This repository was archived by the owner on Jan 30, 2026. It is now read-only.

Commit ab60f7f

mmatltodgruottlingerOlegt0rrjoshmgross
authored
fix: vulnerabilities (#2)
* update documentation to use <action>@v4
* Update README.md and use v4 of checkout action (actions#1437) Update examples to use latest available checkout action v4.
* Explicit use bash for Windows (actions#1377) Co-authored-by: Josh Gross <joshmgross@github.com>
* Fix cache-hit output when cache missed (actions#1404)
* fix: cache-hit output
* fix: Output chache hit timing
* fix: Output chache hit timing --------- Co-authored-by: Josh Gross <joshmgross@github.com>
* Clarify that the `restore-keys` input is a string in the docs (actions#1434)
* Fix Description for restore-keys at Readme As previously the restore-keys were defined as an ordered lists which is wrong as per the issue description where the actual format is a multi-line string with one key per line.
* Added a space between the sentence of restore-keys description While at the PR review it's been identified there's a need for a space between the sentence ``` An ordered multiline string listing the prefix-matched keys,that are used for restoring stale cache if no cache hit occurred for key. ``` where it's written as "prefix-matched keys,that are" this commit will address the review comment and introduce a space between "prefix-matched keys, that are" and change the sentence to ``` An ordered multiline string listing the prefix-matched keys, that are used for restoring stale cache if no cache hit occurred for key. ```
* Change restore-keys description at cache/restore/action.yml and cache/action.yml
* Add workflow file for publishing releases to immutable action package This workflow file publishes new action releases to the immutable action package of the same name as this repo. This is part of the Immutable Actions project which is not yet fully released to the public. First party actions like this one are part of our initial testing of this feature.
* Deprecate `save-always` input (actions#1452) The `save-always` input added in v4 is not working as intended due to `post-if` expressions not supporting the input context. To avoid breaking users who have already added this input to their workflows, it is being deprecated now and will be removed in the next major version (v5). See actions#1315 for more details.
* Fix typo: depening -> depending (actions#1462) Co-authored-by: Josh Gross <joshmgross@github.com>
* restore action's README now references v4 instead of v3 (actions#1445) Co-authored-by: Josh Gross <joshmgross@github.com>
* Prepare `4.1.0` release (actions#1464)
* Restore original behavior of `cache-hit` output (actions#1467)
* Restore original behavior of `cache-hit` output
* Bump version to 4.1.1
* Add Bun example (actions#1456)
* Add Bun example
* Fix Bun Windows example
* Revise `isGhes` logic
* ran `npm run build`
* appease the linter
* added unit tests
* Bump braces from 3.0.2 to 3.0.3 Bumps [braces](https://github.com/micromatch/braces) from 3.0.2 to 3.0.3. - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](micromatch/braces@3.0.2...3.0.3) --- updated-dependencies: - dependency-name: braces dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
* Create dependabot.yml
* Prepare release 4.1.2
* Bump actions/checkout from 3 to 4 Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* Bump actions/stale from 3 to 9 Bumps [actions/stale](https://github.com/actions/stale) from 3 to 9. - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@v3...v9) --- updated-dependencies: - dependency-name: actions/stale dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* Bump actions/setup-node from 3 to 4 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 3 to 4. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v3...v4) --- updated-dependencies: - dependency-name: actions/setup-node dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* Bump github/codeql-action from 2 to 3 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2 to 3. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v2...v3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
* Upgrade @actions/cache to 4.0.0
* Update RELEASES.md
* Upgrade @vercel/ncc to 0.38.3
* Upgrade @actions/core to 1.11.1 and other deps
* Add licensed output
* Add reviewed licensed packages
* Add lodash to list of reviewed licenses
* Add licensed output
* Rerun CI
* Add 3.4.0 release notes
* Correct GitHub Spelling in caching-strategies.md (actions#1526) GitHub was spelled incorrectly 3 lines under the Understanding how to choose path section
* docs: Make the "always save prime numbers" example more clear (actions#1525)
* Update force deletion docs due a recent deprecation (actions#1500)
* fix: update force deletion docs due a recent deprecation
* fix: applied josh's suggestions --------- Co-authored-by: Josh Gross <joshmgross@github.com>
* bump @actions/cache to v4.0.1
* Update publish-immutable-actions.yml
* bump @actions/cache to v4.0.2, prep for v4.2.2 release
* add changes
* changed
* mask whole url
* debugging
* type
* artifact changes
* update cache package to mask whole sas to the end of the line
* mask
* update
* latest test before pr
* updated cache with latest changes
* updates
* new package
* update cache with main
* Update to use the latest version of the cache package to obfuscate the SAS
* Update releases.md
* Update README.md
* fix: fix

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: todgru <todgru@gmail.com>
Co-authored-by: P. Ottlinger <ottlinger@users.noreply.github.com>
Co-authored-by: Oleg A. <t0rr@mail.ru>
Co-authored-by: Josh Gross <joshmgross@github.com>
Co-authored-by: r4mimu <52129983+fchimpan@users.noreply.github.com>
Co-authored-by: Soubhik Kumar Mitra <59209034+x612skm@users.noreply.github.com>
Co-authored-by: Bassem Dghaidi <568794+Link-@users.noreply.github.com>
Co-authored-by: Joel Ambass <Jcambass@users.noreply.github.com>
Co-authored-by: mackey0225 <masaki.asano0225@gmail.com>
Co-authored-by: Eman Resu <78693624+quatquatt@users.noreply.github.com>
Co-authored-by: Jan T. Sott <git@idleberg.com>
Co-authored-by: John Wesley Walker III <81404201+jww3@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: janco-absa <janco.bester@absa.africa>
Co-authored-by: Tobbe Lundberg <tobbe@tlundberg.com>
Co-authored-by: Alessandro Sebastiani <sebbalex@users.noreply.github.com>
Co-authored-by: Rob Herley <robherley@github.com>
Co-authored-by: Salman Chishti <salmanmkc@GitHub.com>
Co-authored-by: Ben De St Paer-Gotch <nebuk89@github.com>
2 parents 198bfc2 + 59e3a57 commit ab60f7f

55 files changed

Lines changed: 19384 additions & 6912 deletions

‎.github/dependabot.yml‎

Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
# To get started with Dependabot version updates, you'll need to specify which
2+
# package ecosystems to update and where the package manifests are located.
3+
# Please see the documentation for all configuration options:
4+
# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
5+
6+
version: 2
7+
updates:
8+
- package-ecosystem: "github-actions"
9+
directory: "/"
10+
schedule:
11+
interval: "weekly"
12+
groups:
13+
minor-actions-dependencies:
14+
update-types: [minor, patch]
15+
16+
- package-ecosystem: "npm"
17+
directory: "/"
18+
schedule:
19+
interval: "daily"
20+
allow:
21+
- dependency-type: direct
22+
- dependency-type: production
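
Review bot: In the npm entry (lines 16-22) the allow list carries both dependency-type: direct and dependency-type: production, and the file does not say which set is intended. If the aim is runtime dependencies only, keep just the production entry; if it is everything declared in package.json, keep just direct. The npm entry also has no groups block, so the daily interval will open one pull request per package, unlike the grouped weekly github-actions entry above it.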

‎.github/workflows/close-inactive-issues.yml‎

Lines changed: 1 addition & 1 deletion
@@ -10,7 +10,7 @@ jobs:
1010
issues: write
1111
pull-requests: write
1212
steps:
13-
- uses: actions/stale@v3
13+
- uses: actions/stale@v9
1414
with:
1515
days-before-issue-stale: 200
1616
days-before-issue-close: 5
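
Review bot: The change at line 13 from actions/stale@v3 to @v9 jumps six major versions in one step, and only two of the inputs under with: are visible in this hunk. Check every input in that block against the v9 input list before merging, and confirm that the job's issues: write and pull-requests: write permissions are still what v9 needs and no more.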

‎.github/workflows/codeql.yml‎

Lines changed: 4 additions & 4 deletions
@@ -17,19 +17,19 @@ jobs:
1717

1818
steps:
1919
- name: Checkout repository
20-
uses: actions/checkout@v3
20+
uses: actions/checkout@v4
2121

2222
# Initializes the CodeQL tools for scanning.
2323
- name: Initialize CodeQL
24-
uses: github/codeql-action/init@v2
24+
uses: github/codeql-action/init@v3
2525
# Override language selection by uncommenting this and choosing your languages
2626
# with:
2727
# languages: go, javascript, csharp, python, cpp, java, ruby
2828

2929
# Autobuild attempts to build any compiled languages (C/C++, C#, Go, or Java).
3030
# If this step fails, then you should remove it and run the build manually (see below).
3131
- name: Autobuild
32-
uses: github/codeql-action/autobuild@v2
32+
uses: github/codeql-action/autobuild@v3
3333

3434
# ℹ️ Command-line programs to run using the OS shell.
3535
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
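
Review bot: The Autobuild step at lines 31-32 is kept and bumped to v3, but its own comment says it exists for compiled languages (C/C++, C#, Go, or Java), and the languages override at lines 26-27 is still commented out. If this repository is analysed only as JavaScript/TypeScript, drop the step instead of upgrading it; otherwise set languages explicitly so the scan scope is stated in the file. init and autobuild here also need to stay on the same major version as analyze in the next hunk.
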
@@ -43,4 +43,4 @@ jobs:
4343
# make release
4444

4545
- name: Perform CodeQL Analysis
46-
uses: github/codeql-action/analyze@v2
46+
uses: github/codeql-action/analyze@v3
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
name: 'Publish Immutable Action Version'
2+
3+
on:
4+
release:
5+
types: [released]
6+
7+
jobs:
8+
publish:
9+
runs-on: ubuntu-latest
10+
permissions:
11+
contents: read
12+
id-token: write
13+
packages: write
14+
15+
steps:
16+
- name: Checking out
17+
uses: actions/checkout@v4
18+
- name: Publish
19+
id: publish
20+
uses: actions/publish-immutable-action@0.0.3
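
Review bot: actions/publish-immutable-action@0.0.3 at line 20 is a pre-1.0 action referenced by tag in a job that grants id-token: write and packages: write. Pin it to a full commit SHA with the version in a trailing comment, so the code that receives those permissions cannot change under the tag. The workflow also has no guard on which repository it runs in; if this copy is not meant to publish a package on every release, add an if: condition on github.repository or leave the file out.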

‎.github/workflows/workflow.yml‎

Lines changed: 6 additions & 6 deletions
@@ -20,9 +20,9 @@ jobs:
2020
runs-on: ${{ matrix.os }}
2121
steps:
2222
- name: Checkout
23-
uses: actions/checkout@v3
23+
uses: actions/checkout@v4
2424
- name: Setup Node.js 20.x
25-
uses: actions/setup-node@v3
25+
uses: actions/setup-node@v4
2626
with:
2727
node-version: 20.x
2828
cache: npm
@@ -43,7 +43,7 @@ jobs:
4343
runs-on: ${{ matrix.os }}
4444
steps:
4545
- name: Checkout
46-
uses: actions/checkout@v3
46+
uses: actions/checkout@v4
4747
- name: Generate files in working directory
4848
shell: bash
4949
run: __tests__/create-cache-files.sh ${{ runner.os }} test-cache
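
Review bot: The unchanged run line at 49 expands ${{ runner.os }} directly into the shell command. The value is runner-provided rather than user-controlled, so this is a style point, but reading it from the RUNNER_OS environment variable keeps expressions out of run: scripts and sets the pattern to follow for less trusted values: `run: __tests__/create-cache-files.sh "$RUNNER_OS" test-cache`.
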
@@ -66,7 +66,7 @@ jobs:
6666
runs-on: ${{ matrix.os }}
6767
steps:
6868
- name: Checkout
69-
uses: actions/checkout@v3
69+
uses: actions/checkout@v4
7070
- name: Restore cache
7171
uses: ./
7272
with:
@@ -96,7 +96,7 @@ jobs:
9696
https_proxy: http://squid-proxy:3128
9797
steps:
9898
- name: Checkout
99-
uses: actions/checkout@v3
99+
uses: actions/checkout@v4
100100
- name: Generate files
101101
run: __tests__/create-cache-files.sh proxy test-cache
102102
- name: Save cache
@@ -119,7 +119,7 @@ jobs:
119119
https_proxy: http://squid-proxy:3128
120120
steps:
121121
- name: Checkout
122-
uses: actions/checkout@v3
122+
uses: actions/checkout@v4
123123
- name: Restore cache
124124
uses: ./
125125
with:

‎.licensed.yml‎

Lines changed: 7 additions & 1 deletion
@@ -13,4 +13,10 @@ allowed:
1313

1414
reviewed:
1515
npm:
16-
- sax
16+
- sax
17+
- "@protobuf-ts/plugin-framework" # Apache-2.0
18+
- "@protobuf-ts/runtime" # Apache-2.0
19+
- fs.realpath # ISC
20+
- glob # ISC
21+
- prettier # MIT
22+
- lodash # MIT
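
Review bot: prettier at line 21 is usually a development-only formatter, so its presence under reviewed.npm suggests it now appears in the dependency set that the license check scans. Confirm which package pulls it in, and whether it belongs in devDependencies, before exempting it here. The re-added sax entry at line 16 is also the only item without a license comment; add one for consistency with the six new entries.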
