chore(deps): bump the github-actions group with 13 updates

[dependabot]

Bumps the github-actions group with 13 updates:

Package	From	To
actions/checkout	3	4
docker/setup-qemu-action	2	3
docker/setup-buildx-action	2	3
docker/metadata-action	4.6.0	5.2.0
docker/login-action	2	3
docker/build-push-action	4	5
contributor-assistant/github-action	2.3.0	2.3.1
dessant/lock-threads	4	5
sigstore/cosign-installer	3.1.1	3.2.0
anchore/sbom-action	0.14.3	0.15.0
crazy-max/ghaction-upx	2	3
cachix/install-nix-action	22	24
goreleaser/goreleaser-action	4	5

Updates actions/checkout from 3 to 4

Release notes

Sourced from actions/checkout's releases.

v4.0.0

What's Changed

• Update default runtime to node20 by @​takost in actions/checkout#1436
• Support fetching without the --progress option by @​simonbaird in actions/checkout#1067
• Release 4.0.0 by @​takost in actions/checkout#1447

New Contributors

• @​takost made their first contribution in actions/checkout#1436
• @​simonbaird made their first contribution in actions/checkout#1067

Full Changelog: actions/checkout@v3...v4.0.0

v3.6.0

What's Changed

• Mark test scripts with Bash'isms to be run via Bash by @​dscho in actions/checkout#1377
• Add option to fetch tags even if fetch-depth > 0 by @​RobertWieczoreck in actions/checkout#579
• Release 3.6.0 by @​luketomlinson in actions/checkout#1437

New Contributors

• @​RobertWieczoreck made their first contribution in actions/checkout#579
• @​luketomlinson made their first contribution in actions/checkout#1437

Full Changelog: actions/checkout@v3.5.3...v3.6.0

v3.5.3

What's Changed

• Fix: Checkout Issue in self hosted runner due to faulty submodule check-ins by @​megamanics in actions/checkout#1196
• Fix typos found by codespell by @​DimitriPapadopoulos in actions/checkout#1287
• Add support for sparse checkouts by @​dscho and @​dfdez in actions/checkout#1369
• Release v3.5.3 by @​TingluoHuang in actions/checkout#1376

New Contributors

• @​megamanics made their first contribution in actions/checkout#1196
• @​DimitriPapadopoulos made their first contribution in actions/checkout#1287
• @​dfdez made their first contribution in actions/checkout#1369

Full Changelog: actions/checkout@v3...v3.5.3

v3.5.2

What's Changed

• Fix: Use correct API url / endpoint in GHES by @​fhammerl in actions/checkout#1289 based on #1286 by @​1newsr

Full Changelog: actions/checkout@v3.5.1...v3.5.2

v3.5.1

What's Changed

• Improve checkout performance on Windows runners by upgrading @​actions/github dependency by @​BrettDong in actions/checkout#1246

New Contributors

• @​BrettDong made their first contribution in actions/checkout#1246

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v4.1.0

• Add support for partial checkout filters

v4.0.0

• Support fetching without the --progress option
• Update to node20

v3.6.0

• Fix: Mark test scripts with Bash'isms to be run via Bash
• Add option to fetch tags even if fetch-depth > 0

v3.5.3

• Fix: Checkout fail in self-hosted runners when faulty submodule are checked-in
• Fix typos found by codespell
• Add support for sparse checkouts

v3.5.2

• Fix api endpoint for GHES

v3.5.1

• Fix slow checkout on Windows

v3.5.0

• Add new public key for known_hosts

v3.4.0

• Upgrade codeql actions to v2
• Upgrade dependencies
• Upgrade @​actions/io

v3.3.0

• Implement branch list using callbacks from exec function
• Add in explicit reference to private checkout options
• [Fix comment typos (that got added in #770)](actions/checkout#1057)

v3.2.0

• Add GitHub Action to perform release
• Fix status badge
• Replace datadog/squid with ubuntu/squid Docker image
• Wrap pipeline commands for submoduleForeach in quotes
• Update @​actions/io to 1.1.2
• Upgrading version to 3.2.0

v3.1.0

• Use @​actions/core saveState and getState
• Add github-server-url input

v3.0.2

... (truncated)

