chore(deps): bump the actions group with 4 updates

[dependabot]

Bumps the actions group with 4 updates: step-security/harden-runner, chainguard-dev/setup-chainctl, octo-sts/action and chainguard-dev/actions.

Updates step-security/harden-runner from 2.13.0 to 2.14.1

Release notes

Sourced from step-security/harden-runner's releases.

v2.14.1

What's Changed

1. In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.

2. Fixed npm audit vulnerabilities

Full Changelog: step-security/harden-runner@v2.14.0...v2.14.1

v2.14.0

What's Changed

• Selective installation: Harden-Runner now skips installation on GitHub-hosted runners when the repository has a custom property skip_harden_runner, allowing organizations to opt out specific repos.
• Avoid double install: The action no longer installs Harden-Runner if it’s already present on a GitHub-hosted runner, which could happen when a composite action also installs it.

Full Changelog: step-security/harden-runner@v2.13.3...v2.14.0

v2.13.3

What's Changed

• Fixed an issue where process events were not uploaded in certain edge cases.

Full Changelog: step-security/harden-runner@v2.13.2...v2.13.3

v2.13.2

What's Changed

• Fixed an issue where there was a limit of 512 allowed endpoints when using block egress policy. This restriction has been removed, allowing for an unlimited number of endpoints to be configured.
• Harden Runner now automatically detects if the agent is already pre-installed on a custom VM image used by a GitHub-hosted runner. When detected, the action will skip reinstallation and use the existing agent.

Full Changelog: step-security/harden-runner@v2.13.1...v2.13.2

v2.13.1

What's Changed

• Graceful handling of HTTP errors: Improved error handling when fetching Harden Runner policies from the StepSecurity Policy Store API, ensuring more reliable execution even in case of temporary network/API issues.

• Security updates for npm dependencies: Updated vulnerable npm package dependencies to the latest secure versions.

• Faster enterprise agent downloads: The enterprise agent is now downloaded from GitHub Releases instead of packages.stepsecurity.io, improving download speed and reliability.

Full Changelog: step-security/harden-runner@v2.13.0...v2.13.1

Commits

• e3f713f Merge pull request #631 from step-security/rc-31
• 423acdd chore: fix npm audit vulnerabilities
• 0ddb86c update agent
• 20cf305 Merge pull request #622 from step-security/feature/custom-property-skip
• c51e8ee feat: skip agent install and post step on subsequent runs for GitHub-hosted r...
• e152b90 feat: skip harden-runner based on repository custom property
• ee1faec feat: replace skip-harden-runner with skip-on-custom-property input
• 1dc7c17 feat: add skip-harden-runner input to conditionally skip execution
• df199fb Merge pull request #620 from step-security/rc-29
• 03d096a update agent
• Additional commits viewable in compare view

Updates chainguard-dev/setup-chainctl from 0.3.2 to 0.5.0

Release notes

Sourced from chainguard-dev/setup-chainctl's releases.

v0.5.0

What's Changed

• fix apk.cgr.dev replacement by @​wlynch in chainguard-dev/setup-chainctl#30
• Bump step-security/harden-runner from 2.13.0 to 2.13.1 in the actions group by @​dependabot[bot] in chainguard-dev/setup-chainctl#31
• Bump step-security/harden-runner from 2.13.1 to 2.13.2 in the actions group by @​dependabot[bot] in chainguard-dev/setup-chainctl#33
• Bump actions/checkout from 5.0.0 to 5.0.1 in the actions group by @​dependabot[bot] in chainguard-dev/setup-chainctl#34
• Bump actions/checkout from 5.0.1 to 6.0.0 by @​dependabot[bot] in chainguard-dev/setup-chainctl#35
• ci: explicitly set permissions by @​imjasonh in chainguard-dev/setup-chainctl#37
• [StepSecurity] Apply security best practices by @​stepsecurity-app[bot] in chainguard-dev/setup-chainctl#39
• add CI test that exercises auth by @​imjasonh in chainguard-dev/setup-chainctl#38
• optionally install pip keyring by @​imjasonh in chainguard-dev/setup-chainctl#36
• [StepSecurity] Apply security best practices by @​stepsecurity-app[bot] in chainguard-dev/setup-chainctl#40
• check for string true rather than existence in setup-python-keyring by @​steven-rand in chainguard-dev/setup-chainctl#41
• Bump the actions group with 2 updates by @​dependabot[bot] in chainguard-dev/setup-chainctl#42
• Bump step-security/harden-runner from 2.13.3 to 2.14.0 in the actions group by @​dependabot[bot] in chainguard-dev/setup-chainctl#43

New Contributors

• @​steven-rand made their first contribution in chainguard-dev/setup-chainctl#41

Full Changelog: chainguard-dev/setup-chainctl@v0.4.0...v0.5.0

v0.4.0

What's Changed

• Bump step-security/harden-runner from 2.12.1 to 2.12.2 in the actions group by @​dependabot[bot] in chainguard-dev/setup-chainctl#24
• Bump step-security/harden-runner from 2.12.2 to 2.13.0 in the actions group by @​dependabot[bot] in chainguard-dev/setup-chainctl#25
• Bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] in chainguard-dev/setup-chainctl#27
• Add apk-host variable by @​wlynch in chainguard-dev/setup-chainctl#29
• Add log grouping + error annotations by @​wlynch in chainguard-dev/setup-chainctl#28

