Bump the github-actions group across 1 directory with 9 updates

[dependabot]

Bumps the github-actions group with 9 updates in the / directory:

Package	From	To
step-security/harden-runner	2.10.4	2.13.1
actions/checkout	4.2.2	5.0.0
github/codeql-action	3	4
actions/dependency-review-action	4.5.0	4.8.1
tj-actions/changed-files	d6e91a2266cdb9d62096cebf1e8546899c6aa18f	0ff001de0805038ff3f118de4875002200057732
aminya/setup-cpp	0.46.0	1.7.1
actions/setup-python	5.4.0	6.0.0
ossf/scorecard-action	2.4.0	2.4.3
actions/upload-artifact	3.2.1.pre.node20	5

Updates step-security/harden-runner from 2.10.4 to 2.13.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.13.1

What's Changed

• Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

• Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

• Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

v2.13.0

What's Changed

• Improved job markdown summary
• Https monitoring for all domains (included with the enterprise tier)

Full Changelog: step-security/harden-runner@v2...v2.13.0

v2.12.2

What's Changed

Added HTTPS Monitoring for additional destinations - *.githubusercontent.com Bug fixes:

• Implicitly allow local multicast, local unicast and broadcast IP addresses in block mode
• Increased policy map size for block mode

Full Changelog: step-security/harden-runner@v2...v2.12.2

v2.12.1

What's Changed

• Detection capabilities have been upgraded to better recognize attempts at runner tampering. These improvements are informed by real-world incident learnings, including analysis of anomalous behaviors observed in the tj-actions and reviewdog supply chain attack.
• Resolved an issue where the block policy was not enforced correctly when the GitHub Actions job was running inside a container on a self-hosted VM runner.

Full Changelog: step-security/harden-runner@v2...v2.12.1

v2.12.0

What's Changed

1. A new option, disable-sudo-and-containers, is now available to replace the disable-sudo policy, addressing Docker-based privilege escalation (CVE-2025-32955). More details can be found in this blog post.

2. New detections have been added based on insights from the tj-actions and reviewdog actions incidents.

Full Changelog: step-security/harden-runner@v2...v2.12.0

v2.11.1

What's Changed

• cache: add support for GitHub Actions cache v2 by @​h0x0er in step-security/harden-runner#529

Full Changelog: step-security/harden-runner@v2...v2.11.1

... (truncated)

Commits

• f4a75cf Merge pull request #588 from step-security/rc-26
• 95503d0 ci: remove code-review workflow
• 4b250a0 ci: add job to confirm dist is as expected
• 5b0ab6a update dependencies
• d11f2c1 fix bug where status code was not being preserved
• b3fc98e improve error handling for policy store sceanrio
• 92fc5d4 update error message
• b61b0a4 policy store improvements
• e3d3f2b use GitHub release instead of packages
• 646ac01 update agent
• Additional commits viewable in compare view

Updates actions/checkout from 4.2.2 to 5.0.0

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236
• Prepare release v4.3.0 by @​salmanmkc in actions/checkout#2237

New Contributors

• @​motss made their first contribution in actions/checkout#1971
• @​mouismail made their first contribution in actions/checkout#1977
• @​benwells made their first contribution in actions/checkout#2043
• @​nebuk89 made their first contribution in actions/checkout#2194
• @​salmanmkc made their first contribution in actions/checkout#2236

Full Changelog: actions/checkout@v4...v4.3.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

V4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

... (truncated)

Commits

• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• 08eba0b Prepare release v4.3.0 (#2237)
• 631c7dc Update package dependencies (#2236)
• 8edcb1b Update CODEOWNERS for actions (#2224)
• 09d2aca Update README.md (#2194)
• 85e6279 Adjust positioning of user email note and permissions heading (#2044)
• 009b9ae Documentation update - add recommended permissions to Readme (#2043)
• cbb7224 Update README.md (#1977)
• 3b9b8c8 docs: update README.md (#1971)
• See full diff in compare view

Updates github/codeql-action from 3 to 4

Release notes

Sourced from github/codeql-action's releases.

v3.31.2

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.2 - 30 Oct 2025

No user facing changes.

