Bump the actions group with 7 updates #61

Merged
merged 1 commit into from
Aug 30, 2023

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Aug 30, 2023

Bumps the actions group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| actions/checkout | 2 | 3 |
| actions/dependency-review-action | 2 | 3 |
| docker/login-action | 1 | 2 |
| docker/metadata-action | 3 | 4 |
| docker/setup-qemu-action | 1 | 2 |
| docker/setup-buildx-action | 1 | 2 |
| docker/build-push-action | 2 | 4 |

Updates actions/checkout from 2 to 3

Release notes

Sourced from actions/checkout's releases.

v3.0.0

  • Updated to the node16 runtime by default
    • This requires a minimum Actions Runner version of v2.285.0 to run, which is by default available in GHES 3.4 or later.

v2.7.0

What's Changed

Full Changelog: actions/checkout@v2.6.0...v2.7.0

v2.6.0

What's Changed

Full Changelog: actions/checkout@v2.5.0...v2.6.0

v2.5.0

What's Changed

Full Changelog: actions/checkout@v2...v2.5.0

v2.4.2

What's Changed

Full Changelog: actions/checkout@v2...v2.4.2

v2.4.1

  • Fixed an issue where checkout failed to run in container jobs due to the new git setting safe.directory

v2.4.0

  • Convert SSH URLs like org-<ORG_ID>@github.com: to https://github.com/ - pr

v2.3.5

Update dependencies

v2.3.4

v2.3.3

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v3.6.0

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.2

v3.0.1

v3.0.0

... (truncated)

Commits

Updates actions/dependency-review-action from 2 to 3

Release notes

Sourced from actions/dependency-review-action's releases.

3.0.0

Breaking Changes

By default the action now expects SPDX-compliant licenses everywhere. If you were previously using license names in the allow or deny lists make sure they're valid!

What's Changed

Support for external configuration files

You can now specify a configuration file external to your repository. This allows organizations to have a single configuration file for all their repos.

Broader license support

We've added support for a much broader set of project licenses by using GitHub's Licenses API.

SPDX Compliance

All of our license-related code now expects SPDX-compliant licenses or expressions. This allows us to standardize on a license naming scheme that already supports OR/AND expressions.

Disable individual checks

You can now use the boolean options license-check and vulnerability-check to disable either one of the checks. More information in our configuration options.

Thanks

Contributors for this release include:

Thanks everyone! Full Changelog: actions/dependency-review-action@v2...v3.0.0

2.5.1

Adding some quality-of-life improvements to the local development experience. You can now pass a flag to the scripts/scan_pr script using the -c/--config-file flags to use an external configuration file:

Example:

  scripts/scan_pr https://github.com/actions/dependency-review-action/pull/294

2.5.0

Fallback on GitHub Licenses API data for missing Dependency Review API Licenses. This should improve our license coverage.

2.4.1

This patch release fixes the bugs below:

  • Display the dependency name instead of the manifest name in the detailed list of dependents.
  • Fix an issue where undefined GHSAs would filter out all changes.

... (truncated)

Commits
  • 32037a1 bumping to 3.0.8
  • f6fff72 Merge pull request #540 from sgmurphy/comment-on-failure
  • 61ee12c Merge pull request #548 from actions/dependabot/npm_and_yarn/typescript-eslin...
  • 7d5babf Merge pull request #547 from actions/dependabot/npm_and_yarn/eslint-8.47.0
  • ddb1b93 Bump @​typescript-eslint/eslint-plugin from 6.2.0 to 6.3.0
  • 7c3177d Bump eslint from 8.46.0 to 8.47.0
  • 31afeba Add unit tests
  • 7ef37f3 Merge branch 'main' into comment-on-failure
  • 2e59943 Parse boolean to enum
  • 7d90b4f bumping to 3.0.7
  • Additional commits viewable in compare view

Updates docker/login-action from 1 to 2

Release notes

Sourced from docker/login-action's releases.

v2.0.0

  • Node 16 as default runtime by @​crazy-max (#161)
    • This requires a minimum Actions Runner version of v2.285.0, which is by default available in GHES 3.4 or later.
  • chore: update dev dependencies and workflow by @​crazy-max (#170)
  • Bump @​actions/exec from 1.1.0 to 1.1.1 (#167)
  • Bump @​actions/io from 1.1.1 to 1.1.2 (#168)
  • Bump minimist from 1.2.5 to 1.2.6 (#176)
  • Bump https-proxy-agent from 5.0.0 to 5.0.1 (#182)

Full Changelog: docker/login-action@v1.14.1...v2.0.0

v1.14.1

  • Revert to Node 12 as default runtime to fix issue for GHE users (#160)

v1.14.0

  • Update to node 16 (#158)
  • Bump @​aws-sdk/client-ecr from 3.45.0 to 3.53.0 (#157)
  • Bump @​aws-sdk/client-ecr-public from 3.45.0 to 3.53.0 (#156)

v1.13.0

  • Handle proxy settings for aws-sdk (#152)
  • Workload identity based authentication docs for GCR and GAR (#112)
  • Test login against ACR (#49)
  • Bump @​aws-sdk/client-ecr from 3.44.0 to 3.45.0 (#132)
  • Bump @​aws-sdk/client-ecr-public from 3.43.0 to 3.45.0 (#131)

v1.12.0

  • ECR: only set credentials if username and password are specified (#128)
  • Refactor to use aws-sdk v3 (#128)

v1.11.0

  • ECR: switch implementation to use the AWS SDK (#126)
  • ecr input to specify whether the given registry is ECR (#123)
  • Test against Windows runner (#126)
  • Update instructions for Google registry (#127)
  • Update dev workflow (#111)
  • Small changes for GHCR doc (#86)
  • Update dev dependencies (#85)
  • Bump ansi-regex from 5.0.0 to 5.0.1 (#101)
  • Bump tmpl from 1.0.4 to 1.0.5 (#100)
  • Bump @​actions/core from 1.4.0 to 1.6.0 (#94 #103)
  • Bump codecov/codecov-action from 1 to 2 (#88)
  • Bump hosted-git-info from 2.8.8 to 2.8.9 (#83)
  • Bump node-notifier from 8.0.0 to 8.0.2 (#82)
  • Bump ws from 7.3.1 to 7.5.0 (#81)
  • Bump lodash from 4.17.20 to 4.17.21 (#80)
  • Bump y18n from 4.0.0 to 4.0.3 (#79)

v1.10.0

  • GitHub Packages Docker Registry deprecated (#78)

... (truncated)

Commits
  • 465a078 Merge pull request #524 from crazy-max/bump-aws
  • 360b4b5 Merge pull request #512 from jhihruei/change/update-gitlab-readme
  • c156700 update generated content
  • f605cf1 bump @​aws-sdk/client-ecr and @​aws-sdk/client-ecr-public to 3.347.1
  • 2a93a3e Merge pull request #508 from docker/dependabot/npm_and_yarn/https-proxy-agent...
  • 422e90f update generated content
  • bc8c4d0 build(deps): bump https-proxy-agent from 5.0.1 to 7.0.0
  • 052c2c4 Merge pull request #509 from docker/dependabot/npm_and_yarn/http-proxy-agent-...
  • beabccd update generated content
  • b56ed1c build(deps): bump http-proxy-agent from 5.0.0 to 7.0.0
  • Additional commits viewable in compare view

Updates docker/metadata-action from 3 to 4

Release notes

Sourced from docker/metadata-action's releases.

v4.0.0

  • Node 16 as default runtime by @​crazy-max (#176)
    • This requires a minimum Actions Runner version of v2.285.0, which is by default available in GHES 3.4 or later.
  • Do not sanitize before pattern matching by @​crazy-max (#201)
    • Breaking change with type=match pattern matching

Full Changelog: docker/metadata-action@v3.8.0...v4.0.0

v3.8.0

Full Changelog: docker/metadata-action@v3.7.0...v3.8.0

v3.7.0

  • Handle comments for multi-line inputs (#172)
  • Missing json output in action.yml (#167)
  • Update dev dependencies and workflow (#175)
  • Bump minimist from 1.2.5 to 1.2.6 (#182)
  • Bump moment from 2.29.1 to 2.29.2 (#180)
  • Bump @​actions/github from 5.0.0 to 5.0.1 (#179)
  • Bump node-fetch from 2.6.1 to 2.6.7 (#173)

v3.6.2

  • Handle raw statement for pre-release (#155 #156)

v3.6.1

  • Preserve quotes inside unquoted field (#153)

v3.6.0

  • base_ref global expression (#142)
  • Trim tags and flavor inputs (#143)
  • Bump @​actions/core from 1.5.0 to 1.6.0 (#135)
  • Bump ansi-regex from 5.0.0 to 5.0.1 (#134)
  • Bump tmpl from 1.0.4 to 1.0.5 (#132)
  • Bump csv-parse from 4.16.0 to 4.16.3 (#131)

v3.5.0

  • Add global expression date (#121)
  • Bump @​actions/core from 1.4.0 to 1.5.0 (#122)

v3.4.1

  • Only return edge if branch matches (#115)

v3.4.0

  • PEP 440 support (#108)

... (truncated)

Upgrade guide

Sourced from docker/metadata-action's upgrade guide.

Upgrade notes

v2 to v3

  • Repository has been moved to docker org. Replace crazy-max/ghaction-docker-meta@v2 with docker/metadata-action@v4
  • The default bake target has been changed: ghaction-docker-meta > docker-metadata-action

v1 to v2

inputs

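| New | Unchanged | Removed |
| --- | --- | --- |
| tags | images | tag-sha |
| flavor | sep-tags | tag-edge |
| labels | sep-labels | tag-edge-branch |
| | | tag-semver |
| | | tag-match |
| | | tag-match-group |
| | | tag-latest |
| | | tag-schedule |
| | | tag-custom |
| | | tag-custom-only |
| | | label-custom |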

tag-sha

tags: |
  type=sha

tag-edge / tag-edge-branch

tags: |
  # default branch

... (truncated)

Commits
  • 818d4b7 Merge pull request #302 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 948134a update generated content
  • ef7eee9 enable comments to avoid breaking change with current impl
  • 8ec80c3 Bump @​docker/actions-toolkit from 0.3.0 to 0.5.0
  • 38650bb Merge pull request #301 from crazy-max/dedup-labels
  • ebbd9b4 update generated content
  • 2dadb92 dedup and sort labels
  • 2c0bd77 Merge pull request #296 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • b10b364 update generated content
  • 40a1c6f Bump @​docker/actions-toolkit from 0.1.0 to 0.3.0
  • Additional commits viewable in compare view

Updates docker/setup-qemu-action from 1 to 2

Release notes

Sourced from docker/setup-qemu-action's releases.

v2.0.0

  • Node 16 as default runtime by @​crazy-max (#48)
    • This requires a minimum Actions Runner version of v2.285.0, which is by default available in GHES 3.4 or later.
  • chore: update dev dependencies and workflow by @​crazy-max (#43 #47)
  • Bump @​actions/core from 1.3.0 to 1.6.0 (#37 #39 #41)
  • Bump @​actions/exec from 1.0.4 to 1.1.1 (#38 #46)

Full Changelog: docker/setup-qemu-action@v1.2.0...v2.0.0

v1.2.0

  • Display image information (#36)
  • Bump @​actions/core from 1.2.7 to 1.3.0 (#35)

v1.1.0

  • Remove os limitation (#30)
  • Bump @​actions/core from 1.2.6 to 1.2.7 (#29)

v1.0.2

  • Enhance workflow (#26)
  • Container based developer flow (#19 #20)

v1.0.1

Commits
  • 2b82ce8 Merge pull request #83 from docker/dependabot/npm_and_yarn/docker/actions-too...
  • 3eae0a2 Merge pull request #81 from docker/dependabot/github_actions/docker/bake-acti...
  • 1fd9478 Bump @​docker/actions-toolkit from 0.1.0 to 0.3.0
  • f9e93f9 Bump docker/bake-action from 2 to 3
  • 9d429d4 Merge pull request #80 from docker/dependabot/npm_and_yarn/docker/actions-too...
  • b5a257c update generated content
  • c915c25 use new implementation from toolkit
  • 25bbf89 update dev dependencies
  • faaa95d Bump @​docker/actions-toolkit from 0.1.0-beta.14 to 0.1.0
  • de3982d Merge pull request #70 from crazy-max/switch-toolkit
  • Additional commits viewable in compare view

Updates docker/setup-buildx-action from 1 to 2

Release notes

Sourced from docker/setup-buildx-action's releases.

v2.0.0

  • Node 16 as default runtime by @​crazy-max (#131)
    • This requires a minimum Actions Runner version of v2.285.0, which is by default available in GHES 3.4 or later.

Full Changelog: docker/setup-buildx-action@v1.7.0...v2.0.0

v1.7.0

  • Standalone mode by @​crazy-max in (#119)
  • Update dev dependencies and workflow by @​crazy-max (#114 #130)
  • Bump tmpl from 1.0.4 to 1.0.5 (#108)
  • Bump ansi-regex from 5.0.0 to 5.0.1 (#109)
  • Bump @​actions/core from 1.5.0 to 1.6.0 (#110)
  • Bump actions/checkout from 2 to 3 (#126)
  • Bump @​actions/tool-cache from 1.7.1 to 1.7.2 (#128)
  • Bump @​actions/exec from 1.1.0 to 1.1.1 (#129)
  • Bump minimist from 1.2.5 to 1.2.6 (#132)
  • Bump codecov/codecov-action from 2 to 3 (#133)
  • Bump semver from 7.3.5 to 7.3.7 (#136)

v1.6.0

  • Add config-inline input (#106)
  • Bump @​actions/core from 1.4.0 to 1.5.0 (#104)
  • Bump codecov/codecov-action from 1 to 2 (#101)

v1.5.1

  • Explicit version spec for caching (#100)

v1.5.0

  • Allow building buildx from source (#99)

v1.4.1

  • Fix docker: invalid reference format (#97)

v1.4.0

  • Update dev deps (#95)
  • Use built-in getExecOutput (#94)
  • Use core.getBooleanInput (#93)
  • Bump @​actions/exec from 1.0.4 to 1.1.0 (#85)
  • Bump y18n from 4.0.0 to 4.0.3 (#91)
  • Bump hosted-git-info from 2.8.8 to 2.8.9 (#89)
  • Bump ws from 7.3.1 to 7.5.0 (#90)
  • Bump @​actions/tool-cache from 1.6.1 to 1.7.1 (#82 #86)
  • Bump @​actions/core from 1.2.7 to 1.4.0 (#80 #87)

v1.3.0

  • Display BuildKit version (#72)

v1.2.0

  • Remove os limitation (#71)
  • Add test job for config input (#68)

... (truncated)

Commits
  • 885d146 Merge pull request #258 from crazy-max/update-toolkit
  • e5fad01 ci: check lab releases
  • 45161fd update generated content
  • a4d51f5 bump @​docker/actions-toolkit from 0.7.1 to 0.10.0
  • 93b8eca ci: docker-ce packages are now installed on GitHub Runners
  • 7703e82 Merge pull request #253 from docker/dependabot/npm_and_yarn/word-wrap-1.2.5
  • 0005881 Merge pull request #254 from crazy-max/rm-codeowners
  • b699069 chore: remove CODEOWNERS
  • 9bfc549 Bump word-wrap from 1.2.3 to 1.2.5
  • b92d4d8 Merge pull request #252 from crazy-max/dependabot-update
  • Additional commits viewable in compare view

Updates docker/build-push-action from 2 to 4

Release notes

Sourced from docker/build-push-action's releases.

v4.0.0

Note

Buildx v0.10 enables support for a minimal SLSA Provenance attestation, which requires support for OCI-compliant multi-platform images. This may introduce issues with registry and runtime support (e.g. Google Cloud Run and AWS Lambda). You can optionally disable the default provenance attestation functionality using provenance: false.

Full Changelog: docker/build-push-action@v3.3.1...v4.0.0

v3.3.1

Full Changelog: docker/build-push-action@v3.3.0...v3.3.1

v3.3.0

Note

Buildx v0.10 enables support for a minimal SLSA Provenance attestation, which requires support for OCI-compliant multi-platform images. This may introduce issues with registry and runtime support (e.g. Google Cloud Run and AWS Lambda). You can optionally disable the default provenance attestation functionality using provenance: false.

Full Changelog: docker/build-push-action@v3.2.0...v3.3.0

v3.2.0

Full Changelog: docker/build-push-action@v3.1.1...v3.2.0

v3.1.1

Full Changelog: docker/build-push-action@v3.1.0...v3.1.1

v3.1.0

  • no-cache-filters input by @​crazy-max (#653)
  • Bump @​actions/github from 5.0.1 to 5.0.3 (#619)
  • Bump @​actions/core from 1.6.0 to 1.9.0 (#620 #637)
  • Bump csv-parse from 5.0.4 to 5.3.0 (#623 #650)

Full Changelog: docker/build-push-action@v3.0.0...v3.1.0

... (truncated)

Commits
  • 2eb1c19 Merge pull request #880 from crazy-max/fix-inputlist
  • 27376fe update generated content
  • c933000 test: build-arg with hash
  • dac08d4 chore(deps): Bump @​docker/actions-toolkit from 0.3.0 to 0.5.0
  • 44ea916 Merge pull request #875 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 0167eef update generated content
  • 91bf8bf chore(deps): Bump @​docker/actions-toolkit from 0.2.0 to 0.3.0
  • a799b4d Merge pull request #860 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 87480bd update generated content
  • f9efed5 Merge pull request #871 from dvdksn/fix/secret-example-link
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps the actions group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `2` | `3` |
| [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `2` | `3` |
| [docker/login-action](https://github.com/docker/login-action) | `1` | `2` |
| [docker/metadata-action](https://github.com/docker/metadata-action) | `3` | `4` |
| [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) | `1` | `2` |
| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) | `1` | `2` |
| [docker/build-push-action](https://github.com/docker/build-push-action) | `2` | `4` |


Updates `actions/checkout` from 2 to 3
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v2...v3)

Updates `actions/dependency-review-action` from 2 to 3
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](actions/dependency-review-action@v2...v3)

Updates `docker/login-action` from 1 to 2
- [Release notes](https://github.com/docker/login-action/releases)
- [Commits](docker/login-action@v1...v2)

Updates `docker/metadata-action` from 3 to 4
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Upgrade guide](https://github.com/docker/metadata-action/blob/master/UPGRADE.md)
- [Commits](docker/metadata-action@v3...v4)

Updates `docker/setup-qemu-action` from 1 to 2
- [Release notes](https://github.com/docker/setup-qemu-action/releases)
- [Commits](docker/setup-qemu-action@v1...v2)

Updates `docker/setup-buildx-action` from 1 to 2
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](docker/setup-buildx-action@v1...v2)

Updates `docker/build-push-action` from 2 to 4
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v2...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/login-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/metadata-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/setup-qemu-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: docker/build-push-action
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Aug 30, 2023
@tma tma enabled auto-merge (squash) August 30, 2023 07:52
@tma tma merged commit 7b3fbd9 into main Aug 30, 2023
4 checks passed
@tma tma deleted the dependabot/github_actions/actions-3ae3b4dbb9 branch August 30, 2023 07:52