chore(deps): update github-actions (#3642)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | digest | `b4ffde6` -> `a5ac7e5` |
| [actions/checkout](https://togithub.com/actions/checkout) | action |
patch | `v4.1.1` -> `v4.1.6` |
|
[actions/download-artifact](https://togithub.com/actions/download-artifact)
| action | patch | `v4.1.4` -> `v4.1.7` |
|
[actions/upload-artifact](https://togithub.com/actions/upload-artifact)
| action | patch | `v4.3.1` -> `v4.3.3` |
|
[ianlewis/todo-issue-reopener](https://togithub.com/ianlewis/todo-issue-reopener)
| action | patch | `v1.2.0` -> `v1.2.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | patch | `v2.3.0` -> `v2.3.3` |
|
[sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer)
| action | minor | `v3.4.0` -> `v3.5.0` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.1.6`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v416)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.5...v4.1.6)

- Check platform to set archive extension appropriately by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1732](https://togithub.com/actions/checkout/pull/1732)

###
[`v4.1.5`](https://togithub.com/actions/checkout/releases/tag/v4.1.5)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update NPM dependencies by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1703](https://togithub.com/actions/checkout/pull/1703)
- Bump github/codeql-action from 2 to 3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1694](https://togithub.com/actions/checkout/pull/1694)
- Bump actions/setup-node from 1 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1696](https://togithub.com/actions/checkout/pull/1696)
- Bump actions/upload-artifact from 2 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1695](https://togithub.com/actions/checkout/pull/1695)
- README: Suggest `user.email` to be
`41898282+github-actions[bot]@&#8203;users.noreply.github.com` by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1707](https://togithub.com/actions/checkout/pull/1707)

**Full Changelog**:
actions/checkout@v4.1.4...v4.1.5

###
[`v4.1.4`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v414)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.3...v4.1.4)

- Disable `extensions.worktreeConfig` when disabling `sparse-checkout`
by [@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1692](https://togithub.com/actions/checkout/pull/1692)
- Add dependabot config by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1688](https://togithub.com/actions/checkout/pull/1688)
- Bump the minor-actions-dependencies group with 2 updates by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1693](https://togithub.com/actions/checkout/pull/1693)
- Bump word-wrap from 1.2.3 to 1.2.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1643](https://togithub.com/actions/checkout/pull/1643)

###
[`v4.1.3`](https://togithub.com/actions/checkout/releases/tag/v4.1.3)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.2...v4.1.3)

#### What's Changed

- Update `actions/checkout` version in `update-main-version.yml` by
[@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1650](https://togithub.com/actions/checkout/pull/1650)
- Check git version before attempting to disable `sparse-checkout` by
[@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1656](https://togithub.com/actions/checkout/pull/1656)
- Add SSH user parameter by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1685](https://togithub.com/actions/checkout/pull/1685)

**Full Changelog**:
actions/checkout@v4.1.2...v4.1.3

###
[`v4.1.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v412)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.1...v4.1.2)

- Fix: Disable sparse checkout whenever `sparse-checkout` option is not
present [@&#8203;dscho](https://togithub.com/dscho) in
[https://github.com/actions/checkout/pull/1598](https://togithub.com/actions/checkout/pull/1598)

</details>

<details>
<summary>actions/download-artifact (actions/download-artifact)</summary>

###
[`v4.1.7`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.7)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.6...v4.1.7)

#### What's Changed

- Update
[@&#8203;actions/artifact](https://togithub.com/actions/artifact)
dependency by [@&#8203;bethanyj28](https://togithub.com/bethanyj28) in
[https://github.com/actions/download-artifact/pull/325](https://togithub.com/actions/download-artifact/pull/325)

**Full Changelog**:
actions/download-artifact@v4.1.6...v4.1.7

###
[`v4.1.6`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.6)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.5...v4.1.6)

#### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/download-artifact/pull/324](https://togithub.com/actions/download-artifact/pull/324)

**Full Changelog**:
actions/download-artifact@v4.1.5...v4.1.6

###
[`v4.1.5`](https://togithub.com/actions/download-artifact/releases/tag/v4.1.5)

[Compare
Source](https://togithub.com/actions/download-artifact/compare/v4.1.4...v4.1.5)

