Dependency Dashboard

[forking-renovate]

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
View this repository on the Mend.io Web Portal.

Repository Problems

These problems occurred while renovating this repository. View logs.

• ⚠️ WARN: Package lookup failures

Abandoned Dependencies

Note

Packages are marked as abandoned when they exceed the abandonmentThreshold since their last release. Unlike deprecated packages with official notices, abandonment is detected by release inactivity.

These dependencies have not received updates for an extended period and may be unmaintained:

View abandoned dependencies (17)

Datasource	Package	Last Updated
github-actions	bazelbuild/setup-bazelisk	2024-02-02
github-actions	gradle/gradle-build-action	2024-07-15
github-actions	thehanimo/pr-title-checker	2024-11-25
gomod	github.com/google/go-cmp	2025-01-14
gomod	github.com/pborman/uuid	2019-10-24
gomod	gopkg.in/yaml.v3	2022-05-27
npm	@octokit/webhooks-types	2024-10-03
npm	eslint-plugin-github	2025-03-19
npm	markdown-toc	2017-09-19

Awaiting Schedule

The following updates are awaiting their schedule. To get an update now, click on a checkbox below.

• chore(deps): update dependency org.apache.maven.plugins:maven-plugin-plugin to v3.15.2
• chore(deps): update dependency org.apache.maven.plugins:maven-shade-plugin to v3.6.2
• fix(deps): update dependency org.apache.maven:maven-plugin-api to v3.9.14
• fix(deps): update dependency org.apache.maven.plugin-tools:maven-plugin-annotations to v3.15.2
• chore(deps): update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.12.0
• chore(deps): update npm dev (major) (@types/jest, @types/node, @typescript-eslint/eslint-plugin, @typescript-eslint/parser, eslint, eslint-plugin-github, jest, renovate, sigstore, typescript)
• fix(deps): update dependency @sigstore/rekor-types to v4
• fix(deps): update dependency sigstore to v4
• fix(deps): update module github.com/sigstore/sigstore-go to v1
• 🔐 Create all awaiting schedule PRs at once 🔐

Rate-Limited

The following updates are currently rate-limited. To force their creation now, click on a checkbox below.

• chore(deps): update dependency org.apache.maven.plugins:maven-source-plugin to v3.4.0
• fix(deps): update module github.com/in-toto/in-toto-golang to v0.10.0
• chore(deps): update dependency pathspec to v1
• fix(deps): update dependency @actions/core to v3
• fix(deps): update dependency @actions/github to v9
• fix(deps): update module github.com/google/go-github/v57 to v84
• fix(deps): update module github.com/sigstore/cosign/v2 to v3
• chore(deps): lock file maintenance
• 🔐 Create all rate-limited PRs at once 🔐

PR Edited (Blocked)

The following updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox below.

• fix(deps): update go (github.com/coreos/go-oidc/v3, github.com/go-jose/go-jose/v4, github.com/go-openapi/strfmt, github.com/go-openapi/swag, github.com/google/go-cmp, github.com/secure-systems-lab/go-securesystemslib, github.com/sigstore/cosign/v2, github.com/sigstore/rekor, github.com/sigstore/sigstore, github.com/sigstore/sigstore-go, github.com/spf13/cobra, golang.org/x/oauth2)

---

Warning

Renovate failed to look up the following dependencies: Failed to look up maven package io.github.slsa-framework.slsa-github-generator:hash-maven-plugin: no-result.

Files affected: e2e/maven/workflow_dispatch/pom.xml

---

Open

The following updates have all been created. To force a retry/rebase of any, click on a checkbox below.

