Update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
actions/download-artifact	action	major	v7 → v8
actions/upload-artifact	action	major	v6 → v7
azure/login	action	major	v2 → v3
ctrf-io/github-test-reporter	action	patch	v1.0.26 → v1.0.28
dawidd6/action-send-mail	action	major	v7 → v16
docker/build-push-action	action	major	v6 → v7
docker/setup-buildx-action	action	major	v3 → v4
docker/setup-qemu-action	action	major	v3 → v4
suzuki-shunsuke/github-action-renovate-config-validator	action	major	v1.1.1 → v2.1.0
trufflesecurity/trufflehog	action	minor	v3.92.4 → v3.95.2

---

Release Notes

actions/download-artifact (actions/download-artifact)

v8.0.1

Compare Source

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in #​471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in #​472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

Compare Source

v8 - What's new

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to false.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @​actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in #​460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in #​461

Full Changelog: actions/download-artifact@v7...v8.0.0

v8

Compare Source

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

• Update the readme with direct upload details by @​danwkennedy in #​795
• Readme: bump all the example versions to v7 by @​danwkennedy in #​796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in #​797

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in #​754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in #​762
• Support direct file uploads by @​danwkennedy in #​764

New Contributors

• @​Link- made their first contribution in #​754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

azure/login (azure/login)

v3: Azure Login Action v3

Compare Source

What's Changed

• upgrade nodejs from 20 to 24 and update dependencies by @​YanaXu in Azure#578

Full Changelog: Azure/login@v2.3.0...v3

v3.0.0: Azure Login Action v3.0.0

Compare Source

What's Changed

• Upgrade nodejs from 20 to 24 and update dependencies by @​YanaXu in Azure#578

Full Changelog: Azure/login@v2.3.0...v3.0.0

v2.3.0: Azure Login Action v2.3.0

Compare Source

What's Changed

• Replace the invalid link for the GitHub Action Doc by @​MoChilia in Azure#510
• Bump braces from 3.0.2 to 3.0.3 by @​YanaXu in Azure#511
• Mention "allow-no-subscriptions" in missing subscriptionId error by @​MoChilia in Azure#512
• Log more claims for OIDC login by @​MoChilia in Azure#520
• Use --client-id for user-assigned managed identity authentication in Azure CLI v2.69.0 or later. by @​MoChilia in Azure#514

Full Changelog: Azure/login@v2.2.0...v2.3.0

v2.2.0: Azure Login Action v2.2.0

Compare Source

What's Changed

• Replace az --version with az version by @​MoChilia in Azure#450
• Update documentation for setting audience when environment is set by @​jcantosz in Azure#455
• Fix #​459: Errors when registering cloud profile for AzureStack by @​MoChilia in Azure#466
• Fix typo by @​KronosTheLate in Azure#483
• move pre cleanup to main and add pre-if and post-if by @​YanaXu in Azure#484

New Contributors

• @​jcantosz made their first contribution in Azure#455
• @​KronosTheLate made their first contribution in Azure#483

Full Changelog: Azure/login@v2.1.1...v2.2.0

v2.1.1

Compare Source

What's Changed

• Disable information output in Connect-AzAccount by @​YanaXu in Azure#448

New Contributors

• @​jiasli made their first contribution in Azure#438
• @​isra-fel made their first contribution in Azure#446

Full Changelog: Azure/login@v2.1.0...v2.1.1

v2.1.0: Azure Login Action v2.1.0

Compare Source

What's Changed

• Use @vercel/ncc to compile Azure/login by @​MoChilia in Azure#428

Full Changelog: Azure/login@v2.0.0...v2.1.0

ctrf-io/github-test-reporter (ctrf-io/github-test-reporter)

v1.0.28

Compare Source

What's Changed

• fix: remove ±0 delta indicators from report templates by @​alexshamrai in #​274

