chore(deps): update github-actions (#4132)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/download-artifact](https://redirect.github.com/actions/download-artifact)
| action | minor | `v4.1.8` -> `v4.2.0` |
| [actions/setup-java](https://redirect.github.com/actions/setup-java) |
action | minor | `v4.6.0` -> `v4.7.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) |
action | minor | `v4.2.0` -> `v4.3.0` |
| [actions/setup-node](https://redirect.github.com/actions/setup-node) |
action | digest | `1d0ff46` -> `cdca736` |
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | patch | `v4.6.0` -> `v4.6.1` |
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | patch | `v3.28.6` -> `v3.28.11` |
|
[google-github-actions/auth](https://redirect.github.com/google-github-actions/auth)
| action | patch | `v2.1.7` -> `v2.1.8` |
|
[ianlewis/todo-issue-reopener](https://redirect.github.com/ianlewis/todo-issue-reopener)
| action | minor | `v1.4.0` -> `v1.6.0` |
|
[ossf/scorecard-action](https://redirect.github.com/ossf/scorecard-action)
| action | patch | `v2.4.0` -> `v2.4.1` |
|
[sigstore/cosign-installer](https://redirect.github.com/sigstore/cosign-installer)
| action | minor | `v3.7.0` -> `v3.8.1` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.2.0`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.2.0)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.9...v4.2.0)

#### What's Changed

- Update README.md by
[@&#8203;lkfortuna](https://redirect.github.com/lkfortuna) in
[https://github.com/actions/download-artifact/pull/384](https://redirect.github.com/actions/download-artifact/pull/384)
- Bump artifact version, do digest check by
[@&#8203;GhadimiR](https://redirect.github.com/GhadimiR) in
[https://github.com/actions/download-artifact/pull/383](https://redirect.github.com/actions/download-artifact/pull/383)

#### New Contributors

- [@&#8203;lkfortuna](https://redirect.github.com/lkfortuna) made their
first contribution in
[https://github.com/actions/download-artifact/pull/384](https://redirect.github.com/actions/download-artifact/pull/384)
- [@&#8203;GhadimiR](https://redirect.github.com/GhadimiR) made their
first contribution in
[https://github.com/actions/download-artifact/pull/383](https://redirect.github.com/actions/download-artifact/pull/383)

**Full Changelog**:
actions/download-artifact@v4.1.9...v4.2.0

###
[`v4.1.9`](https://redirect.github.com/actions/download-artifact/releases/tag/v4.1.9)

[Compare
Source](https://redirect.github.com/actions/download-artifact/compare/v4.1.8...v4.1.9)

#### What's Changed

- Add workflow file for publishing releases to immutable action package
by [@&#8203;Jcambass](https://redirect.github.com/Jcambass) in
[https://github.com/actions/download-artifact/pull/354](https://redirect.github.com/actions/download-artifact/pull/354)
- docs: small migration fix by
[@&#8203;froblesmartin](https://redirect.github.com/froblesmartin) in
[https://github.com/actions/download-artifact/pull/370](https://redirect.github.com/actions/download-artifact/pull/370)
- Update MIGRATION.md by
[@&#8203;andyfeller](https://redirect.github.com/andyfeller) in
[https://github.com/actions/download-artifact/pull/372](https://redirect.github.com/actions/download-artifact/pull/372)
- Update artifact package to 2.2.2 by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[https://github.com/actions/download-artifact/pull/380](https://redirect.github.com/actions/download-artifact/pull/380)

#### New Contributors

- [@&#8203;Jcambass](https://redirect.github.com/Jcambass) made their
first contribution in
[https://github.com/actions/download-artifact/pull/354](https://redirect.github.com/actions/download-artifact/pull/354)
- [@&#8203;froblesmartin](https://redirect.github.com/froblesmartin)
made their first contribution in
[https://github.com/actions/download-artifact/pull/370](https://redirect.github.com/actions/download-artifact/pull/370)
- [@&#8203;andyfeller](https://redirect.github.com/andyfeller) made
their first contribution in
[https://github.com/actions/download-artifact/pull/372](https://redirect.github.com/actions/download-artifact/pull/372)
- [@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) made their
first contribution in
[https://github.com/actions/download-artifact/pull/380](https://redirect.github.com/actions/download-artifact/pull/380)

**Full Changelog**:
actions/download-artifact@v4...v4.1.9

</details>

<details>
<summary>actions/setup-java (actions/setup-java)</summary>

###
[`v4.7.0`](https://redirect.github.com/actions/setup-java/releases/tag/v4.7.0)

[Compare
Source](https://redirect.github.com/actions/setup-java/compare/v4.6.0...v4.7.0)

