Bump the github-actions group with 3 updates
Bumps the github-actions group with 3 updates: [step-security/harden-runner](https://github.com/step-security/harden-runner), [bazelbuild/continuous-integration](https://github.com/bazelbuild/continuous-integration) and [github/codeql-action](https://github.com/github/codeql-action).
Closes #23820.
PiperOrigin-RevId: 681412302
Change-Id: I06837d15c72c2c337760b5b8e30d1773fc81fcf7
diff --git a/.github/workflows/cherry-picker.yml b/.github/workflows/cherry-picker.yml
index 04ed7d1..3d7a970 100644
--- a/.github/workflows/cherry-picker.yml
+++ b/.github/workflows/cherry-picker.yml
@@ -19,19 +19,19 @@
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit
- if: github.event.pull_request
name: Run cherrypicker on closed PR
- uses: bazelbuild/continuous-integration/actions/cherry_picker@40accd1e24b7d296e87b573002ed0903828c0cf0
+ uses: bazelbuild/continuous-integration/actions/cherry_picker@312ab25f6994b2fac89dc6910b3ebd6cb93cfa74
with:
triggered-on: closed
pr-number: ${{ github.event.number }}
is-prod: True
- if: github.event.issue
name: Run cherrypicker on closed issue
- uses: bazelbuild/continuous-integration/actions/cherry_picker@40accd1e24b7d296e87b573002ed0903828c0cf0
+ uses: bazelbuild/continuous-integration/actions/cherry_picker@312ab25f6994b2fac89dc6910b3ebd6cb93cfa74
with:
triggered-on: closed
pr-number: ${{ github.event.issue.number }}
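Review bot: The new SHA pins on the `Harden Runner` and `cherry_picker` steps carry no trailing version comment, while the other workflow files in this commit annotate the same harden-runner commit with `# v2.10.1`. Without it a reviewer cannot tell from the file which release a 40-character hash corresponds to, which makes a wrong or unexpected pin harder to spot in later bumps. I would write `uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1` here, in the two later hunks of cherry-picker.yml, and in the hunk in update-lockfiles.yml. For the bazelbuild/continuous-integration pins no release tag is visible on the page; release-helper.yml labels its pin `# master`, which names a moving branch rather than the pinned commit, so a commit date or short description in that comment would be more useful.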
@@ -41,12 +41,12 @@
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit
- if: startsWith(github.event.issue.body, 'Forked from')
name: Run cherrypicker on comment
- uses: bazelbuild/continuous-integration/actions/cherry_picker@40accd1e24b7d296e87b573002ed0903828c0cf0
+ uses: bazelbuild/continuous-integration/actions/cherry_picker@312ab25f6994b2fac89dc6910b3ebd6cb93cfa74
with:
triggered-on: commented
pr-number: ${{ github.event.issue.body }}
@@ -55,7 +55,7 @@
is-prod: True
- if: startsWith(github.event.issue.body, '### Commit IDs')
name: Run cherrypicker on demand
- uses: bazelbuild/continuous-integration/actions/cherry_picker@40accd1e24b7d296e87b573002ed0903828c0cf0
+ uses: bazelbuild/continuous-integration/actions/cherry_picker@312ab25f6994b2fac89dc6910b3ebd6cb93cfa74
with:
triggered-on: ondemand
milestone-title: ${{ github.event.milestone.title }}
diff --git a/.github/workflows/issue-labeler.yml b/.github/workflows/issue-labeler.yml
index 6972374..097d0d0 100644
--- a/.github/workflows/issue-labeler.yml
+++ b/.github/workflows/issue-labeler.yml
@@ -19,7 +19,7 @@
steps:
- uses: actions/checkout@v4
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
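Review bot: In this job `Harden Runner` is the second step, after `actions/checkout@v4`, so the checkout runs before the egress audit is in place; harden-runner is meant to be the first step of a job. The checkout step is also the only action visible in these hunks that is referenced by a mutable tag instead of a full commit SHA. Both lines are unchanged context in this hunk, but since the bump touches the step it is a good moment to move `- name: Harden Runner` above the checkout and pin the latter as `uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder; take the SHA from the upstream release).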
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index c6d998d..454567a 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -15,7 +15,7 @@
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
diff --git a/.github/workflows/release-helper.yml b/.github/workflows/release-helper.yml
index 5622d62..acfc9ee 100644
--- a/.github/workflows/release-helper.yml
+++ b/.github/workflows/release-helper.yml
@@ -13,11 +13,11 @@
issues: write
steps:
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Run helper
- uses: bazelbuild/continuous-integration/actions/release-helper@40accd1e24b7d296e87b573002ed0903828c0cf0 # master
+ uses: bazelbuild/continuous-integration/actions/release-helper@312ab25f6994b2fac89dc6910b3ebd6cb93cfa74 # master
with:
token: ${{ secrets.BAZEL_IO_TOKEN }}
diff --git a/.github/workflows/remove-labels.yml b/.github/workflows/remove-labels.yml
index 4302bee..1c1880d 100644
--- a/.github/workflows/remove-labels.yml
+++ b/.github/workflows/remove-labels.yml
@@ -14,7 +14,7 @@
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index b09c5e2..f919e6d 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@
steps:
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
@@ -72,6 +72,6 @@
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
- uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6
+ uses: github/codeql-action/upload-sarif@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v3.26.10
with:
sarif_file: results.sarif
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 36c74ca..d04d06e 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -23,7 +23,7 @@
steps:
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde # v2.9.1
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
diff --git a/.github/workflows/update-lockfiles.yml b/.github/workflows/update-lockfiles.yml
index d1c18fe..b4fb999 100644
--- a/.github/workflows/update-lockfiles.yml
+++ b/.github/workflows/update-lockfiles.yml
@@ -18,11 +18,11 @@
runs-on: ubuntu-latest
steps:
- name: Harden Runner
- uses: step-security/harden-runner@5c7944e73c4c2a096b17a9cb74d65b6c2bbafbde
+ uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7
with:
egress-policy: audit
- name: Update lockfile(s) on closed PR
- uses: bazelbuild/continuous-integration/actions/update-lockfile@40accd1e24b7d296e87b573002ed0903828c0cf0
+ uses: bazelbuild/continuous-integration/actions/update-lockfile@312ab25f6994b2fac89dc6910b3ebd6cb93cfa74
with:
release-branch: ${{ github.base_ref }}
is-prod: True