Full Changelog: ctrf-io/github-test-reporter@v1.0.27...v1.0.28

v1.0.27

Compare Source

What's Changed

• if prev reports exist show delta summary by @​Ma11hewThomas in #​240
• add delta to github report by @​Ma11hewThomas in #​241
• normalize suite by @​Ma11hewThomas in #​242
• Add commit hash by @​Ma11hewThomas in #​244
• Report added removed tests by @​Ma11hewThomas in #​245
• Upgrade node to 24 by @​alexshamrai in #​257

New Contributors

• @​alexshamrai made their first contribution in #​257

Full Changelog: ctrf-io/github-test-reporter@v1.0.26...v1.0.27

dawidd6/action-send-mail (dawidd6/action-send-mail)

v16

Compare Source

What's Changed

• Relax from check by @​felfert in #​277

Full Changelog: dawidd6/action-send-mail@v15...v16

v15

Compare Source

What's Changed

• build(deps): bump undici from 6.23.0 to 6.24.1 by @​dependabot[bot] in #​275
• node_modules: update by @​dawidd6 in #​276

Full Changelog: dawidd6/action-send-mail@v14...v15

v14

Compare Source

What's Changed

• Fix 234 by @​felfert in #​271

Full Changelog: dawidd6/action-send-mail@v13...v14

v13

Compare Source

What's Changed

• Upgrade to node24 by @​felfert in #​273

Full Changelog: dawidd6/action-send-mail@v12...v13

v12

Compare Source

Possible Breaking Change

from input now needs to be in one of those forms:

• Plain Simple Name <user@example.com>
• user@example.com

What's Changed

• build(deps): bump minimatch from 3.1.3 to 3.1.5 by @​dependabot[bot] in #​265
• Misc. fixes by @​felfert in #​267
• build(deps): bump nodemailer from 8.0.1 to 8.0.2 by @​dependabot[bot] in #​269
• node_modules: update by @​dawidd6 in #​270

New Contributors

• @​felfert made their first contribution in #​267

Full Changelog: dawidd6/action-send-mail@v11...v12

v11

Compare Source

What's Changed

• Add support for custom email headers via JSON input by @​KaSpiros in #​264

New Contributors

• @​KaSpiros made their first contribution in #​264

Full Changelog: dawidd6/action-send-mail@v10...v11

v10

Compare Source

What's Changed

• build(deps): bump nodemailer from 8.0.0 to 8.0.1 by @​dependabot[bot] in #​260
• node_modules: update by @​dawidd6 in #​261
• build(deps): bump minimatch from 3.1.2 to 3.1.3 by @​dependabot[bot] in #​262
• node_modules: update by @​dawidd6 in #​263

Full Changelog: dawidd6/action-send-mail@v9...v10

v9

Compare Source

What's Changed

• build(deps): bump nodemailer from 7.0.13 to 8.0.0 by @​dependabot[bot] in #​258
• node_modules: update by @​dawidd6 in #​259

Full Changelog: dawidd6/action-send-mail@v8...v9

v8

Compare Source

What's Changed

• build(deps): bump @​actions/core from 2.0.1 to 2.0.2 by @​dependabot[bot] in #​247
• node_modules: update by @​dawidd6 in #​248
• build(deps): bump @​actions/core from 2.0.2 to 2.0.3 by @​dependabot[bot] in #​251
• build(deps): bump @​actions/glob from 0.5.0 to 0.5.1 by @​dependabot[bot] in #​249
• build(deps): bump nodemailer from 7.0.12 to 7.0.13 by @​dependabot[bot] in #​250
• build(deps): bump @​actions/glob from 0.5.1 to 0.6.1 by @​dependabot[bot] in #​253
• build(deps): bump @​actions/core from 2.0.3 to 3.0.0 by @​dependabot[bot] in #​252
• Convert CommonJS to ESM by @​Copilot in #​255
• Run npm ci --ignore-scripts to update dependencies by @​Copilot in #​254