#### What's Changed

- Configure Dependabot settings by
[@&#8203;HarithaVattikuti](https://redirect.github.com/HarithaVattikuti)
in
[https://github.com/actions/setup-java/pull/722](https://redirect.github.com/actions/setup-java/pull/722)
- README Update: Added a permissions section by
[@&#8203;benwells](https://redirect.github.com/benwells) in
[https://github.com/actions/setup-java/pull/723](https://redirect.github.com/actions/setup-java/pull/723)
- Upgrade `cache` from version 3.2.4 to 4.0.0 by
[@&#8203;aparnajyothi-y](https://redirect.github.com/aparnajyothi-y) in
[https://github.com/actions/setup-java/pull/724](https://redirect.github.com/actions/setup-java/pull/724)
- Upgrade `@actions/http-client` from 2.2.1 to 2.2.3 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/setup-java/pull/728](https://redirect.github.com/actions/setup-java/pull/728)
- Upgrade `actions/publish-immutable-action` from 0.0.3 to 0.0.4 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/setup-java/pull/727](https://redirect.github.com/actions/setup-java/pull/727)
- Upgrade `@types/jest` from 29.5.12 to 29.5.14 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/actions/setup-java/pull/729](https://redirect.github.com/actions/setup-java/pull/729)

#### New Contributors

- [@&#8203;benwells](https://redirect.github.com/benwells) made their
first contribution in
[https://github.com/actions/setup-java/pull/723](https://redirect.github.com/actions/setup-java/pull/723)

**Full Changelog**:
actions/setup-java@v4...v4.7.0

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v4.3.0`](https://redirect.github.com/actions/setup-node/compare/v4.2.0...v4.3.0)

[Compare
Source](https://redirect.github.com/actions/setup-node/compare/v4.2.0...v4.3.0)

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.6.1`](https://redirect.github.com/actions/upload-artifact/releases/tag/v4.6.1)

[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v4.6.0...v4.6.1)

#### What's Changed

- Update to use artifact 2.2.2 package by
[@&#8203;yacaovsnc](https://redirect.github.com/yacaovsnc) in
[https://github.com/actions/upload-artifact/pull/673](https://redirect.github.com/actions/upload-artifact/pull/673)

**Full Changelog**:
actions/upload-artifact@v4...v4.6.1

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.28.11`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.11)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.28.10...v3.28.11)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 3.28.11 - 07 Mar 2025

- Update default CodeQL bundle version to 2.20.6.
[#&#8203;2793](https://redirect.github.com/github/codeql-action/pull/2793)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.11/CHANGELOG.md)
for more information.

###
[`v3.28.10`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.10)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.28.9...v3.28.10)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 3.28.10 - 21 Feb 2025

- Update default CodeQL bundle version to 2.20.5.
[#&#8203;2772](https://redirect.github.com/github/codeql-action/pull/2772)
- Address an issue where the CodeQL Bundle would occasionally fail to
decompress on macOS.
[#&#8203;2768](https://redirect.github.com/github/codeql-action/pull/2768)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.10/CHANGELOG.md)
for more information.

###
[`v3.28.9`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.9)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.28.8...v3.28.9)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 3.28.9 - 07 Feb 2025

- Update default CodeQL bundle version to 2.20.4.
[#&#8203;2753](https://redirect.github.com/github/codeql-action/pull/2753)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.9/CHANGELOG.md)
for more information.

###
[`v3.28.8`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.8)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.28.7...v3.28.8)

### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

#### 3.28.8 - 29 Jan 2025

- Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3.
[#&#8203;2744](https://redirect.github.com/github/codeql-action/pull/2744)

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.8/CHANGELOG.md)
for more information.

###
[`v3.28.7`](https://redirect.github.com/github/codeql-action/releases/tag/v3.28.7)

[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3.28.6...v3.28.7)

##### CodeQL Action Changelog

See the [releases
page](https://redirect.github.com/github/codeql-action/releases) for the
relevant changes to the CodeQL CLI and language packs.

##### 3.28.7 - 29 Jan 2025

No user facing changes.

See the full
[CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v3.28.7/CHANGELOG.md)
for more information.