See the full CHANGELOG.md for more information.

v3.31.1

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.1 - 30 Oct 2025

• The add-snippets input has been removed from the analyze action. This input has been deprecated since CodeQL Action 3.26.4 in August 2024 when this removal was announced.

See the full CHANGELOG.md for more information.

v3.31.0

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.31.0 - 24 Oct 2025

• Bump minimum CodeQL bundle version to 2.17.6. #3223
• When SARIF files are uploaded by the analyze or upload-sarif actions, the CodeQL Action automatically performs post-processing steps to prepare the data for the upload. Previously, these post-processing steps were only performed before an upload took place. We are now changing this so that the post-processing steps will always be performed, even when the SARIF files are not uploaded. This does not change anything for the upload-sarif action. For analyze, this may affect Advanced Setup for CodeQL users who specify a value other than always for the upload input. #3222

See the full CHANGELOG.md for more information.

v3.30.9

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.30.9 - 17 Oct 2025

• Update default CodeQL bundle version to 2.23.3. #3205
• Experimental: A new setup-codeql action has been added which is similar to init, except it only installs the CodeQL CLI and does not initialize a database. Do not use this in production as it is part of an internal experiment and subject to change at any time. #3204

See the full CHANGELOG.md for more information.

v3.30.8

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

... (truncated)

Commits

• 74c8748 Update analyze/action.yml
• 34c50c1 Merge pull request #3251 from github/mbg/user-error/enablement
• 4ae68af Warn if the add-snippets input is used
• 52a7bd7 Check for 403 status
• 194ba0e Make error message tests less brittle
• 53acf0b Turn enablement errors into configuration errors
• ac9aeee Merge pull request #3249 from github/henrymercer/api-logging
• d49e837 Merge branch 'main' into henrymercer/api-logging
• 3d988b2 Pass minimal copy of core
• 8cc18ac Merge pull request #3250 from github/henrymercer/prefer-fs-delete
• Additional commits viewable in compare view

Updates actions/dependency-review-action from 4.5.0 to 4.8.1

Release notes

Sourced from actions/dependency-review-action's releases.

Dependency Review Action v4.8.1

What's Changed

• (bug) Fix spamming link test in deprecation warning (again) by @​ahpook in actions/dependency-review-action#1000
• Bump version for 4.8.1 release by @​ahpook in actions/dependency-review-action#1001

Full Changelog: actions/dependency-review-action@v4...v4.8.1

v4.8.0

What's Changed

• Make Ruby Code Scannable by @​ljones140 in actions/dependency-review-action#978
• Batch some contributions for release by @​brrygrdn in actions/dependency-review-action#986
  • Make license lists collapsable by @​jasperkamerling
  • feat: add large summary handling with artifact upload by @​MattMencel

New Contributors

• @​ljones140 made their first contribution in actions/dependency-review-action#978
• @​jasperkamerling made their first contribution in actions/dependency-review-action#986
• @​MattMencel made their first contribution in actions/dependency-review-action#986

Full Changelog: actions/dependency-review-action@v4...v4.8.0

4.7.3

What's Changed

• Add explicit permissions to workflow files by @​AshelyTC in actions/dependency-review-action#966
• Claire153/fix spamming mentioned issue by @​claire153 in actions/dependency-review-action#974

Full Changelog: actions/dependency-review-action@v4...v4.7.3

4.7.2

What's Changed

• Add Missing Languages to CodeQL Advanced Configuration by @​KyFaSt in actions/dependency-review-action#945
• Deprecate deny lists by @​claire153 in actions/dependency-review-action#958
• Address discrepancy between docs and reality by @​ahpook in actions/dependency-review-action#960

New Contributors

• @​KyFaSt made their first contribution in actions/dependency-review-action#945
• @​claire153 made their first contribution in actions/dependency-review-action#958
• @​ahpook made their first contribution in actions/dependency-review-action#960