• chore(deps): update github-actions (actions/checkout, actions/setup-go, actions/setup-java, github/codeql-action, google-github-actions/auth, ossf/scorecard-action, sigstore/cosign-installer, softprops/action-gh-release)
• chore(deps): update dependency org.apache.maven.plugins:maven-deploy-plugin to v3.1.4
• chore(deps): update dependency org.apache.maven.plugins:maven-gpg-plugin to v3.2.8
• fix(deps): update dependency org.apache.maven:maven-core to v3.9.14
• fix(deps): update npm (@actions/github, yaml)
• chore(deps): update dependency yamllint to v1.38.0
• chore(deps): update npm dev (@sigstore/cli, @types/node, @vercel/ncc, eslint-plugin-prettier, markdownlint-cli, prettier, renovate, ts-jest, typescript)
• chore(deps): update github-actions (major) (actions/checkout, actions/download-artifact, actions/setup-go, actions/setup-java, actions/setup-node, actions/upload-artifact, geekyeggo/delete-artifact, github/codeql-action, google-github-actions/auth, sigstore/cosign-installer)
• Click on this checkbox to rebase all open PRs at once

PR Closed (Blocked)

The following updates are blocked by an existing closed PR. To recreate the PR, click on a checkbox below.

• fix(deps): update module github.com/pelletier/go-toml to v2

Detected Dependencies

github-actions (56)

.github/actions/generate-builder/action.yml (3)

• slsa-framework/slsa-github-generator main
• actions/setup-go v5.5.0@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 → [Updates: v5.6.0, v6.3.0]
• go ${{ inputs.go-version }}

.github/actions/secure-builder-checkout/action.yaml (1)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]

.github/actions/secure-download-artifact/action.yml (2)

• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]
• slsa-framework/slsa-github-generator main

.github/actions/secure-download-folder/action.yml (3)

• slsa-framework/slsa-github-generator main
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]
• slsa-framework/slsa-github-generator main

.github/actions/secure-project-checkout-go/action.yml (2)

• actions/setup-go v5.5.0@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 → [Updates: v5.6.0, v6.3.0]
• go ${{ steps.validate.outputs.go_version }}

.github/actions/secure-project-checkout-node/action.yml (2)

• actions/setup-node v4.4.0@49933ea5288caeca8642d1e84afbd3f7d6820020 → [Updates: v6.3.0]
• node ${{ inputs.node-version }}

.github/actions/secure-project-checkout/action.yaml (1)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]

.github/actions/secure-upload-artifact/action.yml (2)

• slsa-framework/slsa-github-generator main
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]

.github/actions/secure-upload-folder/action.yml (1)

• slsa-framework/slsa-github-generator main

.github/workflows/builder_bazel_slsa3.yml (2)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

.github/workflows/builder_container-based_slsa3.yml (21)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• slsa-framework/slsa-github-generator main
• google-github-actions/auth v2.1.10@ba79af03959ebeac9769e648f473a284504d9193 → [Updates: v2.1.13, v3.0.0]
• slsa-framework/slsa-github-generator main
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• slsa-framework/slsa-github-generator main
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• slsa-framework/slsa-github-generator main
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]
• softprops/action-gh-release v2.3.2@72f2c25fcb47643c292f7107632f7a47c1df5cd8 → [Updates: v2.6.1]
• softprops/action-gh-release v2.3.2@72f2c25fcb47643c292f7107632f7a47c1df5cd8 → [Updates: v2.6.1]
• geekyeggo/delete-artifact v5.1.0@f275313e70c08f6120db482d7a6b98377786765b → [Updates: v6.0.0]
• geekyeggo/delete-artifact v5.1.0@f275313e70c08f6120db482d7a6b98377786765b → [Updates: v6.0.0]
• geekyeggo/delete-artifact v5.1.0@f275313e70c08f6120db482d7a6b98377786765b → [Updates: v6.0.0]

.github/workflows/builder_go_slsa3.yml (10)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• slsa-framework/slsa-github-generator main
• softprops/action-gh-release v2.3.2@72f2c25fcb47643c292f7107632f7a47c1df5cd8 → [Updates: v2.6.1]

.github/workflows/builder_gradle_slsa3.yml (2)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

.github/workflows/builder_maven_slsa3.yml (2)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

