chore(deps): update github actions minor and patch updates

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/checkout	action	minor	v4.2.2 -> v4.3.0
anchore/sbom-action	action	patch	v0.20.0 -> v0.20.8
docker/login-action	action	minor	v3.4.0 -> v3.6.0
goreleaser/goreleaser-action	action	minor	v6.3.0 -> v6.4.0
sigstore/cosign-installer	action	minor	v3.8.2 -> v3.10.1
slsa-framework/slsa-verifier	action	patch	v2.7.0 -> v2.7.1
step-security/harden-runner	action	minor	v2.12.0 -> v2.13.1

---

Release Notes

actions/checkout (actions/checkout)

v4.3.0

Compare Source

What's Changed

• docs: update README.md by @​motss in https://github.com/actions/checkout/pull/1971
• Add internal repos for checking out multiple repositories by @​mouismail in https://github.com/actions/checkout/pull/1977
• Documentation update - add recommended permissions to Readme by @​benwells in https://github.com/actions/checkout/pull/2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in https://github.com/actions/checkout/pull/2044
• Update README.md by @​nebuk89 in https://github.com/actions/checkout/pull/2194
• Update CODEOWNERS for actions by @​TingluoHuang in https://github.com/actions/checkout/pull/2224
• Update package dependencies by @​salmanmkc in https://github.com/actions/checkout/pull/2236
• Prepare release v4.3.0 by @​salmanmkc in https://github.com/actions/checkout/pull/2237

New Contributors

• @​motss made their first contribution in https://github.com/actions/checkout/pull/1971
• @​mouismail made their first contribution in https://github.com/actions/checkout/pull/1977
• @​benwells made their first contribution in https://github.com/actions/checkout/pull/2043
• @​nebuk89 made their first contribution in https://github.com/actions/checkout/pull/2194
• @​salmanmkc made their first contribution in https://github.com/actions/checkout/pull/2236

Full Changelog: actions/checkout@v4...v4.3.0

anchore/sbom-action (anchore/sbom-action)

v0.20.8

Compare Source

Changes in v0.20.8

• chore(deps): update Syft to v1.34.2 (#​545) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]

v0.20.7

Compare Source

Changes in v0.20.7

• chore(deps): update Syft to v1.34.1 (#​544)

v0.20.6

Compare Source

Changes in v0.20.6

• chore(deps): update Syft to v1.33.0 (#​537) [[anchore-actions-token-generator[bot]](https://github.com/anchore-actions-token-generator[bot])]
• chore: update actions library to resolve critical vulnerability (#​536) [spiffcs]

v0.20.5

Compare Source

Changes in v0.20.5

• Update Syft to v1.31.0 (#​531)

v0.20.4

Compare Source

Changes in v0.20.4

• chore: update Syft to v1.29.0 (#​529)

v0.20.3

Compare Source

Changes in v0.20.3

• Fix: Strip emojis from correlator before using github APIs (#​527) [AndrewHendry]

v0.20.2

Compare Source

Changes in v0.20.2

• Update Syft to v1.28.0 (#​526)

v0.20.1

Compare Source

Changes in v0.20.1

• Update Syft to v1.27.1 (#​525)

docker/login-action (docker/login-action)

v3.6.0

Compare Source

• Add registry-auth input for raw authentication to registries by @​crazy-max in #​887
• Bump @​aws-sdk/client-ecr to 3.890.0 in #​882 #​890
• Bump @​aws-sdk/client-ecr-public to 3.890.0 in #​882 #​890
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​883
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​880
• Bump undici from 5.28.4 to 5.29.0 in #​879
• Bump tmp from 0.2.3 to 0.2.4 in #​881

Full Changelog: docker/login-action@v3.5.0...v3.6.0

v3.5.0

Compare Source

• Support dual-stack endpoints for AWS ECR by @​Spacefish @​crazy-max in #​874 #​876
• Bump @​aws-sdk/client-ecr to 3.859.0 in #​860 #​878
• Bump @​aws-sdk/client-ecr-public to 3.859.0 in #​860 #​878
• Bump @​docker/actions-toolkit from 0.57.0 to 0.62.1 in #​870
• Bump form-data from 2.5.1 to 2.5.5 in #​875

