Commit e40515b

Maxim-Doron and dependabot[bot] authored and committed
SDL security fixes (intel#32)
* Bump the llvm-docs-requirements group in /llvm/docs with 23 updates Bumps the llvm-docs-requirements group in /llvm/docs with 23 updates: | Package | From | To | | --- | --- | --- | | [alabaster](https://github.com/sphinx-doc/alabaster) | `0.7.13` | `0.7.16` | | [babel](https://github.com/python-babel/babel) | `2.14.0` | `2.15.0` | | [beautifulsoup4](https://www.crummy.com/software/BeautifulSoup/bs4/) | `4.12.2` | `4.12.3` | | [certifi](https://github.com/certifi/python-certifi) | `2023.11.17` | `2024.6.2` | | [docutils](https://docutils.sourceforge.io) | `0.20.1` | `0.21.2` | | [furo](https://github.com/pradyunsg/furo) | `2023.8.19` | `2024.5.6` | | [idna](https://github.com/kjd/idna) | `3.6` | `3.7` | | [jinja2](https://github.com/pallets/jinja) | `3.1.2` | `3.1.4` | | [markdown](https://github.com/Python-Markdown/markdown) | `3.5.1` | `3.6` | | [markupsafe](https://github.com/pallets/markupsafe) | `2.1.3` | `2.1.5` | | [mdit-py-plugins](https://github.com/executablebooks/mdit-py-plugins) | `0.4.0` | `0.4.1` | | [myst-parser](https://github.com/executablebooks/MyST-Parser) | `2.0.0` | `3.0.1` | | [packaging](https://github.com/pypa/packaging) | `23.2` | `24.0` | | [pygments](https://github.com/pygments/pygments) | `2.17.2` | `2.18.0` | | [requests](https://github.com/psf/requests) | `2.31.0` | `2.32.3` | | [sphinx](https://github.com/sphinx-doc/sphinx) | `7.1.2` | `7.3.7` | | [sphinx-automodapi](https://github.com/astropy/sphinx-automodapi) | `0.16.0` | `0.17.0` | | [sphinxcontrib-applehelp](https://github.com/sphinx-doc/sphinxcontrib-applehelp) | `1.0.4` | `1.0.8` | | [sphinxcontrib-devhelp](https://github.com/sphinx-doc/sphinxcontrib-devhelp) | `1.0.5` | `1.0.6` | | [sphinxcontrib-htmlhelp](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp) | `2.0.4` | `2.0.5` | | [sphinxcontrib-qthelp](https://github.com/sphinx-doc/sphinxcontrib-qthelp) | `1.0.6` | `1.0.7` | | [sphinxcontrib-serializinghtml](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml) | 
`1.1.9` | `1.1.10` | | [urllib3](https://github.com/urllib3/urllib3) | `2.1.0` | `2.2.1` | Updates `alabaster` from 0.7.13 to 0.7.16 - [Release notes](https://github.com/sphinx-doc/alabaster/releases) - [Changelog](https://github.com/sphinx-doc/alabaster/blob/master/docs/changelog.rst) - [Commits](sphinx-doc/alabaster@0.7.13...0.7.16) Updates `babel` from 2.14.0 to 2.15.0 - [Release notes](https://github.com/python-babel/babel/releases) - [Changelog](https://github.com/python-babel/babel/blob/master/CHANGES.rst) - [Commits](python-babel/babel@v2.14.0...v2.15.0) Updates `beautifulsoup4` from 4.12.2 to 4.12.3 Updates `certifi` from 2023.11.17 to 2024.6.2 - [Commits](certifi/python-certifi@2023.11.17...2024.06.02) Updates `docutils` from 0.20.1 to 0.21.2 Updates `furo` from 2023.8.19 to 2024.5.6 - [Release notes](https://github.com/pradyunsg/furo/releases) - [Changelog](https://github.com/pradyunsg/furo/blob/main/docs/changelog.md) - [Commits](pradyunsg/furo@2023.08.19...2024.05.06) Updates `idna` from 3.6 to 3.7 - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](kjd/idna@v3.6...v3.7) Updates `jinja2` from 3.1.2 to 3.1.4 - [Release notes](https://github.com/pallets/jinja/releases) - [Changelog](https://github.com/pallets/jinja/blob/main/CHANGES.rst) - [Commits](pallets/jinja@3.1.2...3.1.4) Updates `markdown` from 3.5.1 to 3.6 - [Release notes](https://github.com/Python-Markdown/markdown/releases) - [Changelog](https://github.com/Python-Markdown/markdown/blob/master/docs/changelog.md) - [Commits](Python-Markdown/markdown@3.5.1...3.6) Updates `markupsafe` from 2.1.3 to 2.1.5 - [Release notes](https://github.com/pallets/markupsafe/releases) - [Changelog](https://github.com/pallets/markupsafe/blob/main/CHANGES.rst) - [Commits](pallets/markupsafe@2.1.3...2.1.5) Updates `mdit-py-plugins` from 0.4.0 to 0.4.1 - [Release notes](https://github.com/executablebooks/mdit-py-plugins/releases) - 
[Changelog](https://github.com/executablebooks/mdit-py-plugins/blob/master/CHANGELOG.md) - [Commits](executablebooks/mdit-py-plugins@v0.4.0...v0.4.1) Updates `myst-parser` from 2.0.0 to 3.0.1 - [Release notes](https://github.com/executablebooks/MyST-Parser/releases) - [Changelog](https://github.com/executablebooks/MyST-Parser/blob/master/CHANGELOG.md) - [Commits](executablebooks/MyST-Parser@v2.0.0...v3.0.1) Updates `packaging` from 23.2 to 24.0 - [Release notes](https://github.com/pypa/packaging/releases) - [Changelog](https://github.com/pypa/packaging/blob/main/CHANGELOG.rst) - [Commits](pypa/packaging@23.2...24.0) Updates `pygments` from 2.17.2 to 2.18.0 - [Release notes](https://github.com/pygments/pygments/releases) - [Changelog](https://github.com/pygments/pygments/blob/master/CHANGES) - [Commits](pygments/pygments@2.17.2...2.18.0) Updates `requests` from 2.31.0 to 2.32.3 - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.31.0...v2.32.3) Updates `sphinx` from 7.1.2 to 7.3.7 - [Release notes](https://github.com/sphinx-doc/sphinx/releases) - [Changelog](https://github.com/sphinx-doc/sphinx/blob/master/CHANGES.rst) - [Commits](sphinx-doc/sphinx@v7.1.2...v7.3.7) Updates `sphinx-automodapi` from 0.16.0 to 0.17.0 - [Release notes](https://github.com/astropy/sphinx-automodapi/releases) - [Changelog](https://github.com/astropy/sphinx-automodapi/blob/main/CHANGES.rst) - [Commits](astropy/sphinx-automodapi@v0.16.0...v0.17.0) Updates `sphinxcontrib-applehelp` from 1.0.4 to 1.0.8 - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-applehelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-applehelp/blob/master/CHANGES) - [Commits](sphinx-doc/sphinxcontrib-applehelp@1.0.4...1.0.8) Updates `sphinxcontrib-devhelp` from 1.0.5 to 1.0.6 - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-devhelp/releases) - 
[Changelog](https://github.com/sphinx-doc/sphinxcontrib-devhelp/blob/1.0.6/CHANGES) - [Commits](sphinx-doc/sphinxcontrib-devhelp@1.0.5...1.0.6) Updates `sphinxcontrib-htmlhelp` from 2.0.4 to 2.0.5 - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-htmlhelp/blob/2.0.5/CHANGES) - [Commits](sphinx-doc/sphinxcontrib-htmlhelp@2.0.4...2.0.5) Updates `sphinxcontrib-qthelp` from 1.0.6 to 1.0.7 - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-qthelp/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-qthelp/blob/1.0.7/CHANGES) - [Commits](sphinx-doc/sphinxcontrib-qthelp@1.0.6...1.0.7) Updates `sphinxcontrib-serializinghtml` from 1.1.9 to 1.1.10 - [Release notes](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/releases) - [Changelog](https://github.com/sphinx-doc/sphinxcontrib-serializinghtml/blob/master/CHANGES) - [Commits](sphinx-doc/sphinxcontrib-serializinghtml@1.1.9...1.1.10) Updates `urllib3` from 2.1.0 to 2.2.1 - [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.1.0...2.2.1) --- updated-dependencies: - dependency-name: alabaster dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: babel dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements - dependency-name: beautifulsoup4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: certifi dependency-type: direct:production update-type: version-update:semver-major dependency-group: llvm-docs-requirements - dependency-name: docutils dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements - 
dependency-name: furo dependency-type: direct:production update-type: version-update:semver-major dependency-group: llvm-docs-requirements - dependency-name: idna dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements - dependency-name: jinja2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: markdown dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements - dependency-name: markupsafe dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: mdit-py-plugins dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: myst-parser dependency-type: direct:production update-type: version-update:semver-major dependency-group: llvm-docs-requirements - dependency-name: packaging dependency-type: direct:production update-type: version-update:semver-major dependency-group: llvm-docs-requirements - dependency-name: pygments dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements - dependency-name: sphinx dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements - dependency-name: sphinx-automodapi dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements - dependency-name: sphinxcontrib-applehelp dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: sphinxcontrib-devhelp dependency-type: direct:production update-type: 
version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: sphinxcontrib-htmlhelp dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: sphinxcontrib-qthelp dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: sphinxcontrib-serializinghtml dependency-type: direct:production update-type: version-update:semver-patch dependency-group: llvm-docs-requirements - dependency-name: urllib3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: llvm-docs-requirements ... Signed-off-by: dependabot[bot] <[email protected]> * Bump the github-actions group with 8 updates Bumps the github-actions group with 8 updates: | Package | From | To | | --- | --- | --- | | [tj-actions/changed-files](https://github.com/tj-actions/changed-files) | `39` | `44` | | [actions/setup-python](https://github.com/actions/setup-python) | `4` | `5` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `3` | `4` | | [actions/setup-node](https://github.com/actions/setup-node) | `3` | `4` | | [actions/github-script](https://github.com/actions/github-script) | `6` | `7` | | [actions/labeler](https://github.com/actions/labeler) | `4` | `5` | | [ossf/scorecard-action](https://github.com/ossf/scorecard-action) | `2.1.2` | `2.3.3` | | [github/codeql-action](https://github.com/github/codeql-action) | `2.2.4` | `3.25.8` | Updates `tj-actions/changed-files` from 39 to 44 - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](tj-actions/changed-files@v39...v44) Updates `actions/setup-python` from 4 to 5 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v4...v5) Updates `actions/download-artifact` from 3 
to 4 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](actions/download-artifact@v3...v4) Updates `actions/setup-node` from 3 to 4 - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v3...v4) Updates `actions/github-script` from 6 to 7 - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@v6...v7) Updates `actions/labeler` from 4 to 5 - [Release notes](https://github.com/actions/labeler/releases) - [Commits](actions/labeler@v4...v5) Updates `ossf/scorecard-action` from 2.1.2 to 2.3.3 - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@e38b190...dc50aa9) Updates `github/codeql-action` from 2.2.4 to 3.25.8 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@17573ee...2e230e8) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/download-artifact dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/setup-node dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/labeler dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - 
dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions ... Signed-off-by: dependabot[bot] <[email protected]> * Bump black from 23.9.1 to 24.3.0 in /llvm/utils/git Bumps [black](https://github.com/psf/black) from 23.9.1 to 24.3.0. - [Release notes](https://github.com/psf/black/releases) - [Changelog](https://github.com/psf/black/blob/main/CHANGES.md) - [Commits](psf/black@23.9.1...24.3.0) --- updated-dependencies: - dependency-name: black dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> * Bump requests from 2.31.0 to 2.32.2 in /llvm/utils/git Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.2. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.31.0...v2.32.2) --- updated-dependencies: - dependency-name: requests dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> * Bump cryptography from 41.0.3 to 42.0.4 in /llvm/utils/git Bumps [cryptography](https://github.com/pyca/cryptography) from 41.0.3 to 42.0.4. - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@41.0.3...42.0.4) --- updated-dependencies: - dependency-name: cryptography dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> * Bump urllib3 from 2.0.4 to 2.0.7 in /llvm/utils/git Bumps [urllib3](https://github.com/urllib3/urllib3) from 2.0.4 to 2.0.7. 
- [Release notes](https://github.com/urllib3/urllib3/releases) - [Changelog](https://github.com/urllib3/urllib3/blob/main/CHANGES.rst) - [Commits](urllib3/urllib3@2.0.4...2.0.7) --- updated-dependencies: - dependency-name: urllib3 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> * Bump idna from 3.4 to 3.7 in /llvm/utils/git Bumps [idna](https://github.com/kjd/idna) from 3.4 to 3.7. - [Release notes](https://github.com/kjd/idna/releases) - [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst) - [Commits](kjd/idna@v3.4...v3.7) --- updated-dependencies: - dependency-name: idna dependency-type: direct:production ... Signed-off-by: dependabot[bot] <[email protected]> --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 173e3c1 commit e40515b

12 files changed: +162 -148 lines changed

.github/workflows/docs.yml

Lines changed: 1 addition & 1 deletion
@@ -65,7 +65,7 @@ jobs:
6565
fetch-depth: 1
6666
- name: Get subprojects that have doc changes
6767
id: docs-changed-subprojects
68-
uses: tj-actions/changed-files@v39
68+
uses: tj-actions/changed-files@v44
6969
with:
7070
files_yaml: |
7171
llvm:
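
Review bot: `uses: tj-actions/changed-files@v44` at line 68 still references a mutable tag on a third-party action, so the code this job runs can change without any diff in this repository. Other workflows in this same commit pin by full commit SHA with the version in a trailing comment (for example `actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7`); do the same here so the bump stays reviewable.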

.github/workflows/libclang-abi-tests.yml

Lines changed: 2 additions & 2 deletions
@@ -143,12 +143,12 @@ jobs:
143143
- abi-dump
144144
steps:
145145
- name: Download baseline
146-
uses: actions/download-artifact@v3
146+
uses: actions/download-artifact@v4
147147
with:
148148
name: build-baseline
149149
path: build-baseline
150150
- name: Download latest
151-
uses: actions/download-artifact@v3
151+
uses: actions/download-artifact@v4
152152
with:
153153
name: build-latest
154154
path: build-latest
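
Review bot: both download steps (lines 146 and 151) move to `actions/download-artifact@v4`, but the upload steps that produce `build-baseline` and `build-latest` are not part of this hunk. Artifacts uploaded with `actions/upload-artifact@v3` cannot be fetched by the v4 download action, so confirm the producing jobs are on v4 as well, otherwise these steps will not find their artifacts. Pinning to the SHA used in release-binaries.yml (`65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7`) would also keep this workflow off a floating tag.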

.github/workflows/llvm-bugs.yml

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ jobs:
2020
check-latest: true
2121
- run: npm install mailgun.js form-data
2222
- name: Send notification
23-
uses: actions/github-script@v6
23+
uses: actions/github-script@v7
2424
env:
2525
MAILGUN_API_KEY: ${{ secrets.LLVM_BUGS_KEY }}
2626
with:
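
Review bot: the `actions/github-script@v7` step at line 23 receives `MAILGUN_API_KEY: ${{ secrets.LLVM_BUGS_KEY }}` in its environment, yet the action is referenced by a mutable major tag. Pin it to a full commit SHA with the version in a trailing comment, as scorecard.yml does in this commit, so a retagged release cannot run with access to that secret. The `npm install mailgun.js form-data` on line 21 also resolves whatever versions are current at run time, immediately before the step that holds the secret; pinned versions would close that gap.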

.github/workflows/llvm-tests.yml

Lines changed: 3 additions & 3 deletions
@@ -157,17 +157,17 @@ jobs:
157157
- abi-dump
158158
steps:
159159
- name: Download baseline
160-
uses: actions/download-artifact@v3
160+
uses: actions/download-artifact@v4
161161
with:
162162
name: build-baseline
163163
path: build-baseline
164164
- name: Download latest
165-
uses: actions/download-artifact@v3
165+
uses: actions/download-artifact@v4
166166
with:
167167
name: build-latest
168168
path: build-latest
169169
- name: Download symbol list
170-
uses: actions/download-artifact@v3
170+
uses: actions/download-artifact@v4
171171
with:
172172
name: symbol-list
173173
path: symbol-list
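
Review bot: the three download steps (lines 160, 165 and 170) use the floating `@v4` tag while release-binaries.yml in this commit pins the same action to `65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7`, so the two workflows can end up on different 4.x releases. Use the same SHA pin here, and check that the jobs uploading `build-baseline`, `build-latest` and `symbol-list` use `upload-artifact` v4, since v4 downloads do not read v3 uploads.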

.github/workflows/new-prs.yml

Lines changed: 1 addition & 1 deletion
@@ -67,7 +67,7 @@ jobs:
6767
github.event.pull_request.draft == false &&
6868
github.event.pull_request.commits < 10
6969
steps:
70-
- uses: actions/labeler@v4
70+
- uses: actions/labeler@v5
7171
with:
7272
configuration-path: .github/new-prs-labeler.yml
7373
# workaround for https://github.com/actions/labeler/issues/112
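
Review bot: `actions/labeler@v5` at line 70 uses a different configuration schema from v4, and `configuration-path: .github/new-prs-labeler.yml` on line 72 is carried over unchanged, with no edit to that file among the diffs shown here. Confirm the config has been migrated to the v5 format, and recheck whether the workaround referenced on line 73 is still needed on v5. A full commit SHA is preferable to the `@v5` tag, in line with the pins in scorecard.yml.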

.github/workflows/pr-code-format.yml

Lines changed: 1 addition & 1 deletion
@@ -27,7 +27,7 @@ jobs:
2727

2828
- name: Get changed files
2929
id: changed-files
30-
uses: tj-actions/changed-files@v39
30+
uses: tj-actions/changed-files@v44
3131
with:
3232
separator: ","
3333
skip_initial_fetch: true
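
Review bot: line 30 jumps `tj-actions/changed-files` five major versions while the `separator: ","` and `skip_initial_fetch: true` inputs on lines 32-33 are carried over untouched. Check both inputs and the format of the step's outputs against the v44 release notes before merging, and pin the action to a commit SHA rather than `@v44`.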

.github/workflows/release-binaries.yml

Lines changed: 19 additions & 5 deletions
@@ -226,8 +226,11 @@ jobs:
226226
if: github.repository == 'llvm/llvm-project'
227227
runs-on: ${{ inputs.runs-on }}
228228
steps:
229-
- name: Checkout Actions
230-
uses: actions/checkout@v4
229+
- name: Install Ninja
230+
uses: llvm/actions/install-ninja@22e9f909d35b50bd1181709564bfe816eaeaae81 # main
231+
232+
- name: Download Stage 1 Artifacts
233+
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
231234
with:
232235
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
233236
sparse-checkout: |
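
Review bot: the `with:` block kept as context at lines 234-236 (`ref:` and `sparse-checkout:`) belongs to the removed `actions/checkout@v4` step, but after this change it attaches to `actions/download-artifact`, which has no such inputs, and the job no longer checks out the repository. This reads as a mis-resolved merge rather than an intended change: restore the `Checkout Actions` step (pinned by SHA) above this `with:` block and give the download step its own `with:` that names the artifact. Separately, `llvm/actions/install-ninja@22e9f909d35b50bd1181709564bfe816eaeaae81 # main` is annotated with a branch name, so the comment gives no release to check the SHA against.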
@@ -260,8 +263,11 @@ jobs:
260263
if: github.repository == 'llvm/llvm-project'
261264
runs-on: ${{ inputs.runs-on }}
262265
steps:
263-
- name: Checkout Actions
264-
uses: actions/checkout@v4
266+
- name: Install Ninja
267+
uses: llvm/actions/install-ninja@22e9f909d35b50bd1181709564bfe816eaeaae81 # main
268+
269+
- name: 'Download artifact'
270+
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
265271
with:
266272
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
267273
sparse-checkout: |
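
Review bot: removing `Checkout Actions` at lines 263-264 leaves the `ref:` and `sparse-checkout:` inputs at lines 272-273 under the new `'Download artifact'` step, which does not accept them, and drops the repository checkout from this job. Keep the checkout step in front of that `with:` block and add the download as a separate step with its own `name:` or `pattern:` input so it is clear which artifact it fetches.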
@@ -429,7 +435,7 @@ jobs:
429435
sparse-checkout-cone-mode: false
430436

431437
- name: 'Download artifact'
432-
uses: actions/download-artifact@6b208ae046db98c579e8a3aa621ab581ff575935 # v4.1.1
438+
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
433439
with:
434440
pattern: '*-release-binary'
435441
merge-multiple: true
@@ -472,8 +478,16 @@ jobs:
472478
github.repository == 'llvm/llvm-project'
473479
runs-on: ${{ inputs.runs-on }}
474480
steps:
481+
<<<<<<< HEAD
475482
- name: Checkout Actions
476483
uses: actions/checkout@v4
484+
=======
485+
- name: Install Ninja
486+
uses: llvm/actions/install-ninja@22e9f909d35b50bd1181709564bfe816eaeaae81 # main
487+
488+
- name: 'Download artifact'
489+
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
490+
>>>>>>> d408c7f36c5c (SDL security fixes (#32))
477491
with:
478492
ref: ${{ (github.event_name == 'pull_request' && github.sha) || 'main' }}
479493
sparse-checkout: |
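
Review bot: lines 481, 484 and 490 add unresolved merge conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> d408c7f36c5c (SDL security fixes (#32))`) to the workflow file, which leaves it invalid YAML so the release workflow cannot load. Resolve the conflict and keep one side only; note that the incoming side again places `actions/download-artifact` directly above a `with:` block holding `ref:` and `sparse-checkout:`, which are checkout inputs. A CI step that rejects conflict markers or lints workflow YAML would catch this class of mistake before merge.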

.github/workflows/scorecard.yml

Lines changed: 4 additions & 4 deletions
@@ -27,7 +27,7 @@ jobs:
2727
# Needed to upload the results to code-scanning dashboard.
2828
security-events: write
2929
# Needed to publish results and get a badge (see publish_results below).
30-
id-token: write
30+
id-token: write
3131

3232
steps:
3333
- name: "Checkout code"
@@ -36,14 +36,14 @@ jobs:
3636
persist-credentials: false
3737

3838
- name: "Run analysis"
39-
uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
39+
uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3
4040
with:
4141
results_file: results.sarif
4242
results_format: sarif
4343

4444
# - Publish results to OpenSSF REST API for easy access by consumers
4545
# - Allows the repository to include the Scorecard badge.
46-
# - See https://github.com/ossf/scorecard-action#publishing-results.
46+
# - See https://github.com/ossf/scorecard-action#publishing-results.
4747
publish_results: true
4848

4949
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
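
Review bot: the removed pin on line 39 is annotated `# v2.3.1`, whereas the commit message describes the `ossf/scorecard-action` bump as 2.1.2 to 2.3.3, so the changelog range reviewed for this update may not match what the workflow was actually running. Verify that `dc50aa9510b46c811795eb24b2f1ba02a914e534` is the commit the v2.3.3 tag points to. The change on line 46 shows identical text on both sides, which suggests a whitespace-only edit; leave it out to keep the security diff minimal.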
@@ -57,6 +57,6 @@ jobs:
5757

5858
# Upload the results to GitHub's code scanning dashboard.
5959
- name: "Upload to code-scanning"
60-
uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
60+
uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
6161
with:
6262
sarif_file: results.sarif