.github/workflows/builder_nodejs_slsa3.yml (2)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

.github/workflows/codeql-analysis.yml (4)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• github/codeql-action v3.29.0@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 → [Updates: v3.34.1, v4.34.1]
• github/codeql-action v3.29.0@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 → [Updates: v3.34.1, v4.34.1]
• github/codeql-action v3.29.0@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 → [Updates: v3.34.1, v4.34.1]

.github/workflows/delegator_generic_slsa3.yml (14)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• geekyeggo/delete-artifact v5.1.0@f275313e70c08f6120db482d7a6b98377786765b → [Updates: v6.0.0]
• geekyeggo/delete-artifact v5.1.0@f275313e70c08f6120db482d7a6b98377786765b → [Updates: v6.0.0]

.github/workflows/delegator_lowperms-generic_slsa3.yml (14)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• geekyeggo/delete-artifact v5.1.0@f275313e70c08f6120db482d7a6b98377786765b → [Updates: v6.0.0]
• geekyeggo/delete-artifact v5.1.0@f275313e70c08f6120db482d7a6b98377786765b → [Updates: v6.0.0]

.github/workflows/e2e.create-container_based-predicate.schedule.yml (4)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• slsa-framework/slsa-github-generator main
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]

.github/workflows/e2e.detect-workflow-js.schedule.yml (3)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]

.github/workflows/e2e.sign-attestations.schedule.yml (5)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-node v4@49933ea5288caeca8642d1e84afbd3f7d6820020 → [Updates: v6]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• node 22

.github/workflows/e2e.upload-folder.schedule.yml (4)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]

.github/workflows/generator_container_slsa3.yml (4)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• google-github-actions/auth v2.1.10@ba79af03959ebeac9769e648f473a284504d9193 → [Updates: v2.1.13, v3.0.0]
• sigstore/cosign-installer v3.9.1@398d4b0eeef1380460a10c8013a76f728fb906ac → [Updates: v3.10.1, v4.1.1]

.github/workflows/generator_generic_slsa3.yml (6)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• slsa-framework/slsa-github-generator main
• softprops/action-gh-release v2.3.2@72f2c25fcb47643c292f7107632f7a47c1df5cd8 → [Updates: v2.6.1]

.github/workflows/pre-submit.actions.yml (20)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-node v4.4.0@49933ea5288caeca8642d1e84afbd3f7d6820020 → [Updates: v6.3.0]
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• node 22

.github/workflows/pre-submit.apis.yml (1)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]

.github/workflows/pre-submit.delegators.yml (1)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]

.github/workflows/pre-submit.e2e.container-based.default.yml (3)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]

.github/workflows/pre-submit.e2e.generic.default.yml (6)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]

.github/workflows/pre-submit.e2e.go.config-ldflags-main-dir.yml (3)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]

.github/workflows/pre-submit.e2e.maven.yml (1)

• slsa-framework/slsa-github-generator main

.github/workflows/pre-submit.lint.yml (18)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-go v5.5.0@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 → [Updates: v5.6.0, v6.3.0]
• actions/setup-node v3.9.1@3235b876344d2a9aa001b8d1453c930bba69e610 → [Updates: v6.3.0]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-node v4.4.0@49933ea5288caeca8642d1e84afbd3f7d6820020 → [Updates: v6.3.0]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-go v5.5.0@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 → [Updates: v5.6.0, v6.3.0]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-node v4.4.0@49933ea5288caeca8642d1e84afbd3f7d6820020 → [Updates: v6.3.0]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-node v4.4.0@49933ea5288caeca8642d1e84afbd3f7d6820020 → [Updates: v6.3.0]
• go 1.22.3
• node 22
• node 22
• node 22
• node 22

.github/workflows/pre-submit.pr-title.yml (1)

