chore(deps): update github-actions (#2140)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| actions/checkout | action | digest | `8e5e7e5` -> `96f5310` |
| [actions/checkout](https://togithub.com/actions/checkout) | action |
patch | `v3.5.2` -> `v3.5.3` |
| [actions/setup-go](https://togithub.com/actions/setup-go) | action |
patch | `v4.0.0` -> `v4.0.1` |
| actions/setup-java | action | digest | `5ffc13f` -> `87c1c70` |
| [github/codeql-action](https://togithub.com/github/codeql-action) |
action | patch | `v2.3.3` -> `v2.3.6` |
|
[sigstore/cosign-installer](https://togithub.com/sigstore/cosign-installer)
| action | patch | `v3.0.3` -> `v3.0.5` |

---

### ⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the
Dependency Dashboard for more information.

---

### Release Notes

<details>
<summary>actions/checkout</summary>

###
[`v3.5.3`](https://togithub.com/actions/checkout/blob/HEAD/CHANGELOG.md#v353)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.5.2...v3.5.3)

- [Fix: Checkout fail in self-hosted runners when faulty submodule are
checked-in](https://togithub.com/actions/checkout/pull/1196)
- [Fix typos found by
codespell](https://togithub.com/actions/checkout/pull/1287)
- [Add support for sparse
checkouts](https://togithub.com/actions/checkout/pull/1369)

</details>

<details>
<summary>actions/setup-go</summary>

###
[`v4.0.1`](https://togithub.com/actions/setup-go/releases/tag/v4.0.1)

[Compare
Source](https://togithub.com/actions/setup-go/compare/v4.0.0...v4.0.1)

##### What's Changed

- Update documentation for `v4` by
[@&#8203;dsame](https://togithub.com/dsame) in
[https://github.com/actions/setup-go/pull/354](https://togithub.com/actions/setup-go/pull/354)
- Fix glob bug in the package.json scripts section by
[@&#8203;IvanZosimov](https://togithub.com/IvanZosimov) in
[https://github.com/actions/setup-go/pull/359](https://togithub.com/actions/setup-go/pull/359)
- Bump `xml2js` dependency by
[@&#8203;dmitry-shibanov](https://togithub.com/dmitry-shibanov) in
[https://github.com/actions/setup-go/pull/370](https://togithub.com/actions/setup-go/pull/370)
- Bump `@actions/cache` dependency to v3.2.1 by
[@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) in
[https://github.com/actions/setup-go/pull/374](https://togithub.com/actions/setup-go/pull/374)

##### New Contributors

- [@&#8203;nikolai-laevskii](https://togithub.com/nikolai-laevskii) made
their first contribution in
[https://github.com/actions/setup-go/pull/374](https://togithub.com/actions/setup-go/pull/374)

**Full Changelog**:
actions/setup-go@v4...v4.0.1

</details>

<details>
<summary>github/codeql-action</summary>

###
[`v2.3.6`](https://togithub.com/github/codeql-action/compare/v2.3.5...v2.3.6)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.3.5...v2.3.6)

###
[`v2.3.5`](https://togithub.com/github/codeql-action/compare/v2.3.4...v2.3.5)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.3.4...v2.3.5)

###
[`v2.3.4`](https://togithub.com/github/codeql-action/compare/v2.3.3...v2.3.4)

[Compare
Source](https://togithub.com/github/codeql-action/compare/v2.3.3...v2.3.4)

</details>

<details>
<summary>sigstore/cosign-installer</summary>

###
[`v3.0.5`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.0.5)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.4...v3.0.5)

#### What's Changed

- download cosign releases from GitHub rather than GCS by
[@&#8203;bobcallaway](https://togithub.com/bobcallaway) in
[https://github.com/sigstore/cosign-installer/pull/126](https://togithub.com/sigstore/cosign-installer/pull/126)

**Full Changelog**:
sigstore/cosign-installer@v3.0.4...v3.0.5

###
[`v3.0.4`](https://togithub.com/sigstore/cosign-installer/releases/tag/v3.0.4)

[Compare
Source](https://togithub.com/sigstore/cosign-installer/compare/v3.0.3...v3.0.4)

