{"payload":{"feedbackUrl":"https://github.com/orgs/community/discussions/53140","repo":{"id":102692863,"defaultBranch":"main","name":"onnx","ownerLogin":"onnx","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2017-09-07T04:53:45.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/31675368?v=4","public":true,"private":false,"isOrgOwned":true},"refInfo":{"name":"","listCacheKey":"v0:1717608044.0","currentOid":""},"activityList":{"items":[{"before":"f80f63429379797effc31cc81663678b4a6b472d","after":null,"ref":"refs/heads/gh-readonly-queue/main/pr-6159-88f8ef15cfaa3138d336f3502aed5018d802bf43","pushedAt":"2024-06-05T17:20:44.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"}},{"before":null,"after":"f80f63429379797effc31cc81663678b4a6b472d","ref":"refs/heads/gh-readonly-queue/main/pr-6159-88f8ef15cfaa3138d336f3502aed5018d802bf43","pushedAt":"2024-06-05T17:16:25.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Bump ruff from 0.4.2 to 0.4.7 (#6159)\n\nBumps [ruff](https://github.com/astral-sh/ruff) from 0.4.2 to 0.4.7.\n
\nRelease notes\n

Sourced from ruff's releases.

\n
\n

v0.4.7

\n

Changes

\n

Preview features

\n\n

Formatter

\n\n

Server

\n\n

Bug fixes

\n\n

Contributors

\n\n

v0.4.6

\n

Changes

\n

Breaking changes

\n\n\n
\n

... (truncated)

\n
\n
\nChangelog\n

Sourced from ruff's changelog.

\n
\n

0.4.7

\n

Preview features

\n\n

Formatter

\n\n

Server

\n\n

Bug fixes

\n\n

0.4.6

\n

Breaking changes

\n\n

Preview features

\n\n

Rule changes

\n\n

Server

\n\n
\n

... (truncated)

\n
\n
\nCommits\n\n
\n
\n\n\n[![Dependabot compatibility\nscore](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ruff&package-manager=pip&previous-version=0.4.2&new-version=0.4.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't\nalter it yourself. You can also trigger a rebase manually by commenting\n`@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n
\nDependabot commands and options\n
\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits\nthat have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after\nyour CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge\nand block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating\nit. You can achieve the same result by closing it manually\n- `@dependabot show ignore conditions` will show all\nof the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop\nDependabot creating any more for this major version (unless you reopen\nthe PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop\nDependabot creating any more for this minor version (unless you reopen\nthe PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop\nDependabot creating any more for this dependency (unless you reopen the\nPR or upgrade to it yourself)\n\n\n
\n\n---------\n\nSigned-off-by: dependabot[bot] \nSigned-off-by: Justin Chu \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>\nCo-authored-by: Justin Chu ","shortMessageHtmlLink":"Bump ruff from 0.4.2 to 0.4.7 (#6159)"}},{"before":"a00d9869b783291fbcb6d693f5d7b21053234466","after":null,"ref":"refs/heads/gh-readonly-queue/main/pr-6159-88f8ef15cfaa3138d336f3502aed5018d802bf43","pushedAt":"2024-06-05T16:39:37.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"}},{"before":null,"after":"a00d9869b783291fbcb6d693f5d7b21053234466","ref":"refs/heads/gh-readonly-queue/main/pr-6159-88f8ef15cfaa3138d336f3502aed5018d802bf43","pushedAt":"2024-06-05T16:34:41.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Bump ruff from 0.4.2 to 0.4.7 (#6159)\n\nBumps [ruff](https://github.com/astral-sh/ruff) from 0.4.2 to 0.4.7.\n
\nRelease notes\n

Sourced from ruff's releases.

\n
\n

v0.4.7

\n

Changes

\n

Preview features

  • [flake8-pyi] Implement PYI064 (#11325)
  • [flake8-pyi] Implement PYI066 (#11541)
  • [flake8-pyi] Implement PYI057 (#11486)
  • [pyflakes] Add option to enable F822 in __init__.py files (#11370)

Formatter

  • Fix incorrect placement of trailing stub function comments (#11632)

Server

  • Respect file exclusions in ruff server (#11590)
  • Add support for documents not exist on disk (#11588)
  • Add Vim and Kate setup guide for ruff server (#11615)

Bug fixes

  • Avoid removing newlines between docstring headers and rST blocks (#11609)
  • Infer indentation with imports when logical indent is absent (#11608)
  • Use char index rather than position for indent slice (#11645)
  • [flake8-comprehension] Strip parentheses around generators in C400 (#11607)
  • Mark repeated-isinstance-calls as unsafe on Python 3.10 and later (#11622)

Contributors

\n\n

v0.4.6

\n

Changes

\n

Breaking changes

  • Use project-relative paths when calculating GitLab fingerprints (#11532)

... (truncated)

\n
\n
\nChangelog\n

Sourced from ruff's changelog.