Full Changelog: actions/dependency-review-action@v4...v4.7.2

v4.7.1

• Packages added to allow-dependencies-licenses will be allowed even if the package in question has no license information #889
• License expressions (e.g. Ruby OR GPL-2.0) in the allow list are automatically discarded so that they don't invalidate the whole allow list, which should just be license identifier (e.g. Ruby)

v4.7.0

• Handle complex license expressions (e.g. MIT AND GPL-2.0) in allow lists (fixes #809 and probably others)
• Replace OTHER in package licenses with LicenseRef-clearlydefined-OTHER so that parsing passes

... (truncated)

Commits

• 40c09b7 Merge pull request #1001 from actions/ahpook/v4.8.1-release
• 4552948 Bump version for 4.8.1 release
• e63da9a Merge pull request #1000 from actions/ahpook/deprecation-redux
• 71365c7 (bug) Fix spamming link test in deprecation warning (again)
• 56339e5 Merge pull request #988 from actions/brrygrdn/rc-4.8.0
• 1688b74 Bump to a 4.8.0
• 31c9f17 Merge pull request #987 from actions/rc-4.7.4
• eacde78 Update version
• 8151009 Merge pull request #986 from actions/brrygrdn/rc-4.7.4
• b472ec9 Add a quick regression test for the artefact summary
• Additional commits viewable in compare view

Updates tj-actions/changed-files from d6e91a2266cdb9d62096cebf1e8546899c6aa18f to 0ff001de0805038ff3f118de4875002200057732

Changelog

Sourced from tj-actions/changed-files's changelog.

Changelog

47.0.0 - (2025-09-13)

🚀 Features

• Add any_added to outputs (#2567) (c260d49) - (Jellyfrog)

➖ Remove

• Commit and push step from build job (#2538) (be393a9) - (Tonye Jack)

🔄 Update

• Updated README.md (#2592)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (3dbc1e1) - (github-actions[bot])

• Updated README.md (#2591)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (b1ccff8) - (github-actions[bot])

• Updated README.md (#2574)

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@​users.noreply.github.com> (050a3d3) - (github-actions[bot])

📚 Documentation

• Update link to glob patterns (#2590) (a892f50) - (Tonye Jack)
• Add Jellyfrog as a contributor for code, and doc (#2573) (f000a9b) - (allcontributors[bot])

🧪 Testing

• Manual triggered workflows (#2637) (c2ca249) - (Tonye Jack)

⚙️ Miscellaneous Tasks

• deps-dev: Bump jest from 30.0.5 to 30.1.3 (#2655) (9a67555) - (dependabot[bot])
• deps: Bump tj-actions/git-cliff from 2.1.0 to 2.2.0 (#2660) (b67e30d) - (dependabot[bot])
• deps: Bump github/codeql-action from 3.30.2 to 3.30.3 (#2661) (62aef42) - (dependabot[bot])
• deps: Bump github/codeql-action from 3.29.11 to 3.30.2 (#2659) (e874f3c) - (dependabot[bot])
• deps: Bump actions/setup-node from 4.4.0 to 5.0.0 (#2656) (8c14441) - (dependabot[bot])
• deps-dev: Bump @​types/node from 24.3.0 to 24.3.1 (#2657) (e995ac4) - (dependabot[bot])
• deps-dev: Bump @​types/node from 24.2.1 to 24.3.0 (#2649) (3b04099) - (dependabot[bot])
• deps: Bump github/codeql-action from 3.29.9 to 3.29.11 (#2651) (e7b6c97) - (dependabot[bot])
• deps: Bump tj-actions/git-cliff from 2.0.2 to 2.1.0 (#2648) (765d62b) - (dependabot[bot])
• deps: Bump github/codeql-action from 3.29.8 to 3.29.9 (#2647) (2036da1) - (dependabot[bot])
• deps: Bump github/codeql-action from 3.29.7 to 3.29.8 (#2644) (239aef8) - (dependabot[bot])
• deps-dev: Bump @​types/node from 24.2.0 to 24.2.1 (#2645) (a7d5f5f) - (dependabot[bot])
• deps: Bump actions/checkout from 4.2.2 to 5.0.0 (#2646) (5107f3a) - (dependabot[bot])
• deps-dev: Bump @​types/node from 24.1.0 to 24.2.0 (#2640) (f963b3f) - (dependabot[bot])
• deps: Bump actions/download-artifact from 4.3.0 to 5.0.0 (#2641) (f956744) - (dependabot[bot])

