chore: fix dependabot alerts (#2208)

https://github.com/project-zot/zot/pull/2192
https://github.com/project-zot/zot/pull/2193
https://github.com/project-zot/zot/pull/2194
https://github.com/project-zot/zot/pull/2195
https://github.com/project-zot/zot/pull/2196
https://github.com/project-zot/zot/pull/2197
https://github.com/project-zot/zot/pull/2198
https://github.com/project-zot/zot/pull/2199
https://github.com/project-zot/zot/pull/2200
https://github.com/project-zot/zot/pull/2201
https://github.com/project-zot/zot/pull/2202
https://github.com/project-zot/zot/pull/2203
https://github.com/project-zot/zot/pull/2204
https://github.com/project-zot/zot/pull/2205
https://github.com/project-zot/zot/pull/2206
https://github.com/project-zot/zot/pull/2207

Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>

.github/workflows/benchmark.yaml

@@ -24,7 +24,7 @@ jobs:
         run: make BENCH_OUTPUT=ci-cd run-bench
       # Download previous benchmark result from cache (if exists)
       - name: Download previous benchmark data
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ./cache
           key: ${{ runner.os }}-gen1-benchmark

.github/workflows/build.yaml

@@ -33,7 +33,7 @@ jobs:
           go-version: 1.20.x
       - name: Cache go dependencies
         id: cache-go-dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/go/pkg/mod
@@ -42,7 +42,7 @@ jobs:
             ${{ runner.os }}-go-mod-
       - name: Cache go build output
         id: cache-go-build
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/.cache/go-build

.github/workflows/cluster.yaml

@@ -160,7 +160,7 @@ jobs:
 
       # Download previous benchmark result from cache (if exists)
       - name: Download previous benchmark data
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ./cache
           key: ${{ runner.os }}-gen1-benchmark-stateless-cluster

.github/workflows/codeql-analysis.yml

@@ -53,7 +53,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2.22.9
+      uses: github/codeql-action/init@v3.23.2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -64,7 +64,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v2.22.9
+      uses: github/codeql-action/autobuild@v3.23.2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -77,4 +77,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2.22.9
+      uses: github/codeql-action/analyze@v3.23.2

.github/workflows/oci-conformance-action.yaml

@@ -59,7 +59,7 @@ jobs:
     - run: mkdir -p .out/ && mv {report.html,junit.xml} .out/
       if: always()
     - name: Upload test results zip as build artifact
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
       with:
         name: oci-test-results-${{ github.sha }}
         path: .out/

.github/workflows/publish.yaml

@@ -215,7 +215,7 @@ jobs:
           TRIVY_USERNAME: ${{ github.actor }}
           TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v2.22.9
+        uses: github/codeql-action/upload-sarif@v3.23.2
         with:
           sarif_file: 'trivy-results.sarif'
 

.github/workflows/scorecards.yaml

@@ -49,7 +49,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@v3 # v3.0.0
+        uses: actions/upload-artifact@v4 # v3.0.0
         with:
           name: SARIF file
           path: results.sarif
@@ -57,6 +57,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v2.22.9 # v1.0.26
+        uses: github/codeql-action/upload-sarif@v3.23.2 # v1.0.26
         with:
           sarif_file: results.sarif

.github/workflows/test.yaml

@@ -24,7 +24,7 @@ jobs:
           go-version: 1.20.x
       - name: Cache go dependencies
         id: cache-go-dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/go/pkg/mod
@@ -47,7 +47,7 @@ jobs:
           AWS_ACCESS_KEY_ID: fake
           AWS_SECRET_ACCESS_KEY: fake
       - name: upload coverage
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-minimal
           path: coverage-minimal.txt
@@ -63,7 +63,7 @@ jobs:
           go-version: 1.20.x
       - name: Cache go dependencies
         id: cache-go-dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/go/pkg/mod
@@ -86,7 +86,7 @@ jobs:
           AWS_ACCESS_KEY_ID: fake
           AWS_SECRET_ACCESS_KEY: fake
       - name: upload coverage
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-extended
           path: coverage-extended.txt
@@ -102,7 +102,7 @@ jobs:
           go-version: 1.20.x
       - name: Cache go dependencies
         id: cache-go-dependencies
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: |
             ~/go/pkg/mod
@@ -119,7 +119,7 @@ jobs:
       - name: run zot privileged tests
         run: sudo env "PATH=$PATH" make privileged-test
       - name: upload coverage
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: coverage-devmode
           path: coverage-dev-*.txt
@@ -135,7 +135,7 @@ jobs:
           cache: false
           go-version: 1.20.x
       - name: download all workflow coverage files
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
       - name: merge code coverage
         run: |
           cd $GITHUB_WORKSPACE

.github/workflows/web-scan.yaml

@@ -56,7 +56,7 @@ jobs:
         env:
           FLAVOR: ${{ matrix.flavor }}
       - name: ZAP Scan Rest API
-        uses: zaproxy/action-baseline@v0.10.0
+        uses: zaproxy/action-baseline@v0.11.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           docker_name: 'owasp/zap2docker-stable'