Simple tool that allows you to detect imposter commits in GitHub Actions workflows.

By Chainguard
Last update: Jul 10, 2023
Comments: 12

clank

clank is a simple tool that allows you to detect imposter commits in GitHub Actions workflows.

This is primarily a proof-of-concept - our aim is to upstream this check to OpenSSF Scorecards.

The name is inspired by https://github.com/sethvargo/ratchet.

Installation

$ go install github.com/chainguard-dev/clank@latest

Usage

$ clank [ path/to/workflow/dir | URL ]

Examples:

By path:

$ clank ./testdata
testdata/push.yaml
+---------------------------------------------------------------------+--------+-------+-------------------------+
|                                 REF                                 | STATUS | LINES |         DETAILS         |
+---------------------------------------------------------------------+--------+-------+-------------------------+
| actions://actions/checkout@main                                     | OK     | [10]  |                         |
| actions://actions/checkout@c7d749a2d57b4b375d1ebcd17cfbfb60c676f18e | ERROR  | [7]   | SHA not present in repo |
+---------------------------------------------------------------------+--------+-------+-------------------------+

By URL:

$ clank https://github.com/sigstore/cosign
/var/folders/83/j7crs0zj5g9_nj3wb9hql9hh0000gn/T/clank-3841068745/sigstore/cosign/.github/workflows/build.yaml
+-------------------------------------------------------------------------------+--------+-------+---------+
|                                      REF                                      | STATUS | LINES | DETAILS |
+-------------------------------------------------------------------------------+--------+-------+---------+
| actions://sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65  | OK     | [46]  |         |
| actions://actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568           | OK     | [48]  |         |
| actions://ko-build/setup-ko@ace48d793556083a76f1e3e6068850c1f4a369aa          | OK     | [54]  |         |
| actions://google-github-actions/auth@ef5d53e30bbcd8d0836f4288f5e50ff3e086997d | OK     | [57]  |         |
| actions://actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c           | OK     | [44]  |         |
+-------------------------------------------------------------------------------+--------+-------+---------+

/var/folders/83/j7crs0zj5g9_nj3wb9hql9hh0000gn/T/clank-3841068745/sigstore/cosign/.github/workflows/codeql-analysis.yml
+---------------------------------------------------------------------------------+--------+-------+---------+
|                                       REF                                       | STATUS | LINES | DETAILS |
+---------------------------------------------------------------------------------+--------+-------+---------+
| actions://actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568             | OK     | [63]  |         |
| actions://github/codeql-action/init@32dc499307d133bb5085bae78498c0ac2cf762d5    | OK     | [70]  |         |
| actions://github/codeql-action/analyze@32dc499307d133bb5085bae78498c0ac2cf762d5 | OK     | [78]  |         |
| actions://actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c             | OK     | [50]  |         |
| actions://actions/cache@69d9d449aced6a2ede0bc19182fadc3a0a42d2b0                | OK     | [53]  |         |
+---------------------------------------------------------------------------------+--------+-------+---------+

...

Authentication

clank looks for an access token to be passed in via the GITHUB_TOKEN environment variable. This token is used to fetch content and compute diffs.

While clank can be used against public repos without a token, you may run into rate limiting without it.

The easiest way to get a token is to run:

$ export GITHUB_TOKEN=`gh auth token`
$ clank ./testdata

Download

clank.zip

Comments(12)

1

Bump actions/checkout from 3.5.0 to 3.5.2
Bumps actions/checkout from 3.5.0 to 3.5.2.
Release notes

Sourced from actions/checkout's releases.
v3.5.2

What's Changed
- Fix: Use correct API url / endpoint in GHES by @fhammerl in actions/checkout#1289 based on #1286 by @1newsr
Full Changelog: https://github.com/actions/checkout/compare/v3.5.1...v3.5.2

v3.5.1

What's Changed
- Improve checkout performance on Windows runners by upgrading @actions/github dependency by @BrettDong in actions/checkout#1246
New Contributors
- @BrettDong made their first contribution in actions/checkout#1246
- @fhammerl made their first contribution in actions/checkout#1284
Full Changelog: https://github.com/actions/checkout/compare/v3.5.0...v3.5.1
Changelog