New Contributors

• @​Copilot made their first contribution in #​255

Full Changelog: dawidd6/action-send-mail@v7...v8

docker/build-push-action (docker/build-push-action)

v7.1.0

Compare Source

• Git context query format support by @​crazy-max in #​1505
• Bump @​docker/actions-toolkit from 0.79.0 to 0.87.0 by @​crazy-max in #​1505
• Bump brace-expansion from 1.1.12 to 1.1.13 in #​1500
• Bump fast-xml-parser from 5.4.2 to 5.5.7 in #​1489
• Bump flatted from 3.3.3 to 3.4.2 in #​1491
• Bump glob from 10.3.12 to 10.5.0 in #​1490
• Bump handlebars from 4.7.8 to 4.7.9 in #​1497
• Bump lodash from 4.17.23 to 4.18.1 in #​1510
• Bump picomatch from 4.0.3 to 4.0.4 in #​1496
• Bump undici from 6.23.0 to 6.24.1 in #​1486
• Bump vite from 7.3.1 to 7.3.2 in #​1509

Full Changelog: docker/build-push-action@v7.0.0...v7.1.0

v7.0.0

Compare Source

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in #​1470
• Remove deprecated DOCKER_BUILD_NO_SUMMARY and DOCKER_BUILD_EXPORT_RETENTION_DAYS envs by @​crazy-max in #​1473
• Remove legacy export-build tool support for build summary by @​crazy-max in #​1474
• Switch to ESM and update config/test wiring by @​crazy-max in #​1466
• Bump @​actions/core from 1.11.1 to 3.0.0 in #​1454
• Bump @​docker/actions-toolkit from 0.62.1 to 0.79.0 in #​1453 #​1472 #​1479
• Bump minimatch from 3.1.2 to 3.1.5 in #​1463

Full Changelog: docker/build-push-action@v6.19.2...v7.0.0

v7

Compare Source

v6.19.2

Compare Source

• Preserve port in GIT_AUTH_TOKEN host by @​crazy-max in #​1458

Full Changelog: docker/build-push-action@v6.19.1...v6.19.2

v6.19.1

Compare Source

• Derive GIT_AUTH_TOKEN host from GitHub server URL by @​crazy-max in #​1456

Full Changelog: docker/build-push-action@v6.19.0...v6.19.1

v6.19.0

Compare Source

• Scope default git auth token to github.com by @​crazy-max in #​1451
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​1396
• Bump form-data from 2.5.1 to 2.5.5 in #​1391
• Bump js-yaml from 3.14.1 to 3.14.2 in #​1429
• Bump lodash from 4.17.21 to 4.17.23 in #​1446
• Bump tmp from 0.2.3 to 0.2.4 in #​1398
• Bump undici from 5.28.4 to 5.29.0 in #​1397

Full Changelog: docker/build-push-action@v6.18.0...v6.19.0

v6.18.0

Compare Source

• Bump @​docker/actions-toolkit from 0.61.0 to 0.62.1 in #​1381

[!NOTE]
Build summary is now supported with Docker Build Cloud.

Full Changelog: docker/build-push-action@v6.17.0...v6.18.0

v6.17.0

Compare Source

• Bump @​docker/actions-toolkit from 0.59.0 to 0.61.0 by @​crazy-max in #​1364

[!NOTE]
Build record is now exported using the buildx history export command instead of the legacy export-build tool.

