build(deps): bump amannn/action-semantic-pull-request from 5.2.0 to 5.3.0 #5955
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
Bumps [amannn/action-semantic-pull-request](https://github.com/amannn/action-semantic-pull-request) from 5.2.0 to 5.3.0. - [Release notes](https://github.com/amannn/action-semantic-pull-request/releases) - [Changelog](https://github.com/amannn/action-semantic-pull-request/blob/main/CHANGELOG.md) - [Commits](amannn/action-semantic-pull-request@v5.2.0...v5.3.0) --- updated-dependencies: - dependency-name: amannn/action-semantic-pull-request dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>
dependabot
bot
added
dependencies
github_actions
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| @@ -18,6 +18,6 @@ jobs: | |||
| statuses: write | |||
| runs-on: ubuntu-latest | |||
| steps: | |||
| - uses: amannn/action-semantic-pull-request@v5.2.0 | |||
| - uses: amannn/action-semantic-pull-request@v5.3.0 | |||
There was a problem hiding this comment.
Reporter: Sarif
Rule: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
Severity: WARN
File: .github/workflows/lint-pr.yml L21
An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. For additional help see: An action sourced from a third-party repository on GitHub is not pinned to a full length commit SHA. Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps mitigate the risk of a bad actor adding a backdoor to the action's repository, as they would need to generate a SHA-1 collision for a valid Git object payload. <b>References:</b> - Semgrep Rule - https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components - https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
dependabot
bot
deleted the
dependabot/github_actions/amannn/action-semantic-pull-request-5.3.0
branch
Bumps amannn/action-semantic-pull-request from 5.2.0 to 5.3.0.
Release notes
Sourced from amannn/action-semantic-pull-request's releases.
Changelog
Sourced from amannn/action-semantic-pull-request's changelog.
Commits
47b15d5chore: Release 5.3.0 [skip ci]4c0d5a2feat: Use Node.js 20 in action (#240)00282d6docs: Update usersa67a88bdocs: Fix permissions for sticky-pull-request-comment example (#235 by@sheer...3bb5af3ci: Add push permission for release workflowc91b8fbdocs: Add permissions (#215 by@natterstefan)ff373f4docs: Minor README improvements3da6b20docs: README improvements4fc2edadocs: Update link in error message (#230)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)