Sourced from actions/checkout's changelog.
Changelog

v3.5.2
- Fix api endpoint for GHES
v3.5.1
- Fix slow checkout on Windows
v3.5.0
- Add new public key for known_hosts
v3.4.0
v3.3.0
- Implement branch list using callbacks from exec function
- Add in explicit reference to private checkout options
- [Fix comment typos (that got added in #770)](actions/checkout#1057)
v3.2.0
v3.1.0
- Use @actions/core saveState and getState
- Add github-server-url input
v3.0.2
- Add input set-safe-directory
v3.0.1
- Fixed an issue where checkout failed to run in container jobs due to the new git setting safe.directory
- Bumped various npm package versions
v3.0.0
- Update to node 16
v2.3.1
- Fix default branch resolution for .wiki and when using SSH
v2.3.0
... (truncated)
Commits
- 8e5e7e5 Release v3.5.2 (#1291)
- eb35239 Fix: convert baseUrl to serverApiUrl 'formatted' (#1289)
- 83b7061 Release v3.5.1 (#1284)
- 40a16eb Improve checkout performance on Windows runners by upgrading @actions/github ...
- See full diff in compare view
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
> **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
2

Bump actions/checkout from 3.3.0 to 3.4.0
Bumps actions/checkout from 3.3.0 to 3.4.0.
Release notes

Sourced from actions/checkout's releases.
v3.4.0

What's Changed
- Upgrade codeql actions to v2 by @Link- in actions/checkout#1209
- Upgrade dependencies by @Link- in actions/checkout#1210
- Backfill changelog and bump actions/io by @cory-miller in actions/checkout#1225
New Contributors
- @Link- made their first contribution in actions/checkout#1209
Full Changelog: https://github.com/actions/checkout/compare/v3.3.0...v3.4.0
Changelog

Sourced from actions/checkout's changelog.
Changelog

v3.4.0
v3.3.0
- Implement branch list using callbacks from exec function
- Add in explicit reference to private checkout options
- [Fix comment typos (that got added in #770)](actions/checkout#1057)
v3.2.0
v3.1.0
- Use @actions/core saveState and getState
- Add github-server-url input
v3.0.2
- Add input set-safe-directory
v3.0.1
- Fixed an issue where checkout failed to run in container jobs due to the new git setting safe.directory
- Bumped various npm package versions
v3.0.0
- Update to node 16
v2.3.1
- Fix default branch resolution for .wiki and when using SSH
v2.3.0
- Fallback to the default branch
v2.2.0
- Fetch all history for all tags and branches when fetch-depth=0
v2.1.1
- Changes to support GHES (here and here)
... (truncated)
Commits
- 24cb908 Bump @actions/io to v1.1.3 (#1225)
- 27135e3 Upgrade dependencies (#1210)
- 7b18718 Upgrade codeql actions to v2 (#1209)
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
3

Bump github.com/fatih/color from 1.14.1 to 1.15.0
Bumps github.com/fatih/color from 1.14.1 to 1.15.0.
Release notes

Sourced from github.com/fatih/color's releases.
v1.15.0

What's Changed
- windows: enable virtual terminal processing, fixes #169 by @martinlindhe in fatih/color#186
- ci: update dependencies by @fatih in fatih/color#191
- Bump golang.org/x/sys from 0.5.0 to 0.6.0 by @dependabot in fatih/color#189
- Refactor color_windows.go by @pellared in fatih/color#188
New Contributors
- @martinlindhe made their first contribution in fatih/color#186
Full Changelog: https://github.com/fatih/color/compare/v1.14.1...v1.15.0
Commits
- 12126ed Merge pull request #188 from pellared/patch-1
- 770038b Merge branch 'main' into patch-1
- c5d9a2b Merge pull request #189 from fatih/dependabot/go_modules/golang.org/x/sys-0.6.0
- 1ceb746 Bump golang.org/x/sys from 0.5.0 to 0.6.0
- 66a1b89 Merge pull request #191 from fatih/update-ci-deps
- 3228f5a ci: update dependencies
- 0226ec9 Refactor color_windows.go
- d080a5b Merge pull request #186 from martinlindhe/main
- 02ab2ea windows: enable virtual terminal processing, fixes #169
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
4

Bump github.com/sethvargo/ratchet from 0.3.1 to 0.4.0
Bumps github.com/sethvargo/ratchet from 0.3.1 to 0.4.0.
Release notes

