chore(deps): update github actions monthly minor/patch

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
actions/attest-build-provenance	action	patch	v2.2.0 -> v2.2.3
docker/build-push-action	action	digest	ca877d9 -> 471d1dc
docker/metadata-action	action	digest	369eb59 -> 902fa8e
docker/setup-buildx-action	action	digest	6524bf6 -> b5ca514
docker/setup-qemu-action	action	digest	53851d1 -> 2910929
github/codeql-action	action	patch	v3.28.8 -> v3.28.11
ossf/scorecard-action	action	patch	v2.4.0 -> v2.4.1

---

Release Notes

actions/attest-build-provenance (actions/attest-build-provenance)

v2.2.3

Compare Source

What's Changed

• Pin actions/attest reference by commit SHA by @​bdehamer in https://github.com/actions/attest-build-provenance/pull/493

Full Changelog: actions/attest-build-provenance@v2.2.2...v2.2.3

v2.2.2

Compare Source

What's Changed

• Bump predicate action from 1.1.4 to 1.1.5 by @​bdehamer in https://github.com/actions/attest-build-provenance/pull/485
  • Bump @​actions/attest from 1.5.0 to 1.6.0 by @​bdehamer in https://github.com/actions/attest-build-provenance/pull/484
    • Update buildSLSAProvenancePredicate to populate workflow.ref field from the ref claim in the OIDC token (https://github.com/actions/toolkit/pull/1969)

Full Changelog: actions/attest-build-provenance@v2.2.1...v2.2.2

v2.2.1

Compare Source

What's Changed

• Bump undici from 5.28.4 to 5.28.5 by @​dependabot in https://github.com/actions/attest-build-provenance/pull/457
• Bump @​octokit/request-error from 5.0.1 to 5.1.1 by @​dependabot in https://github.com/actions/attest-build-provenance/pull/469
• Bump @​octokit/request from 8.2.0 to 8.4.1 by @​dependabot in https://github.com/actions/attest-build-provenance/pull/478
• Bump actions/attest from 2.2.0 to 2.2.1 by @​bdehamer in https://github.com/actions/attest-build-provenance/pull/481
  • Includes @actions/attest v1.6.0

Full Changelog: actions/attest-build-provenance@v2.2.0...v2.2.1

github/codeql-action (github/codeql-action)

v3.28.11

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #​2793

See the full CHANGELOG.md for more information.

v3.28.10

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #​2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #​2768

See the full CHANGELOG.md for more information.

v3.28.9

Compare Source

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.9 - 07 Feb 2025

• Update default CodeQL bundle version to 2.20.4. #​2753

See the full CHANGELOG.md for more information.

ossf/scorecard-action (ossf/scorecard-action)

v2.4.1

Compare Source

What's Changed

• This update bumps the Scorecard version to the v5.1.1 release. For a complete list of changes, please refer to the v5.1.0 and v5.1.1 release notes.
• Publishing results now uses half the API quota as before. The exact savings depends on the repository in question.
  • use Scorecard library entrypoint instead of Cobra hooking by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1423
• Some errors were made into annotations to make them more visible
  • Make default branch error more prominent by @​jsoref in https://github.com/ossf/scorecard-action/pull/1459
• There is now an optional file_mode input which controls how repository files are fetched from GitHub. The default is archive, but git produces the most accurate results for repositories with .gitattributes files at the cost of analysis speed.
  • add input for specifying --file-mode by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1509
• The underlying container for the action is now hosted on GitHub Container Registry. There should be no functional changes.
  • 🌱 publish docker images to GitHub Container Registry by @​spencerschrock in https://github.com/ossf/scorecard-action/pull/1453

Docs

• Installation docs update by @​JeremiahAHoward in https://github.com/ossf/scorecard-action/pull/1416

New Contributors

• @​JeremiahAHoward made their first contribution in https://github.com/ossf/scorecard-action/pull/1416
• @​jsoref made their first contribution in https://github.com/ossf/scorecard-action/pull/1459
  Full Changelog: ossf/scorecard-action@v2.4.0...v2.4.1