Commits

• b4ffde6 Link to release page from what's new section (#1514)
• 8530928 Correct link to GitHub Docs (#1511)
• 7cdaf2f Update CODEOWNERS to Launch team (#1510)
• 8ade135 Prepare 4.1.0 release (#1496)
• c533a0a Add support for partial checkout filters (#1396)
• 72f2cec Update README.md for V4 (#1452)
• 3df4ab1 Release 4.0.0 (#1447)
• 8b5e8b7 Support fetching without the --progress option (#1067)
• 97a652b Update default runtime to node20 (#1436)
• See full diff in compare view

Updates docker/setup-qemu-action from 2 to 3

Release notes

Sourced from docker/setup-qemu-action's releases.

v3.0.0

• Node 20 as default runtime (requires Actions Runner v2.308.0 or later) by @​crazy-max in docker/setup-qemu-action#102
• Bump @​actions/core from 1.10.0 to 1.10.1 in docker/setup-qemu-action#103
• Bump semver from 6.3.0 to 6.3.1 in docker/setup-qemu-action#89

Full Changelog: docker/setup-qemu-action@v2.2.0...v3.0.0

v2.2.0

• Trim off spaces in platforms input by @​Chocobo1 in docker/setup-qemu-action#64
• Switch to actions-toolkit implementation by @​crazy-max in docker/setup-qemu-action#70 docker/setup-qemu-action#80 docker/setup-qemu-action#83

Full Changelog: docker/setup-qemu-action@v2.1.0...v2.2.0

v2.1.0

• Use context for inputs by @​crazy-max (#62)
• Use built-in getExecOutput by @​crazy-max (#61)
• Remove workaround for setOutput by @​crazy-max (#63)
• Bump @​actions/core from 1.6.0 to 1.10.0 (#54 #58 #59)

Full Changelog: docker/setup-qemu-action@v2.0.0...v2.1.0

Commits

• 6882732 Merge pull request #103 from docker/dependabot/npm_and_yarn/actions/core-1.10.1
• 183f4af chore: update generated content
• f174935 build(deps): bump @​actions/core from 1.10.0 to 1.10.1
• 2e423eb Merge pull request #89 from docker/dependabot/npm_and_yarn/semver-6.3.1
• ecc406a Bump semver from 6.3.0 to 6.3.1
• 12dec5e Merge pull request #102 from crazy-max/update-node20
• c29b312 chore: node 20 as default runtime
• 34ae628 chore: update generated content
• 1f3d2e1 chore: fix author in package.json
• 277dbe8 vendor: bump @​docker/actions-toolkit from 0.3.0 to 0.12.0
• Additional commits viewable in compare view

Updates docker/setup-buildx-action from 2 to 3

Release notes

Sourced from docker/setup-buildx-action's releases.

v3.0.0

• Node 20 as default runtime (requires Actions Runner v2.308.0 or later) by @​crazy-max in docker/setup-buildx-action#264
• Bump @​actions/core from 1.10.0 to 1.10.1 in docker/setup-buildx-action#267

Full Changelog: docker/setup-buildx-action@v2.10.0...v3.0.0

v2.10.0

What's Changed

• Bump @​docker/actions-toolkit from 0.7.1 to 0.10.0 by @​crazy-max in docker/setup-buildx-action#258
• Bump word-wrap from 1.2.3 to 1.2.5 in docker/setup-buildx-action#253

Full Changelog: docker/setup-buildx-action@v2.9.1...v2.10.0

v2.9.1

• Bump @​docker/actions-toolkit from 0.7.0 to 0.7.1 in docker/setup-buildx-action#248
  • Fixes an issue where building Buildx does not match the local platform (docker/actions-toolkit#135)

Full Changelog: docker/setup-buildx-action@v2.9.0...v2.9.1

v2.9.0

• Bump @​docker/actions-toolkit from 0.6.0 to 0.7.0 in docker/setup-buildx-action#246
  • Adds support to cache Buildx binary to hosted tool cache and GHA cache backend

Full Changelog: docker/setup-buildx-action@v2.8.0...v2.9.0

v2.8.0

• Only set specific flags for drivers supporting them by @​nicks in docker/setup-buildx-action#241
• Bump @​docker/actions-toolkit from 0.5.0 to 0.6.0 in docker/setup-buildx-action#242