Full Changelog: docker/build-push-action@v6.16.0...v6.17.0

v6.16.0

Compare Source

• Handle no default attestations env var by @​crazy-max in #​1343
• Only print secret keys in build summary output by @​crazy-max in #​1353
• Bump @​docker/actions-toolkit from 0.56.0 to 0.59.0 in #​1352

Full Changelog: docker/build-push-action@v6.15.0...v6.16.0

v6.15.0

Compare Source

• Bump @​docker/actions-toolkit from 0.55.0 to 0.56.0 in #​1330

Full Changelog: docker/build-push-action@v6.14.0...v6.15.0

v6.14.0

Compare Source

• Bump @​docker/actions-toolkit from 0.53.0 to 0.55.0 in #​1324

Full Changelog: docker/build-push-action@v6.13.0...v6.14.0

v6.13.0

Compare Source

• Bump @​docker/actions-toolkit from 0.51.0 to 0.53.0 in #​1308

Full Changelog: docker/build-push-action@v6.12.0...v6.13.0

v6.12.0

Compare Source

• Bump @​docker/actions-toolkit from 0.49.0 to 0.51.0 in #​1300

Full Changelog: docker/build-push-action@v6.11.0...v6.12.0

v6.11.0

Compare Source

• Handlebar defaultContext support for build-contexts input by @​crazy-max in #​1283
• Bump @​docker/actions-toolkit from 0.46.0 to 0.49.0 in #​1281

Full Changelog: docker/build-push-action@v6.10.0...v6.11.0

v6.10.0

Compare Source

• Add call input to set method for evaluating build by @​crazy-max in #​1265
• Bump @​actions/core from 1.10.1 to 1.11.1 in #​1238
• Bump @​docker/actions-toolkit from 0.39.0 to 0.46.0 in #​1268
• Bump cross-spawn from 7.0.3 to 7.0.6 in #​1261

Full Changelog: docker/build-push-action@v6.9.0...v6.10.0

v6.9.0

Compare Source

• Bump @​docker/actions-toolkit from 0.38.0 to 0.39.0 in #​1234
• Bump path-to-regexp from 6.2.2 to 6.3.0 in #​1232

Full Changelog: docker/build-push-action@v6.8.0...v6.9.0

v6.8.0

Compare Source

• Bump @​docker/actions-toolkit from 0.37.1 to 0.38.0 in #​1230

Full Changelog: docker/build-push-action@v6.7.0...v6.8.0

v6.7.0

Compare Source

• Print info message for build summary support checks by @​crazy-max in #​1211

Full Changelog: docker/build-push-action@v6.6.1...v6.7.0

v6.6.1

Compare Source

• Bump @​docker/actions-toolkit from 0.37.0 to 0.37.1 in #​1205

Full Changelog: docker/build-push-action@v6.6.0...v6.6.1

v6.6.0

Compare Source

• Generate GitHub annotations for build checks by @​crazy-max in #​1197
• Bump @​docker/actions-toolkit from 0.35.0 to 0.37.0 in #​1196 #​1198

Full Changelog: docker/build-push-action@v6.5.0...v6.6.0

v6.5.0

Compare Source

• Bump @​docker/actions-toolkit from 0.33.0 to 0.35.0 in #​1186 #​1191

Full Changelog: docker/build-push-action@v6.4.1...v6.5.0

v6.4.1

Compare Source

• revert "Set repository and ghtoken attributes for GitHub Actions cache backend" by @​crazy-max in #​1183

Full Changelog: docker/build-push-action@v6.4.0...v6.4.1

v6.4.0

Compare Source

• Set repository and ghtoken attributes for GitHub Actions cache backend by @​crazy-max in #​1133
• Bump @​docker/actions-toolkit from 0.31.0 to 0.33.0 in #​1179

Full Changelog: docker/build-push-action@v6.3.0...v6.4.0

v6.3.0

Compare Source

• DOCKER_BUILD_RECORD_UPLOAD environment variable to enable/disable build record upload by @​crazy-max in #​1172
• DOCKER_BUILD_NO_SUMMARY has been deprecated. Set DOCKER_BUILD_SUMMARY to false instead by @​crazy-max in #​1170 #​1173
• Bump @​docker/actions-toolkit from 0.28.0 to 0.31.0 in #​1171 #​1159 #​1169

