github/codeql-action/upload-sarif	a82bad71823183e5b120ab52d521460ecb0585fe	Unknown	Unknown
actions/ossf/scorecard-action	0864cf19026789058feabb7e87baa5f140aac736	🟢 7.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Code-Review 🟢 10 30 out of last 30 changesets reviewed before merge -- score normalized to 10 Contributors 🟢 10 19 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) out of 30 and 22 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 SAST 🟢 10 SAST tool is run on all commits Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Vulnerabilities ⚠️ -1 internal error: vulnerabilitiesClient.ListUnfixedVulnerabilities: osvscanner.DoScan: vulnerabilities found
actions/github/codeql-action/upload-sarif	17573ee1cc1b9d061760f3a006fc4aac4f944fd5	Unknown	Unknown
actions/ossf/scorecard-action	e38b1902ae4f44df626f11ba0734b14fb91f8f86	🟢 7.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no badge detected Code-Review 🟢 10 30 out of last 30 changesets reviewed before merge -- score normalized to 10 Contributors 🟢 10 19 different organizations found -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 30 commit(s) out of 30 and 22 issue activity out of 30 found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 no published package detected Pinned-Dependencies 🟢 8 dependency not pinned by hash detected -- score normalized to 8 SAST 🟢 10 SAST tool is run on all commits Security-Policy ⚠️ 0 security policy file not detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 non read-only tokens detected in GitHub workflows Vulnerabilities ⚠️ -1 internal error: vulnerabilitiesClient.ListUnfixedVulnerabilities: osvscanner.DoScan: vulnerabilities found

Scanned Manifest Files

.github/workflows/scorecard.yml

• github/codeql-action@a82bad7
• ossf/scorecard-action@0864cf1
• github/codeql-action@17573ee
• ossf/scorecard-action@e38b190