Full Changelog: docker/setup-buildx-action@v2.7.0...v2.8.0

v2.7.0

• Bump @​docker/actions-toolkit from 0.3.0 to 0.5.0 in docker/setup-buildx-action#237 docker/setup-buildx-action#238

Full Changelog: docker/setup-buildx-action@v2.6.0...v2.7.0

v2.6.0

• Set node name for k8s driver when appending nodes by @​crazy-max in docker/setup-buildx-action#219
• Bump @​docker/actions-toolkit from 0.1.0-beta.18 to 0.3.0 in docker/setup-buildx-action#220 docker/setup-buildx-action#229 docker/setup-buildx-action#231 docker/setup-buildx-action#236

Full Changelog: docker/setup-buildx-action@v2.5.0...v2.6.0

v2.5.0

• cleanup input to remove builder and temp files by @​crazy-max in docker/setup-buildx-action#213
• do not remove builder using the docker driver by @​crazy-max in docker/setup-buildx-action#218
• fix current context as builder name for docker driver by @​crazy-max in docker/setup-buildx-action#209

Full Changelog: docker/setup-buildx-action@v2.4.1...v2.5.0

v2.4.1

... (truncated)

Commits

• f95db51 Merge pull request #267 from docker/dependabot/npm_and_yarn/actions/core-1.10.1
• 998a87c chore: update generated content
• 28bae59 build(deps): bump @​actions/core from 1.10.0 to 1.10.1
• c215341 Merge pull request #264 from crazy-max/update-node20
• 02e9319 chore: node 20 as default runtime
• 5c9160e chore: update generated content
• 1283140 chore: fix author in package.json
• c6afe06 vendor: bump @​docker/actions-toolkit from 0.10.0 to 0.12.0
• f35e0d5 chore: update dev dependencies
• baeb468 dev: remove unneeded binaries
• Additional commits viewable in compare view

Updates docker/metadata-action from 4.6.0 to 5.2.0

Release notes

Sourced from docker/metadata-action's releases.

v5.2.0

• Custom annotations support by @​crazy-max in docker/metadata-action#361

Full Changelog: docker/metadata-action@v5.1.0...v5.2.0

v5.1.0

• Annotations support by @​crazy-max in docker/metadata-action#352
• Split bake definition into two files by @​crazy-max in docker/metadata-action#353
• Allow images input to be empty to output bare tags by @​crazy-max in docker/metadata-action#358
• Bump @​actions/github from 5.1.1 to 6.0.0 in docker/metadata-action#348
• Bump @​babel/traverse from 7.17.3 to 7.23.2 in docker/metadata-action#350
• Bump @​docker/actions-toolkit from 0.12.0 to 0.14.0 in docker/metadata-action#349 docker/metadata-action#357
• Bump csv-parse from 5.5.0 to 5.5.2 in docker/metadata-action#346
• Bump semver from 7.5.3 to 7.5.4 in docker/metadata-action#335

Full Changelog: docker/metadata-action@v5.0.0...v5.1.0

v5.0.0

• Node 20 as default runtime (requires Actions Runner v2.308.0 or later) by @​crazy-max in docker/metadata-action#328
• Bump @​actions/core from 1.10.0 to 1.10.1 in docker/metadata-action#333
• Bump csv-parse from 5.4.0 to 5.5.0 in docker/metadata-action#320
• Bump semver from 7.5.1 to 7.5.2 in docker/metadata-action#304
• Bump handlebars from 4.7.7 to 4.7.8 in docker/metadata-action#315

Full Changelog: docker/metadata-action@v4.6.0...v5.0.0

Upgrade guide

Sourced from docker/metadata-action's upgrade guide.