• thehanimo/pr-title-checker v1.4.3@7fbfe05602bdd86f926d3fb3bccb6f3aed43bc70

.github/workflows/pre-submit.units.yml (6)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-go v5.5.0@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 → [Updates: v5.6.0, v6.3.0]
• actions/setup-node v4.4.0@49933ea5288caeca8642d1e84afbd3f7d6820020 → [Updates: v6.3.0]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• node 22

.github/workflows/release.yml (6)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

.github/workflows/schedule.issue-reopener.yml (2)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• ianlewis/todo-issue-reopener v1.7.0@05ca1b2493e450e1cc464bb25e0fa735ae8e4a00

.github/workflows/scorecards.yml (4)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• ossf/scorecard-action v2.4.2@05b42c624433fc40578a4040d5cf5e36ddca8cde → [Updates: v2.4.3]
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• github/codeql-action v3.29.0@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 → [Updates: v3.34.1, v4.34.1]

.github/workflows/update-actions-dist-post-commit.yml (4)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/upload-artifact v4.6.2@ea165f8d65b6e75b540449e92b4886f43607fa02 → [Updates: v7.0.0]
• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/download-artifact v4.3.0@d3f86a106a0bac45b974a628896c90dbdf5c8093 → [Updates: v8.0.1]

actions/delegator/random/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/delegator/secure-attestations-download/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/delegator/secure-download-folder/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/delegator/secure-upload-folder/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/generator/generic/create-base64-subjects-from-file/action.yml (2)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

actions/gradle/publish/action.yml (4)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-java v4.7.1@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 → [Updates: v4.8.0, v5.2.0]
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

actions/gradle/secure-download-attestations/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/gradle/secure-download-target/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/maven/publish/action.yml (5)

• slsa-framework/slsa-github-generator main
• actions/setup-java v4.7.1@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 → [Updates: v4.8.0, v5.2.0]
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

actions/maven/secure-download-attestations/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/maven/secure-download-target/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/nodejs/publish/action.yml (2)

• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

actions/nodejs/secure-attestations-download/action.yml (1)

• slsa-framework/slsa-github-generator main

actions/nodejs/secure-package-download/action.yml (1)

• slsa-framework/slsa-github-generator main

internal/builders/bazel/action.yml (4)

• bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
• actions/setup-java v4.7.1@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 → [Updates: v4.8.0, v5.2.0]
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

internal/builders/gradle/action.yml (5)

• actions/checkout v4.2.2@11bd71901bbe5b1630ceea73d27597364c9af683 → [Updates: v4.3.1, v6.0.2]
• actions/setup-java v4.7.1@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 → [Updates: v4.8.0, v5.2.0]
• gradle/gradle-build-action v3.5.0@ac2d340dc04d9e1113182899e983b5400c17cda1
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

internal/builders/maven/action.yml (5)

• actions/checkout 09d2acae674a48949e3602304ab46fd20ae0c42f → [Updates: undefined]
• actions/setup-java v4.7.1@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 → [Updates: v4.8.0, v5.2.0]
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main

internal/builders/nodejs/action.yml (4)

• actions/setup-node v4.4.0@49933ea5288caeca8642d1e84afbd3f7d6820020 → [Updates: v6.3.0]
• slsa-framework/slsa-github-generator main
• slsa-framework/slsa-github-generator main
• node ${{ fromJson(inputs.slsa-workflow-inputs).node-version }}

gomod (3)

go.mod (17)