#### What's Changed

- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/download-artifact/pull/322](https://togithub.com/actions/download-artifact/pull/322)
- Update dependencies `@actions/core` to v1.10.1 and `@actions/artifact`
to v2.1.5

**Full Changelog**:
actions/download-artifact@v4.1.4...v4.1.5

</details>

<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>

###
[`v4.3.3`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.3)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.2...v4.3.3)

##### What's Changed

- updating `@actions/artifact` dependency to v2.1.6 by
[@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/565](https://togithub.com/actions/upload-artifact/pull/565)

**Full Changelog**:
actions/upload-artifact@v4.3.2...v4.3.3

###
[`v4.3.2`](https://togithub.com/actions/upload-artifact/releases/tag/v4.3.2)

[Compare
Source](https://togithub.com/actions/upload-artifact/compare/v4.3.1...v4.3.2)

#### What's Changed

- Update release-new-action-version.yml by
[@&#8203;konradpabjan](https://togithub.com/konradpabjan) in
[https://github.com/actions/upload-artifact/pull/516](https://togithub.com/actions/upload-artifact/pull/516)
- Minor fix to the migration readme by
[@&#8203;andrewakim](https://togithub.com/andrewakim) in
[https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523)
- Update readme with v3/v2/v1 deprecation notice by
[@&#8203;robherley](https://togithub.com/robherley) in
[https://github.com/actions/upload-artifact/pull/561](https://togithub.com/actions/upload-artifact/pull/561)
- updating `@actions/artifact` dependency to v2.1.5 and `@actions/core`
to v1.0.1 by [@&#8203;eggyhead](https://togithub.com/eggyhead) in
[https://github.com/actions/upload-artifact/pull/562](https://togithub.com/actions/upload-artifact/pull/562)

#### New Contributors

- [@&#8203;andrewakim](https://togithub.com/andrewakim) made their first
contribution in
[https://github.com/actions/upload-artifact/pull/523](https://togithub.com/actions/upload-artifact/pull/523)

**Full Changelog**:
actions/upload-artifact@v4.3.1...v4.3.2

</details>

<details>
<summary>ianlewis/todo-issue-reopener
(ianlewis/todo-issue-reopener)</summary>

###
[`v1.2.1`](https://togithub.com/ianlewis/todo-issue-reopener/releases/tag/v1.2.1)

[Compare
Source](https://togithub.com/ianlewis/todo-issue-reopener/compare/v1.2.0...v1.2.1)

##### Fixed in 1.2.1

- Fixed the "error updating to TUF remote mirror: invalid key" error
([#&#8203;688](https://togithub.com/ianlewis/todo-issue-reopener/issues/688)).

#### All changes

- fix: Update slsa-verifier version by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/689](https://togithub.com/ianlewis/todo-issue-reopener/pull/689)
- chore(deps): Bump github/codeql-action from 3.23.2 to 3.25.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/711](https://togithub.com/ianlewis/todo-issue-reopener/pull/711)
- chore(deps): Bump codecov/codecov-action from 4.0.1 to 4.4.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/705](https://togithub.com/ianlewis/todo-issue-reopener/pull/705)
- chore(deps): Bump actions/upload-artifact from 4.3.0 to 4.3.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/670](https://togithub.com/ianlewis/todo-issue-reopener/pull/670)
- chore(deps-dev): Bump
[@&#8203;types/jest](https://togithub.com/types/jest) from 29.5.11 to
29.5.12 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/664](https://togithub.com/ianlewis/todo-issue-reopener/pull/664)
- chore(deps): Bump actions/setup-node from 4.0.1 to 4.0.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/605](https://togithub.com/ianlewis/todo-issue-reopener/pull/605)
- chore(deps): Bump yamllint from 1.33.0 to 1.35.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/598](https://togithub.com/ianlewis/todo-issue-reopener/pull/598)
- chore(deps-dev): Bump eslint-plugin-github from 4.9.1 to 4.10.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/592](https://togithub.com/ianlewis/todo-issue-reopener/pull/592)
- chore(deps): Bump thehanimo/pr-title-checker from 1.4.1 to 1.4.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/604](https://togithub.com/ianlewis/todo-issue-reopener/pull/604)
- chore(deps): Bump yaml from 2.3.4 to 2.4.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/727](https://togithub.com/ianlewis/todo-issue-reopener/pull/727)
- chore(deps-dev): Bump
[@&#8203;vercel/ncc](https://togithub.com/vercel/ncc) from 0.36.1 to
0.38.1 by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/635](https://togithub.com/ianlewis/todo-issue-reopener/pull/635)
- chore(deps-dev): Bump eslint from 8.56.0 to 8.57.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/ianlewis/todo-issue-reopener/pull/634](https://togithub.com/ianlewis/todo-issue-reopener/pull/634)
- chore(release): v1.2.1 by
[@&#8203;ianlewis](https://togithub.com/ianlewis) in
[https://github.com/ianlewis/todo-issue-reopener/pull/833](https://togithub.com/ianlewis/todo-issue-reopener/pull/833)

