chore(deps): update github-actions (#3711)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | digest | `b80ff79` -> `692973e` |
| [actions/checkout](https://togithub.com/actions/checkout) | action |
patch | `v4.1.6` -> `v4.1.7` |
| [actions/checkout](https://togithub.com/actions/checkout) | action |
patch | `v4.1.1` -> `v4.1.7` |
| [actions/setup-node](https://togithub.com/actions/setup-node) | action
| patch | `v3.8.1` -> `v3.8.2` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v3.25.7` -> `v3.25.11` |
|
[gradle/gradle-build-action](https://togithub.com/gradle/gradle-build-action)
| action | minor | `v3.3.2` -> `v3.4.2` |
|
[softprops/action-gh-release](https://togithub.com/softprops/action-gh-release)
| action | patch | `v2.0.5` -> `v2.0.6` |

---

### Release Notes

<details>
<summary>actions/checkout (actions/checkout)</summary>

###
[`v4.1.7`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v417)

[Compare
Source](https://togithub.com/actions/checkout/compare/v4.1.6...v4.1.7)

- Bump the minor-npm-dependencies group across 1 directory with 4
updates by [@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1739](https://togithub.com/actions/checkout/pull/1739)
- Bump actions/checkout from 3 to 4 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/checkout/pull/1697](https://togithub.com/actions/checkout/pull/1697)
- Check out other refs/\* by commit by
[@&#8203;orhantoy](https://togithub.com/orhantoy) in
[https://github.com/actions/checkout/pull/1774](https://togithub.com/actions/checkout/pull/1774)
- Pin actions/checkout's own workflows to a known, good, stable version.
by [@&#8203;jww3](https://togithub.com/jww3) in
[https://github.com/actions/checkout/pull/1776](https://togithub.com/actions/checkout/pull/1776)

</details>

<details>
<summary>actions/setup-node (actions/setup-node)</summary>

###
[`v3.8.2`](https://togithub.com/actions/setup-node/releases/tag/v3.8.2)

[Compare
Source](https://togithub.com/actions/setup-node/compare/v3.8.1...v3.8.2)

##### What's Changed

- Update semver by
[@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov) in
[https://github.com/actions/setup-node/pull/861](https://togithub.com/actions/setup-node/pull/861)
- Update temp directory creation by
[@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/859](https://togithub.com/actions/setup-node/pull/859)
- Bump [@&#8203;babel/traverse](https://togithub.com/babel/traverse)
from 7.15.4 to 7.23.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/actions/setup-node/pull/870](https://togithub.com/actions/setup-node/pull/870)
- Add notice about binaries not being updated yet by
[@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
[https://github.com/actions/setup-node/pull/872](https://togithub.com/actions/setup-node/pull/872)
- Update toolkit cache and core by
[@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov) and
[@&#8203;seongwon-privatenote](https://togithub.com/seongwon-privatenote)
in
[https://github.com/actions/setup-node/pull/875](https://togithub.com/actions/setup-node/pull/875)

**Full Changelog**:
actions/setup-node@v3...v3.8.2

</details>

<details>
<summary>github/codeql-action (github/codeql-action)</summary>

###
[`v3.25.11`](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.10...v3.25.11)

###
[`v3.25.10`](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.9...v3.25.10)

###
[`v3.25.9`](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.8...v3.25.9)

###
[`v3.25.8`](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v3.25.7...v3.25.8)

</details>

<details>
<summary>gradle/gradle-build-action
(gradle/gradle-build-action)</summary>

###
[`v3.4.2`](https://togithub.com/gradle/gradle-build-action/releases/tag/v3.4.2)

[Compare
Source](https://togithub.com/gradle/gradle-build-action/compare/v3.4.1...v3.4.2)

> \[!IMPORTANT]
> As of `v3` this action has been superceded by
`gradle/actions/setup-gradle`.
> Any workflow that uses `gradle/gradle-build-action@v3` will
transparently delegate to `gradle/actions/setup-gradle@v3`.
>
> Users are encouraged to update their workflows, replacing:
>
>     uses: gradle/gradle-build-action@v3
>
> with
>
>     uses: gradle/actions/setup-gradle@v3
>
> See the [setup-gradle
documentation](https://togithub.com/gradle/actions/tree/main/setup-gradle)
for up-to-date documentation for `gradle/actions/setup-gradle`.

For release details, see
https://github.com/gradle/actions/releases/tag/v3.4.2

###
[`v3.4.1`](https://togithub.com/gradle/gradle-build-action/releases/tag/v3.4.1)

[Compare
Source](https://togithub.com/gradle/gradle-build-action/compare/v3.4.0...v3.4.1)

> \[!IMPORTANT]
> As of `v3` this action has been superceded by
`gradle/actions/setup-gradle`.
> Any workflow that uses `gradle/gradle-build-action@v3` will
transparently delegate to `gradle/actions/setup-gradle@v3`.
>
> Users are encouraged to update their workflows, replacing:
>
>     uses: gradle/gradle-build-action@v3
>
> with
>
>     uses: gradle/actions/setup-gradle@v3
>
> See the [setup-gradle
documentation](https://togithub.com/gradle/actions/tree/main/setup-gradle)
for up-to-date documentation for `gradle/actions/setup-gradle`.

