[S] Change in bazel/bazel[master]: Bump the github-actions group with 5 updates (https://github.com/baze...


Copybara Service (Gerrit)

3:09 PM (1 hour ago)
to bazel-...@googlegroups.com

Copybara Service uploaded new patchset

Copybara Service uploaded patch set #3 to this change.
Open in Gerrit

Related details

Attention set is empty
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: newpatchset
Gerrit-Project: bazel
Gerrit-Branch: master
Gerrit-Change-Id: I76eeb08fe178adacffb381692eb4178bcda1b291
Gerrit-Change-Number: 329770
Gerrit-PatchSet: 3
Gerrit-Owner: Copybara Service <copybara-wor...@google.com>

Copybara Service (Gerrit)

3:10 PM (1 hour ago)
to bazel-...@googlegroups.com

Copybara Service submitted the change

Change information

Commit message:
Bump the github-actions group with 5 updates (https://github.com/bazelbuild/bazel/pull/29699)

Bumps the github-actions group with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [step-security/harden-runner](https://github.com/step-security/harden-runner) | `2.19.0` | `2.19.4` |
| [bazelbuild/continuous-integration](https://github.com/bazelbuild/continuous-integration) | `ee5ba8422a610abe834d379252881d903890d560` | `8fae15fdb0532109a35cae0ca16041fc424c0a9b` |
| [actions/labeler](https://github.com/actions/labeler) | `6.0.1` | `6.1.0` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.35.2` | `4.36.0` |
| [actions/stale](https://github.com/actions/stale) | `10.2.0` | `10.3.0` |