Full Changelog: docker/build-push-action@v6.2.0...v6.3.0

v6.2.0

Compare Source

• Use default retention days for build export artifact by @​crazy-max in #​1153
• Bump @​docker/actions-toolkit from 0.27.0 to 0.28.0 in #​1158

Full Changelog: docker/build-push-action@v6.1.0...v6.2.0

v6.1.0

Compare Source

• Bump @​docker/actions-toolkit from 0.26.2 to 0.27.0 in #​1149

Full Changelog: docker/build-push-action@v6.0.2...v6.1.0

v6.0.2

Compare Source

• Bump @​docker/actions-toolkit from 0.26.1 to 0.26.2 in #​1147

Full Changelog: docker/build-push-action@v6.0.1...v6.0.2

v6.0.1

Compare Source

• Bump @​docker/actions-toolkit from 0.26.0 to 0.26.1 in #​1142

Full Changelog: docker/build-push-action@v6.0.0...v6.0.1

docker/setup-buildx-action (docker/setup-buildx-action)

v4

Compare Source

v4.0.0

Compare Source

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in #​483
• Remove deprecated inputs/outputs by @​crazy-max in #​464
• Switch to ESM and update config/test wiring by @​crazy-max in #​481
• Bump @​actions/core from 1.11.1 to 3.0.0 in #​475
• Bump @​docker/actions-toolkit from 0.63.0 to 0.79.0 in #​482 #​485
• Bump js-yaml from 4.1.0 to 4.1.1 in #​452
• Bump lodash from 4.17.21 to 4.17.23 in #​472
• Bump minimatch from 3.1.2 to 3.1.5 in #​480

Full Changelog: docker/setup-buildx-action@v3.12.0...v4.0.0

v3.12.0

Compare Source

• Deprecate install input by @​crazy-max in #​455
• Bump @​docker/actions-toolkit from 0.62.1 to 0.63.0 in #​434
• Bump brace-expansion from 1.1.11 to 1.1.12 in #​436
• Bump form-data from 2.5.1 to 2.5.5 in #​432
• Bump undici from 5.28.4 to 5.29.0 in #​435

Full Changelog: docker/setup-buildx-action@v3.11.1...v3.12.0

v3.11.1

Compare Source

• Fix keep-state not being respected by @​crazy-max in #​429

Full Changelog: docker/setup-buildx-action@v3.11.0...v3.11.1

v3.11.0

Compare Source

• Keep BuildKit state support by @​crazy-max in #​427
• Remove aliases created when installing by default by @​hashhar in #​139
• Bump @​docker/actions-toolkit from 0.56.0 to 0.62.1 in #​422 #​425

Full Changelog: docker/setup-buildx-action@v3.10.0...v3.11.0

v3.10.0

Compare Source

• Bump @​docker/actions-toolkit from 0.54.0 to 0.56.0 in #​408

Full Changelog: docker/setup-buildx-action@v3.9.0...v3.10.0

v3.9.0

Compare Source

• Bump @​docker/actions-toolkit from 0.48.0 to 0.54.0 in #​402 #​404

Full Changelog: docker/setup-buildx-action@v3.8.0...v3.9.0

v3.8.0

Compare Source

• Make cloud prefix optional to download buildx if driver is cloud by @​crazy-max in #​390
• Bump @​actions/core from 1.10.1 to 1.11.1 in #​370
• Bump @​docker/actions-toolkit from 0.39.0 to 0.48.0 in #​389
• Bump cross-spawn from 7.0.3 to 7.0.6 in #​382

Full Changelog: docker/setup-buildx-action@v3.7.1...v3.8.0

v3.7.1

Compare Source

• Switch back to uuid package by @​crazy-max in #​369

Full Changelog: docker/setup-buildx-action@v3.7.0...v3.7.1

v3.7.0

Compare Source

• Always set buildkitd-flags if opt-in by @​crazy-max in #​363
• Remove uuid package and switch to crypto by @​crazy-max in #​366
• Bump @​docker/actions-toolkit from 0.35.0 to 0.39.0 in #​362
• Bump path-to-regexp from 6.2.2 to 6.3.0 in #​354