Sourced from github.com/sethvargo/ratchet's releases.
v0.4.0

Changelog
- f36399bd82e114cb60ff6bc22bd8bc276a9a47be: Update releasing config (@sethvargo)
- 05cbd8f7aded3e20bc2ebf3c4c2a44d3d3b1813a: Fix bad comment (@sethvargo)
- 341751135d44f57c5ecf4e7bc369af35ed12adb8: Update dependencies and templates (@sethvargo)
- fbe90fcd12b08e65cc989b8749f39a1c3b526ac9: add support for Drone (#40) (@ajayk)
- 9a80a8716df6393d7eec72505f8200aa089b466d: Add list of parsers to help output (#44) (@sethvargo)
- 5e13c628e4dad08445d9dd224819ad541e946291: Update all deps (#45) (@sethvargo)
- 4c346f77c87e664ee0c35515e80d1d63e04abbe4: Cleanup README (@sethvargo)
Commits
- 4c346f7 Cleanup README
- 5e13c62 Update all deps (#45)
- 9a80a87 Add list of parsers to help output (#44)
- fbe90fc add support for Drone (#40)
- 3417511 Update dependencies and templates
- 05cbd8f Fix bad comment
- f36399b Update releasing config
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
5

Bump golang.org/x/oauth2 from 0.10.0 to 0.11.0
Bumps golang.org/x/oauth2 from 0.10.0 to 0.11.0.
Commits
- 2e4a4e2 go.mod: update golang.org/x dependencies
- ac6658e all: update go version to 1.18
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
6

Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0
Bumps golang.org/x/oauth2 from 0.9.0 to 0.10.0.
Commits
- ec5679f go.mod: update golang.org/x dependencies
- 989acb1 all: update dependencies to their latest versions
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
7

Bump golang.org/x/oauth2 from 0.8.0 to 0.9.0
Bumps golang.org/x/oauth2 from 0.8.0 to 0.9.0.
Commits
- 2323c81 go.mod: update golang.org/x dependencies
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
8

Bump actions/checkout from 3.5.2 to 3.5.3
Bumps actions/checkout from 3.5.2 to 3.5.3.
Release notes

Sourced from actions/checkout's releases.
v3.5.3

What's Changed
- Fix: Checkout Issue in self hosted runner due to faulty submodule check-ins by @megamanics in actions/checkout#1196
- Fix typos found by codespell by @DimitriPapadopoulos in actions/checkout#1287
- Add support for sparse checkouts by @dscho and @dfdez in actions/checkout#1369
- Release v3.5.3 by @TingluoHuang in actions/checkout#1376
New Contributors
- @megamanics made their first contribution in actions/checkout#1196
- @DimitriPapadopoulos made their first contribution in actions/checkout#1287
- @dfdez made their first contribution in actions/checkout#1369
Full Changelog: https://github.com/actions/checkout/compare/v3...v3.5.3
Changelog

Sourced from actions/checkout's changelog.
Changelog

v3.5.3
v3.5.2
- Fix api endpoint for GHES
v3.5.1
- Fix slow checkout on Windows
v3.5.0
- Add new public key for known_hosts
v3.4.0
v3.3.0
- Implement branch list using callbacks from exec function
- Add in explicit reference to private checkout options
- [Fix comment typos (that got added in #770)](actions/checkout#1057)
v3.2.0
v3.1.0
- Use @actions/core saveState and getState
- Add github-server-url input
v3.0.2
- Add input set-safe-directory
v3.0.1
- Fixed an issue where checkout failed to run in container jobs due to the new git setting safe.directory
- Bumped various npm package versions
v3.0.0
- Update to node 16
v2.3.1
... (truncated)
Commits
- c85c95e Release v3.5.3 (#1376)
- d106d46 Add support for sparse checkouts (#1369)
- f095bcc Fix typos found by codespell (#1287)
- 47fbe2d Fix: Checkout fail in self-hosted runners when faulty submodule are checked-i...
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
9

Bump golangci/golangci-lint-action from 3.5.0 to 3.6.0
Bumps golangci/golangci-lint-action from 3.5.0 to 3.6.0.
Release notes