\n
\n

0.4.7

\n

Preview features

  • [flake8-pyi] Implement PYI064 (#11325)
  • [flake8-pyi] Implement PYI066 (#11541)
  • [flake8-pyi] Implement PYI057 (#11486)
  • [pyflakes] Add option to enable F822 in __init__.py files (#11370)

Formatter

  • Fix incorrect placement of trailing stub function comments (#11632)

Server

  • Respect file exclusions in ruff server (#11590)
  • Add support for documents not exist on disk (#11588)
  • Add Vim and Kate setup guide for ruff server (#11615)

Bug fixes

  • Avoid removing newlines between docstring headers and rST blocks (#11609)
  • Infer indentation with imports when logical indent is absent (#11608)
  • Use char index rather than position for indent slice (#11645)
  • [flake8-comprehension] Strip parentheses around generators in C400 (#11607)
  • Mark repeated-isinstance-calls as unsafe on Python 3.10 and later (#11622)

0.4.6

\n

Breaking changes

  • Use project-relative paths when calculating GitLab fingerprints (#11532)
  • Bump minimum supported Windows version to Windows 10 (#11613)

Preview features

  • [flake8-async] Sleep with >24 hour interval should usually sleep forever (ASYNC116) (#11498)

Rule changes

  • [numpy] Add missing functions to NumPy 2.0 migration rule (#11528)
  • [mccabe] Consider irrefutable pattern similar to if .. else for C901 (#11565)
  • Consider match-case statements for C901, PLR0912, and PLR0915 (#11521)
  • Remove empty strings when converting to f-string (UP032) (#11524)
  • [flake8-bandit] request-without-timeout should warn for requests.request (#11548)
  • [flake8-self] Ignore sunder accesses in flake8-self rules (#11546)
  • [pyupgrade] Lint for TypeAliasType usages (UP040) (#11530)

Server

\n\n
\n

... (truncated)

\n
\n
\nCommits\n
  • 1ad5f9c Bump version to v0.4.7 (#11646)
  • e914bc3 F401 sort bindings before adding to all (#11648)
  • 27f6f04 [red-knot] initial (very incomplete) flow graph (#11624)
  • d62a617 red-knot: Don't refer to Module instances as IDs (#11649)
  • 16a926d [red-knot] infer int literal types (#11623)
  • 05566c6 Update Who's Using Ruff? section to include Godot (#11647)
  • 7ce17b7 Add Vim and Kate setup guide for ruff server (#11615)
  • f9a6450 Use char index rather than position for indent slice (#11645)
  • 8a25531 red-knot: improve internal documentation in module.rs (#11638)
  • 9b6d2ce Fix incorect placement of trailing stub function comments (#11632)
  • Additional commits viewable in compare view
\n\n\n[![Dependabot compatibility\nscore](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ruff&package-manager=pip&previous-version=0.4.2&new-version=0.4.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't\nalter it yourself. You can also trigger a rebase manually by commenting\n`@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n
\n\n---------\n\nSigned-off-by: dependabot[bot] \nSigned-off-by: Justin Chu \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>\nCo-authored-by: Justin Chu ","shortMessageHtmlLink":"Bump ruff from 0.4.2 to 0.4.7 (#6159)"}},{"before":"88f8ef15cfaa3138d336f3502aed5018d802bf43","after":null,"ref":"refs/heads/gh-readonly-queue/main/pr-6161-149a926bb36b7762b6d1d628d66dd85f9242e1b3","pushedAt":"2024-06-03T15:49:02.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"}},{"before":"149a926bb36b7762b6d1d628d66dd85f9242e1b3","after":"88f8ef15cfaa3138d336f3502aed5018d802bf43","ref":"refs/heads/main","pushedAt":"2024-06-03T15:49:01.000Z","pushType":"merge_queue_merge","commitsCount":1,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Fix INT4 TensorProto byte size is 5x larger than expected with negative values (#6161)\n\n### Description\nFixes #6160 \n\nEnsures that two 4-bit elements are packed as a single [unsigned] uint8\nvalue within the `int32_data` field. 
Otherwise, the size of an int4\ntensor increases up 5x when the tensor contains negative data values.\nPlease refer to the above issue for more details.\n\n### Motivation and Context\nCertain models with INT4 weights were much larger than expected.\n\n---------\n\nSigned-off-by: adrianlizarraga \nSigned-off-by: dependabot[bot] \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>","shortMessageHtmlLink":"Fix INT4 TensorProto byte size is 5x larger than expected with negati…"}},{"before":null,"after":"88f8ef15cfaa3138d336f3502aed5018d802bf43","ref":"refs/heads/gh-readonly-queue/main/pr-6161-149a926bb36b7762b6d1d628d66dd85f9242e1b3","pushedAt":"2024-06-03T15:32:18.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Fix INT4 TensorProto byte size is 5x larger than expected with negative values (#6161)\n\n### Description\nFixes #6160 \n\nEnsures that two 4-bit elements are packed as a single [unsigned] uint8\nvalue within the `int32_data` field. 
Otherwise, the size of an int4\ntensor increases up 5x when the tensor contains negative data values.\nPlease refer to the above issue for more details.\n\n### Motivation and Context\nCertain models with INT4 weights were much larger than expected.\n\n---------\n\nSigned-off-by: adrianlizarraga \nSigned-off-by: dependabot[bot] \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>","shortMessageHtmlLink":"Fix INT4 TensorProto byte size is 5x larger than expected with negati…"}},{"before":"ec296fd1f470e21fd17c8f809c03e1d57ae9c217","after":null,"ref":"refs/heads/dependabot/github_actions/ossf/scorecard-action-2.3.3","pushedAt":"2024-06-01T19:37:41.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"justinchuby","name":"Justin Chu","path":"/justinchuby","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/11205048?s=80&v=4"}},{"before":"149a926bb36b7762b6d1d628d66dd85f9242e1b3","after":null,"ref":"refs/heads/gh-readonly-queue/main/pr-6154-c8781325a6ce3cc65f366a12fe92ea035a0eb0ba","pushedAt":"2024-06-01T19:37:40.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"}},{"before":"c8781325a6ce3cc65f366a12fe92ea035a0eb0ba","after":"149a926bb36b7762b6d1d628d66dd85f9242e1b3","ref":"refs/heads/main","pushedAt":"2024-06-01T19:37:39.000Z","pushType":"merge_queue_merge","commitsCount":1,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#6154)\n\nBumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action)\nfrom 2.3.1 to 2.3.3.\n
\nRelease notes\n