• go 1.23.1
• github.com/coreos/go-oidc/v3 v3.11.0 → [Updates: v3.17.0]
• github.com/go-jose/go-jose/v4 v4.0.4 → [Updates: v4.1.3]
• github.com/go-openapi/strfmt v0.23.0 → [Updates: v0.26.1]
• github.com/go-openapi/swag v0.23.0 → [Updates: v0.25.5]
• github.com/google/go-cmp v0.6.0 → [Updates: v0.7.0]
• github.com/google/go-github/v57 v57.0.0 → [Updates: v84.0.0]
• github.com/in-toto/in-toto-golang v0.9.0 → [Updates: v0.10.0]
• github.com/pelletier/go-toml v1.9.5 → [Updates: v2.3.0]
• github.com/secure-systems-lab/go-securesystemslib v0.8.0 → [Updates: v0.10.0]
• github.com/sigstore/cosign/v2 v2.4.1 → [Updates: v2.6.2, v3.0.5]
• github.com/sigstore/rekor v1.3.6 → [Updates: v1.5.1]
• github.com/sigstore/sigstore v1.8.10 → [Updates: v1.10.4]
• github.com/sigstore/sigstore-go v0.6.1 → [Updates: v0.7.3, v1.1.4]
• github.com/spf13/cobra v1.8.1 → [Updates: v1.10.2]
• golang.org/x/oauth2 v0.23.0 → [Updates: v0.36.0]
• gopkg.in/yaml.v3 v3.0.1

internal/builders/go/e2e-presubmits/go.mod (2)

• go 1.23.1
• github.com/pborman/uuid v1.2.1

internal/builders/go/pkg/testdata/go/go.mod (1)

• go 1.23.1

maven (2)

actions/maven/publish/slsa-hashing-plugin/pom.xml (5)

• org.apache.maven:maven-plugin-api 3.9.9 → [Updates: 3.9.14]
• org.apache.maven.plugin-tools:maven-plugin-annotations 3.15.1 → [Updates: 3.15.2]
• org.apache.maven:maven-core 3.9.9 → [Updates: 3.9.14]
• org.json:json 20231013
• org.apache.maven.plugins:maven-plugin-plugin 3.15.1 → [Updates: 3.15.2]

e2e/maven/workflow_dispatch/pom.xml (7)

• org.apache.maven.plugins:maven-source-plugin 3.3.1 → [Updates: 3.4.0]
• org.apache.maven.plugins:maven-javadoc-plugin 3.11.2 → [Updates: 3.12.0]
• org.apache.maven.plugins:maven-shade-plugin 3.6.0 → [Updates: 3.6.2]
• org.sonatype.plugins:nexus-staging-maven-plugin 1.7.0
• org.apache.maven.plugins:maven-gpg-plugin 3.2.7 → [Updates: 3.2.8]
• org.apache.maven.plugins:maven-deploy-plugin 3.1.3 → [Updates: 3.1.4]
• io.github.slsa-framework.slsa-github-generator:hash-maven-plugin 0.0.1

npm (10)

.github/actions/compute-sha256/package.json (10)

• @actions/core 1.11.1 → [Updates: 3.0.0]
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• prettier 3.5.1 → [Updates: 3.8.1]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

.github/actions/create-container_based-predicate/package.json (15)

• @actions/core 1.11.1 → [Updates: 3.0.0]
• @actions/github 6.0.0 → [Updates: 6.0.1, 9.0.0]
• @types/jest 29.5.14 → [Updates: 30.0.0]
• @types/make-fetch-happen 10.0.4
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• jest 29.7.0 → [Updates: 30.3.0]
• prettier 3.5.1 → [Updates: 3.8.1]
• ts-jest 29.2.5 → [Updates: 29.4.6]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

.github/actions/detect-workflow-js/package.json (13)

• @actions/core 1.11.1 → [Updates: 3.0.0]
• @actions/github 6.0.0 → [Updates: 6.0.1, 9.0.0]
• @types/jest 29.5.14 → [Updates: 30.0.0]
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• prettier 3.5.1 → [Updates: 3.8.1]
• ts-jest 29.2.5 → [Updates: 29.4.6]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

.github/actions/generate-attestations/package.json (13)

• @actions/core 1.11.1 → [Updates: 3.0.0]
• @actions/github 6.0.0 → [Updates: 6.0.1, 9.0.0]
• @types/jest 29.5.14 → [Updates: 30.0.0]
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• prettier 3.5.1 → [Updates: 3.8.1]
• ts-jest 29.2.5 → [Updates: 29.4.6]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

.github/actions/privacy-check/package.json (11)