**Full Changelog**:
ianlewis/todo-issue-reopener@v1.2.0...v1.2.1

</details>

<details>
<summary>ossf/scorecard-action (ossf/scorecard-action)</summary>

###
[`v2.3.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.3)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.2...v2.3.3)

> \[!NOTE]\
> There is no v2.3.2 release as a step was skipped in the release
process. This was fixed and re-released under the v2.3.3 tag

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 (v4.13.1) to
github.com/ossf/scorecard/v5 (v5.0.0-rc1) by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1366](https://togithub.com/ossf/scorecard-action/pull/1366)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to
v5.0.0-rc2 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1374](https://togithub.com/ossf/scorecard-action/pull/1374)
- 🌱 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to
v5.0.0-rc2.0.20240509182734-7ce860946928 by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1377](https://togithub.com/ossf/scorecard-action/pull/1377)

For a full changelist of what these include, see the
[v5.0.0-rc1](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc1)
and
[v5.0.0-rc2](https://togithub.com/ossf/scorecard/releases/tag/v5.0.0-rc2)
release notes.

##### Documentation

- 📖 Move token discussion out of main README. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1279](https://togithub.com/ossf/scorecard-action/pull/1279)
- 📖 link to `ossf/scorecard` workflow instead of maintaining an
example by [@&#8203;spencerschrock](https://togithub.com/spencerschrock)
in
[https://github.com/ossf/scorecard-action/pull/1352](https://togithub.com/ossf/scorecard-action/pull/1352)
- 📖 update api links to new scorecard.dev site by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1376](https://togithub.com/ossf/scorecard-action/pull/1376)

**Full Changelog**:
ossf/scorecard-action@v2.3.1...v2.3.3

###
[`v2.3.2`](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.1...v2.3.2)

###
[`v2.3.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.3.1)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1)

#### What's Changed

- 🌱 Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by [@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1282](https://togithub.com/ossf/scorecard-action/pull/1282)
- Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
[v4.13.1](https://togithub.com/ossf/scorecard/releases/tag/v4.13.1)
release notes

**Full Changelog**:
ossf/scorecard-action@v2.3.0...v2.3.1

</details>

<details>
<summary>sigstore/cosign-installer (sigstore/cosign-installer)</summary>

###
[`v3.5.0`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.5.0)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.4.0...v3.5.0)

#### What's Changed

- Bump actions/checkout from 4.1.1 to 4.1.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/sigstore/cosign-installer/pull/157](https://togithub.com/sigstore/cosign-installer/pull/157)
- use go 1.22 now by
[@&#8203;bobcallaway](https://togithub.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/160](https://togithub.com/sigstore/cosign-installer/pull/160)
- bump default version to v2.2.4, prep for v3.5.0 release by
[@&#8203;bobcallaway](https://togithub.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/159](https://togithub.com/sigstore/cosign-installer/pull/159)

**Full Changelog**:
sigstore/cosign-installer@v3.4.0...v3.5.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4zNjMuNSIsInVwZGF0ZWRJblZlciI6IjM3LjM2My41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <[email protected]>

Author: renovate-bot

.github/actions/secure-builder-checkout/action.yaml

@@ -37,7 +37,7 @@ runs:
     # and has an associated release. This will require exceptions
     # for e2e tests.
     - name: Checkout the repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         repository: ${{ inputs.repository }}
         ref: ${{ inputs.ref }}

.github/actions/secure-download-artifact/action.yml

@@ -78,7 +78,7 @@ runs:
         echo "folder_path=${folder_path}" >> "${GITHUB_OUTPUT}"
 