New Contributors

• @​wlynch made their first contribution in chainguard-dev/setup-chainctl#29

Full Changelog: chainguard-dev/setup-chainctl@v0.3.2...v0.4.0

Commits

• c125f76 Bump step-security/harden-runner from 2.13.3 to 2.14.0 in the actions group (...
• c30231f Bump the actions group with 2 updates (#42)
• 1b9100b check for string true rather than existence in setup-python-keyring (#41)
• f2fe096 [StepSecurity] Apply security best practices (#40)
• 115da07 optionally install pip keyring (#36)
• a93b3f9 add CI test that exercises auth (#38)
• de77f6f [StepSecurity] Apply security best practices (#39)
• 67a753d ci: explicitly set permissions (#37)
• 461e155 Bump actions/checkout from 5.0.1 to 6.0.0 (#35)
• 59d6eb8 Bump actions/checkout from 5.0.0 to 5.0.1 in the actions group (#34)
• Additional commits viewable in compare view

Updates octo-sts/action from 1.0.0 to 1.1.1

Release notes

Sourced from octo-sts/action's releases.

v1.1.1

What's Changed

• Include response body in fetch error output. by @​wlynch in octo-sts/action#41

Full Changelog: octo-sts/action@v1.1.0...v1.1.1

v1.1.0

What's Changed

• Add logging for JWT claims for debugging. by @​wlynch in octo-sts/action#40

Full Changelog: octo-sts/action@v1.0.3...v1.1.0

v1.0.3

What's Changed

• bump node to v24 by @​cpanato in octo-sts/action#38
• Log URL in thrown fetchWithRetry error by @​wlynch in octo-sts/action#39

Full Changelog: octo-sts/action@v1.0.2...v1.0.3

v1.0.2

What's Changed

• Don't try to parse response as JSON if it is an error. by @​wlynch in octo-sts/action#37

New Contributors

• @​wlynch made their first contribution in octo-sts/action#37

Full Changelog: octo-sts/action@v1.0.1...v1.0.2

v1.0.1

What's Changed

• Add Accept header for github revoke token by @​cpanato in octo-sts/action#13
• Update trust policy, workflow and README by @​mattmoor in octo-sts/action#15
• add presubmit test by @​imjasonh in octo-sts/action#18
• fix presubmit test by @​imjasonh in octo-sts/action#19
• use PR source for action by @​imjasonh in octo-sts/action#20
• presubmit: checkout PR ref by @​imjasonh in octo-sts/action#21
• add backoff and retry to fetches by @​imjasonh in octo-sts/action#17
• This logs the SHA256 of the issued token. by @​mattmoor in octo-sts/action#12
• Allow the action to customize the domain. by @​mattmoor in octo-sts/action#28
• chore: add jitter to retries by @​meysam81 in octo-sts/action#23
• update job to use git hash in actions by @​cpanato in octo-sts/action#35
• add scopes parameter by @​cpanato in octo-sts/action#34

New Contributors

• @​cpanato made their first contribution in octo-sts/action#13
• @​meysam81 made their first contribution in octo-sts/action#23

... (truncated)

Commits

• f603d3b Include response body in fetch error output. (#41)
• 8d6ac62 Add logging for JWT claims for debugging. (#40)
• d6c70ad Log URL in thrown fetchWithRetry error (#39)
• 3d59800 bump node to v24 (#38)
• a26b0c6 Don't try to parse response as JSON if it is an error. (#37)
• e480437 add scopes parameter (#34)
• bc99912 update job to use git hash in actions (#35)
• 210248e chore: add jitter to retries (#23)
• 43a7677 Allow the action to customize the domain. (#28)
• 3622e4d This logs the SHA256 of the issued token. (#12)
• Additional commits viewable in compare view

Updates chainguard-dev/actions from 1.4.8 to 1.5.13

Release notes

Sourced from chainguard-dev/actions's releases.

v1.5.13

What's Changed

• Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /melange-build by @​dependabot[bot] in chainguard-dev/actions#697
• Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /wolfi-build-pkg by @​dependabot[bot] in chainguard-dev/actions#698
• Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /inky-build-pkg by @​dependabot[bot] in chainguard-dev/actions#696
• Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /gofmt by @​dependabot[bot] in chainguard-dev/actions#694
• Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /goimports by @​dependabot[bot] in chainguard-dev/actions#695
• Bump chainguard-dev/actions from 1.5.11 to 1.5.12 by @​dependabot[bot] in chainguard-dev/actions#693
• bump kind and k8s node versions by @​dprotaso in chainguard-dev/actions#699
• Revert "[StepSecurity] Apply security best practices" by @​cpanato in chainguard-dev/actions#700
• Bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] in chainguard-dev/actions#701