Sourced from ossf/scorecard-action's releases.

\n
\n

v2.3.3

\n
\n

[!NOTE]
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

\n
\n

What's Changed

  • :seedling: Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by @spencerschrock in ossf/scorecard-action#1366
  • :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by @spencerschrock in ossf/scorecard-action#1374
  • :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by @spencerschrock in ossf/scorecard-action#1377

For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.

\n

Documentation

  • :book: Move token discussion out of main README. by @spencerschrock in ossf/scorecard-action#1279
  • :book: link to ossf/scorecard workflow instead of maintaining an example by @spencerschrock in ossf/scorecard-action#1352
  • :book: update api links to new scorecard.dev site by @spencerschrock in ossf/scorecard-action#1376

Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.3

\n
\n
\n
\nCommits\n
  • dc50aa9 :seedling: Bump docker tag for v2.3.3 release (#1368)
  • 8ff5700 :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0....
  • 8ba5e73 update api links to new scorecard.dev site (#1376)
  • 92ddde3 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 (#1374)
  • 6c55905 :seedling: Bump golang.org/x/net from 0.24.0 to 0.25.0 (#1373)
  • 09bb953 :seedling: Bump distroless/base in the docker-images group (#1372)
  • 1511e13 :seedling: Bump the github-actions group across 1 directory with 6 updates (#...
  • df66cd8 :seedling: Bump the docker-images group with 2 updates (#1370)
  • fad9a3c :seedling: Bump distroless/base in the docker-images group (#1364)
  • 1e01a30 :seedling: Bump the github-actions group with 3 updates (#1365)
  • Additional commits viewable in compare view
\n\n\n[![Dependabot compatibility\nscore](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ossf/scorecard-action&package-manager=github_actions&previous-version=2.3.1&new-version=2.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't\nalter it yourself. You can also trigger a rebase manually by commenting\n`@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n
\n\nSigned-off-by: dependabot[bot] \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>","shortMessageHtmlLink":"Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#6154)"}},{"before":null,"after":"149a926bb36b7762b6d1d628d66dd85f9242e1b3","ref":"refs/heads/gh-readonly-queue/main/pr-6154-c8781325a6ce3cc65f366a12fe92ea035a0eb0ba","pushedAt":"2024-06-01T19:21:18.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#6154)\n\nBumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action)\nfrom 2.3.1 to 2.3.3.\n
\nRelease notes\n

Sourced from ossf/scorecard-action's releases.

\n
\n

v2.3.3

\n
\n

[!NOTE]
There is no v2.3.2 release as a step was skipped in the release process. This was fixed and re-released under the v2.3.3 tag

\n
\n

What's Changed

  • :seedling: Bump github.com/ossf/scorecard/v4 (v4.13.1) to github.com/ossf/scorecard/v5 (v5.0.0-rc1) by @spencerschrock in ossf/scorecard-action#1366
  • :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 by @spencerschrock in ossf/scorecard-action#1374
  • :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0.20240509182734-7ce860946928 by @spencerschrock in ossf/scorecard-action#1377

For a full changelist of what these include, see the v5.0.0-rc1 and v5.0.0-rc2 release notes.