Full Changelog: docker/setup-buildx-action@v3.6.1...v3.7.0

v3.6.1

Compare Source

• Check for malformed docker context by @​crazy-max in #​347

Full Changelog: docker/setup-buildx-action@v3.6.0...v3.6.1

v3.6.0

Compare Source

• Create temp docker context if default one has TLS data loaded before creating a container builder by @​crazy-max in #​341

Full Changelog: docker/setup-buildx-action@v3.5.0...v3.6.0

v3.5.0

Compare Source

• Bump @​docker/actions-toolkit from 0.31.0 to 0.35.0 in #​340 #​344 #​345

Full Changelog: docker/setup-buildx-action@v3.4.0...v3.5.0

v3.4.0

Compare Source

• Throw error message instead of exit code by @​crazy-max in #​315
• Bump @​docker/actions-toolkit from 0.20.0 to 0.31.0 in #​321 #​338
• Bump braces from 3.0.2 to 3.0.3 in #​329
• Bump undici from 5.28.3 to 5.28.4 in #​312
• Bump uuid from 9.0.1 to 10.0.0 in #​326

Full Changelog: docker/setup-buildx-action@v3.3.0...v3.4.0

v3.3.0

Compare Source

• Bump @​docker/actions-toolkit from 0.19.0 to 0.20.0 by @​crazy-max in #​307

Full Changelog: docker/setup-buildx-action@v3.2.0...v3.3.0

v3.2.0

Compare Source

• Rename and align config inputs by @​crazy-max in #​303
  • config to buildkitd-config
  • config-inline to buildkitd-config-inline
• Bump @​docker/actions-toolkit from 0.17.0 to 0.19.0 in #​302 #​306

[!NOTE]
config and config-inline input names are deprecated and will be removed in next major release.

Full Changelog: docker/setup-buildx-action@v3.1.0...v3.2.0

v3.1.0

Compare Source

• cache-binary input to enable/disable caching binary to GHA cache backend by @​crazy-max in #​300
• build(deps): bump @​babel/traverse from 7.17.3 to 7.23.2 in #​282
• build(deps): bump @​docker/actions-toolkit from 0.12.0 to 0.17.0 in #​281 #​284 #​299
• build(deps): bump uuid from 9.0.0 to 9.0.1 in #​271
• build(deps): bump undici from 5.26.3 to 5.28.3 in #​297

Full Changelog: docker/setup-buildx-action@v3.0.0...v3.1.0

docker/setup-qemu-action (docker/setup-qemu-action)

v4

Compare Source

v4.0.0

Compare Source

• Node 24 as default runtime (requires Actions Runner v2.327.1 or later) by @​crazy-max in #​245
• Switch to ESM and update config/test wiring by @​crazy-max in #​241
• Bump @​actions/core from 1.11.1 to 3.0.0 in #​244
• Bump @​docker/actions-toolkit from 0.67.0 to 0.77.0 in #​243
• Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1 in #​240
• Bump js-yaml from 3.14.1 to 3.14.2 in #​231
• Bump lodash from 4.17.21 to 4.17.23 in [#​238](https://re

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

This change is 

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/dawidd6/action-send-mail	d38f3f7cd391cdebfe0d38efc3998b935e951c4f	🟢 4.2	Details Check Score Reason Code-Review 🟢 4 Found 5/11 approved changesets -- score normalized to 4 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 28 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
actions/trufflesecurity/trufflehog	17456f8c7d042d8c82c9a8ca9e937231f9f42e26	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 9 binaries present in source code License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Signed-Releases 🟢 8 4 out of the last 4 releases have a total of 4 signed artifacts. Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Packaging 🟢 10 packaging workflow detected SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/shared-secret-scan.yml