Upgrade notes

v2 to v3

• Repository has been moved to docker org. Replace crazy-max/ghaction-docker-meta@v2 with docker/metadata-action@v5
• The default bake target has been changed: ghaction-docker-meta > docker-metadata-action

v1 to v2

• inputs
  • tag-sha
  • tag-edge / tag-edge-branch
  • tag-semver
  • tag-match / tag-match-group
  • tag-latest
  • tag-schedule
  • tag-custom / tag-custom-only
  • label-custom
• Basic workflow
• Semver workflow

inputs

New	Unchanged	Removed
tags	images	tag-sha
flavor	sep-tags	tag-edge
labels	sep-labels	tag-edge-branch
		tag-semver
		tag-match
		tag-match-group
		tag-latest
		tag-schedule
		tag-custom
		tag-custom-only
		label-custom

tag-sha

tags: |
  type=sha

tag-edge / tag-edge-branch

tags: |
  # default branch
</tr></table> 

... (truncated)

Commits

• e6428a5 Merge pull request #361 from crazy-max/custom-annotations
• 26b4721 Merge pull request #359 from favonia/document-annotations
• 352ce8b chore: update generated content
• cb0becc custom annotations support
• 91224bc docs(README): add a hint about multi-arch builds
• f19c369 Merge pull request #358 from crazy-max/empty-images
• 4066f0c chore: update generated content
• d6a296c chore: use anonymous func to generate tags and add tests
• aacea38 feat: allow the images input to be empty, to output just tags
• 051f7ea Merge pull request #357 from docker/dependabot/npm_and_yarn/docker/actions-to...
• Additional commits viewable in compare view

Updates docker/login-action from 2 to 3

Release notes

Sourced from docker/login-action's releases.

v3.0.0

• Node 20 as default runtime (requires Actions Runner v2.308.0 or later) by @​crazy-max in docker/login-action#593
• Bump @​actions/core from 1.10.0 to 1.10.1 in docker/login-action#598
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.410.0 in docker/login-action#555 docker/login-action#560 docker/login-action#582 docker/login-action#599
• Bump semver from 6.3.0 to 6.3.1 in docker/login-action#556
• Bump https-proxy-agent to 7.0.2 docker/login-action#561 docker/login-action#588

Full Changelog: docker/login-action@v2.2.0...v3.0.0

v2.2.0

• Switch to actions-toolkit implementation by @​crazy-max in docker/login-action#409 docker/login-action#470 docker/login-action#476
• Bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.347.1 in docker/login-action#524 docker/login-action#364 docker/login-action#363
• Bump minimatch from 3.0.4 to 3.1.2 in docker/login-action#354
• Bump json5 from 2.2.0 to 2.2.3 in docker/login-action#378
• Bump http-proxy-agent from 5.0.0 to 7.0.0 in docker/login-action#509
• Bump https-proxy-agent from 5.0.1 to 7.0.0 in docker/login-action#508

Full Changelog: docker/login-action@v2.1.0...v2.2.0

v2.1.0

• Ensure AWS temp credentials are redacted in workflow logs by @​crazy-max (#275)
• Bump @​actions/core from 1.6.0 to 1.10.0 (#252 #292)
• Bump @​aws-sdk/client-ecr from 3.53.0 to 3.186.0 (#298)
• Bump @​aws-sdk/client-ecr-public from 3.53.0 to 3.186.0 (#299)

Full Changelog: docker/login-action@v2.0.0...v2.1.0

Commits

• 343f7c4 Merge pull request #599 from docker/dependabot/npm_and_yarn/aws-sdk-dependenc...
• aad0f97 chore: update generated content
• 2e0cd39 build(deps): bump the aws-sdk-dependencies group with 2 updates
• 203bc9c Merge pull request #588 from docker/dependabot/npm_and_yarn/proxy-agent-depen...
• 2199648 chore: update generated content
• b489376 build(deps): bump the proxy-agent-dependencies group with 1 update
• 7c309e7 Merge pull request #598 from docker/dependabot/npm_and_yarn/actions/core-1.10.1
• 0ccf222 chore: update generated content
• 56d703e Merge pull request #597 from docker/dependabot/github_actions/aws-actions/con...
• 24d3b35 build(deps): bump @​actions/core from 1.10.0 to 1.10.1
• Additional commits viewable in compare view

Updates docker/build-push-action from 4 to 5

Release notes

Sourced from docker/build-push-action's releases.

v5.0.0

• Node 20 as default runtime (requires Actions Runner v2.308.0 or later) by @​crazy-max in docker/build-push-action#954
• Bump @​actions/core from 1.10.0 to 1.10.1 in docker/build-push-action#959

Full Changelog: docker/build-push-action@v4.2.1...v5.0.0

v4.2.1

Note

Buildx v0.10 enables support for a minimal SLSA Provenance attestation, which requires support for OCI-compliant multi-platform images. This may introduce issues with registry and runtime support (e.g. Google Cloud Run and AWS Lambda). You can optionally disable the default provenance attestation functionality using provenance: false.