\n

Documentation

  • :book: Move token discussion out of main README. by @spencerschrock in ossf/scorecard-action#1279
  • :book: link to ossf/scorecard workflow instead of maintaining an example by @spencerschrock in ossf/scorecard-action#1352
  • :book: update api links to new scorecard.dev site by @spencerschrock in ossf/scorecard-action#1376

Full Changelog: https://github.com/ossf/scorecard-action/compare/v2.3.1...v2.3.3

\n
\n
\n
\nCommits\n
  • dc50aa9 :seedling: Bump docker tag for v2.3.3 release (#1368)
  • 8ff5700 :seedling: Bump github.com/ossf/scorecard/v5 from v5.0.0-rc2 to v5.0.0-rc2.0....
  • 8ba5e73 update api links to new scorecard.dev site (#1376)
  • 92ddde3 Bump github.com/ossf/scorecard/v5 from v5.0.0-rc1 to v5.0.0-rc2 (#1374)
  • 6c55905 :seedling: Bump golang.org/x/net from 0.24.0 to 0.25.0 (#1373)
  • 09bb953 :seedling: Bump distroless/base in the docker-images group (#1372)
  • 1511e13 :seedling: Bump the github-actions group across 1 directory with 6 updates (#...
  • df66cd8 :seedling: Bump the docker-images group with 2 updates (#1370)
  • fad9a3c :seedling: Bump distroless/base in the docker-images group (#1364)
  • 1e01a30 :seedling: Bump the github-actions group with 3 updates (#1365)
  • Additional commits viewable in compare view
\n\n\n[![Dependabot compatibility\nscore](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=ossf/scorecard-action&package-manager=github_actions&previous-version=2.3.1&new-version=2.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't\nalter it yourself. You can also trigger a rebase manually by commenting\n`@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n
\n\nSigned-off-by: dependabot[bot] \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>","shortMessageHtmlLink":"Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#6154)"}},{"before":"1f6435b4507f8e4b64389066b07a143812a628f6","after":null,"ref":"refs/heads/dependabot/pip/clang-format-18.1.5","pushedAt":"2024-06-01T19:20:51.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"}},{"before":"03ff75348b47d143e95fc35f45636f4fd16d099c","after":"7fd98134a3d6cbb886483d20f6260ce4299ef10d","ref":"refs/heads/dependabot/pip/ruff-0.4.7","pushedAt":"2024-06-01T19:19:46.000Z","pushType":"push","commitsCount":1,"pusher":{"login":"justinchuby","name":"Justin Chu","path":"/justinchuby","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/11205048?s=80&v=4"},"commit":{"message":"Update __init__.py\n\nSigned-off-by: Justin Chu ","shortMessageHtmlLink":"Update __init__.py"}},{"before":null,"after":"03ff75348b47d143e95fc35f45636f4fd16d099c","ref":"refs/heads/dependabot/pip/ruff-0.4.7","pushedAt":"2024-06-01T16:47:20.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"Bump ruff from 0.4.2 to 0.4.7\n\nBumps [ruff](https://github.com/astral-sh/ruff) from 0.4.2 to 0.4.7.\n- [Release notes](https://github.com/astral-sh/ruff/releases)\n- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/astral-sh/ruff/compare/v0.4.2...v0.4.7)\n\n---\nupdated-dependencies:\n- dependency-name: ruff\n dependency-type: direct:production\n update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"Bump ruff from 0.4.2 to 
0.4.7"}},{"before":null,"after":"1f6435b4507f8e4b64389066b07a143812a628f6","ref":"refs/heads/dependabot/pip/clang-format-18.1.5","pushedAt":"2024-06-01T16:46:51.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"Bump clang-format from 17.0.6 to 18.1.5\n\nBumps [clang-format](https://github.com/ssciwr/clang-format-wheel) from 17.0.6 to 18.1.5.\n- [Release notes](https://github.com/ssciwr/clang-format-wheel/releases)\n- [Commits](https://github.com/ssciwr/clang-format-wheel/compare/v17.0.6...v18.1.5)\n\n---\nupdated-dependencies:\n- dependency-name: clang-format\n dependency-type: direct:production\n update-type: version-update:semver-major\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"Bump clang-format from 17.0.6 to 18.1.5"}},{"before":"ba09d196064fe852fdec773607abc8f7c6fa7f1a","after":null,"ref":"refs/heads/dependabot/github_actions/github/codeql-action-3.25.7","pushedAt":"2024-06-01T16:32:56.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"justinchuby","name":"Justin 
Chu","path":"/justinchuby","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/11205048?s=80&v=4"}},{"before":"c8781325a6ce3cc65f366a12fe92ea035a0eb0ba","after":null,"ref":"refs/heads/gh-readonly-queue/main/pr-6156-093a8d335a66ea136eb1f16b3a1ce6237ee353ab","pushedAt":"2024-06-01T16:32:55.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"}},{"before":"093a8d335a66ea136eb1f16b3a1ce6237ee353ab","after":"c8781325a6ce3cc65f366a12fe92ea035a0eb0ba","ref":"refs/heads/main","pushedAt":"2024-06-01T16:32:54.000Z","pushType":"merge_queue_merge","commitsCount":1,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Bump github/codeql-action from 2.13.4 to 3.25.7 (#6156)\n\nBumps [github/codeql-action](https://github.com/github/codeql-action)\nfrom 2.13.4 to 3.25.7.\n
\nRelease notes\n