Updates `step-security/harden-runner` from 2.19.0 to 2.19.4
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p>
<blockquote>
<h2>v2.19.4</h2>
<h2>What's Changed</h2>
<ul>
<li>Improvements for HTTPS Monitoring for the Enterprise tier of Harden Runner</li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.19.3...v2.19.4">https://github.com/step-security/harden-runner/compare/v2.19.3...v2.19.4</a></p>
<h2>v2.19.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Default to audit mode when api-key missing with use-policy-store by <a href="https://github.com/varunsh-coder"><code>@​varunsh-coder</code></a> in <a href="https://redirect.github.com/step-security/harden-runner/pull/665">step-security/harden-runner#665</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.19.2...v2.19.3">https://github.com/step-security/harden-runner/compare/v2.19.2...v2.19.3</a></p>
<h2>v2.19.2</h2>
<h2>What's Changed</h2>
<ul>
<li>Update the Harden Runner agent for enterprise tier to use go 1.26 and fix minor bugs.</li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.19.1...v2.19.2">https://github.com/step-security/harden-runner/compare/v2.19.1...v2.19.2</a></p>
<h2>v2.19.1</h2>
<h2>What's Changed</h2>
<ul>
<li>fix: detect ubuntu-slim runners early and bail out by <a href="https://github.com/devantler"><code>@​devantler</code></a> in <a href="https://redirect.github.com/step-security/harden-runner/pull/657">step-security/harden-runner#657</a></li>
</ul>
<p>What the fix changes</p>
<ul>
<li>Harden-Runner will detect <code>ubuntu-slim</code> runners and exit cleanly with an informational log message, instead of the post-harden-runner step failing on <code>chown: invalid user: 'undefined'</code>.</li>
</ul>
<p>What the fix does not do</p>
<ul>
<li>Jobs running on <code>ubuntu-slim</code> will not be monitored by Harden-Runner. The agent relies on kernel-level features (that require elevated capabilities).</li>
<li>Per GitHub's docs on <a href="https://docs.github.com/en/actions/reference/runners/github-hosted-runners#single-cpu-runners">single-CPU runners</a>: &quot;The container for ubuntu-slim runners runs in unprivileged mode. This means that some operations requiring elevated privileges such as mounting file systems, using Docker-in-Docker, or accessing low-level kernel features are not supported.&quot; Those low-level kernel features are what the agent needs, so monitoring inside the unprivileged container is not feasible today.</li>
</ul>
<p>For StepSecurity enterprise customers
If your security posture requires that workflows are always monitored, you can block the use of <code>ubuntu-slim</code> via workflow run policies; see the <a href="https://docs.stepsecurity.io/workflow-run-policies/policies#runner-label-policy">Runner Label Policy</a> docs. This lets you enforce that jobs only run on monitored runner types.</p>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/devantler"><code>@​devantler</code></a> made their first contribution in <a href="https://redirect.github.com/step-security/harden-runner/pull/657">step-security/harden-runner#657</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1">https://github.com/step-security/harden-runner/compare/v2.19.0...v2.19.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/step-security/harden-runner/commit/9af89fc71515a100421586dfdb3dc9c984fbf411"><code>9af89fc</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/667">#667</a> from step-security/update-agent-v1.8.6</li>
<li><a href="https://github.com/step-security/harden-runner/commit/485dce8cb5d75cda51e8bfa947de06030d080208"><code>485dce8</code></a> Update agent to v1.8.6</li>
<li><a href="https://github.com/step-security/harden-runner/commit/ab7a9404c0f3da075243ca237b5fac12c98deaa5"><code>ab7a940</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/665">#665</a> from step-security/fix/use-policy-store-default-audit</li>
<li><a href="https://github.com/step-security/harden-runner/commit/ec41b783c27ed7f0db6855a6d9970abd4572858c"><code>ec41b78</code></a> Default to audit mode when api-key missing with use-policy-store</li>
<li><a href="https://github.com/step-security/harden-runner/commit/9ca718d3bf646d6534007c269a635b3e54cadf99"><code>9ca718d</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/664">#664</a> from step-security/update-agent-v1.8.5</li>
<li><a href="https://github.com/step-security/harden-runner/commit/1dee3df8d29f4225c582eee2ddb6053ca616c0df"><code>1dee3df</code></a> Update agent to v1.8.5</li>
<li><a href="https://github.com/step-security/harden-runner/commit/a5ad31d6a139d249332a2605b85202e8c0b78450"><code>a5ad31d</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/657">#657</a> from devantler/fix/ubuntu-slim-user-env</li>
<li><a href="https://github.com/step-security/harden-runner/commit/6e928567d74554b8842dd434908da31c593ba85c"><code>6e92856</code></a> build dist and trim ubuntu-slim message</li>
<li><a href="https://github.com/step-security/harden-runner/commit/4e0504ee086374bdec7064e5c26d48af41ba6209"><code>4e0504e</code></a> Merge branch 'main' into fix/ubuntu-slim-user-env</li>
<li><a href="https://github.com/step-security/harden-runner/commit/376d25a97f3a1640ff8cbbddaa4af25948df2cf3"><code>376d25a</code></a> fix: detect ubuntu-slim runners early and bail out</li>
<li>See full diff in <a href="https://github.com/step-security/harden-runner/compare/8d3c67de8e2fe68ef647c8db1e6a09f647780f40...9af89fc71515a100421586dfdb3dc9c984fbf411">compare view</a></li>
</ul>
</details>
<br />