• warn if docker config can't be parsed by @​crazy-max in docker/build-push-action#957

Full Changelog: docker/build-push-action@v4.2.0...v4.2.1

v4.2.0

Note

Buildx v0.10 enables support for a minimal SLSA Provenance attestation, which requires support for OCI-compliant multi-platform images. This may introduce issues with registry and runtime support (e.g. Google Cloud Run and AWS Lambda). You can optionally disable the default provenance attestation functionality using provenance: false.

• display proxy configuration by @​crazy-max in docker/build-push-action#872
• chore(deps): Bump @​docker/actions-toolkit from 0.6.0 to 0.8.0 in docker/build-push-action#930
• chore(deps): Bump word-wrap from 1.2.3 to 1.2.5 in docker/build-push-action#925
• chore(deps): Bump semver from 6.3.0 to 6.3.1 in docker/build-push-action#902

Full Changelog: docker/build-push-action@v4.1.1...v4.2.0

v4.1.1

Note

Buildx v0.10 enables support for a minimal SLSA Provenance attestation, which requires support for OCI-compliant multi-platform images. This may introduce issues with registry and runtime support (e.g. Google Cloud Run and AWS Lambda). You can optionally disable the default provenance attestation functionality using provenance: false.

• Bump @​docker/actions-toolkit from 0.3.0 to 0.5.0 by @​crazy-max in docker/build-push-action#880

Full Changelog: docker/build-push-action@v4.1.0...v4.1.1

v4.1.0

Note

Buildx v0.10 enables support for a minimal SLSA Provenance attestation, which requires support for OCI-compliant multi-platform images. This may introduce issues with registry and runtime support (e.g. Google Cloud Run and AWS Lambda). You can optionally disable the default provenance attestation functionality using provenance: false.

• Switch to actions-toolkit implementation by @​crazy-max in docker/build-push-action#811 docker/build-push-action#838 docker/build-push-action#855 docker/build-push-action#860 docker/build-push-action#875
• e2e: quay.io by @​crazy-max in docker/build-push-action#799 docker/build-push-action#805
• e2e: local harbor and nexus by @​crazy-max in docker/build-push-action#800
• e2e: add artifactory container registry to test against by @​jedevc in docker/build-push-action#804
• e2e: add distribution tests by @​jedevc in docker/build-push-action#814 docker/build-push-action#815

Full Changelog: docker/build-push-action@v4.0.0...v4.1.0

Commits

• 4a13e50 Merge pull request #1006 from docker/dependabot/npm_and_yarn/docker/actions-t...
• 7416668 chore: update generated content
• b4f76a5 chore(deps): Bump @​docker/actions-toolkit from 0.13.0 to 0.14.0
• b7feb76 Merge pull request #1005 from crazy-max/ci-inspect
• fae8018 ci: inspect sbom and provenance
• b625868 Merge pull request #1004 from crazy-max/ci-update-buildx
• 5193ef1 ci: update buildx to latest
• d3afd77 Merge pull request #991 from docker/dependabot/npm_and_yarn/babel/traverse-7....
• 7a786bb Merge pull request #992 from crazy-max/annotations
• c66ae3a chore: update generated content
• Additional commits viewable in compare view

Updates contributor-assistant/github-action from 2.3.0 to 2.3.1

Release notes

Sourced from contributor-assistant/github-action's releases.

v2.3.1

What's Changed

• Explicitly configure workflow permissions by @​rokups in contributor-assistant/github-action#134
• Reduce unnecessary mentions by @​wh201906 in contributor-assistant/github-action#136
• Adds energy consumption measurement by @​ibakshay in contributor-assistant/github-action#137
• Fix potential error for repos with more than 30 workflows by @​darrellwarde in contributor-assistant/github-action#139

New Contributors

• @​rokups made their first contribution in contributor-assistant/github-action#134
• @​wh201906 made their first contribution in contributor-assistant/github-action#136
• @​darrellwarde made their first contribution in contributor-assistant/github-action#139