Sourced from golangci/golangci-lint-action's releases.
v3.6.0

What's Changed
- docs: fix example by @yuki0920 in golangci/golangci-lint-action#762
- doc: Add custom configuration file path to args by @Aisuko in golangci/golangci-lint-action#767
- feat: add install-mode by @ldez in golangci/golangci-lint-action#768
- feat: support out-format as args by @jrehwaldt in golangci/golangci-lint-action#769
- fix: out-format by @ldez in golangci/golangci-lint-action#770
New Contributors
- @yuki0920 made their first contribution in golangci/golangci-lint-action#762
- @Aisuko made their first contribution in golangci/golangci-lint-action#767
- @ldez made their first contribution in golangci/golangci-lint-action#768
- @jrehwaldt made their first contribution in golangci/golangci-lint-action#769
Full Changelog: https://github.com/golangci/golangci-lint-action/compare/v3.5.0...v3.6.0
Commits
- 639cd34 tests: increase timeout
- 569abaa fix: out-format (#770)
- c57cc43 build(deps-dev): bump typescript from 5.0.4 to 5.1.3 (#764)
- 322510a feat: support out-format as args (#769)
- 185e7a2 feat: add install-mode (#768)
- 5be60c7 docs: improve args examples
- 825a50d chore: update workflow and doc
- 8c13ec4 doc: Add custom configuration file path to args (#767)
- 416b5d0 build(deps-dev): bump @typescript-eslint/parser from 5.59.7 to 5.59.8 (#765)
- 66a6080 build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.59.7 to 5.59.8 ...
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
10

Bump golangci/golangci-lint-action from 3.4.0 to 3.5.0
Bumps golangci/golangci-lint-action from 3.4.0 to 3.5.0.
Release notes