</details>

<details>
<summary>google-github-actions/auth
(google-github-actions/auth)</summary>

###
[`v2.1.8`](https://redirect.github.com/google-github-actions/auth/releases/tag/v2.1.8)

[Compare
Source](https://redirect.github.com/google-github-actions/auth/compare/v2.1.7...v2.1.8)

##### What's Changed

- Update TROUBLESHOOTING.md by
[@&#8203;sethvargo](https://redirect.github.com/sethvargo) in
[https://github.com/google-github-actions/auth/pull/457](https://redirect.github.com/google-github-actions/auth/pull/457)
- fix: add runs-on to README.md example by
[@&#8203;lbarthon](https://redirect.github.com/lbarthon) in
[https://github.com/google-github-actions/auth/pull/460](https://redirect.github.com/google-github-actions/auth/pull/460)
- security: bump undici from 5.28.4 to 5.28.5 in the npm_and_yarn group
by [@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/google-github-actions/auth/pull/463](https://redirect.github.com/google-github-actions/auth/pull/463)
- Update deps by
[@&#8203;sethvargo](https://redirect.github.com/sethvargo) in
[https://github.com/google-github-actions/auth/pull/466](https://redirect.github.com/google-github-actions/auth/pull/466)
- Release: v2.1.8 by
[@&#8203;google-github-actions-bot](https://redirect.github.com/google-github-actions-bot)
in
[https://github.com/google-github-actions/auth/pull/467](https://redirect.github.com/google-github-actions/auth/pull/467)

##### New Contributors

- [@&#8203;lbarthon](https://redirect.github.com/lbarthon) made their
first contribution in
[https://github.com/google-github-actions/auth/pull/460](https://redirect.github.com/google-github-actions/auth/pull/460)

**Full Changelog**:
google-github-actions/auth@v2...v2.1.8

</details>

<details>
<summary>ianlewis/todo-issue-reopener
(ianlewis/todo-issue-reopener)</summary>

###
[`v1.6.0`](https://redirect.github.com/ianlewis/todo-issue-reopener/releases/tag/v1.6.0)

[Compare
Source](https://redirect.github.com/ianlewis/todo-issue-reopener/compare/v1.5.0...v1.6.0)

#### Updated in v1.6.0

- Updated the version of `todos` used to v0.12.0
([#&#8203;1810](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1810)).

#### What's Changed since v1.6.0

- chore: Update todos to v0.12.0 by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1753](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1753)
- chore(deps-dev): Bump the development-dependencies group across 1
directory with 11 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1774](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1774)
- chore(deps): Bump the all-dependencies group with 5 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1741](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1741)
- chore(deps): Bump uuid from 11.0.5 to 11.1.0 in the
production-dependencies group by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1735](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1735)
- chore(release): 1.6.0 by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1810](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1810)
- chore: Sync w/ repo-template-ts by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1826](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1826)

**Full Changelog**:
ianlewis/todo-issue-reopener@v1.5.0...v1.6.0

###
[`v1.5.0`](https://redirect.github.com/ianlewis/todo-issue-reopener/releases/tag/v1.5.0)

[Compare
Source](https://redirect.github.com/ianlewis/todo-issue-reopener/compare/v1.4.0...v1.5.0)

#### Updated in v1.5.0

- Updated the version of `todos` used to v0.11.0
([#&#8203;1474](https://redirect.github.com/ianlewis/todo-issue-reopener/issues/1474)).
- Fixed edge cases in `vanityURLs` feature
([#&#8203;1475](https://redirect.github.com/ianlewis/todo-issue-reopener/issues/1475)).

#### What's Changed since v1.4.0

- chore: Sync with repo-template-ts by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1481](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1481)
- chore: Update todos to v0.11.0 by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1578](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1578)
- docs: Add contents: read permission by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1594](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1594)
- fix: vanityURLs feature by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1605](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1605)
- chore(deps-dev): Bump
[@&#8203;types/node](https://redirect.github.com/types/node) from
20.17.19 to 22.13.4 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1557](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1557)
- chore(deps): Bump actions/checkout from 4.1.7 to 4.2.2 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1354](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1354)
- chore: group dependabot updates by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1661](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1661)
- chore(deps): Bump the all-dependencies group with 4 updates by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1672](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1672)
- chore(deps-dev): Bump the development-dependencies group with 2
updates by [@&#8203;dependabot](https://redirect.github.com/dependabot)
in
[https://github.com/ianlewis/todo-issue-reopener/pull/1678](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1678)
- chore(deps): Bump codecov/codecov-action from 4.6.0 to 5.3.1 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1550](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1550)
- chore(deps): Bump uuid from 10.0.0 to 11.0.5 by
[@&#8203;dependabot](https://redirect.github.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1551](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1551)
- chore(release): v1.5.0 by
[@&#8203;ianlewis](https://redirect.github.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/1719](https://redirect.github.com/ianlewis/todo-issue-reopener/pull/1719)