... (truncated)

Commits

• 0ff001d chore(deps-dev): bump ts-jest from 29.4.4 to 29.4.5 (#2688)
• 52b808a chore(deps-dev): bump @​types/micromatch from 4.0.9 to 4.0.10 (#2699)
• d6388b7 chore(deps): bump actions/download-artifact from 5.0.0 to 6.0.0 (#2697)
• cf5e80a chore(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 (#2698)
• cff4543 chore(deps-dev): bump @​types/node from 24.9.1 to 24.9.2 (#2700)
• 9dc1b5f chore(deps): bump github/codeql-action from 4.30.9 to 4.31.2 (#2702)
• dbf178c chore(deps): bump actions/setup-node from 5.0.0 to 6.0.0 (#2690)
• 1900262 chore(deps): bump github/codeql-action from 3.30.6 to 4.30.9 (#2693)
• 27e5d78 chore(deps-dev): bump @​types/node from 24.6.2 to 24.9.1 (#2695)
• d03a93c chore(deps): bump github/codeql-action from 3.30.5 to 3.30.6 (#2680)
• Additional commits viewable in compare view

Updates aminya/setup-cpp from 0.46.0 to 1.7.1

Release notes

Sourced from aminya/setup-cpp's releases.

v1.7.1

What's Changed

• fix: prefer complete Window LLVM package @​aminya in aminya/setup-cpp#425
• fix: add LLVM 20.1.7 by @​aminya in aminya/setup-cpp#424
• fix: add mingw 15.1-r2 by @​aminya in aminya/setup-cpp#424
• fix: install gcovr via apt on Ubuntu by default by @​aminya in aminya/setup-cpp#424
• feat: add tar tool by @​aminya in aminya/setup-cpp#425

Full Changelog: aminya/setup-cpp@v1.7.0...v1.7.1

v1.7.0

What's Changed

• feat: update default LLVM to v20 by @​aminya in aminya/setup-cpp#387
• feat: default to GCC 15 on Windows and MacOS by @​aminya in aminya/setup-cpp#387
• fix: update cmake, task, powershell, meson, doxygen by @​aminya in aminya/setup-cpp#414

Full Changelog: aminya/setup-cpp@v1.6.2...v1.7.0

v1.6.2

Full Changelog: aminya/setup-cpp@v1.6.1...v1.6.2

v1.6.0

What's Changed

• feat: add apt-fast as an installable tool by @​aminya in aminya/setup-cpp#401
• fix: add apt-fast optimizations by @​aminya in aminya/setup-cpp#402

Full Changelog: aminya/setup-cpp@v1.5.4...v1.6.0

v1.5.4

What's Changed

• fix: avoid rc sourcing loops + fix: always add guards for sourcing rc files by @​aminya in aminya/setup-cpp#397
• fix: add missing git option for actions by @​aminya
• fix: ignore setup-cpp cli installation errors by @​aminya
• fix: fix addition of git to PATH on Windows by @​aminya
• fix: fix add-apt-repository in Debian by @​aminya
• fix: fix llvm add-apt-repository for debian by @​aminya

Full Changelog: aminya/setup-cpp@v1.5.3...v1.5.4

v1.5.3

• fix: remove exports map from package by @​aminya in 7f46810eeda56

Full Changelog: aminya/setup-cpp@v1.5.2...v1.5.3

v1.5.2

• fix: fix CLI shabang not working - independent lib by @​aminya in c88b4364ef50

... (truncated)