Updates `bazelbuild/continuous-integration` from ee5ba8422a610abe834d379252881d903890d560 to 8fae15fdb0532109a35cae0ca16041fc424c0a9b
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/bazelbuild/continuous-integration/blob/master/docs/release-playbook.md">bazelbuild/continuous-integration's changelog</a>.</em></p>
<blockquote>
<h1>Bazel Release Playbook</h1>
<p>This is the guide to conducting a Bazel release. This is especially relevant for
release managers, but will be of interest to anyone who is curious about the
release process.</p>
<h2>Preface</h2>
<blockquote>
<p>For future reference and release managers - the release manager playbook should
be treated like an IKEA manual. That means: Do not try to be smart, optimize /
skip / reorder steps, otherwise chaos will ensue. Just follow it and the end
result will be.. well, a usable piece of furniture, or a Bazel release
(depending on the manual).</p>
<p>Like aviation and workplace safety regulations, the playbook is written in the
tears and blood of broken Bazelisks, pipelines, releases and Git branches.
Assume that every step is exactly there for a reason, even if it might not be
obvious. If you follow them to the letter, they are not error prone. Errors
have only happened in the past, when a release manager thought it's ok to
follow them by spirit instead. ;)</p>
<p>-- <a href="https://github.com/philwo"><code>@​philwo</code></a></p>
</blockquote>
<h2>One-time setup</h2>
<p>These steps only have to be performed once, ever.</p>
<ul>
<li>Make sure you are a member of the Bazel <a href="https://github.com/orgs/bazelbuild/teams/release-managers/members">Release Managers</a> team on GitHub.</li>
<li>Make sure you are a member of the Bazel <a href="https://buildkite.com/organizations/bazel-trusted/teams/release-managers/members">release-managers</a>
group on BuildKite. If that link does not work for you, ask one of the Buildkite org admins to add you to
the group.</li>
<li>Set up github ssh key if you haven't already.
<ul>
<li><a href="https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/">https://help.github.com/articles/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent/</a></li>
</ul>
</li>
<li>Generate a new identifier for Google's internal Git mirror: <a href="https://bazel.googlesource.com/new-password">https://bazel.googlesource.com/new-password</a> (and paste the code in your shell).</li>
<li>Log in to the Gerrit UI to create an account: <a href="[]
</ul>
<h2>Preparing a new release</h2>
<ol>
<li><a href="https://github.com/bazelbuild/bazel/milestones/new">Create a release blockers milestone</a> named &quot;X.Y.Z release blockers&quot; (case-sensitive), where we keep track of issues that must be resolved before the release goes out.
<ul>
<li>Set the (tentative) release date.</li>
<li>Add this description: <code>Issues that need to be resolved before the X.Y.Z release.</code>.</li>
<li>Refer to <a href="https://github.com/bazelbuild/bazel/milestone/38">this example</a></li>
</ul>
</li>
<li><a href="https://github.com/bazelbuild/bazel/issues/new?assignees=&amp;labels=release%2Cteam-OSS%2CP1%2Ctype%3A+process&amp;template=release.md&amp;title=Release+X.Y+-+%24MONTH+%24YEAR">Create a release tracking issue</a> to keep the community updated about the progress of the release. <a href="https://redirect.github.com/bazelbuild/bazel/issues/16159">See example</a>. Pin this issue.</li>
<li>Create the branch for the release. The branch should always be named <code>release-X.Y.Z</code> (the <code>.Z</code> part is important). Cherry-pick PRs will be sent against this branch.
<ul>
<li>The actual creation of the branch can be done via the GitHub UI or via the command line. For minor and patch releases, create the branch from the previous release tag, if possible. How we choose the base commit of the branch depends on the type of the release:</li>
<li>For patch releases (<code>X.Y.Z</code> where <code>Z&gt;0</code>), the base commit should simply be <code>X.Y.(Z-1)</code>.</li>
<li>For minor releases (<code>X.Y.0</code> where <code>Y&gt;0</code>), the base commit should typically be <code>X.(Y-1).&lt;current max Z&gt;</code>.</li>
<li>For major releases (<code>X.0.0</code>), the base commit is some &quot;healthy&quot; commit on the main branch.
<ul>
<li>This means that there's an extra step involved in preparing the release -- &quot;cutting&quot; the release branch, so to speak. For this, check the <a href="https://buildkite.com/bazel/bazel-with-downstream-projects-bazel">Bazel@HEAD+Downstream pipeline</a>. The branch cut should happen on a green commit there; if the pipeline is persistently red, work with the Green Team to resolve it first and delay the branch cut as needed.</li>
<li>A first release candidate should immediately be created after the release branch is created. See <a href="https://github.com/bazelbuild/continuous-integration/blob/master/docs/#create-a-release-candidate">create a release candidate</a> below.</li>
</ul>
</li>
</ul>
</li>
</ol>
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/github/codeql-action/commit/7211b7c8077ea37d8641b6271f6a365a22a5fbfa"><code>7211b7c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3927">#3927</a> from github/update-v4.36.0-ebc2d9e2b</li>
<li><a href="https://github.com/github/codeql-action/commit/7740f2fb21add1d46278215acea47540db22f022"><code>7740f2f</code></a> Update changelog for v4.36.0</li>
<li><a href="https://github.com/github/codeql-action/commit/ebc2d9e2bc247eec51bee8d4df806c4030eb0761"><code>ebc2d9e</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3926">#3926</a> from github/update-bundle/codeql-bundle-v2.25.5</li>
<li><a href="https://github.com/github/codeql-action/commit/d1f74b777c95c777bf4f42ce4b250bc916e745c7"><code>d1f74b7</code></a> Add changelog note</li>
<li><a href="https://github.com/github/codeql-action/commit/2dc40cec39bdc63d3561d74fa6100cebb0418ff4"><code>2dc40ce</code></a> Update default bundle to codeql-bundle-v2.25.5</li>
<li><a href="https://github.com/github/codeql-action/commit/84498526a009a99c875e83ef4821a8ba52de7c22"><code>8449852</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3910">#3910</a> from github/henrymercer/repo-size-diff-check</li>
<li><a href="https://github.com/github/codeql-action/commit/72ac23c6d16b29fbe801e87e3439941558c53094"><code>72ac23c</code></a> Update excluded required check list</li>
<li><a href="https://github.com/github/codeql-action/commit/c5297a28a2c3e6a8062041b58858bd7117cebe37"><code>c5297a2</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3919">#3919</a> from github/henrymercer/workflow-concurrency</li>
<li><a href="https://github.com/github/codeql-action/commit/8ffeae7d05bc1b914a009d197e64e4f5c9e14503"><code>8ffeae7</code></a> CI: Automatically cancel non-generated workflows</li>
<li><a href="https://github.com/github/codeql-action/commit/f3f52bf568dc44a1069faafa538caa6b1fec40c9"><code>f3f52bf</code></a> Revert <code>getErrorMessage</code> import</li>
<li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/95e58e9a2cdfd71adc6e0353d5c52f41a045d225...7211b7c8077ea37d8641b6271f6a365a22a5fbfa">compare view</a></li>
</ul>
</details>
<br />