**Full Changelog**:
ianlewis/todo-issue-reopener@v1.4.0...v1.5.0

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.4.1`](https://redirect.github.com/ossf/scorecard-action/releases/tag/v2.4.1)

[Compare
Source](https://redirect.github.com/ossf/scorecard-action/compare/v2.4.0...v2.4.1)

#### What's Changed

- This update bumps the Scorecard version to the v5.1.1 release. For a
complete list of changes, please refer to the
[v5.1.0](https://redirect.github.com/ossf/scorecard/releases/tag/v5.1.0)
and
[v5.1.1](https://redirect.github.com/ossf/scorecard/releases/tag/v5.1.1)
release notes.
- Publishing results now uses half the API quota as before. The exact
savings depends on the repository in question.
- use Scorecard library entrypoint instead of Cobra hooking by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1423](https://redirect.github.com/ossf/scorecard-action/pull/1423)
-   Some errors were made into annotations to make them more visible
- Make default branch error more prominent by
[@&#8203;jsoref](https://redirect.github.com/jsoref) in
[https://github.com/ossf/scorecard-action/pull/1459](https://redirect.github.com/ossf/scorecard-action/pull/1459)
- There is now an optional `file_mode` input which controls how
repository files are fetched from GitHub. The default is `archive`, but
`git` produces the most accurate results for repositories with
`.gitattributes` files at the cost of analysis speed.
- add input for specifying `--file-mode` by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1509](https://redirect.github.com/ossf/scorecard-action/pull/1509)
- The underlying container for the action is now [hosted on GitHub
Container
Registry](https://redirect.github.com/ossf/scorecard-action/pkgs/container/scorecard-action).
There should be no functional changes.
- 🌱 publish docker images to GitHub Container Registry by
[@&#8203;spencerschrock](https://redirect.github.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1453](https://redirect.github.com/ossf/scorecard-action/pull/1453)

##### Docs

- Installation docs update by
[@&#8203;JeremiahAHoward](https://redirect.github.com/JeremiahAHoward)
in
[https://github.com/ossf/scorecard-action/pull/1416](https://redirect.github.com/ossf/scorecard-action/pull/1416)

#### New Contributors

- [@&#8203;JeremiahAHoward](https://redirect.github.com/JeremiahAHoward)
made their first contribution in
[https://github.com/ossf/scorecard-action/pull/1416](https://redirect.github.com/ossf/scorecard-action/pull/1416)
- [@&#8203;jsoref](https://redirect.github.com/jsoref) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1459](https://redirect.github.com/ossf/scorecard-action/pull/1459)
**Full Changelog**:
ossf/scorecard-action@v2.4.0...v2.4.1

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.8.1`](https://redirect.github.com/sigstore/cosign-installer/releases/tag/v3.8.1)

[Compare
Source](https://redirect.github.com/sigstore/cosign-installer/compare/v3.8.0...v3.8.1)

##### What's Changed

- use cosign 2.4.3 and other updates by
[@&#8203;cpanato](https://redirect.github.com/cpanato) in
[https://github.com/sigstore/cosign-installer/pull/182](https://redirect.github.com/sigstore/cosign-installer/pull/182)

**Full Changelog**:
sigstore/cosign-installer@v3...v3.8.1

###
[`v3.8.0`](https://redirect.github.com/sigstore/cosign-installer/releases/tag/v3.8.0)

[Compare
Source](https://redirect.github.com/sigstore/cosign-installer/compare/v3.7.0...v3.8.0)

#### What's Changed

- test action against all non-rc releases, verify entry in rekor log by
[@&#8203;bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/179](https://redirect.github.com/sigstore/cosign-installer/pull/179)
- bump for cosign v2.4.2 release by
[@&#8203;bobcallaway](https://redirect.github.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/181](https://redirect.github.com/sigstore/cosign-installer/pull/181)

**Full Changelog**:
sigstore/cosign-installer@v3...v3.8.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "* 0-3 1 * *" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4xNzYuMiIsInVwZGF0ZWRJblZlciI6IjM5LjIwNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <[email protected]>

Author: renovate-bot

.github/actions/secure-download-artifact/action.yml

@@ -78,7 +78,7 @@ runs:
         echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}"
 
     - name: Download the artifact
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
       with:
         name: "${{ inputs.name }}"
         path: "${{ steps.validate-path.outputs.folder_path }}"