• @actions/core 1.11.1 → [Updates: 3.0.0]
• @actions/github 6.0.0 → [Updates: 6.0.1, 9.0.0]
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• prettier 3.5.1 → [Updates: 3.8.1]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

.github/actions/sign-attestations/package.json (14)

• @actions/core 1.11.1 → [Updates: 3.0.0]
• @actions/github 6.0.0 → [Updates: 6.0.1, 9.0.0]
• @sigstore/rekor-types 2.0.0 → [Updates: 4.0.0]
• sigstore 2.3.1 → [Updates: 4.1.0]
• @types/make-fetch-happen 10.0.4
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• prettier 3.5.1 → [Updates: 3.8.1]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

.github/actions/tscommon/package.json (11)

• @types/jest 29.5.14 → [Updates: 30.0.0]
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• prettier 3.5.1 → [Updates: 3.8.1]
• ts-jest 29.2.5 → [Updates: 29.4.6]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

.github/actions/verify-token/package.json (19)

• @actions/core 1.11.1 → [Updates: 3.0.0]
• @actions/github 6.0.0 → [Updates: 6.0.1, 9.0.0]
• @octokit/webhooks-types 7.6.1
• @sigstore/rekor-types 2.0.0 → [Updates: 4.0.0]
• sigstore 2.3.1 → [Updates: 4.1.0]
• yaml 2.5.1 → [Updates: 2.8.3]
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @types/jest 29.5.14 → [Updates: 30.0.0]
• @types/make-fetch-happen 10.0.4
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• jest 29.7.0 → [Updates: 30.3.0]
• prettier 3.5.1 → [Updates: 3.8.1]
• ts-jest 29.2.5 → [Updates: 29.4.6]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

actions/delegator/setup-generic/package.json (14)

• @actions/core 1.11.1 → [Updates: 3.0.0]
• @actions/github 6.0.0 → [Updates: 6.0.1, 9.0.0]
• @sigstore/rekor-types 2.0.0 → [Updates: 4.0.0]
• sigstore 2.3.1 → [Updates: 4.1.0]
• @types/make-fetch-happen 10.0.4
• @types/node 20.17.19 → [Updates: 20.19.37, 24.12.0]
• @typescript-eslint/eslint-plugin 6.21.0 → [Updates: 8.57.2]
• @typescript-eslint/parser 6.21.0 → [Updates: 8.57.2]
• @vercel/ncc 0.38.3 → [Updates: 0.38.4]
• eslint 8.57.1 → [Updates: 10.1.0]
• eslint-plugin-github 4.10.2 → [Updates: 6.0.0]
• eslint-plugin-prettier 5.2.3 → [Updates: 5.5.5]
• prettier 3.5.1 → [Updates: 3.8.1]
• typescript 5.7.3 → [Updates: 5.9.3, 6.0.2]

package.json (6)

• @sigstore/cli 0.8.1 → [Updates: 0.9.1]
• markdown-toc 1.2.0
• markdownlint-cli 0.44.0 → [Updates: 0.48.0]
• prettier 3.5.1 → [Updates: 3.8.1]
• renovate 39.174.3 → [Updates: 39.264.1, 43.88.0]
• sigstore 2.3.1 → [Updates: 4.1.0]

pip_requirements (1)

requirements.txt (2)

• yamllint ==1.35.1 → [Updates: ==1.38.0]
• pathspec ==0.12.1 → [Updates: ==1.0.4]

---

• Check this box to trigger a request for Renovate to run again on this repository

[ianlewis]

Keeping this pinned since renovate updates it to provide it's current status.

[ianlewis]

@rarkins Renovate seems stuck and has closed all it's PRs. It doesn't seem to be responding to the checkboxes in this issue.

[ianlewis]

@rarkins Renovate seems stuck and has closed all it's PRs. It doesn't seem to be responding to the checkboxes in this issue.

nevermind, I think I figured out what the issue is -> #404

[rarkins]

Fix PR: #3638