Commits

• a276e6e chore(release): v1.7.1 [skip test]
• 1c89539 fix: handle no update failures for llvm
• b32feb0 chore(deps): update devdependencies (#426)
• d857140 Merge pull request #425 from aminya/windows-llvm
• aa0fcb9 fix: use 7z for tar extraction on windows
• 988cdb3 fix: extra tar by 7z on windows
• d09e6b8 Merge pull request #418 from aminya/renovate/dependencies
• c43a237 fix(deps): update dependency @​types/node to v22.16.0
• 6004eca Merge pull request #423 from aminya/renovate/node-22.x
• d42bb0b chore(deps): update node.js to v22.17.0
• Additional commits viewable in compare view

Updates actions/setup-python from 5.4.0 to 6.0.0

Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

• Add support for pip-version by @​priyagupta108 in actions/setup-python#1129
• Enhance reading from .python-version by @​krystof-k in actions/setup-python#787
• Add version parsing from Pipfile by @​aradkdj in actions/setup-python#1067

Bug fixes:

• Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @​aparnajyothi-y in actions/setup-python#1183
• Change missing cache directory error to warning by @​aparnajyothi-y in actions/setup-python#1182
• Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @​aparnajyothi-y in actions/setup-python#1122
• Include python version in PyPy python-version output by @​cdce8p in actions/setup-python#1110
• Update docs: clarification on pip authentication with setup-python by @​priya-kinthali in actions/setup-python#1156

Dependency updates:

• Upgrade idna from 2.9 to 3.7 in /tests/data by @​dependabot[bot] in actions/setup-python#843
• Upgrade form-data to fix critical vulnerabilities #182 & #183 by @​aparnajyothi-y in actions/setup-python#1163
• Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @​aparnajyothi-y in actions/setup-python#1165
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-python#1181
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in actions/setup-python#1095

New Contributors

• @​krystof-k made their first contribution in actions/setup-python#787
• @​cdce8p made their first contribution in actions/setup-python#1110
• @​aradkdj made their first contribution in actions/setup-python#1067

Full Changelog: actions/setup-python@v5...v6.0.0

v5.6.0

What's Changed

• Workflow updates related to Ubuntu 20.04 by @​aparnajyothi-y in actions/setup-python#1065
• Fix for Candidate Not Iterable Error by @​aparnajyothi-y in actions/setup-python#1082
• Upgrade semver and @​types/semver by @​dependabot in actions/setup-python#1091
• Upgrade prettier from 2.8.8 to 3.5.3 by @​dependabot in actions/setup-python#1046
• Upgrade ts-jest from 29.1.2 to 29.3.2 by @​dependabot in actions/setup-python#1081

Full Changelog: actions/setup-python@v5...v5.6.0

v5.5.0

What's Changed

Enhancements:

• Support free threaded Python versions like '3.13t' by @​colesbury in actions/setup-python#973
• Enhance Workflows: Include ubuntu-arm runners, Add e2e Testing for free threaded and Upgrade @​action/cache from 4.0.0 to 4.0.3 by @​priya-kinthali in actions/setup-python#1056
• Add support for .tool-versions file in setup-python by @​mahabaleshwars in actions/setup-python#1043

Bug fixes:

• Fix architecture for pypy on Linux ARM64 by @​mayeut in actions/setup-python#1011 This update maps arm64 to aarch64 for Linux ARM64 PyPy installations.

... (truncated)

Commits

• e797f83 Upgrade to node 24 (#1164)
• 3d1e2d2 Revert "Enhance cache-dependency-path handling to support files outside the w...
• 65b0712 Clarify pythonLocation behavior for PyPy and GraalPy in environment variables...
• 5b668cf Bump actions/checkout from 4 to 5 (#1181)
• f62a0e2 Change missing cache directory error to warning (#1182)
• 9322b3c Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIn...
• fbeb884 Bump form-data to fix critical vulnerabilities #182 & #183 (#1163)
• 03bb615 Bump idna from 2.9 to 3.7 in /tests/data (#843)
• 36da51d Add version parsing from Pipfile (#1067)
• 3c6f142 update documentation (#1156)
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.0 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in ossf/scorecard-action#1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in ossf/scorecard-action#1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in ossf/s...

  Description has been truncated