     - name: Download the artifact
-      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         name: "${{ inputs.name }}"
         path: "${{ steps.validate-path.outputs.folder_path }}"

.github/actions/secure-download-folder/action.yml

@@ -34,7 +34,7 @@ runs:
       uses: slsa-framework/slsa-github-generator/.github/actions/rng@main
 
     - name: Download the artifact
-      uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+      uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
       with:
         name: "${{ inputs.name }}"
         path: "${{ steps.rng.outputs.random }}"

.github/actions/secure-project-checkout/action.yaml

@@ -40,7 +40,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout the repository
-      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       with:
         fetch-depth: ${{ inputs.fetch-depth }}
         ref: ${{ inputs.checkout-sha1 }}

.github/actions/secure-upload-artifact/action.yml

@@ -37,7 +37,7 @@ runs:
         path: "${{ inputs.path }}"
 
     - name: Upload the artifact
-      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
       with:
         name: "${{ inputs.name }}"
         path: "${{ inputs.path }}"

.github/workflows/builder_container-based_slsa3.yml

@@ -209,7 +209,7 @@ jobs:
           allow-private-repository: ${{ inputs.rekor-log-public }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -228,7 +228,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [rng, detect-env, generate-builder]
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Checkout builder repository
         uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
         with:
@@ -372,7 +372,7 @@ jobs:
           set-executable: true
 
       - name: Checkout the source repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 1
           persist-credentials: false
@@ -462,7 +462,7 @@ jobs:
         # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use a
         # secure upload or verify this against the SLSA layout file.
         id: upload-artifacts
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: ${{ steps.build.outputs.build-outputs-name }}
           path: /tmp/build-outputs-${{ needs.rng.outputs.value }}
@@ -535,7 +535,7 @@ jobs:
       - name: Upload unsigned intoto attestations file for pull request
         if: ${{ github.event_name == 'pull_request' }}
         id: upload-unsigned
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "attestations-${{ needs.rng.outputs.value }}"
@@ -556,7 +556,7 @@ jobs:
       - name: Upload the signed attestations
         id: upload-signed
         if: ${{ github.event_name != 'pull_request' }}
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.OUTPUT_FOLDER }}-${{ needs.rng.outputs.value }}"
@@ -584,15 +584,15 @@ jobs:
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the SLSA
       # layout files and their checksums to validate the artifacts.
       - name: Download artifacts
-        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: "${{ needs.build.outputs.build-outputs-name }}"
           path: "${{ needs.build.outputs.build-outputs-name }}"
 
       # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/1655): Use the
       # secure-folder-download action.
       - name: Download provenance
-        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e # v4.1.7
         with:
           name: "${{ needs.provenance.outputs.provenance-name }}"
           path: "${{ needs.provenance.outputs.provenance-name }}"

.github/workflows/builder_go_slsa3.yml

@@ -169,7 +169,7 @@ jobs:
           allow-private-repository: ${{ inputs.private-repository }}
 
       - name: Upload builder
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: "${{ env.BUILDER_BINARY }}-${{ needs.rng.outputs.value }}"
           path: "${{ env.BUILDER_BINARY }}"
@@ -358,7 +358,7 @@ jobs:
             --workingDir "$UNTRUSTED_WORKING_DIR"
 
       - name: Upload the signed provenance
-        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
         with:
           name: "${{ steps.sign-prov.outputs.signed-provenance-name }}"
           path: "${{ steps.sign-prov.outputs.signed-provenance-name }}"

.github/workflows/codeql-analysis.yml

@@ -55,7 +55,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/e2e.create-container_based-predicate.schedule.yml

@@ -39,7 +39,7 @@ jobs:
     permissions:
       id-token: write # Needed to detect the current reusable repository and ref.
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - name: Detect the builder ref
         id: detect
         uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main
@@ -71,7 +71,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -85,7 +85,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: slsa-framework/example-package
           ref: main

.github/workflows/e2e.detect-workflow-js.schedule.yml

@@ -33,7 +33,7 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
       - id: detect
         uses: ./.github/actions/detect-workflow-js
       - id: verify
@@ -70,7 +70,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -84,7 +84,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: slsa-framework/example-package
           ref: main