From da84f70bd450a4380261d74eb616a9739d0c69a4 Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Mon, 10 Jun 2024 00:18:02 -0700
Subject: [PATCH 1/6] Update action versions

---
 .github/workflows/automatePR.yml  | 4 ++--
 .github/workflows/code-review.yml | 2 +-
 .github/workflows/codeql.yml      | 4 ++--
 .github/workflows/int.yml         | 4 ++--
 .github/workflows/kb-test.yml     | 2 +-
 .github/workflows/kbanalysis.yml  | 4 ++--
 .github/workflows/release.yml     | 4 ++--
 .github/workflows/scorecards.yml  | 4 ++--
 .github/workflows/test.yml        | 4 ++--
 9 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/automatePR.yml b/.github/workflows/automatePR.yml
index ab9e287f..601156b1 100644
--- a/.github/workflows/automatePR.yml
+++ b/.github/workflows/automatePR.yml
@@ -17,11 +17,11 @@ jobs:
     
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
         with:
           repository: step-security/secure-repo
     
diff --git a/.github/workflows/code-review.yml b/.github/workflows/code-review.yml
index c40f9f80..cc70c82e 100644
--- a/.github/workflows/code-review.yml
+++ b/.github/workflows/code-review.yml
@@ -11,7 +11,7 @@ jobs:
       pull-requests: read
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           disable-sudo: true
           egress-policy: block
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 62d466be..571d6038 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -41,12 +41,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml
index 5fc4494f..829150b8 100644
--- a/.github/workflows/int.yml
+++ b/.github/workflows/int.yml
@@ -15,11 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
         with:
           fetch-depth: 0
       - name: Set up Go 
diff --git a/.github/workflows/kb-test.yml b/.github/workflows/kb-test.yml
index c129faa6..de33fe5c 100644
--- a/.github/workflows/kb-test.yml
+++ b/.github/workflows/kb-test.yml
@@ -25,7 +25,7 @@ jobs:
             objects.githubusercontent.com:443
             golang.org:443
       - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up Go
diff --git a/.github/workflows/kbanalysis.yml b/.github/workflows/kbanalysis.yml
index 6d846e15..19409ddc 100644
--- a/.github/workflows/kbanalysis.yml
+++ b/.github/workflows/kbanalysis.yml
@@ -22,11 +22,11 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@d0651293c4a5a52e711f25b41b05b2212f385d28
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
         with:
           repository: step-security/secure-repo
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2ec3f2b4..ef3188c2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,11 +17,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
         with:
           fetch-depth: 0
       - name: Set up Go
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 54e09afb..88a3163a 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -32,12 +32,12 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
+        uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 869959f5..99c4210d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -17,7 +17,7 @@ jobs:
       contents: read
     runs-on: ubuntu-latest
     steps:
-      - uses: step-security/harden-runner@ebacdc22ef6c2cfb85ee5ded8f2e640f4c776dd5 # v1
+      - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
           allowed-endpoints: >
             api.github.com:443
@@ -30,7 +30,7 @@ jobs:
             objects.githubusercontent.com:443
             golang.org:443
       - name: Checkout
-        uses: actions/checkout@629c2de402a417ea7690ca6ce3f33229e27606a5 # v2
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up Go

From 5cbd9dd5320bea2d55fdf1fe35b9a0190f19d7d5 Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Mon, 10 Jun 2024 00:25:06 -0700
Subject: [PATCH 2/6] Update test.yml

---
 .github/workflows/test.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 99c4210d..92f85084 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,8 +9,7 @@ on:
 
 permissions: # added using https://github.com/step-security/secure-repo
   contents: read
-concurrency:
-  group: ${{ github.workflow }}
+
 jobs:
   test:
     permissions:

From ba1b50a05d62909089fbd97e861239374f3b5355 Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Mon, 10 Jun 2024 00:30:21 -0700
Subject: [PATCH 3/6] Remove KBs for deleted actions

---
 .../dev-infra/github-actions/lock-closed/action-security.yml    | 2 --
 .../actions/devbotsxyz/xcode-notarize/action-security.yml       | 2 --
 .../actions/devbotsxyz/xcode-staple/action-security.yml         | 2 --
 3 files changed, 6 deletions(-)
 delete mode 100644 knowledge-base/actions/angular/dev-infra/github-actions/lock-closed/action-security.yml
 delete mode 100644 knowledge-base/actions/devbotsxyz/xcode-notarize/action-security.yml
 delete mode 100644 knowledge-base/actions/devbotsxyz/xcode-staple/action-security.yml

