Scorecard currently has experimental support for the `pull_request`
trigger, so we want to allow analysis to be run for it in the future.
Signed-off-by: Spencer Schrock <sschrock@google.com>
1. Scorecard update v2.4.1 was released, which includes months of bug
fixes and a new `file_mode` input to address a .gitattributes bug.
2. Bumped actions/upload-artifact to the v4 branch. This was previously
kept at v3 as GHES doesn't support v4, but github.com no longer
supports v3, as uploads return the following error: "Create Artifact
Container failed: The artifact name JSON file is not valid."
Signed-off-by: Spencer Schrock <sschrock@google.com>
* update action hashes and version comments
ossf/scorecard-action v2.1.2 is old and doesn't work after a Sigstore
change. https://blog.sigstore.dev/tuf-root-update/
Signed-off-by: Spencer Schrock <sschrock@google.com>
* downgrade actions/upload-artifact to node20 version of v3
dependabot will suggest an upgrade to v4.3.1 for repos that can upgrade.
Note: v3.pre.node20 is how dependabot refers to the pinned hash, so
use that so it can upgrade the comment.
Signed-off-by: Spencer Schrock <sschrock@google.com>
* upgrade github/codeql-action/upload-sarif to v3.24.9
Signed-off-by: Spencer Schrock <sschrock@google.com>
---------
Signed-off-by: Spencer Schrock <sschrock@google.com>
Co-authored-by: Alexis Abril <alexisabril@github.com>