Sourced from github/codeql-action's releases.

\n
\n

CodeQL Bundle v2.17.4

\n

Bundles CodeQL CLI v2.17.4

  • (changelog, release)

Includes the following CodeQL language packs from github/codeql@codeql-cli/v2.17.4:

  • codeql/cpp-queries (changelog, source)
  • codeql/cpp-all (changelog, source)
  • codeql/csharp-queries (changelog, source)
  • codeql/csharp-all (changelog, source)
  • codeql/go-queries (changelog, source)
  • codeql/go-all (changelog, source)
  • codeql/java-queries (changelog, source)
  • codeql/java-all (changelog, source)
  • codeql/javascript-queries (changelog, source)
  • codeql/javascript-all (changelog, source)
  • codeql/python-queries (changelog, source)
  • codeql/python-all (changelog, source)
  • codeql/ruby-queries (changelog, source)
  • codeql/ruby-all (changelog, source)
  • codeql/swift-queries (changelog, source)
  • codeql/swift-all (changelog, source)

CodeQL Bundle v2.17.3

\n

Bundles CodeQL CLI v2.17.3

  • (changelog, release)

Includes the following CodeQL language packs from github/codeql@codeql-cli/v2.17.3:

  • codeql/cpp-queries (changelog, source)
  • codeql/cpp-all (changelog, source)
  • codeql/csharp-queries (changelog, source)
  • codeql/csharp-all (changelog, source)
  • codeql/go-queries (changelog, source)
  • codeql/go-all (changelog, source)
  • codeql/java-queries (changelog, source)
  • codeql/java-all (changelog, source)
  • codeql/javascript-queries (changelog, source)
  • codeql/javascript-all (changelog, source)
  • codeql/python-queries (changelog, source)
  • codeql/python-all (changelog, source)
  • codeql/ruby-queries (changelog, source)
  • codeql/ruby-all (changelog, source)
  • codeql/swift-queries (changelog, source)
  • codeql/swift-all (changelog, source)

CodeQL Bundle v2.17.2

\n

Bundles CodeQL CLI v2.17.2

  • (changelog, release)

Includes the following CodeQL language packs from github/codeql@codeql-cli/v2.17.2:

  • codeql/cpp-queries (changelog, source)

... (truncated)

\n
\n
\nChangelog\n

Sourced from github/codeql-action's changelog.

\n
\n

CodeQL Action Changelog

\n

See the releases page for the relevant changes to the CodeQL CLI and language packs.

\n

Note that the only difference between v2 and v3 of the CodeQL Action is the node version they support, with v3 running on node 20 while we continue to release v2 to support running on node 16. For example 3.22.11 was the first v3 release and is functionally identical to 2.22.11. This approach ensures an easy way to track exactly which features are included in different versions, indicated by the minor and patch version numbers.

\n

[UNRELEASED]

\n

No user facing changes.

\n

3.25.7 - 31 May 2024

  • We are rolling out a feature in May/June 2024 that will reduce the Actions cache usage of the Action by keeping only the newest TRAP cache for each language. #2306

3.25.6 - 20 May 2024

\n
    \n
  • Update default CodeQL bundle version to 2.17.3. #2295
  • \n
\n

3.25.5 - 13 May 2024

\n
    \n
  • Add a compatibility matrix of supported CodeQL Action, CodeQL CLI,\nand GitHub Enterprise Server versions to the https://github.com/github/codeql-action/blob/main/README.md.\n#2273
  • \n
  • Avoid printing out a warning for a missing on.push\ntrigger when the CodeQL Action is triggered via a\nworkflow_call event. #2274
  • \n
  • The tools: latest input to the init Action\nhas been renamed to tools: linked. This option specifies\nthat the Action should use the tools shipped at the same time as the\nAction. The old name will continue to work for backwards compatibility,\nbut we recommend that new workflows use the new name. #2281
  • \n
\n