---

Configuration

📅 Schedule: Branch creation - "on the first day of the month" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
actions/actions/attest-build-provenance	c074443f1aee8d4aeeae555aebba3282517141b2	Unknown	Unknown
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.4	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 28 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 3/4 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 20 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-qemu-action	29109295f81e9208d7d86ff1c6c12d2833863392	🟢 5.8	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/actions/attest-build-provenance	c074443f1aee8d4aeeae555aebba3282517141b2	Unknown	Unknown
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.4	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 28 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 3/4 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 20 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-qemu-action	29109295f81e9208d7d86ff1c6c12d2833863392	🟢 5.8	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/actions/attest-build-provenance	c074443f1aee8d4aeeae555aebba3282517141b2	Unknown	Unknown
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.4	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 28 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 3/4 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 20 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-qemu-action	29109295f81e9208d7d86ff1c6c12d2833863392	🟢 5.8	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/actions/attest-build-provenance	c074443f1aee8d4aeeae555aebba3282517141b2	Unknown	Unknown
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.4	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 28 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 3/4 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 20 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-qemu-action	29109295f81e9208d7d86ff1c6c12d2833863392	🟢 5.8	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/actions/attest-build-provenance	c074443f1aee8d4aeeae555aebba3282517141b2	Unknown	Unknown
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.4	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 28 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 3/4 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 20 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-qemu-action	29109295f81e9208d7d86ff1c6c12d2833863392	🟢 5.8	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/actions/attest-build-provenance	c074443f1aee8d4aeeae555aebba3282517141b2	Unknown	Unknown
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.4	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 28 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 3/4 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 20 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-qemu-action	29109295f81e9208d7d86ff1c6c12d2833863392	🟢 5.8	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/actions/attest-build-provenance	c074443f1aee8d4aeeae555aebba3282517141b2	Unknown	Unknown
actions/docker/build-push-action	471d1dc4e07e5cdedd4c2171150001c434f0b7a4	🟢 5.4	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 28 commit(s) and 11 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 2 Found 2/7 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0
actions/docker/metadata-action	902fa8ec7d6ecbf8d84d538b9b233a880e428804	🟢 5.9	Details Check Score Reason Code-Review 🟢 8 Found 5/6 approved changesets -- score normalized to 8 Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Vulnerabilities 🟢 5 5 existing vulnerabilities detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/docker/setup-buildx-action	b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2	🟢 5.8	Details Check Score Reason Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 7 Found 3/4 approved changesets -- score normalized to 7 Binary-Artifacts 🟢 10 no binaries found in the repo Maintained 🟢 10 20 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/docker/setup-qemu-action	29109295f81e9208d7d86ff1c6c12d2833863392	🟢 5.8	Details Check Score Reason Maintained 🟢 10 25 commit(s) and 6 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0 Vulnerabilities 🟢 4 6 existing vulnerabilities detected
actions/github/codeql-action/upload-sarif	6bb031afdd8eb862ea3fc1848194185e076637e5	Unknown	Unknown
actions/ossf/scorecard-action	f49aabe0b5af0936a0987cfb85d86b75731b0186	🟢 8.3	Details Check Score Reason Binary-Artifacts 🟢 10 no binaries found in the repo Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Code-Review 🟢 10 all changesets reviewed Contributors 🟢 10 project has 16 contributing companies or organizations Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Dependency-Update-Tool 🟢 10 update tool detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Maintained 🟢 10 28 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10 Packaging 🟢 10 packaging workflow detected Pinned-Dependencies 🟢 9 dependency not pinned by hash detected -- score normalized to 9 SAST 🟢 10 SAST tool is run on all commits Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 0 existing vulnerabilities detected

Scanned Files

• .github/workflows/athenapdf-service-image.yaml
• .github/workflows/database-tools-image.yaml
• .github/workflows/docker-host-image.yaml
• .github/workflows/drush-alias-image.yaml
• .github/workflows/insights-scanner-image.yaml
• .github/workflows/logs-concentrator-image.yaml
• .github/workflows/logs-dispatcher-image.yaml
• .github/workflows/ossf-analysis.yaml