.github/actions/secure-download-folder/action.yml

@@ -34,7 +34,7 @@ runs:
       uses: slsa-framework/slsa-github-generator/.github/actions/rng@main
 
     - name: Download the artifact
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
       with:
         name: "${{ inputs.name }}"
         path: "${{ steps.rng.outputs.random }}"

.github/actions/secure-project-checkout-node/action.yml

@@ -41,6 +41,6 @@ runs:
         path: ${{ inputs.path }}
 
     - name: Set up Node environment
-      uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+      uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
       with:
         node-version: ${{ inputs.node-version }}

.github/actions/secure-upload-artifact/action.yml

@@ -37,7 +37,7 @@ runs:
         path: "${{ inputs.path }}"
 
     - name: Upload the artifact
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
       with:
         name: "${{ inputs.name }}"
         path: "${{ inputs.path }}"

.github/workflows/builder_container-based_slsa3.yml

@@ -209,7 +209,7 @@ jobs:
           allow-private-repository: ${{ inputs.rekor-log-public }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -306,7 +306,7 @@ jobs:
       - id: auth
         name: Authenticate to Google Cloud
         if: inputs.gcp-workload-identity-provider != ''
-        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
+        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
         with:
           token_format: "access_token"
           workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }}
@@ -462,7 +462,7 @@ jobs:
         # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
         # secure upload or verify this against the SLSA layout file.
         id: upload-artifacts
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: ${{ steps.build.outputs.build-outputs-name }}
           path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
@@ -535,7 +535,7 @@ jobs:
       - name: Upload unsigned intoto attestations file for pull request
         if: ${{ github.event_name == 'pull_request' }}
         id: upload-unsigned
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "attestations-${{ needs.rng.outputs.value }}"
@@ -556,7 +556,7 @@ jobs:
       - name: Upload the signed attestations
         id: upload-signed
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
@@ -584,15 +584,15 @@ jobs:
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA
       # layout files and their checksums to validate the artifacts.
       - name: Download artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
         with:
           name: "${{ needs.build.outputs.build-outputs-name }}"
           path: "${{ needs.build.outputs.build-outputs-name }}"
 
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the
       # secure-folder-download action.
       - name: Download provenance
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@b14cf4c92620c250e1c074ab0a5800e37df86765 # v4.2.0
         with:
           name: "${{ needs.provenance.outputs.provenance-name }}"
           path: "${{ needs.provenance.outputs.provenance-name }}"

.github/workflows/builder_go_slsa3.yml

@@ -169,7 +169,7 @@ jobs:
           allow-private-repository: ${{ inputs.private-repository }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -358,7 +358,7 @@ jobs:
             --workingDir "$UNTRUSTED_WORKING_DIR"
 
       - name: Upload the signed provenance
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
           path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"

.github/workflows/codeql-analysis.yml

@@ -59,7 +59,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
+        uses: github/codeql-action/init@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,7 +72,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
+        uses: github/codeql-action/autobuild@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
 
       # Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -85,7 +85,7 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@17a820bf2e43b47be2c72b39cc905417bc1ab6d0 # v3.28.6
+        uses: github/codeql-action/analyze@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
 
   # NOTE: Checks that the matrix job above completes successfully.
   # This is necessary because the matrix strategy generates new jobs with

.github/workflows/e2e.sign-attestations.schedule.yml

@@ -40,7 +40,7 @@ jobs:
           attestations: .github/actions/sign-attestations/testdata/attestations
           output-folder: outputs
       - name: Setup node
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4
         with:
           node-version: 22
       - name: install sigstore-js

.github/workflows/generator_container_slsa3.yml

@@ -158,14 +158,14 @@ jobs:
       - id: auth
         name: Authenticate to Google Cloud
         if: inputs.gcp-workload-identity-provider != ''
-        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7
+        uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
         with:
           token_format: "access_token"
           workload_identity_provider: ${{ inputs.gcp-workload-identity-provider }}
           service_account: ${{ inputs.gcp-service-account }}
 
       - id: cosign-install
-        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
+        uses: sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a # v3.8.1
         with:
           cosign-release: v2.2.3
         continue-on-error: true

.github/workflows/generator_generic_slsa3.yml

@@ -239,7 +239,7 @@ jobs:
       - name: Upload the signed provenance
         id: upload-prov
         continue-on-error: true
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: "${{ steps.sign-prov.outputs.provenance-name }}"
           path: "${{ steps.sign-prov.outputs.provenance-name }}"