3.25.4 - 08 May 2024

\n
    \n
  • Update default CodeQL bundle version to 2.17.2. #2270
  • \n
\n

3.25.3 - 25 Apr 2024

\n
    \n
  • Update default CodeQL bundle version to 2.17.1. #2247
  • \n
  • Workflows running on macos-latest using CodeQL CLI\nversions before v2.15.1 will need to either upgrade their CLI version to\nv2.15.1 or newer, or change the platform to an Intel MacOS runner, such\nas macos-12. ARM machines with SIP disabled, including the\nnewest macos-latest image, are unsupported for CLI versions\nbefore 2.15.1. #2261
  • \n
\n

3.25.2 - 22 Apr 2024

\n

No user facing changes.

\n

3.25.1 - 17 Apr 2024

\n
    \n
  • We are rolling out a feature in April/May 2024 that improves the\nreliability and performance of analyzing code when analyzing a compiled\nlanguage with the autobuild build\nmode. #2235
  • \n
  • Fix a bug where the init Action would fail if\n--overwrite was specified in\nCODEQL_ACTION_EXTRA_OPTIONS. #2245
  • \n
\n

3.25.0 - 15 Apr 2024

\n
    \n
  • \n

    The deprecated feature for extracting dependencies for a Python\nanalysis has been removed. #2224

    \n

    As a result, the following inputs and environment variables are now\nignored:

    \n
      \n
    • The setup-python-dependencies input to the\ninit Action
    • \n
    • The\nCODEQL_ACTION_DISABLE_PYTHON_DEPENDENCY_INSTALLATION\nenvironment variable
    • \n
    \n
  • \n
\n\n
\n

... (truncated)

\n
\n
Commits

  • f079b84 Merge pull request #2317 from github/update-v3.25.7-a095bf2a1
  • e1a4268 Update changelog for v3.25.7
  • a095bf2 Merge pull request #2313 from github/revert-2312-update-bundle/codeql-bundle-...
  • bbd4e19 Revert "Update default bundle to 2.17.4"
  • 9ab5d16 Merge pull request #2312 from github/update-bundle/codeql-bundle-v2.17.4
  • 028346e Add changelog note
  • 5fe0847 Update default bundle to codeql-bundle-v2.17.4
  • 9550da9 Merge pull request #2311 from github/henrymercer/pack-missing-auth-config-error
  • 6548a4d Add configuration error for missing auth to package registry
  • 7927df0 Bump micromatch from 4.0.5 to 4.0.7 in the npm group (#2310)
  • Additional commits viewable in compare view

