v2024.12.11
renovate-bot
tagged this
10 Dec 22:34
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v2.27.6` -> `v2.27.7` |
| [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | patch | `v3.27.6` -> `v3.27.7` |
| [pypa/gh-action-pypi-publish](https://redirect.github.com/pypa/gh-action-pypi-publish) | action | patch | `v1.12.2` -> `v1.12.3` |

---

### Release Notes

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

### [`v2.27.7`](https://redirect.github.com/github/codeql-action/releases/tag/v2.27.7)

[Compare Source](https://redirect.github.com/github/codeql-action/compare/v2.27.6...v2.27.7)

### CodeQL Action Changelog

See the [releases page](https://redirect.github.com/github/codeql-action/releases) for the relevant changes to the CodeQL CLI and language packs.

Note that the only difference between `v2` and `v3` of the CodeQL Action is the node version they support, with `v3` running on node 20 while we continue to release `v2` to support running on node 16. For example `3.22.11` was the first `v3` release and is functionally identical to `2.22.11`. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

#### 2.27.7 - 10 Dec 2024

- We are rolling out a change in December 2024 that will extract the CodeQL bundle directly to the toolcache to improve performance. [#2631](https://redirect.github.com/github/codeql-action/pull/2631)
- Update default CodeQL bundle version to 2.20.0. [#2636](https://redirect.github.com/github/codeql-action/pull/2636)

See the full [CHANGELOG.md](https://redirect.github.com/github/codeql-action/blob/v2.27.7/CHANGELOG.md) for more information.
</details>

<details>
<summary>pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)</summary>

### [`v1.12.3`](https://redirect.github.com/pypa/gh-action-pypi-publish/releases/tag/v1.12.3)

[Compare Source](https://redirect.github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3)

#### ✨ What's Improved

With the updates by [@woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw) and [@webknjaz](https://redirect.github.com/webknjaz)[💰](https://redirect.github.com/sponsors/webknjaz) via [#309](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/309) and [#313](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313), it is now possible to publish [distribution packages] that include [core metadata v2.4], like those built using [maturin]. This is done by bumping `Twine` to v6.0.1 and `pkginfo` to v1.12.0.

#### 📝 Docs

We've made an attempt to clarify the runtime and workflow shape that are expected to be supported for calling this action in: https://github.com/marketplace/actions/pypi-publish#Non-goals.

> [!TIP]
> Please, let us know in the [release discussion] if anything still remains unclear.
>
> *TL;DR* always call [`pypi-publish`][pypi-publish] once per job; don't invoke it in reusable workflows; physically move building the dists into separate jobs having restricted permissions and storing the dists as GitHub Actions artifacts; when using self-hosted runners, make sure to still use [`pypi-publish`][pypi-publish] on a GitHub-provided infra with `runs-on: ubuntu-latest`, while building and testing may remain self-hosted; don't perform any other actions in the publishing job; don't call [`pypi-publish`][pypi-publish] from composite actions.
#### 🛠️ Internal Updates

[@br3ndonland](https://redirect.github.com/br3ndonland)[💰](https://redirect.github.com/sponsors/br3ndonland) improved the container image generation automation to include Git SHA in [#301](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/301). And [@woodruffw](https://redirect.github.com/woodruffw)[💰](https://redirect.github.com/sponsors/woodruffw) added the `workflow_ref` context to Trusted Publishing debug logging in [#305](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/305), helping us diagnose misconfigurations faster. [#313](https://redirect.github.com/pypa/gh-action-pypi-publish/issues/313) also extends the smoke test in the CI to check against the [maturin]-made dists. Additionally, `jeepney` and `secretstorage` transitive deps have been added to the pip constraint-based lock file, as Dependabot seems to have missed those earlier.

**🪞 Full Diff**: https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.2...v1.12.3

**🧔‍♂️ Release Manager:** [@webknjaz](https://redirect.github.com/sponsors/webknjaz) [🇺🇦](https://stand-with-ukraine.pp.ua)

**🙏 Special Thanks** to [@samuelcolvin](https://redirect.github.com/samuelcolvin)[💰](https://redirect.github.com/sponsors/samuelcolvin) for nudging me to cut this release sooner and for [sponsoring me](https://redirect.github.com/sponsors/webknjaz) via [@pydantic](https://redirect.github.com/pydantic)[💰](https://redirect.github.com/sponsors/pydantic)!

**🔌 Shameless Plug**: The other day I made this [🦋 Bluesky 🇺🇦 FOSS Maintainers Starter Pack]; subscribe to read news from people like me :)

**💬 Discuss** [on Bluesky 🦋](https://bsky.app/profile/webknjaz.me/post/3lcve36mtpk22), [on Mastodon 🐘](https://mastodon.social/@webknjaz/113624274498685157) and [on GitHub][release discussion].
[core metadata v2.4]: https://packaging.python.org/en/latest/specifications/core-metadata/#metadata-version
[distribution packages]: https://packaging.python.org/en/latest/glossary/#term-Distribution-Package
[maturin]: https://www.maturin.rs/tutorial
[pypi-publish]: https://redirect.github.com/marketplace/actions/pypi-publish
[🦋 Bluesky 🇺🇦 FOSS Maintainers Starter Pack]: https://bsky.app/starter-pack/webknjaz.me/3lbt5nu3vw22b
[release discussion]: https://redirect.github.com/pypa/gh-action-pypi-publish/discussions/314

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on wednesday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS41OC4xIiwidXBkYXRlZEluVmVyIjoiMzkuNTguMSIsInRhcmdldEJyYW5jaCI6Im1hc3RlciIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->