Dependabot updates for week of 9 October 2023 (#2705)

* Bump mongo from 7.0.1-jammy to 7.0.2-jammy in /database Bumps mongo from 7.0.1-jammy to 7.0.2-jammy. --- updated-dependencies: - dependency-name: mongo dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * Bump step-security/harden-runner from 2.5.1 to 2.6.0 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.5.1 to 2.6.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@8ca2b8b...1b05615) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Bump ossf/scorecard-action from 2.2.0 to 2.3.0 Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.2.0 to 2.3.0. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@08b4669...483ef80) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Bump actions/setup-python from 4.7.0 to 4.7.1 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.7.0 to 4.7.1. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@61a6322...65d7f2d) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * Bump aws-actions/configure-aws-credentials from 4.0.0 to 4.0.1 Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 4.0.0 to 4.0.1. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](aws-actions/configure-aws-credentials@v4.0.0...v4.0.1) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * Bump github/codeql-action from 2.21.9 to 2.22.0 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.21.9 to 2.22.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@ddccb87...2cb752a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Bump System.IdentityModel.Tokens.Jwt from 6.32.3 to 6.33.0 in /Backend Bumps [System.IdentityModel.Tokens.Jwt](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) from 6.32.3 to 6.33.0. - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@6.32.3...v6.33.0) --- updated-dependencies: - dependency-name: System.IdentityModel.Tokens.Jwt dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Bump Microsoft.IdentityModel.Tokens from 6.32.3 to 6.33.0 in /Backend Bumps [Microsoft.IdentityModel.Tokens](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet) from 6.32.3 to 6.33.0. - [Release notes](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/releases) - [Changelog](https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/dev/CHANGELOG.md) - [Commits](AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet@6.32.3...v6.33.0) --- updated-dependencies: - dependency-name: Microsoft.IdentityModel.Tokens dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Bump react-router-dom from 6.15.0 to 6.16.0 Bumps [react-router-dom](https://github.com/remix-run/react-router/tree/HEAD/packages/react-router-dom) from 6.15.0 to 6.16.0. - [Release notes](https://github.com/remix-run/react-router/releases) - [Changelog](https://github.com/remix-run/react-router/blob/main/packages/react-router-dom/CHANGELOG.md) - [Commits](https://github.com/remix-run/react-router/commits/[email protected]/packages/react-router-dom) --- updated-dependencies: - dependency-name: react-router-dom dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * Bump @material-table/core from 6.2.4 to 6.2.11 Bumps [@material-table/core](https://github.com/material-table-core/core) from 6.2.4 to 6.2.11. - [Release notes](https://github.com/material-table-core/core/releases) - [Changelog](https://github.com/material-table-core/core/blob/master/CHANGELOG.md) - [Commits](material-table-core/core@v6.2.4...v6.2.11) --- updated-dependencies: - dependency-name: "@material-table/core" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * Bump @mui/material from 5.14.11 to 5.14.12 Bumps [@mui/material](https://github.com/mui/material-ui/tree/HEAD/packages/mui-material) from 5.14.11 to 5.14.12. - [Release notes](https://github.com/mui/material-ui/releases) - [Changelog](https://github.com/mui/material-ui/blob/master/CHANGELOG.md) - [Commits](https://github.com/mui/material-ui/commits/v5.14.12/packages/mui-material) --- updated-dependencies: - dependency-name: "@mui/material" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * Bump @types/redux-mock-store from 1.0.3 to 1.0.4 Bumps [@types/redux-mock-store](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/redux-mock-store) from 1.0.3 to 1.0.4. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/redux-mock-store) --- updated-dependencies: - dependency-name: "@types/redux-mock-store" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * Bump react-redux from 8.1.2 to 8.1.3 Bumps [react-redux](https://github.com/reduxjs/react-redux) from 8.1.2 to 8.1.3. - [Release notes](https://github.com/reduxjs/react-redux/releases) - [Changelog](https://github.com/reduxjs/react-redux/blob/master/CHANGELOG.md) - [Commits](reduxjs/react-redux@v8.1.2...v8.1.3) --- updated-dependencies: - dependency-name: react-redux dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> * Update Python dependencies * Merge remote-tracking branch 'origin/dependabot/docker/database/mongo-7.0.2-jammy' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/github_actions/step-security/harden-runner-2.6.0' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/github_actions/ossf/scorecard-action-2.3.0' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/github_actions/actions/setup-python-4.7.1' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/github_actions/aws-actions/configure-aws-credentials-4.0.1' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/github_actions/github/codeql-action-2.22.0' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/nuget/Backend/System.IdentityModel.Tokens.Jwt-6.33.0' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/nuget/Backend/Microsoft.IdentityModel.Tokens-6.33.0' into dependabot-2023-10-09 # Conflicts: # Backend/BackendFramework.csproj * Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/react-router-dom-6.16.0' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/react-redux-8.1.3' into dependabot-2023-10-09 # Conflicts: # package-lock.json # package.json * Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/material-table/core-6.2.11' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/mui/material-5.14.12' into dependabot-2023-10-09 * Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/types/redux-mock-store-1.0.4' into dependabot-2023-10-09 * Update endpoints for building combine_deploy container * Update security scorecards allowed endpoints * Schedule dependabot for monthly updates * Update license reports * Merge branch 'master' into dependabot-2023-10-09 Co-Authored-By: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
sillsdev · Oct 9, 2023 · 6dc3e91 · 6dc3e91
1 parent 9e04eed
commit 6dc3e91
Show file tree

