Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>

…#717)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
|
[@actions/core](https://togithub.com/actions/toolkit/tree/main/packages/core)
([source](https://togithub.com/actions/toolkit/tree/HEAD/packages/core))
| [`1.10.0` ->
`1.10.1`](https://renovatebot.com/diffs/npm/@actions%2fcore/1.10.0/1.10.1)
|
[![age](https://developer.mend.io/api/mc/badges/age/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/@actions%2fcore/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/@actions%2fcore/1.10.0/1.10.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

---

> [!WARNING]
> Some dependencies could not be looked up. Check the Dependency
Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/toolkit (@&#8203;actions/core)</summary>

###
[`v1.10.1`](https://togithub.com/actions/toolkit/blob/HEAD/packages/core/RELEASES.md#1101)

- Fix error message reference in oidc utils
[#&#8203;1511](https://togithub.com/actions/toolkit/pull/1511)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-verifier).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy44LjEiLCJ1cGRhdGVkSW5WZXIiOiIzNy4zNDAuMTAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

---------

Signed-off-by: Mend Renovate <[email protected]>
Signed-off-by: github-actions <[email protected]>
Co-authored-by: github-actions <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

This reverts commit e855e4f.

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Updates `thehanimo/pr-title-checker` to v1.4.2 and fixes the version
comment.

Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>

# Summary

Updates renovate config to use the
[`config:best-practices`](https://docs.renovatebot.com/presets-config/#configbest-practices)
preset rather than the `config:base` preset since `config:base` seems to
be deprecated.

Also updates the `schedule` config to use the
[`schedule:monthly`](https://docs.renovatebot.com/presets-schedule/#schedulemonthly)
preset.

Also adds a pre-submit to run the
[`renovate-config-validator`](https://docs.renovatebot.com/config-validation/)
to ensure that renovate config is valid. This pre-submit will need to be
made required in the repository branch protection rule for `main` in the
repository settings after this PR is merged.

---------

Signed-off-by: Ian Lewis <[email protected]>
Signed-off-by: Ian Lewis <[email protected]>
Co-authored-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

changing the update-dist workflow to use the `pr_number` input as an env
variable to avoid [script
injection](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#good-practices-for-mitigating-script-injection-attacks).

Our workflows are only invokable by our trusted maintainers so we should
be okay. This is just an extra hardening measure.

Open issue
actions/runner#1070 (comment)

## Testing

I confirmed the issue by invoking the workflow with `650 && echo SCRIPT
INJECTION`, and it did also do the extra `echo` command.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101350247/job/25018333703#step:3:36

after invoking the workflow again with this PR's version, the problem is
mitigated.
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101495332/job/25018812710#step:3:8
-
https://github.com/slsa-framework/slsa-verifier/actions/runs/9101516757/job/25018888519#step:3:7

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>

Followup to slsa-framework#760

Fix the .github/workflows/update-actions-dist-post-commit.yml workflow
to also signoff commit

# Testing

- [x] Invoked this PR's branch copy of the workflow against slsa-framework#717, and it
did signoff the commit.
-
slsa-framework@9670f76

Signed-off-by: Ramon Petgrave <[email protected]>
Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>

Signed-off-by: Ramon Petgrave <[email protected]>