Commit 93d3714

Update workflows (#819)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action | minor | `v3.0.0` -> `v3.1.0` |
| [actions/upload-artifact](https://togithub.com/actions/upload-artifact) | action | patch | `v3.1.0` -> `v3.1.1` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) | action | patch | `v2.0.0` -> `v2.0.6` |
| [pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish) | action | digest | `5fb2f04` -> `37f50c2` |

---

### Release Notes

<details>
<summary>actions/checkout</summary>

### [`v3.1.0`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v310)

[Compare Source](https://togithub.com/actions/checkout/compare/v3.0.2...v3.1.0)

- [Use @actions/core `saveState` and `getState`](https://togithub.com/actions/checkout/pull/939)
- [Add `github-server-url` input](https://togithub.com/actions/checkout/pull/922)

### [`v3.0.2`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v302)

[Compare Source](https://togithub.com/actions/checkout/compare/v3.0.1...v3.0.2)

- [Add input `set-safe-directory`](https://togithub.com/actions/checkout/pull/770)

### [`v3.0.1`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v301)

[Compare Source](https://togithub.com/actions/checkout/compare/v3.0.0...v3.0.1)

- [Fixed an issue where checkout failed to run in container jobs due to the new git setting `safe.directory`](https://togithub.com/actions/checkout/pull/762)
- [Bumped various npm package versions](https://togithub.com/actions/checkout/pull/744)

</details>

<details>
<summary>actions/upload-artifact</summary>

### [`v3.1.1`](https://togithub.com/actions/upload-artifact/releases/tag/v3.1.1)

[Compare Source](https://togithub.com/actions/upload-artifact/compare/v3.1.0...v3.1.1)

- Update actions/core package to latest version to remove `set-output` deprecation warning [#351](https://togithub.com/actions/upload-artifact/issues/351)

</details>

<details>
<summary>ossf/scorecard-action</summary>

### [`v2.0.6`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.6)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.5...v2.0.6)

#### What's Changed

- Fix - Broken dockerfile by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/ossf/scorecard-action/pull/979](https://togithub.com/ossf/scorecard-action/pull/979)

**Full Changelog**: ossf/scorecard-action@v2.0.5...v2.0.6

### [`v2.0.5`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.5)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.4...v2.0.5)

#### What's Changed

- Remove trailing space from example by [@jamacku](https://togithub.com/jamacku) in [https://github.com/ossf/scorecard-action/pull/955](https://togithub.com/ossf/scorecard-action/pull/955)
- 🌱 Bump actions/cache from 3.0.8 to 3.0.10 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/956](https://togithub.com/ossf/scorecard-action/pull/956)
- 🌱 Bump github/codeql-action from 2.1.25 to 2.1.26 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/957](https://togithub.com/ossf/scorecard-action/pull/957)
- 🌱 Bump step-security/harden-runner from 1.4.5 to 1.5.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/958](https://togithub.com/ossf/scorecard-action/pull/958)
- 🌱 Bump debian from `5cf1d98` to `b46fc4e` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/959](https://togithub.com/ossf/scorecard-action/pull/959)
- 🌱 Bump github.com/sigstore/cosign from 1.12.1 to 1.13.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/962](https://togithub.com/ossf/scorecard-action/pull/962)
- 🌱 Upgrade to go 1.19 by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/ossf/scorecard-action/pull/961](https://togithub.com/ossf/scorecard-action/pull/961)
- 🌱 Bump github.com/spf13/cobra from 1.5.0 to 1.6.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/967](https://togithub.com/ossf/scorecard-action/pull/967)
- 🌱 Bump golang from `c2a98a5` to `b850621` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/966](https://togithub.com/ossf/scorecard-action/pull/966)
- 🌱 Bump golang from `b850621` to `25de7b6` by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/968](https://togithub.com/ossf/scorecard-action/pull/968)
- New release for Scorecard v4.8.0 by [@naveensrinivasan](https://togithub.com/naveensrinivasan) in [https://github.com/ossf/scorecard-action/pull/969](https://togithub.com/ossf/scorecard-action/pull/969)

#### New Contributors

- [@jamacku](https://togithub.com/jamacku) made their first contribution in [https://github.com/ossf/scorecard-action/pull/955](https://togithub.com/ossf/scorecard-action/pull/955)

**Full Changelog**: ossf/scorecard-action@v2.0.4...v2.0.5

### [`v2.0.4`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.4)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.3...v2.0.4)

Fixes [#856](https://togithub.com/ossf/scorecard-action/issues/856)

#### What's Changed

- 🌱 Bump github.com/caarlos0/env/v6 from 6.10.0 to 6.10.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/934](https://togithub.com/ossf/scorecard-action/pull/934)
- feat: do not run signing on pull requests by [@laurentsimon](https://togithub.com/laurentsimon) in [https://github.com/ossf/scorecard-action/pull/935](https://togithub.com/ossf/scorecard-action/pull/935)
- 🌱 Bump debian from 11.4-slim to 11.5-slim by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/936](https://togithub.com/ossf/scorecard-action/pull/936)
- 🌱 Bump github.com/sigstore/cosign from 1.11.1 to 1.12.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/938](https://togithub.com/ossf/scorecard-action/pull/938)
- 🌱 Bump github/codeql-action from 2.1.22 to 2.1.24 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/941](https://togithub.com/ossf/scorecard-action/pull/941)
- 🐛 Restore behavior of ignoring scorecard runtime errors by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/948](https://togithub.com/ossf/scorecard-action/pull/948)
- 🌱 Bump actions/dependency-review-action from 2.1.0 to 2.4.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/950](https://togithub.com/ossf/scorecard-action/pull/950)
- 🌱 Bump github.com/sigstore/cosign from 1.12.0 to 1.12.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/947](https://togithub.com/ossf/scorecard-action/pull/947)
- 🌱 Bump github/codeql-action from 2.1.24 to 2.1.25 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/949](https://togithub.com/ossf/scorecard-action/pull/949)
- 🌱 Bump codecov/codecov-action from 3.1.0 to 3.1.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/ossf/scorecard-action/pull/942](https://togithub.com/ossf/scorecard-action/pull/942)
- Create v2.0.4 patch by [@spencerschrock](https://togithub.com/spencerschrock) in [https://github.com/ossf/scorecard-action/pull/952](https://togithub.com/ossf/scorecard-action/pull/952)

#### New Contributors

- [@spencerschrock](https://togithub.com/spencerschrock) made their first contribution in [https://github.com/ossf/scorecard-action/pull/948](https://togithub.com/ossf/scorecard-action/pull/948)

**Full Changelog**: ossf/scorecard-action@v2.0.3...v2.0.4

### [`v2.0.3`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.3)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.2...v2.0.3)

Patch for fix in [#898](https://togithub.com/ossf/scorecard-action/issues/898)

### [`v2.0.2`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.2)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.1...v2.0.2)

Fixes [https://github.com/ossf/scorecard-action/issues/895](https://togithub.com/ossf/scorecard-action/issues/895)

### [`v2.0.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.0.1)

[Compare Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.0...v2.0.1)

Fix for [#856](https://togithub.com/ossf/scorecard-action/issues/856)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

Co-authored-by: Andrew Pollock <[email protected]>

1 parent 953af71 commit 93d3714

2 files changed: +4 -4 lines changed

.github/workflows/publish-to-pypi.yaml

Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@ jobs:
4141
build
4242
--sdist --wheel --outdir dist/ .
4343
- name: Publish distribution to PyPI
44-
uses: pypa/gh-action-pypi-publish@5fb2f047e26679d7846a8370de1642ff160b9025 # v1.5.1
44+
uses: pypa/gh-action-pypi-publish@37f50c210e3d2f9450da2cd423303d6a14a6e29f # v1.5.1
4545
with:
4646
password: ${{ secrets.PYPI_API_TOKEN }}
4747
packages_dir: dist/
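
Review bot: The added `uses:` line pins a different commit (`37f50c2`) yet keeps the same `# v1.5.1` comment as the removed line (`5fb2f04`), so the comment cannot have been accurate for both pins. This step is handed `secrets.PYPI_API_TOKEN`, so before merging confirm which upstream ref `37f50c2` resolves to and make the trailing comment state that ref; if the old pin was an untagged commit, say so in the commit message so this digest-only change can be audited later.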

.github/workflows/scorecards.yml

Lines changed: 3 additions & 3 deletions
@@ -22,12 +22,12 @@ jobs:
2222
id-token: write
2323
steps:
2424
- name: "Checkout code"
25-
uses: actions/checkout@1f9a0c22da41e6ebfa534300ef656657ea2c6707 # v3.0.0
25+
uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
2626
with:
2727
persist-credentials: false
2828

2929
- name: "Run analysis"
30-
uses: ossf/scorecard-action@066a051e5c2c336158e3c5728cd80ccb1276afbf # v2.0.0-alpha.2
30+
uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6-alpha.2
3131
with:
3232
results_file: results.sarif
3333
results_format: sarif
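
Review bot: The version comment on the added scorecard-action line reads `# v2.0.6-alpha.2`, but the update table in the commit message gives `v2.0.0` -> `v2.0.6` and its release notes list no alpha tag, so the `-alpha.2` suffix looks carried over from the old `# v2.0.0-alpha.2` comment. Change it to `# v2.0.6` after checking that `99c5375` is the commit that tag resolves to; this job holds `id-token: write`, so the pin comment should be something a reviewer can trust at a glance. The actions/checkout bump in the same hunk changes SHA and comment together and keeps `persist-credentials: false`.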
@@ -42,7 +42,7 @@ jobs:
4242

4343
# Upload the results as artifacts (optional).
4444
- name: "Upload artifact"
45-
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.0
45+
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
4646
with:
4747
name: SARIF file
4848
path: results.sarif
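
Review bot: The removed and added `uses:` lines pin the same commit, `83fd05a356d7e2593de66fc9913b3002723633cb`; only the comment moves from `# v3.1.0` to `# v3.1.1`, so no executed code changes here. Confirm that this SHA resolves to `v3.1.1` upstream: if it does, the old comment was mislabelled and this is a documentation fix worth stating in the commit message; if it resolves to `v3.1.0`, the SHA needs updating as well.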

0 commit comments