Full Changelog: chainguard-dev/actions@v1.5.12...v1.5.13

v1.5.12

What's Changed

• Bump chainguard-dev/actions from 1.5.9 to 1.5.10 in /melange-build by @​dependabot[bot] in chainguard-dev/actions#667
• Bump chainguard-dev/actions from 1.5.9 to 1.5.10 in /wolfi-build-pkg by @​dependabot[bot] in chainguard-dev/actions#668
• Bump chainguard-dev/actions from 1.5.9 to 1.5.10 in /inky-build-pkg by @​dependabot[bot] in chainguard-dev/actions#666
• Bump chainguard-dev/actions from 1.5.9 to 1.5.10 in /gofmt by @​dependabot[bot] in chainguard-dev/actions#664
• Bump chainguard-dev/actions from 1.5.9 to 1.5.10 in /goimports by @​dependabot[bot] in chainguard-dev/actions#665
• Bump chainguard-dev/actions from 1.5.9 to 1.5.10 by @​dependabot[bot] in chainguard-dev/actions#663
• add action to bump .go-version file by @​cpanato in chainguard-dev/actions#669
• Bump actions/setup-go from 6.1.0 to 6.2.0 in /setup-melange by @​dependabot[bot] in chainguard-dev/actions#682
• Bump chainguard-dev/actions from 1.5.10 to 1.5.11 in /wolfi-build-pkg by @​dependabot[bot] in chainguard-dev/actions#683
• Bump chainguard-dev/actions from 1.5.10 to 1.5.11 in /inky-build-pkg by @​dependabot[bot] in chainguard-dev/actions#680
• Bump chainguard-dev/actions from 1.5.10 to 1.5.11 in /melange-build by @​dependabot[bot] in chainguard-dev/actions#681
• Bump chainguard-dev/actions from 1.5.10 to 1.5.11 in /goimports by @​dependabot[bot] in chainguard-dev/actions#679
• Bump actions/setup-go from 6.1.0 to 6.2.0 in /boilerplate by @​dependabot[bot] in chainguard-dev/actions#677
• Bump chainguard-dev/actions from 1.5.10 to 1.5.11 in /gofmt by @​dependabot[bot] in chainguard-dev/actions#678
• Bump step-security/harden-runner from 2.13.2 to 2.14.0 by @​dependabot[bot] in chainguard-dev/actions#676
• Bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] in chainguard-dev/actions#675
• Bump octo-sts/action from 1.0.3 to 1.1.1 by @​dependabot[bot] in chainguard-dev/actions#673
• Bump actions/setup-go from 6.1.0 to 6.2.0 by @​dependabot[bot] in chainguard-dev/actions#672
• Bump chainguard-dev/actions from 1.5.10 to 1.5.11 by @​dependabot[bot] in chainguard-dev/actions#674
• Bump actions/upload-artifact from 5.0.0 to 6.0.0 in /nodiff by @​dependabot[bot] in chainguard-dev/actions#688
• Bump actions/setup-node from 6.0.0 to 6.1.0 in /githubapp-token by @​dependabot[bot] in chainguard-dev/actions#685
• Bump actions/upload-artifact from 5.0.0 to 6.0.0 in /k8s-diag by @​dependabot[bot] in chainguard-dev/actions#686
• Bump actions/upload-artifact from 5.0.0 to 6.0.0 in /kind-diag by @​dependabot[bot] in chainguard-dev/actions#687
• Bump chainguard-dev/setup-chainctl from 0.4.0 to 0.5.0 in /setup-chainguard-terraform by @​dependabot[bot] in chainguard-dev/actions#692
• Bump chainguard-dev/setup-chainctl from 0.4.0 to 0.5.0 in /setup-chainctl by @​dependabot[bot] in chainguard-dev/actions#691
• Bump actions/setup-node from 6.1.0 to 6.2.0 in /githubapp-token by @​dependabot[bot] in chainguard-dev/actions#690
• [StepSecurity] Apply security best practices by @​stepsecurity-app[bot] in chainguard-dev/actions#689
• Bump reviewdog/action-actionlint from 1.68.0 to 1.69.1 by @​dependabot[bot] in chainguard-dev/actions#684

Full Changelog: chainguard-dev/actions@v1.5.11...v1.5.12

v1.5.11

... (truncated)

Commits

• 18e5e34 Bump actions/checkout from 6.0.1 to 6.0.2 (#701)
• 68a3bbd Revert "[StepSecurity] Apply security best practices (#689)" (#700)
• 127740c bump kind and k8s node versions (#699)
• dc3bb43 Bump chainguard-dev/actions from 1.5.11 to 1.5.12 (#693)
• be1d294 Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /gofmt (#694)
• dadd2a8 Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /goimports (#695)
• 99ee853 Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /inky-build-pkg (#696)
• a2c7828 Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /melange-build (#697)
• 7b967b8 Bump chainguard-dev/actions from 1.5.11 to 1.5.12 in /wolfi-build-pkg (#698)
• f77a7c3 Bump reviewdog/action-actionlint from 1.68.0 to 1.69.1 (#684)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions