Bump svenstaro/upload-release-action from 2.11.4 to 2.11.5 #428
dependabot[bot] wants to merge 1 commit into main from
Bumps [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) from 2.11.4 to 2.11.5.
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](svenstaro/upload-release-action@b98a3b1...29e53e9)

---
updated-dependencies:
- dependency-name: svenstaro/upload-release-action
  dependency-version: 2.11.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
| - name: Upload files to release | ||
| if: ${{ github.event_name == 'workflow_dispatch' && inputs.publish }} | ||
| uses: svenstaro/upload-release-action@b98a3b12e86552593f3e4e577ca8a62aa2f3f22b # v2 | ||
| uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2 |
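Review bot: The trailing comment on the new `uses:` line still reads `# v2`, the same as on the line it replaces, so the only thing that distinguishes 2.11.4 from 2.11.5 in the workflow is the 40-character SHA. Consider recording the exact release in the comment, for example `uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # v2.11.5`, so a reviewer can check the pin against the upstream tag. The new SHA does begin with `29e53e9`, the end of the compare range named in the commit message. The upstream commit list for this range also includes "Update actions to Node.js 24" and an ESM migration, so confirm that the runner for this publish step supports that runtime before merging.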
❗Cycode: Insecure CI/CD pipeline configuration issue: 'GitHub workflows use uncertified CI/CD modules'.
Severity: Medium
Description
Enable this policy to be notified if your CI/CD workflows use reusable modules that are not certified by the service provider or created by a verified partner.
Cycode Remediation Guideline
Restrict - Do not allow the use of uncertified modules in this workflow, or in any workflow of this repository. After this action has been applied, the workflow cannot run anymore, and new uncertified modules cannot be used.
To do this, click on "Take Action".
Accept and Control - Map out the different modules that are used by workflows and evaluate their risk by examining their creator credibility, usage context, version etc.
To do this, use Cycode Knowledge Graph.
Avoid - Disable GitHub actions completely for this repository.
To do this from Cycode, enable the policy Excessive repository permissions for using GitHub actions and “Take Action” on its detected violations.
Tell us how you wish to proceed using one of the following commands:
| Tag | Short Description |
|---|---|
| #cycode_ignore_insecure_pipeline_violation_everywhere <reason> | Applies to this resource for this violation for all requests in your repository |
| #cycode_ignore_insecure_pipeline_violation_here <reason> | Applies to this resource for this violation in this request only |
Bumps svenstaro/upload-release-action from 2.11.4 to 2.11.5.
Release notes
Sourced from svenstaro/upload-release-action's releases.
Commits
- 29e53e9 2.11.5
- e701a60 Update actions to Node.js 24
- f0ad2b8 Migrate to ESM and bump GitHub Actions toolkit to latest
- 0c75bf0 Revert "Bump GitHub Actions toolkit dependencies to latest major versions"
- 980b6b1 Bump GitHub Actions toolkit dependencies to latest major versions

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)