Bump svenstaro/upload-release-action from 2.11.4 to 2.11.5#428
Bump svenstaro/upload-release-action from 2.11.4 to 2.11.5#428dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
dependabot
Bot
added
dependencies
dependabot
Bot
requested review from
elsapet,
gotbadger and
mateusz-sterczewski
as code owners
dependabot
Bot
added
dependencies
![cycode-security[bot]](https://avatars.githubusercontent.com/in/39308?s=60&v=4){kind=small}
| - name: Upload files to release | ||
| if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }} | ||
| uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2 | ||
| uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2 |
There was a problem hiding this comment.
❗Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium
Description
Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.
Cycode Remediation Guideline
Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository |
| #cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only |
dependabot
Bot
force-pushed
the
dependabot/github_actions/svenstaro/upload-release-action-2.11.5
branch
2 times, most recently
from
f73700f to
79719a1
Compare
Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.11.4 to 2.11.5. - [Release notes](https://github.com/svenstaro/upload-release-action/releases) - [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md) - [Commits](svenstaro/upload-release-action@b98a3b1...29e53e9) --- updated-dependencies: - dependency-name: svenstaro/upload-release-action dependency-version: 2.11.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/svenstaro/upload-release-action-2.11.5
branch
from
79719a1 to
c6756a5
Compare
Bumps svenstaro/upload-release-action from 2.11.4 to 2.11.5.
Release notes
Sourced from svenstaro/upload-release-action's releases.
Commits
29e53e92.11.5e701a60Update actions to Node.js 24f0ad2b8Migrate to ESM and bump GitHub Actions toolkit to latest0c75bf0Revert "Bump GitHub Actions toolkit dependencies to latest major versions"980b6b1Bump GitHub Actions toolkit dependencies to latest major versions