Full Changelog: docker/login-action@v3.4.0...v3.5.0

goreleaser/goreleaser-action (goreleaser/goreleaser-action)

v6.4.0

Compare Source

What's Changed

• ci: set contents read as default workflow permissions by @​crazy-max in #​494
• fix: support .config directory for goreleaser config files by @​haya14busa in #​500
• chore(deps): bump semver from 7.7.1 to 7.7.2 by @​dependabot[bot] in #​495
• chore(deps): bump brace-expansion from 1.1.11 to 1.1.12 by @​dependabot[bot] in #​498
• fix: do not get releases.json if version is specific by @​caarlos0 in #​502
• chore(deps): bump undici from 5.28.5 to 5.29.0 by @​dependabot[bot] in #​496
• feat: retry downloading releases json by @​caarlos0 in #​503

New Contributors

• @​haya14busa made their first contribution in #​500

Full Changelog: goreleaser/goreleaser-action@v6.3.0...v6.4.0

sigstore/cosign-installer (sigstore/cosign-installer)

v3.10.1

Compare Source

What's Changed?

Note: cosign-installer v3.x cannot be used to install Cosign v3.x. You must upgrade to cosign-installer v4 in order to use Cosign v3.

Note: This is planned to be the final release of Cosign v2, though we will cut new releases for any critical security or bug fixes. We recommend transitioning to Cosign v3.

• Bump default Cosign to v2.6.1 (#​203)

v3.10.0

Compare Source

What's Changed

• Bump default Cosign to v2.6.0 in #​200

Full Changelog: sigstore/cosign-installer@v3.9.2...v3.10.0

v3.9.2

Compare Source

What's Changed

• not fail fast and setup permissions in #​195
• drop old unsupported versions <v2.0.0 in #​192
• Update default to v2.5.3 in #​196

Full Changelog: sigstore/cosign-installer@v3.9.1...v3.9.2

v3.9.1

Compare Source

What's Changed

• default action install to use release v2.5.1 by @​cpanato in #​193
• default cosign to v2.5.2 by @​cpanato in #​194

Full Changelog: sigstore/cosign-installer@v3.9.0...v3.9.1

v3.9.0

Compare Source

What's Changed

• Bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in #​189
• bump cosign install to use release v2.5.0 as default by @​cpanato in #​191

Full Changelog: sigstore/cosign-installer@v3...v3.9.0

slsa-framework/slsa-verifier (slsa-framework/slsa-verifier)

v2.7.1

Compare Source

What's Changed

• chore: Update docs for v2.7.0 by @​ramonpetgrave64 in #​829
• docs(npm): "exmaple" spelling fix by @​scop in #​832
• chore: update test files for v2.1.0 by @​ramonpetgrave64 in #​836
• feat: verify provenance for bcr modules produced by trusted reusable workflows by @​loosebazooka in #​840
• chore(deps): update golang:1.23 docker digest to cc458d7 by @​renovate-bot in #​838
• fix: less parallelism in tests by @​ramonpetgrave64 in #​851
• chore(deps): bump @​octokit/request-error from 5.0.1 to 5.1.1 in /actions/installer in the npm_and_yarn group across 1 directory by @​dependabot in #​833
• chore(deps): bump github.com/go-jose/go-jose/v4 from 4.0.4 to 4.0.5 in the go_modules group by @​dependabot in #​835
• chore(deps): bump the go_modules group across 1 directory with 2 updates by @​dependabot in #​853
• fix(deps): update npm by @​renovate-bot in #​843
• fix(deps): update golang.org/x/exp digest to dcc06ee by @​renovate-bot in #​839
• fix: no parallel regression tests by @​ramonpetgrave64 in #​855
• chore(deps): update golang:1.23 docker digest to dd5cc4b by @​renovate-bot in #​847
• chore(deps): update gcr.io/distroless/base:nonroot docker digest to 0a0dc20 by @​renovate-bot in #​844
• chore(deps): bump the npm_and_yarn group across 2 directories with 5 updates by @​dependabot in #​854
• feat: Bazel not experimental by @​ramonpetgrave64 in #​850
• docs: add section for verify-github-attestation by @​loosebazooka in #​858

New Contributors

• @​scop made their first contribution in #​832
• @​loosebazooka made their first contribution in #​840

Full Changelog: slsa-framework/slsa-verifier@v2.7.0...v2.7.1

step-security/harden-runner (step-security/harden-runner)

v2.13.1

Compare Source

What's Changed

• Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

• Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

• Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

v2.13.0

Compare Source

What's Changed

• Improved job markdown summary
• Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

Compare Source

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com
Bug fixes:

• Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
• Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

Compare Source

What's Changed

• Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
• Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.