deps(ci)(deps): bump the actions-minor-patch group with 3 updates

[dependabot]

Bumps the actions-minor-patch group with 3 updates: step-security/harden-runner, pypa/gh-action-pypi-publish and ossf/scorecard-action.

Updates step-security/harden-runner from 2.12.1 to 2.19.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.19.1

What's Changed

• fix: detect ubuntu-slim runners early and bail out by @​devantler in step-security/harden-runner#657

What the fix changes

• Harden-Runner will detect ubuntu-slim runners and exit cleanly with an informational log message, instead of post harden runner step failing on chown: invalid user: 'undefined'.

What the fix does not do

• Jobs running on ubuntu-slim will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).
• Per GitHub's docs on single-CPU runners: "The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported." Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.

For StepSecurity enterprise customers If your security posture requires that workflows are always monitored, you can block the use of ubuntu-slim via workflow run policies see the Runner Label Policy docs. This lets you enforce that jobs only run on monitored runner types.

New Contributors

• @​devantler made their first contribution in step-security/harden-runner#657

Full Changelog: step-security/harden-runner@v2.19.0...v2.19.1

v2.19.0

What's Changed

New Runner Support

Harden-Runner now supports Depot, Blacksmith, Namespace, and WarpBuild runners with the same egress monitoring, runtime monitoring, and policy enforcement available on GitHub-hosted runners.

Automated Incident Response for Supply Chain Attacks

• Global block list: Outbound connections to known malicious domains and IPs are now blocked even in audit mode.
• System-defined detection rules: Harden-Runner will trigger lockdown mode when a high risk event is detected during an active supply chain attack (for example, a process reading the memory of the runner worker process, a common technique for stealing GitHub Actions secrets).

Bug Fixes

Windows and macOS: stability and reliability fixes

Full Changelog: step-security/harden-runner@v2.18.0...v2.19.0

v2.18.0

What's Changed

Global Block List: During supply chain incidents like the recent axios and trivy compromises, StepSecurity will add known malicious domains and IP addresses (IOCs) to a global block list. These will be automatically blocked, even in audit mode, providing immediate protection without requiring any workflow changes.

Deploy on Self-Hosted VM: Added deploy-on-self-hosted-vm input that allows the Harden Runner agent to be installed directly on ephemeral self-hosted Linux runner VMs at workflow runtime. This is intended as an alternative when baking the agent into the VM image is not possible.

Full Changelog: step-security/harden-runner@v2.17.0...v2.18.0

v2.17.0

What's Changed

Policy Store Support

Added use-policy-store and api-key inputs to fetch security policies directly from the StepSecurity Policy Store. Policies can be defined and attached at the workflow, repo, org, or cluster (ARC) level, with the most granular policy taking precedence. This is the preferred method over the existing policy input which requires id-token: write permission. If no policy is found in the store, the action defaults to audit mode.

Full Changelog: step-security/harden-runner@v2.16.1...v2.17.0

v2.16.1

... (truncated)

Commits

• a5ad31d Merge pull request #657 from devantler/fix/ubuntu-slim-user-env
• 6e92856 build dist and trim ubuntu-slim message
• 4e0504e Merge branch 'main' into fix/ubuntu-slim-user-env
• 8d3c67d Release v2.19.0 (#661)
• 6c3c2f2 Feature/deploy on self hosted vm (#658)
• 376d25a fix: detect ubuntu-slim runners early and bail out
• f808768 Feature/policy store (#656)
• fe10465 v2.16.1 (#654)
• fa2e9d6 Release v2.16.0 (#646)
• 58077d3 Release v2.15.1 (#641)
• Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.12.4 to 1.14.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.14.0

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#391) and @​webknjaz💰 added infra for using type annotations in the project (#381).

💪 New Contributors

• @​him2him2 made their first contribution in #395
• @​whitequark made their first contribution in #397

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

v1.13.0

[!important] 🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰. We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip]

... (truncated)

Commits

• cef2210 Merge pull request #397 from whitequark/patch-1
• b4595e2 Enable verbose and print-hash by default.
• e2bab26 Merge pull request #395 from him2him2/docs/fix-typos-and-grammar
• 7495c38 docs: fix typos and grammar in README and SECURITY
• 03f86fe Merge pull request #388 from woodruffw-forks/ww/rm-experimental
• 4c78f1c Merge branch 'unstable/v1' into ww/rm-experimental
• b5a6e8b deps: bump sigstore and pypi-attestations
• a48a03e remove another experimental mention
• 8087a88 action: remove a lingering mention of PEP 740 being experimental
• 3317ede 🧪 Integrate actionlint via pre-commit framework
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.1 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

• docs: clarify GITHUB_TOKEN permissions needed for private repos by @​pankajtaneja5 in ossf/scorecard-action#1574
• 📖 Fix recommended command to test the image in development by @​deivid-rodriguez in ossf/scorecard-action#1583

Other

• add missing top-level token permissions to workflows by @​timothyklee in ossf/scorecard-action#1566
• setup codeowners for requesting reviews by @​spencerschrock in ossf/scorecard-action#1576
• 🌱 Improve printing options by @​deivid-rodriguez in ossf/scorecard-action#1584

New Contributors

• @​timothyklee made their first contribution in ossf/scorecard-action#1566
• @​pankajtaneja5 made their first contribution in ossf/scorecard-action#1574
• @​deivid-rodriguez made their first contribution in ossf/scorecard-action#1584

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

Commits

• 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
• 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
• 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
• 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
• 92083b5 📖 Fix recommended command to test the image in development (#1583)
• 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
• 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
• c3f1350 🌱 Improve printing options (#1584)
• 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.