diff --git a/knowledge-base/actions/angular/dev-infra/github-actions/lock-closed/action-security.yml b/knowledge-base/actions/angular/dev-infra/github-actions/lock-closed/action-security.yml
deleted file mode 100644
index 051053cd..00000000
--- a/knowledge-base/actions/angular/dev-infra/github-actions/lock-closed/action-security.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-name: 'Lock Closed Issues' # angular/dev-infra/github-actions/lock-closed
-# GITHUB_TOKEN not used
diff --git a/knowledge-base/actions/devbotsxyz/xcode-notarize/action-security.yml b/knowledge-base/actions/devbotsxyz/xcode-notarize/action-security.yml
deleted file mode 100644
index 08a07874..00000000
--- a/knowledge-base/actions/devbotsxyz/xcode-notarize/action-security.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-name: 'Xcode Notarize' # devbotsxyz/xcode-notarize
-# GITHUB_TOKEN not used
diff --git a/knowledge-base/actions/devbotsxyz/xcode-staple/action-security.yml b/knowledge-base/actions/devbotsxyz/xcode-staple/action-security.yml
deleted file mode 100644
index 62790b12..00000000
--- a/knowledge-base/actions/devbotsxyz/xcode-staple/action-security.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-name: 'Xcode Staple' # devbotsxyz/xcode-staple
-# GITHUB_TOKEN not used

From 2e2bf0174efd71bfd9cc64a90035f4405b056378 Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Mon, 10 Jun 2024 00:46:02 -0700
Subject: [PATCH 4/6] Update actions

---
 .github/workflows/codeql.yml     | 2 +-
 .github/workflows/int.yml        | 4 ++--
 .github/workflows/kb-test.yml    | 2 +-
 .github/workflows/kbanalysis.yml | 2 +-
 .github/workflows/release.yml    | 4 ++--
 .github/workflows/scorecards.yml | 2 +-
 .github/workflows/test.yml       | 8 +++++---
 7 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 571d6038..e540ccc3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -46,7 +46,7 @@ jobs:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
diff --git a/.github/workflows/int.yml b/.github/workflows/int.yml
index 829150b8..d1210f38 100644
--- a/.github/workflows/int.yml
+++ b/.github/workflows/int.yml
@@ -19,11 +19,11 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
       - name: Set up Go 
-        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: 1.17
       - name: Configure AWS Credentials
diff --git a/.github/workflows/kb-test.yml b/.github/workflows/kb-test.yml
index de33fe5c..5819dc6a 100644
--- a/.github/workflows/kb-test.yml
+++ b/.github/workflows/kb-test.yml
@@ -29,7 +29,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up Go
-        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: 1.17
       - name: Run coverage
diff --git a/.github/workflows/kbanalysis.yml b/.github/workflows/kbanalysis.yml
index 19409ddc..30b021ad 100644
--- a/.github/workflows/kbanalysis.yml
+++ b/.github/workflows/kbanalysis.yml
@@ -26,7 +26,7 @@ jobs:
         with:
           egress-policy: audit
 
-      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+      - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           repository: step-security/secure-repo
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ef3188c2..50e2bc1d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -21,11 +21,11 @@ jobs:
         with:
           egress-policy: audit
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           fetch-depth: 0
       - name: Set up Go
-        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: 1.17
       
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
index 88a3163a..7b2f0977 100644
--- a/.github/workflows/scorecards.yml
+++ b/.github/workflows/scorecards.yml
@@ -37,7 +37,7 @@ jobs:
           egress-policy: audit
 
       - name: "Checkout code"
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           persist-credentials: false
 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 92f85084..f8b28310 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -29,15 +29,17 @@ jobs:
             objects.githubusercontent.com:443
             golang.org:443
       - name: Checkout
-        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 #v4.1.6
+        uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
       - name: Set up Go
-        uses: actions/setup-go@37335c7bb261b353407cff977110895fa0b4f7d8 # v2.1.3
+        uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
         with:
           go-version: 1.17
       - name: Run coverage
         run: go test ./...  -coverpkg=./... -race -coverprofile=coverage.txt -covermode=atomic
         env:
           PAT: ${{ secrets.GITHUB_TOKEN }}
-      - uses: codecov/codecov-action@f32b3a3741e1053eb607407145bc9619351dc93b # v2
+      - uses: codecov/codecov-action@125fc84a9a348dbcf27191600683ec096ec9021c # v4.4.1
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}

From b9cc96e01010861163790a707df18eac9db6e434 Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Mon, 10 Jun 2024 00:49:04 -0700
Subject: [PATCH 5/6] Update test.yml

---
 .github/workflows/test.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f8b28310..bfc8dc68 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -20,6 +20,7 @@ jobs:
         with:
           allowed-endpoints: >
             api.github.com:443
+            cli.codecov.io:443
             codecov.io:443
             uploader.codecov.io:443
             github.com:443

From e2e8b07a05106d44af974e651f00b02f31dd8daa Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Mon, 10 Jun 2024 00:53:03 -0700
Subject: [PATCH 6/6] Update test.yml

---
 .github/workflows/test.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bfc8dc68..3ca6a98c 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -18,6 +18,7 @@ jobs:
     steps:
       - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
         with:
+          egress-policy: audit
           allowed-endpoints: >
             api.github.com:443
             cli.codecov.io:443