- Include fix for
[https://github.com/sigstore/cosign-installer/pull/124](https://togithub.com/sigstore/cosign-installer/pull/124)
- changes download URL for `cosign` binary to github.com instead of GCS

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "every weekend" (UTC), Automerge - At
any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/slsa-framework/slsa-github-generator).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNS40OC4yIiwidXBkYXRlZEluVmVyIjoiMzUuMTEwLjAiLCJ0YXJnZXRCcmFuY2giOiJtYWluIn0=-->

Signed-off-by: Renovate Bot <[email protected]>

Author: renovate-bot

.github/actions/generate-builder/action.yml

@@ -75,7 +75,7 @@ runs:
         override: ${{ inputs.allow-private-repository }}
 
     - name: Set up Go environment
-      uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         go-version: ${{ inputs.go-version }}
 

.github/actions/secure-builder-checkout/action.yaml

@@ -37,7 +37,7 @@ runs:
     # and has an associated release. This will require exceptions
     # for e2e tests.
     - name: Checkout the repository
-      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       with:
         repository: ${{ inputs.repository }}
         ref: ${{ inputs.ref }}

.github/actions/secure-project-checkout-go/action.yml

@@ -56,7 +56,7 @@ runs:
         fi
 
     - name: Set up Go environment
-      uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0
+      uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
       with:
         go-version: ${{ inputs.go-version }}
         go-version-file: ${{ inputs.go-version-file }}

.github/actions/secure-project-checkout/action.yaml

@@ -35,7 +35,7 @@ runs:
   using: "composite"
   steps:
     - name: Checkout the repository
-      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       with:
         fetch-depth: ${{ inputs.fetch-depth }}
         # Different from default actions/checkout which defaults to `true`.

.github/workflows/builder_container-based_slsa3.yml

@@ -228,7 +228,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [rng, detect-env, generate-builder]
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Checkout builder repository
         uses: slsa-framework/slsa-github-generator/.github/actions/secure-builder-checkout@main
         with:
@@ -372,7 +372,7 @@ jobs:
           set-executable: true
 
       - name: Checkout the source repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           fetch-depth: 1
           persist-credentials: false

.github/workflows/codeql-analysis.yml

@@ -55,11 +55,11 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
+        uses: github/codeql-action/init@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -72,7 +72,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
+        uses: github/codeql-action/autobuild@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
 
       # Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -85,7 +85,7 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@29b1f65c5e92e24fe6b6647da1eaabe529cec70f # v2.3.3
+        uses: github/codeql-action/analyze@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6
 
   # NOTE: Checks that the matrix job above completes successfully.
   # This is necessary because the matrix strategy generates new jobs with

.github/workflows/e2e.create-container_based-predicate.schedule.yml

@@ -39,7 +39,7 @@ jobs:
     permissions:
       id-token: write # Needed to detect the current reusable repository and ref.
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Detect the builder ref
         id: detect
         uses: slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@main
@@ -71,7 +71,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -85,7 +85,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: slsa-framework/example-package
           ref: main

.github/workflows/e2e.detect-workflow-js.schedule.yml

@@ -33,7 +33,7 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: detect
         uses: ./.github/actions/detect-workflow-js
       - id: verify
@@ -70,7 +70,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -84,7 +84,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: slsa-framework/example-package
           ref: main

.github/workflows/e2e.sign-attestations.schedule.yml

@@ -33,7 +33,7 @@ jobs:
       id-token: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - id: setup
         uses: ./.github/actions/sign-attestations
         with:
@@ -62,7 +62,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -76,7 +76,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: slsa-framework/example-package
           ref: main

.github/workflows/e2e.upload-folder.schedule.yml

@@ -37,7 +37,7 @@ jobs:
       sha256: ${{ steps.upload.outputs.sha256 }}
       sha256-noroot: ${{ steps.upload-noroot.outputs.sha256 }}
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
       - name: Create folder
         run: |
           set -euo pipefail
@@ -100,7 +100,7 @@ jobs:
     needs: [secure-upload-folder]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
 
       - name: Download in new folder
         uses: ./.github/actions/secure-download-folder
@@ -180,7 +180,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: slsa-framework/example-package
           ref: main
@@ -194,7 +194,7 @@ jobs:
       contents: read
       issues: write
     steps:
-      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
         with:
           repository: slsa-framework/example-package
           ref: main