Full Changelog: contributor-assistant/github-action@v2.3.0...v2.3.1

Commits

• a895a43 Update action.yml
• 8ceac4b docs(contributor): contrib-readme-action has updated readme
• 6b3a4e0 Merge pull request #139 from darrellwarde/fix/check-all-repo-workflows-pages
• dece446 Fix error where repos with more than 30 workflows if workflow is not on first...
• f2ab9ee Merge pull request #137 from contributor-assistant/adds-energy-consumption-me...
• fb644d8 Update nodejs.yml
• 61d2e20 Adds energy consumption measurement
• 6f3a2c1 docs(contributor): contrib-readme-action has updated readme
• 0a1cc84 Merge pull request #136 from wh201906/mentions
• 70b1169 Reduce unnecessary mentions
• Additional commits viewable in compare view

Updates dessant/lock-threads from 4 to 5

Release notes

Sourced from dessant/lock-threads's releases.

v5.0.0

Learn more about this release from the changelog.

v4.0.1

Learn more about this release from the changelog.

Changelog

Sourced from dessant/lock-threads's changelog.

5.0.0 (2023-11-14)

⚠ BREAKING CHANGES

• Discussions are also processed by default, set the process-only input parameter to preserve the old behavior

    steps:
      - uses: dessant/lock-threads@v5
        with:
          process-only: 'issues, prs'

• the action now requires Node.js 20

Features

• lock discussions (0a0976f), closes #25

Bug Fixes

• update dependencies (5a25b54)

4.0.1 (2023-06-12)

Bug Fixes

• retry and throttle GitHub API requests (1618e91), closes #35

4.0.0 (2022-12-04)

⚠ BREAKING CHANGES

• the action now requires Node.js 16

Bug Fixes

• update dependencies (38e9185)
• update docs (32986e2)

3.0.0 (2021-09-27)

⚠ BREAKING CHANGES

• input parameter names have changed

... (truncated)

Commits

• 1bf7ec2 chore(release): 5.0.1
• adf4aa5 chore: update package
• 0a63678 fix: support filtering threads by labels with spaces
• d42e5f4 chore(release): 5.0.0
• d8da6c1 chore: update package
• c1eab4b chore: update workflow
• 0a0976f feat: lock discussions
• 53f3f0c chore: migrate package to ESM
• 5a25b54 fix: update dependencies
• See full diff in compare view

Updates sigstore/cosign-installer from 3.1.1 to 3.2.0

Release notes

Sourced from sigstore/cosign-installer's releases.

v3.2.0

Note: This release comes with a fix for CVE-2023-46737 described in this Github Security Advisory. Please upgrade to this release ASAP

see https://github.com/sigstore/cosign/releases/tag/v2.2.1

What's Changed

• Support the runner context of gitea act by @​josedev-union in sigstore/cosign-installer#147
• bump cosign to v2.2.1 by @​cpanato in sigstore/cosign-installer#148
• test with latest go version by @​bobcallaway in sigstore/cosign-installer#150

New Contributors

• @​josedev-union made their first contribution in sigstore/cosign-installer#147

Full Changelog: sigstore/cosign-installer@v3...v3.2.0

v3.1.2

What's Changed

• Fix build and push step Readme missing id by @​hbenali in sigstore/cosign-installer#138
• bump cosign to v2.2.0 by @​cpanato in sigstore/cosign-installer#142

New Contributors

• @​hbenali made their first contribution in sigstore/cosign-installer#138

Full Changelog: sigstore/cosign-installer@v3...v3.1.2

Commits

• 1fc5bd3 test with latest go version (#150)
• 9ce7d60 bump cosign to v2.2.1 (#148)
• 4b014e3 Support the runner context of gitea act (#147)
• 38ab09d Bump actions/checkout from 4.1.0 to 4.1.1 (#145)
• 9c520b9 Bump actions/checkout from 4.0.0 to 4.1.0 (#144)
• Description has been truncated

[sweep-ai]

Apply Sweep Rules to your PR?

• Apply: All new business logic should have corresponding unit tests.
• Apply: Refactor large functions to be more modular.
• Apply: Add docstrings to all functions and file headers.

[dependabot]

Superseded by #282.