Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 in the dependencies group #264

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 6, 2025
Merged

chore(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 in the dependencies group #264

merged 1 commit into from
Oct 6, 2025

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Oct 6, 2025

Bumps the dependencies group with 1 update: ossf/scorecard-action.

Updates ossf/scorecard-action from 2.4.2 to 2.4.3

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.3

What's Changed

This update bumps the Scorecard version to the v5.3.0 release. For a complete list of changes, please refer to the Scorecard v5.3.0 release notes.

Documentation

Other

New Contributors

Full Changelog: ossf/scorecard-action@v2.4.2...v2.4.3

Commits
  • 4eaacf0 bump docker to ghcr v2.4.3 (#1587)
  • 42e3a01 🌱 Bump the github-actions group with 3 updates (#1585)
  • 88c07ac 🌱 Bump github.com/sigstore/cosign/v2 from 2.5.2 to 2.6.0 (#1579)
  • 6c690f2 Bump github.com/ossf/scorecard/v5 from v5.2.1 to v5.3.0 (#1586)
  • 92083b5 📖 Fix recommended command to test the image in development (#1583)
  • 7975ea6 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
  • 0d1a743 🌱 Bump github.com/spf13/cobra from 1.9.1 to 1.10.1 (#1575)
  • 46e6e0c 🌱 Bump the github-actions group with 2 updates (#1580)
  • c3f1350 🌱 Improve printing options (#1584)
  • 43e475b 🌱 Bump golang.org/x/net from 0.42.0 to 0.44.0 (#1578)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump ossf/scorecard-action in the dependencies group
30929ec 
Bumps the dependencies group with 1 update: [ossf/scorecard-action](https://github.com/ossf/scorecard-action).


Updates `ossf/scorecard-action` from 2.4.2 to 2.4.3
- [Release notes](https://github.com/ossf/scorecard-action/releases)
- [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md)
- [Commits](ossf/scorecard-action@05b42c6...4eaacf0)

---
updated-dependencies:
- dependency-name: ossf/scorecard-action
  dependency-version: 2.4.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 6, 2025
@dependabot dependabot bot requested a review from a team as a code owner October 6, 2025 05:11
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 6, 2025
@coderabbitai coderabbitai
Copy link

coderabbitai bot commented Oct 6, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Free review on us!

CodeRabbit is offering free reviews until Wed Oct 08 2025 to showcase some of the refinements we've made.

Comment @coderabbitai help to get the list of available commands and usage tips.

@fossabot fossabot
Copy link

fossabot bot commented Oct 6, 2025
edited
Loading

✓ Safe to upgrade

I recommend merging this upgrade because this is a minor patch update of a CI/CD security workflow dependency that introduces one new feature and one bug fix with no breaking changes or compatibility issues. The action is used exclusively for automated security posture monitoring via OpenSSF Scorecard analysis, and the semver-patch update from the official OSSF repository shows widespread community adoption with no critical issues reported for this version.

What we checked

  • GitHub Action version updated from 2.4.2 to 2.4.3 (commit hash 4eaacf0543bb3f2c246792bd56e8cdeffafb205a) - this is the only file affected by the upgrade [1]
  • This is a newly added workflow file with standard OSSF Scorecard configuration - no existing usage patterns to break, reducing upgrade risk [2]
  • Multiple Apache Commons projects are updating to version 2.4.3, indicating widespread community adoption and confidence in this version [3]
  • Official OSSF Scorecard Action maintained by the Open Source Security Foundation - reputable source with no critical issues reported for version 2.4.3 [4]

Dependency Usage

This GitHub Action is used exclusively in the project's CI/CD security workflow to perform OpenSSF Scorecard analysis, which assesses supply-chain security practices by evaluating repository health indicators like branch protection, dependency updates, and vulnerability management. The action runs on a weekly schedule and on pushes to the main branch, publishing security assessment results to GitHub's code scanning dashboard and generating a public scorecard badge. This is a DevOps infrastructure dependency that enables automated security posture monitoring rather than supporting application business logic.

Changes

The ossf/scorecard-action dependency receives documentation improvements clarifying required GITHUB_TOKEN permissions for private repositories and fixes to the development testing command. The update also adds proper top-level token permissions to workflows, improving security posture for repositories using this action.

View 3 more changes
References (4)

[1]: GitHub Action version updated from 2.4.2 to 2.4.3 (commit hash 4eaacf0543bb3f2c246792bd56e8cdeffafb205a) - this is the only file affected by the upgrade

js-sdk/.github/workflows/scorecard.yml

Line 42 in 30929ec

uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3

[2]: This is a newly added workflow file with standard OSSF Scorecard configuration - no existing usage patterns to break, reducing upgrade risk
https://github.com/openfga/js-sdk/blob/30929ec8c2449ba04333aa2b39aa220dd2e1d79c/.github/workflows/scorecard.yml

[3]: Multiple Apache Commons projects are updating to version 2.4.3, indicating widespread community adoption and confidence in this version (source link)

[4]: Official OSSF Scorecard Action maintained by the Open Source Security Foundation - reputable source with no critical issues reported for version 2.4.3 (source link)

fossabot analyzed this PR using dependency research.

@rhamzeh rhamzeh added this pull request to the merge queue Oct 6, 2025
Merged via the queue into main with commit 1fbf310 Oct 6, 2025
19 checks passed
@rhamzeh rhamzeh deleted the dependabot/github_actions/dependencies-6ca8c082f8 branch October 6, 2025 12:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rhamzeh rhamzeh rhamzeh approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rhamzeh
Morty Proxy This is a proxified and sanitized view of the page, visit original site.