Bump advanced-security/spdx-dependency-submission-action from 0.0.1 to 0.2.0

[dependabot]

Bumps advanced-security/spdx-dependency-submission-action from 0.0.1 to 0.2.0.

Release notes

Sourced from advanced-security/spdx-dependency-submission-action's releases.

v0.2.0

What's Changed

• build: Update dist files after dependency bump by @​Copilot in advanced-security/spdx-dependency-submission-action#97
• deps: Bump the production-dependencies group with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#96
• chore: Bump eslint from 9.39.1 to 9.39.2 in the development-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#95
• deps: Bump the production-dependencies group across 1 directory with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#98
• chore: Bump eslint from 9.39.2 to 10.0.0 in the development-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#100
• deps: Bump the production-dependencies group across 1 directory with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#101
  • Convert to ES modules for @​actions/core v3 and @​actions/github v9 compatibility advanced-security/spdx-dependency-submission-action#102

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.1.2...v0.2.0

v0.1.2 - features and maintenance release

What's Changed

• Update CODEOWNERS to DG team by @​jhutchings1 in advanced-security/spdx-dependency-submission-action#49
• Update CODEOWNERS by @​GeekMasher in advanced-security/spdx-dependency-submission-action#54
• deps: bump actions/setup-node from 4.0.2 to 4.2.0 in the production-dependencies group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#69
• feat: Update dependabot.yml by @​GeekMasher in advanced-security/spdx-dependency-submission-action#55
• feat: Add support for running inside a matrix by overriding the default correlator identifier by @​felickz in advanced-security/spdx-dependency-submission-action#50
• deps: bump actions/setup-node from 4.2.0 to 4.3.0 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#71
• deps: bump actions/setup-node from 4.3.0 to 4.4.0 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#72
• Update README.md to use v4 for checkout and upload-artifact by @​CallMeGreg in advanced-security/spdx-dependency-submission-action#73
• conditional test - do not run on PR from fork by @​felickz in advanced-security/spdx-dependency-submission-action#74
• Bump the npm_and_yarn group across 1 directory with 5 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#77
• deps: bump actions/checkout from 4 to 5 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#79
• chore: bump the development-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#78
• chore: bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#86
• deps: bump the production-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#76
• chore: bump glob from 10.4.5 to 10.5.0 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#87
• deps: bump the production-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#85
• deps: Bump the production-dependencies group across 1 directory with 2 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#89
• chore: bump the development-dependencies group across 1 directory with 3 updates by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#82
• Fix for "workflow does not contain permissions", plus updated dist and fixed test failure with lazy loading of submission toolkit by @​aegilops in advanced-security/spdx-dependency-submission-action#90
• deps: bump @​actions/core from 1.11.1 to 2.0.1 in the production-dependencies group by @​dependabot[bot] in advanced-security/spdx-dependency-submission-action#92

New Contributors

• @​felickz made their first contribution in advanced-security/spdx-dependency-submission-action#50
• @​CallMeGreg made their first contribution in advanced-security/spdx-dependency-submission-action#73
• @​aegilops made their first contribution in advanced-security/spdx-dependency-submission-action#90

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.1.1...v0.1.2

v0.1.1

What's Changed

• Hotfix for PURL issues by @​GeekMasher in advanced-security/spdx-dependency-submission-action#42

Full Changelog: advanced-security/spdx-dependency-submission-action@v0.1.0...v0.1.1

... (truncated)

Commits

• 169d224 deps: Bump the production-dependencies group across 1 directory with 2 update...
• c810a02 Merge pull request #100 from advanced-security/dependabot/npm_and_yarn/main/d...
• f9ac915 chore: Bump eslint in the development-dependencies group
• 4df5384 Merge pull request #98 from advanced-security/dependabot/github_actions/main/...
• ff0db0f Merge pull request #95 from advanced-security/dependabot/npm_and_yarn/main/de...
• e99d8ce deps: Bump the production-dependencies group across 1 directory with 2 updates
• be4152f chore: Bump eslint in the development-dependencies group
• 6b8807f Merge pull request #96 from advanced-security/dependabot/npm_and_yarn/main/pr...
• c6bcfd0 Merge pull request #97 from advanced-security/copilot/sub-pr-96
• 096e79b build: Update dist files after dependency bump
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
actions/advanced-security/spdx-dependency-submission-action	169d22427d74f3faf93504e70b03eede8dab272a	🟢 6.1	Details Check Score Reason Code-Review 🟢 4 Found 2/5 approved changesets -- score normalized to 4 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 10 21 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Binary-Artifacts 🟢 10 no binaries found in the repo Security-Policy 🟢 10 security policy file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing ⚠️ 0 project is not fuzzed Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches SAST 🟢 9 SAST tool detected but not run on all commits

Scanned Files

• .github/workflows/sbom-generate-submit.yml

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (1 file)

• .github/workflows/sbom-generate-submit.yml