Updates `actions/stale` from 10.2.0 to 10.3.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/actions/stale/releases">actions/stale's releases</a>.</em></p>
<blockquote>
<h2>v10.3.0</h2>
<h2>What's Changed</h2>
<h3>Bug Fix</h3>
<ul>
<li>Enhancement: ignore stale labeling events by <a href="https://github.com/shamoon"><code>@​shamoon</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1311">actions/stale#1311</a></li>
</ul>
<h3>Dependency Updates</h3>
<ul>
<li>Upgrade dependencies (<code>@​actions/core</code>, <code>@​octokit/plugin-retry</code>, <a href="https://github.com/typescript-eslint"><code>@​typescript-eslint</code></a>) by <a href="https://github.com/Copilot"><code>@​Copilot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1335">actions/stale#1335</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/shamoon"><code>@​shamoon</code></a> made their first contribution in <a href="https://redirect.github.com/actions/stale/pull/1311">actions/stale#1311</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/actions/stale/compare/v10...v10.3.0">https://github.com/actions/stale/compare/v10...v10.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/actions/stale/commit/eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899"><code>eb5cf3a</code></a> chore: upgrade dependencies and bump version to 10.3.0 (<a href="https://redirect.github.com/actions/stale/issues/1335">#1335</a>)</li>
<li><a href="https://github.com/actions/stale/commit/db5d06a4c82d5e94513c09c406638111df61f63e"><code>db5d06a</code></a> Enhancement: ignore stale labeling events (<a href="https://redirect.github.com/actions/stale/issues/1311">#1311</a>)</li>
<li>See full diff in <a href="https://github.com/actions/stale/compare/b5d41d4e1d5dceea10e7104786b73624c18a190f...eb5cf3af3ac0a1aa4c9c45633dd1ae542a27a899">compare view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions

</details>

Closes #29699.
PiperOrigin-RevId: 926183737
Change-Id: I76eeb08fe178adacffb381692eb4178bcda1b291
Files:
  • M .github/workflows/cherry-picker.yml
  • M .github/workflows/community-review-labeler.yml
  • M .github/workflows/labeler.yml
  • M .github/workflows/release-helper.yml
  • M .github/workflows/remove-labels.yml
  • M .github/workflows/scorecard.yml
  • M .github/workflows/stale.yml
Change size: S
Delta: 7 files changed, 16 insertions(+), 16 deletions(-)
Branch: refs/heads/master
Open in Gerrit
Gerrit-MessageType: merged