Sourced from golangci/golangci-lint-action's releases.
v3.5.0

What's Changed
- build(deps-dev): bump eslint from 8.32.0 to 8.33.0 by @dependabot in golangci/golangci-lint-action#659
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.48.2 to 5.49.0 by @dependabot in golangci/golangci-lint-action#661
- build(deps-dev): bump eslint-plugin-simple-import-sort from 9.0.0 to 10.0.0 by @dependabot in golangci/golangci-lint-action#662
- build(deps-dev): bump @vercel/ncc from 0.36.0 to 0.36.1 by @dependabot in golangci/golangci-lint-action#660
- build(deps-dev): bump @typescript-eslint/parser from 5.48.2 to 5.49.0 by @dependabot in golangci/golangci-lint-action#663
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.49.0 to 5.50.0 by @dependabot in golangci/golangci-lint-action#665
- build(deps-dev): bump @typescript-eslint/parser from 5.49.0 to 5.50.0 by @dependabot in golangci/golangci-lint-action#666
- build(deps-dev): bump typescript from 4.9.4 to 4.9.5 by @dependabot in golangci/golangci-lint-action#667
- build(deps): bump @types/node from 18.11.18 to 18.11.19 by @dependabot in golangci/golangci-lint-action#668
- doc: add quote aroung go version by @vaughany in golangci/golangci-lint-action#670
- build(deps-dev): bump @typescript-eslint/parser from 5.50.0 to 5.51.0 by @dependabot in golangci/golangci-lint-action#671
- build(deps-dev): bump prettier from 2.8.3 to 2.8.4 by @dependabot in golangci/golangci-lint-action#673
- build(deps): bump @types/node from 18.11.19 to 18.13.0 by @dependabot in golangci/golangci-lint-action#674
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.50.0 to 5.51.0 by @dependabot in golangci/golangci-lint-action#675
- build(deps): bump @actions/cache from 3.1.2 to 3.1.3 by @dependabot in golangci/golangci-lint-action#672
- build(deps-dev): bump @typescript-eslint/parser from 5.51.0 to 5.52.0 by @dependabot in golangci/golangci-lint-action#678
- build(deps): bump @types/node from 18.13.0 to 18.14.0 by @dependabot in golangci/golangci-lint-action#679
- build(deps-dev): bump eslint from 8.33.0 to 8.34.0 by @dependabot in golangci/golangci-lint-action#680
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.51.0 to 5.52.0 by @dependabot in golangci/golangci-lint-action#681
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.52.0 to 5.53.0 by @dependabot in golangci/golangci-lint-action#684
- build(deps-dev): bump eslint from 8.34.0 to 8.35.0 by @dependabot in golangci/golangci-lint-action#685
- build(deps): bump @types/node from 18.14.0 to 18.14.2 by @dependabot in golangci/golangci-lint-action#688
- build(deps-dev): bump @typescript-eslint/parser from 5.52.0 to 5.53.0 by @dependabot in golangci/golangci-lint-action#687
- build(deps): bump @actions/cache from 3.1.3 to 3.1.4 by @dependabot in golangci/golangci-lint-action#686
- build(deps): bump @types/node from 18.14.2 to 18.14.6 by @dependabot in golangci/golangci-lint-action#691
- build(deps-dev): bump @typescript-eslint/parser from 5.53.0 to 5.54.0 by @dependabot in golangci/golangci-lint-action#692
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.53.0 to 5.54.0 by @dependabot in golangci/golangci-lint-action#693
- build(deps-dev): bump eslint-config-prettier from 8.6.0 to 8.7.0 by @dependabot in golangci/golangci-lint-action#694
- build(deps-dev): bump eslint from 8.35.0 to 8.36.0 by @dependabot in golangci/golangci-lint-action#699
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.54.0 to 5.54.1 by @dependabot in golangci/golangci-lint-action#700
- build(deps): bump @types/node from 18.14.6 to 18.15.1 by @dependabot in golangci/golangci-lint-action#701
- docs/build: update to setup-go@v4 by @caarlos0 in golangci/golangci-lint-action#704
- build(deps-dev): bump typescript from 4.9.5 to 5.0.2 by @dependabot in golangci/golangci-lint-action#705
- build(deps): bump @types/node from 18.15.1 to 18.15.3 by @dependabot in golangci/golangci-lint-action#706
- build(deps): bump @actions/http-client from 2.0.1 to 2.1.0 by @dependabot in golangci/golangci-lint-action#697
- build(deps-dev): bump prettier from 2.8.4 to 2.8.5 by @dependabot in golangci/golangci-lint-action#707
- build(deps): bump @actions/cache from 3.1.4 to 3.2.1 by @dependabot in golangci/golangci-lint-action#698
- build(deps-dev): bump eslint-config-prettier from 8.7.0 to 8.8.0 by @dependabot in golangci/golangci-lint-action#709
- build(deps): bump @types/node from 18.15.3 to 18.15.10 by @dependabot in golangci/golangci-lint-action#710
- build(deps-dev): bump prettier from 2.8.5 to 2.8.7 by @dependabot in golangci/golangci-lint-action#711
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.54.1 to 5.56.0 by @dependabot in golangci/golangci-lint-action#712
- build(deps-dev): bump @typescript-eslint/parser from 5.54.0 to 5.56.0 by @dependabot in golangci/golangci-lint-action#713
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.56.0 to 5.57.0 by @dependabot in golangci/golangci-lint-action#718
- build(deps-dev): bump typescript from 5.0.2 to 5.0.3 by @dependabot in golangci/golangci-lint-action#717
- build(deps-dev): bump eslint from 8.36.0 to 8.37.0 by @dependabot in golangci/golangci-lint-action#719
- build(deps-dev): bump @typescript-eslint/parser from 5.56.0 to 5.57.0 by @dependabot in golangci/golangci-lint-action#720
- build(deps): bump @types/node from 18.15.10 to 18.15.11 by @dependabot in golangci/golangci-lint-action#721
- build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.57.0 to 5.57.1 by @dependabot in golangci/golangci-lint-action#722
... (truncated)
Commits
- 5f1fec7 build(deps-dev): bump @typescript-eslint/parser from 5.59.6 to 5.59.7 (#758)
- 601007b build(deps): bump @types/node from 20.2.3 to 20.2.5 (#756)
- d2a913e build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.59.6 to 5.59.7 ...
- 7233bd7 build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.59.5 to 5.59.6 ...
- 687f029 build(deps): bump @types/node from 20.1.4 to 20.2.3 (#755)
- f9990cd build(deps-dev): bump @typescript-eslint/parser from 5.59.5 to 5.59.6 (#754)
- f30aa51 build(deps-dev): bump eslint from 8.40.0 to 8.41.0 (#753)
- 6b21f58 build(deps-dev): bump @typescript-eslint/eslint-plugin from 5.59.2 to 5.59.5 ...
- 535ed3a build(deps): bump @types/semver from 7.3.13 to 7.5.0 (#748)
- 0078ef0 build(deps-dev): bump @typescript-eslint/parser from 5.59.1 to 5.59.5 (#750)
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
11

Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0
Bumps golang.org/x/oauth2 from 0.7.0 to 0.8.0.
Commits
- 839de22 google: don't check for IsNotExist for well-known file
- 0690208 go.mod: update golang.org/x dependencies
- 451d5d6 internal: remove repeated definite articles
- cfe200d oauth2: parse RFC 6749 error response
- See full diff in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
12

Bump actions/setup-go from 4.0.1 to 4.1.0
Bumps actions/setup-go from 4.0.1 to 4.1.0.
Release notes

Sourced from actions/setup-go's releases.
v4.1.0

What's Changed

In scope of this release, slow installation on Windows was fixed by @dsame in actions/setup-go#393 and OS version was added to primaryKey for Ubuntu runners to avoid conflicts (actions/setup-go#383)

This release also includes the following changes:
- Remove implicit dependencies by @nikolai-laevskii in actions/setup-go#378
- Update action.yml by @mkelly in actions/setup-go#379
- Added a description that go-version should be specified as a string type by @n3xem in actions/setup-go#367
- Add note about YAML parsing versions by @dmitry-shibanov in actions/setup-go#382
- Automatic update of configuration files from 05/23/2023 by @github-actions in actions/setup-go#377
- Bump tough-cookie and @azure/ms-rest-js by @dependabot in actions/setup-go#392
- Bump word-wrap from 1.2.3 to 1.2.4 by @dependabot in actions/setup-go#397
- Bump semver from 6.3.0 to 6.3.1 by @dependabot in actions/setup-go#396
New Contributors
- @mkelly made their first contribution in actions/setup-go#379
- @n3xem made their first contribution in actions/setup-go#367
Full Changelog: https://github.com/actions/setup-go/compare/v4...v4.1.0
Commits
- 93397be Fix Install on Windows is very slow (#393)
- 27eec5b Merge pull request #396 from actions/dependabot/npm_and_yarn/semver-6.3.1
- ecfc77a Merge pull request #397 from actions/dependabot/npm_and_yarn/word-wrap-1.2.4
- 1b80a11 Bump word-wrap from 1.2.3 to 1.2.4
- b1c3434 Fix licensing for Semver 6.3.1
- 0bb97b1 Rebuild after updating Semver
- 4220624 Bump semver from 6.3.0 to 6.3.1
- db8764c Bump tough-cookie and @azure/ms-rest-js (#392)
- 08b314a Merge pull request #383 from akv-platform/issue-368
- 4e0b6c7 Limit to Linux only
- Additional commits viewable in compare view
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Simple tool that allows you to detect imposter commits in GitHub Actions workflows.

clank

Installation

Usage

Examples:

Authentication

Download

Comments(12)

Bump actions/checkout from 3.5.0 to 3.5.2

v3.5.2

What's Changed

v3.5.1

What's Changed

New Contributors

Changelog

v3.5.2

v3.5.1

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.2

v3.0.1

v3.0.0

v2.3.1

v2.3.0

Bump actions/checkout from 3.3.0 to 3.4.0

v3.4.0

What's Changed

New Contributors

Changelog

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.2

v3.0.1

v3.0.0

v2.3.1

v2.3.0

v2.2.0

v2.1.1

Bump github.com/fatih/color from 1.14.1 to 1.15.0

v1.15.0

What's Changed

New Contributors

Bump github.com/sethvargo/ratchet from 0.3.1 to 0.4.0

v0.4.0

Changelog

Bump golang.org/x/oauth2 from 0.10.0 to 0.11.0

Bump golang.org/x/oauth2 from 0.9.0 to 0.10.0

Bump golang.org/x/oauth2 from 0.8.0 to 0.9.0

Bump actions/checkout from 3.5.2 to 3.5.3

v3.5.3

What's Changed

New Contributors

Changelog

v3.5.3

v3.5.2

v3.5.1

v3.5.0

v3.4.0

v3.3.0

v3.2.0

v3.1.0

v3.0.2

v3.0.1

v3.0.0

v2.3.1

Bump golangci/golangci-lint-action from 3.5.0 to 3.6.0

v3.6.0

What's Changed

New Contributors

Bump golangci/golangci-lint-action from 3.4.0 to 3.5.0

v3.5.0

What's Changed

Bump golang.org/x/oauth2 from 0.7.0 to 0.8.0

Bump actions/setup-go from 4.0.1 to 4.1.0

v4.1.0