Hide file tree

Showing 21 changed files with 199 additions and 196 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -3,87 +3,76 @@ updates:
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "nuget"
     directory: "/Backend.Tests"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "nuget"
     directory: "/Backend"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "docker"
     directory: "/Backend"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "docker"
     directory: "/"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "docker"
     directory: "/database"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "docker"
     directory: "/deploy"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "pip"
     directory: "/deploy"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "docker"
     directory: "/maintenance"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "pip"
     directory: "/maintenance"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
 
   - package-ecosystem: "npm"
     directory: "/"
     schedule:
-      interval: "weekly"
-      day: "sunday"
+      interval: "monthly"
       time: "12:00"
       timezone: "UTC"
diff --git a/.github/workflows/backend.yml b/.github/workflows/backend.yml
@@ -19,7 +19,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -72,7 +72,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -106,7 +106,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -129,19 +129,19 @@ jobs:
         with:
           dotnet-version: "6.0.x"
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+        uses: github/codeql-action/init@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
         with:
           languages: csharp
       - name: Autobuild
-        uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+        uses: github/codeql-action/autobuild@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
       - name: Upload artifacts if build failed
         uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
         if: ${{ failure() }}
         with:
           name: tracer-logs
           path: ${{ runner.temp }}/*.log
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+        uses: github/codeql-action/analyze@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
 
   docker_build:
     runs-on: ubuntu-22.04
@@ -150,7 +150,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           disable-file-monitoring: true

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -45,7 +45,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -63,7 +63,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+        uses: github/codeql-action/init@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -76,7 +76,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+        uses: github/codeql-action/autobuild@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
 
       # Command-line programs to run using the OS shell.
       # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -89,6 +89,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+        uses: github/codeql-action/analyze@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
         with:
           category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/combine_deploy_image.yml b/.github/workflows/combine_deploy_image.yml
@@ -16,16 +16,33 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
-          egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
-
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.ecr-public.us-east-1.amazonaws.com:443
+            api.github.com:443
+            archive.ubuntu.com:80
+            auth.docker.io:443
+            cdn.dl.k8s.io:443
+            dl.k8s.io:443
+            files.pythonhosted.org:443
+            get.helm.sh:443
+            github.com:443
+            production.cloudflare.docker.com:443
+            public.ecr.aws:443
+            pypi.org:443
+            raw.githubusercontent.com:443
+            registry-1.docker.io:443
+            security.ubuntu.com:80
+            sts.us-east-1.amazonaws.com:443
       - name: Set up QEMU
         uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
       - name: Configure AWS credentials
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

diff --git a/.github/workflows/database.yml b/.github/workflows/database.yml
@@ -15,7 +15,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/deploy_qa.yml b/.github/workflows/deploy_qa.yml
@@ -21,7 +21,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -73,7 +73,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -84,7 +84,7 @@ jobs:
             sts.${{ secrets.AWS_DEFAULT_REGION }}.amazonaws.com:443
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: Configure AWS credentials
-        uses: aws-actions/[email protected].0
+        uses: aws-actions/[email protected].1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

diff --git a/.github/workflows/deploy_release.yml b/.github/workflows/deploy_release.yml
@@ -20,7 +20,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           egress-policy: block
           allowed-endpoints: >

diff --git a/.github/workflows/frontend.yml b/.github/workflows/frontend.yml
@@ -19,7 +19,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -59,7 +59,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -90,7 +90,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/maintenance.yml b/.github/workflows/maintenance.yml
@@ -15,7 +15,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block

diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml
@@ -17,7 +17,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -26,7 +26,7 @@ jobs:
             github.com:443
             pypi.org:443
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
-      - uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: 3.11
       - name: Install dependencies

diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -19,7 +19,7 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
           egress-policy: block
@@ -30,7 +30,7 @@ jobs:
             pypi.org:443
       - uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@61a6322f88396a6271a6ee3565807d608ecaddd1 # v4.7.0
+        uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 # v4.7.1
         with:
           python-version: ${{ matrix.python-version }}
       - name: Install dependencies

diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -35,30 +35,31 @@ jobs:
       # See https://docs.stepsecurity.io/harden-runner/getting-started/ for instructions on
       # configuring harden-runner and identifying allowed endpoints.
       - name: Harden Runner
-        uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
+        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
         with:
           disable-sudo: true
-          egress-policy: audit
+          egress-policy: block
           allowed-endpoints: >
             api.github.com:443
             api.osv.dev:443
-            api.securityscorecards.dev
+            api.securityscorecards.dev:443
             auth.docker.io:443
             bestpractices.coreinfrastructure.org:443
             fulcio.sigstore.dev:443
             github.com:443
             index.docker.io:443
             mcr.microsoft.com:443
-            oauth2.sigstore.dev:443
+            oss-fuzz-build-logs.storage.googleapis.com:443
             rekor.sigstore.dev:443
-            sigstore-tuf-root.storage.googleapis.com:443
+            tuf-repo-cdn.sigstore.dev:443
+            www.bestpractices.dev:443
       - name: "Checkout code"
         uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@08b4669551908b1024bb425080c797723083c031 # v2.2.0
+        uses: ossf/scorecard-action@483ef80eb98fb506c348f7d62e28055e49fe2398 # v2.3.0
         with:
           results_file: results.sarif
           results_format: sarif
@@ -88,6 +89,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@ddccb873888234080b77e9bc2d4764d5ccaaccf9 # v2.21.9
+        uses: github/codeql-action/upload-sarif@2cb752a87e96af96708ab57187ab6372ee1973ab # v2.22.0
         with:
           sarif_file: results.sarif