\n\n\n[![Dependabot compatibility\nscore](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=2.13.4&new-version=3.25.7)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)\n\nDependabot will resolve any conflicts with this PR as long as you don't\nalter it yourself. You can also trigger a rebase manually by commenting\n`@dependabot rebase`.\n\n[//]: # (dependabot-automerge-start)\n[//]: # (dependabot-automerge-end)\n\n---\n\n
\nDependabot commands and options\n
\n\nYou can trigger Dependabot actions by commenting on this PR:\n- `@dependabot rebase` will rebase this PR\n- `@dependabot recreate` will recreate this PR, overwriting any edits\nthat have been made to it\n- `@dependabot merge` will merge this PR after your CI passes on it\n- `@dependabot squash and merge` will squash and merge this PR after\nyour CI passes on it\n- `@dependabot cancel merge` will cancel a previously requested merge\nand block automerging\n- `@dependabot reopen` will reopen this PR if it is closed\n- `@dependabot close` will close this PR and stop Dependabot recreating\nit. You can achieve the same result by closing it manually\n- `@dependabot show ignore conditions` will show all\nof the ignore conditions of the specified dependency\n- `@dependabot ignore this major version` will close this PR and stop\nDependabot creating any more for this major version (unless you reopen\nthe PR or upgrade to it yourself)\n- `@dependabot ignore this minor version` will close this PR and stop\nDependabot creating any more for this minor version (unless you reopen\nthe PR or upgrade to it yourself)\n- `@dependabot ignore this dependency` will close this PR and stop\nDependabot creating any more for this dependency (unless you reopen the\nPR or upgrade to it yourself)\n\n\n
\n\nSigned-off-by: dependabot[bot] \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>","shortMessageHtmlLink":"Bump github/codeql-action from 2.13.4 to 3.25.7 (#6156)"}},{"before":null,"after":"c8781325a6ce3cc65f366a12fe92ea035a0eb0ba","ref":"refs/heads/gh-readonly-queue/main/pr-6156-093a8d335a66ea136eb1f16b3a1ce6237ee353ab","pushedAt":"2024-06-01T16:16:40.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Bump github/codeql-action from 2.13.4 to 3.25.7 (#6156)\n\nBumps [github/codeql-action](https://github.com/github/codeql-action)\nfrom 2.13.4 to 3.25.7.\n
\n\nSigned-off-by: dependabot[bot] \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>","shortMessageHtmlLink":"Bump github/codeql-action from 2.13.4 to 3.25.7 (#6156)"}},{"before":"a876ce9da8b1e331ecef666dc9a5ac58f1bd2c3c","after":null,"ref":"refs/heads/gh-readonly-queue/main/pr-6156-093a8d335a66ea136eb1f16b3a1ce6237ee353ab","pushedAt":"2024-06-01T16:07:44.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"}},{"before":null,"after":"a876ce9da8b1e331ecef666dc9a5ac58f1bd2c3c","ref":"refs/heads/gh-readonly-queue/main/pr-6156-093a8d335a66ea136eb1f16b3a1ce6237ee353ab","pushedAt":"2024-06-01T15:56:23.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"},"commit":{"message":"Bump github/codeql-action from 2.13.4 to 3.25.7 (#6156)\n\nBumps [github/codeql-action](https://github.com/github/codeql-action)\nfrom 2.13.4 to 3.25.7.\n
\n\nSigned-off-by: dependabot[bot] \nCo-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>","shortMessageHtmlLink":"Bump github/codeql-action from 2.13.4 to 3.25.7 (#6156)"}},{"before":null,"after":"27ae4fa05ca77377b31c0b56f50e0cb7f37b40aa","ref":"refs/heads/dependabot/github_actions/ZedThree/clang-tidy-review-0.19.0","pushedAt":"2024-06-01T15:37:10.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"Bump ZedThree/clang-tidy-review from 0.18.0 to 0.19.0\n\nBumps [ZedThree/clang-tidy-review](https://github.com/zedthree/clang-tidy-review) from 0.18.0 to 0.19.0.\n- [Release notes](https://github.com/zedthree/clang-tidy-review/releases)\n- [Changelog](https://github.com/ZedThree/clang-tidy-review/blob/master/CHANGELOG.md)\n- [Commits](https://github.com/zedthree/clang-tidy-review/compare/900895863e31d749b3a97e8d4de93f15927d235f...85799d63d217e8d0686b7735fb923acc986d8043)\n\n---\nupdated-dependencies:\n- dependency-name: ZedThree/clang-tidy-review\n dependency-type: direct:production\n update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"Bump ZedThree/clang-tidy-review from 0.18.0 to 0.19.0"}},{"before":null,"after":"ba09d196064fe852fdec773607abc8f7c6fa7f1a","ref":"refs/heads/dependabot/github_actions/github/codeql-action-3.25.7","pushedAt":"2024-06-01T15:37:05.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"Bump github/codeql-action from 2.13.4 to 3.25.7\n\nBumps [github/codeql-action](https://github.com/github/codeql-action) from 2.13.4 to 3.25.7.\n- [Release notes](https://github.com/github/codeql-action/releases)\n- 
[Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)\n- [Commits](https://github.com/github/codeql-action/compare/cdcdbb579706841c47f7063dda365e292e5cad7a...f079b8493333aace61c81488f8bd40919487bd9f)\n\n---\nupdated-dependencies:\n- dependency-name: github/codeql-action\n dependency-type: direct:production\n update-type: version-update:semver-major\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"Bump github/codeql-action from 2.13.4 to 3.25.7"}},{"before":null,"after":"aef13133b04280da8f57214aca537461cd22996b","ref":"refs/heads/dependabot/github_actions/reviewdog/action-cpplint-1.3.0","pushedAt":"2024-06-01T15:36:55.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"Bump reviewdog/action-cpplint from 1.2.0 to 1.3.0\n\nBumps [reviewdog/action-cpplint](https://github.com/reviewdog/action-cpplint) from 1.2.0 to 1.3.0.\n- [Release notes](https://github.com/reviewdog/action-cpplint/releases)\n- [Commits](https://github.com/reviewdog/action-cpplint/compare/f4595711c17503b596166b81782d83774541c2d8...61869daa530674de5aec805f3eac22e6fdcf7dfe)\n\n---\nupdated-dependencies:\n- dependency-name: reviewdog/action-cpplint\n dependency-type: direct:production\n update-type: version-update:semver-minor\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"Bump reviewdog/action-cpplint from 1.2.0 to 1.3.0"}},{"before":null,"after":"ec296fd1f470e21fd17c8f809c03e1d57ae9c217","ref":"refs/heads/dependabot/github_actions/ossf/scorecard-action-2.3.3","pushedAt":"2024-06-01T15:36:49.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"dependabot[bot]","name":null,"path":"/apps/dependabot","primaryAvatarUrl":"https://avatars.githubusercontent.com/in/29110?s=80&v=4"},"commit":{"message":"Bump ossf/scorecard-action from 2.3.1 to 2.3.3\n\nBumps 
[ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.3.1 to 2.3.3.\n- [Release notes](https://github.com/ossf/scorecard-action/releases)\n- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)\n- [Commits](https://github.com/ossf/scorecard-action/compare/0864cf19026789058feabb7e87baa5f140aac736...dc50aa9510b46c811795eb24b2f1ba02a914e534)\n\n---\nupdated-dependencies:\n- dependency-name: ossf/scorecard-action\n dependency-type: direct:production\n update-type: version-update:semver-patch\n...\n\nSigned-off-by: dependabot[bot] ","shortMessageHtmlLink":"Bump ossf/scorecard-action from 2.3.1 to 2.3.3"}},{"before":"244c7e43f23fd3ac57c7c3c615f8034aeb9a6af1","after":null,"ref":"refs/heads/1.16.1-pick","pushedAt":"2024-05-23T16:33:08.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"cjvolzka","name":"Charles Volzka","path":"/cjvolzka","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/42243335?s=80&v=4"}},{"before":"52ebb5d668918c6b1d40250f9c0bee0165d8f4a3","after":"595228d99e3977ac27cb79d5963adda262af99ad","ref":"refs/heads/rel-1.16.1","pushedAt":"2024-05-23T16:33:07.000Z","pushType":"pr_merge","commitsCount":1,"pusher":{"login":"cjvolzka","name":"Charles Volzka","path":"/cjvolzka","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/42243335?s=80&v=4"},"commit":{"message":"Pin onnxruntime to 1.17.3 for release CIs (#6143) (#6148)\n\n### Description\r\nThe latest ORT 1.18.0 does not implement ML ops required for\r\ntest_backend_onnxruntime.py. 
Pin to the previous ort release to pass the\r\nrelease CIs.\r\n\r\n### Motivation and Context\r\nhttps://github.com/onnx/onnx/pull/6138#issuecomment-2118368537\r\n\r\n---------\r\n\r\nSigned-off-by: Liqun Fu \r\n(cherry picked from commit 093a8d335a66ea136eb1f16b3a1ce6237ee353ab)\r\n\r\nCo-authored-by: liqun Fu ","shortMessageHtmlLink":"Pin onnxruntime to 1.17.3 for release CIs (#6143) (#6148)"}},{"before":null,"after":"244c7e43f23fd3ac57c7c3c615f8034aeb9a6af1","ref":"refs/heads/1.16.1-pick","pushedAt":"2024-05-23T12:46:56.000Z","pushType":"branch_creation","commitsCount":0,"pusher":{"login":"cjvolzka","name":"Charles Volzka","path":"/cjvolzka","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/42243335?s=80&v=4"},"commit":{"message":"Pin onnxruntime to 1.17.3 for release CIs (#6143)\n\n### Description\nThe latest ORT 1.18.0 does not implement ML ops required for\ntest_backend_onnxruntime.py. Pin to the previous ort release to pass the\nrelease CIs.\n\n### Motivation and Context\nhttps://github.com/onnx/onnx/pull/6138#issuecomment-2118368537\n\n---------\n\nSigned-off-by: Liqun Fu \n(cherry picked from commit 093a8d335a66ea136eb1f16b3a1ce6237ee353ab)","shortMessageHtmlLink":"Pin onnxruntime to 1.17.3 for release CIs (#6143)"}},{"before":"beed4a4f11a36f5817788c77340a832438e04962","after":null,"ref":"refs/heads/liqun/rel-ci-pin-ort-version","pushedAt":"2024-05-23T05:58:14.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"liqunfu","name":"liqun 
Fu","path":"/liqunfu","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/3318051?s=80&v=4"}},{"before":"093a8d335a66ea136eb1f16b3a1ce6237ee353ab","after":null,"ref":"refs/heads/gh-readonly-queue/main/pr-6143-b90e252da11dea9bdc191d6b9b8d01511ef3e3bd","pushedAt":"2024-05-23T05:58:13.000Z","pushType":"branch_deletion","commitsCount":0,"pusher":{"login":"github-merge-queue[bot]","name":null,"path":"/apps/github-merge-queue","primaryAvatarUrl":"https://avatars.githubusercontent.com/u/9919?s=80&v=4"}}],"hasNextPage":true,"hasPreviousPage":false,"activityType":"all","actor":null,"timePeriod":"all","sort":"DESC","perPage":30,"cursor":"djE6ks8AAAAEXWMopwA","startCursor":null,"endCursor":null}},"title":"Activity · onnx/onnx"}