For release details, see
https://github.com/gradle/actions/releases/tag/v3.4.1

###
[`v3.4.0`](https://togithub.com/gradle/gradle-build-action/releases/tag/v3.4.0)

[Compare
Source](https://togithub.com/gradle/gradle-build-action/compare/v3.3.2...v3.4.0)

> \[!IMPORTANT]
> As of `v3` this action has been superceded by
`gradle/actions/setup-gradle`.
> Any workflow that uses `gradle/gradle-build-action@v3` will
transparently delegate to `gradle/actions/setup-gradle@v3`.
>
> Users are encouraged to update their workflows, replacing:
>
>     uses: gradle/gradle-build-action@v3
>
> with
>
>     uses: gradle/actions/setup-gradle@v3
>
> See the [setup-gradle
documentation](https://togithub.com/gradle/actions/tree/main/setup-gradle)
for up-to-date documentation for `gradle/actions/setup-gradle`.

For release details, see
https://github.com/gradle/actions/releases/tag/v3.4.0

</details>

<details>
<summary>softprops/action-gh-release
(softprops/action-gh-release)</summary>

###
[`v2.0.6`](https://togithub.com/softprops/action-gh-release/releases/tag/v2.0.6)

[Compare
Source](https://togithub.com/softprops/action-gh-release/compare/v2.0.5...v2.0.6)

maintenance release with updated dependencies

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 4am on the first day of the
month" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy40MjEuMCIsInVwZGF0ZWRJblZlciI6IjM3LjQyMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Signed-off-by: Mend Renovate <[email protected]>
Co-authored-by: Ramon Petgrave <[email protected]>

Author: renovate-bot

.github/actions/secure-builder-checkout/action.yaml

@@ -37,7 +37,7 @@ runs:
     # and has an associated release. This will require exceptions
     # for e2e tests.
     - name: Checkout the repository
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         repository: ${{ inputs.repository }}
         ref: ${{ inputs.ref }}

.github/actions/secure-project-checkout/action.yaml

@@ -40,7 +40,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout the repository
-      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       with:
         fetch-depth: ${{ inputs.fetch-depth }}
         ref: ${{ inputs.checkout-sha1 }}

.github/workflows/builder_container-based_slsa3.yml

@@ -228,7 +228,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [rng, detect-env, generate-builder]
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Checkout builder repository
         uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
         with:
@@ -372,7 +372,7 @@ jobs:
           set-executable: true
 
       - name: Checkout the source repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           fetch-depth: 1
           persist-credentials: false
@@ -598,7 +598,7 @@ jobs:
           path: "${{ needs.provenance.outputs.provenance-name }}"
 
       - name: Upload provenance new tag
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
         if: startsWith(github.ref, 'refs/tags/') && inputs.upload-tag-name == ''
         id: release-new-tags
         with:
@@ -609,7 +609,7 @@ jobs:
           draft: ${{ inputs.draft-release }}
 
       - name: Upload provenance tag name
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
         if: inputs.upload-tag-name != ''
         with:
           prerelease: ${{ inputs.prerelease }}

.github/workflows/builder_go_slsa3.yml

@@ -399,7 +399,7 @@ jobs:
           sha256: "${{ needs.provenance.outputs.go-provenance-sha256 }}"
 
       - name: Upload provenance
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
         with:
           tag_name: ${{ inputs.upload-tag-name }}
           prerelease: ${{ inputs.prerelease }}

.github/workflows/codeql-analysis.yml

@@ -55,11 +55,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+        uses: github/codeql-action/init@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,7 +72,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+        uses: github/codeql-action/autobuild@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
 
       # Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -85,7 +85,7 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@f079b8493333aace61c81488f8bd40919487bd9f # v3.25.7
+        uses: github/codeql-action/analyze@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
 
   # NOTE: Checks that the matrix job above completes successfully.
   # This is necessary because the matrix strategy generates new jobs with

.github/workflows/e2e.create-container_based-predicate.schedule.yml

@@ -39,7 +39,7 @@ jobs:
     permissions:
       id-token: write # Needed to detect the current reusable repository and ref.
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Detect the builder ref
         id: detect
         uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main
@@ -71,7 +71,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -85,7 +85,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: slsa-framework/example-package
           ref: main

.github/workflows/e2e.detect-workflow-js.schedule.yml

@@ -33,7 +33,7 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - id: detect
         uses: ./.github/actions/detect-workflow-js
       - id: verify
@@ -70,7 +70,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -84,7 +84,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: slsa-framework/example-package
           ref: main

.github/workflows/e2e.sign-attestations.schedule.yml

@@ -33,7 +33,7 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - id: setup
         uses: ./.github/actions/sign-attestations
         with:
@@ -62,7 +62,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -76,7 +76,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: slsa-framework/example-package
           ref: main

.github/workflows/e2e.upload-folder.schedule.yml

@@ -37,7 +37,7 @@ jobs:
       sha256: ${{ steps.upload.outputs.sha256 }}
       sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }}
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: Create folder
         run: |
           set -euo pipefail
@@ -100,7 +100,7 @@ jobs:
     needs: [secure-upload-folder]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Download in new folder
         uses: ./.github/actions/secure-download-folder
@@ -180,7 +180,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -194,7 +194,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           repository: slsa-framework/example-package
           ref: main

.github/workflows/generator_generic_slsa3.yml

@@ -285,7 +285,7 @@ jobs:
           sha256: "${{ needs.generator.outputs.provenance-sha256 }}"
 
       - name: Upload provenance
-        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
+        uses: softprops/action-gh-release@a74c6b72af54cfa997e81df42d94703d6313a2d0 # v2.0.6
         id: release
         with:
           draft: ${{ inputs.draft-release }}