
Merge branch 'main' into 5.7-merge-to-main

Erwan MATHIEU 9 months ago
parent
commit
772692250f

+ 4 - 5
.github/ISSUE_TEMPLATE/SlicingCrash.yaml

@@ -5,11 +5,10 @@ body:
 - type: markdown
   attributes:
     value: |      
-       ### 💥 Slicing Crash Analysis Tool 💥
-       We are taking steps to analyze an increase in reported crashes more systematically. We'll need some help with that. 😇
-       Before filling out the report below, we want you to try a special Cura 5.7 Alpha.
-       This version of Cura has an updated slicing engine that will automatically send a report to the Cura Team for analysis. 
-       #### [You can find the downloads here](https://github.com/Ultimaker/Cura/discussions/18080) #### 
+       ### ✨Try our improved Cura 5.7✨
+       Before filling out the report below, we want you to try the latest Cura 5.7 Beta. 
+       This version of Cura has become significantly more reliable and has an updated slicing engine that will automatically send a report to the Cura Team for analysis. 
+       #### [You can find the downloads here](https://github.com/Ultimaker/Cura/releases/tag/5.7.0-beta.1) #### 
        If you still encounter a crash you are still welcome to report the issue so we can use your model as a test case, you can find instructions on how to do that below.      
        
        ### Project File

+ 40 - 0
.github/workflows/conan-package-resources.yml

@@ -0,0 +1,40 @@
+name: conan-package-resources
+
+on:
+  push:
+    paths:
+      - '.github/workflows/conan-package-resources.yml'
+      - 'resources/definitions/**'
+      - 'resources/extruders/**'
+      - 'resources/images/**'
+      - 'resources/intent/**'
+      - 'resources/meshes/**'
+      - 'resources/quality/**'
+      - 'resources/variants/**'
+      - 'resources/conanfile.py'
+    branches:
+      - 'main'
+      - 'CURA-*'
+      - 'PP-*'
+      - 'NP-*'
+      - '[0-9].[0-9]*'
+      - '[0-9].[0-9][0-9]*'
+
+env:
+  CONAN_LOGIN_USERNAME_CURA: ${{ secrets.CONAN_USER }}
+  CONAN_PASSWORD_CURA: ${{ secrets.CONAN_PASS }}
+
+jobs:
+  conan-recipe-version:
+    uses: ultimaker/cura-workflows/.github/workflows/conan-recipe-version.yml@main
+    with:
+      project_name: cura_resources
+
+  conan-package-export:
+    needs: [ conan-recipe-version ]
+    uses: ultimaker/cura-workflows/.github/workflows/conan-recipe-export.yml@main
+    with:
+      recipe_id_full: ${{ needs.conan-recipe-version.outputs.recipe_id_full }}
+      recipe_id_latest: ${{ needs.conan-recipe-version.outputs.recipe_id_latest }}
+      conan_recipe_root: "./resources/"
+    secrets: inherit
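Review bot: `conan-package-export` hands every repository secret to `ultimaker/cura-workflows/.github/workflows/conan-recipe-export.yml@main` through `secrets: inherit`, and `@main` is a branch that can move after this file has been reviewed. Pinning the reusable workflow to a commit SHA and passing only the Conan credentials it needs (a `secrets:` mapping instead of `inherit`) narrows what a change on that branch can reach; this depends on the called workflow declaring those secrets, which is not visible here. The workflow-level `env:` block with `CONAN_LOGIN_USERNAME_CURA` / `CONAN_PASSWORD_CURA` is not propagated to jobs that call a reusable workflow, so with both jobs being `uses:` calls it appears to have no effect. The same `@main` plus `secrets: inherit` pattern recurs in the two new `release-process_*.yml` workflows in this commit.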

+ 11 - 2
.github/workflows/conan-package.yml

@@ -4,12 +4,20 @@ on:
   push:
     paths:
       - 'plugins/**'
-      - 'resources/**'
       - 'cura/**'
+      - 'resources/bundled_packages/**'
+      - 'resources/i18n/**'
+      - 'resources/qml/**'
+      - 'resources/setting_visibility/**'
+      - 'resources/shaders/**'
+      - 'resources/texts/**'
+      - 'resources/themes/**'
+      - 'resources/public_key.pem'
+      - 'resources/README_resources.txt'
       - 'icons/**'
       - 'tests/**'
       - 'packaging/**'
-      - '.github/workflows/conan-*.yml'
+      - '.github/workflows/conan-package.yml'
       - '.github/workflows/notify.yml'
       - '.github/workflows/requirements-runner.txt'
       - 'requirements*.txt'
@@ -20,6 +28,7 @@ on:
       - 'main'
       - 'CURA-*'
       - 'PP-*'
+      - 'NP-*'
       - '[0-9].[0-9]*'
       - '[0-9].[0-9][0-9]*'
 

+ 32 - 9
.github/workflows/installers.yml

@@ -30,6 +30,29 @@ on:
         required: true
         type: boolean
 
+  workflow_call:
+    inputs:
+      cura_conan_version:
+        default: 'cura/latest@ultimaker/testing'
+        required: true
+        type: string
+      conan_args:
+        default: ''
+        required: false
+        type: string
+      enterprise:
+        default: false
+        required: true
+        type: boolean
+      staging:
+        default: false
+        required: true
+        type: boolean
+      nightly:
+        default: false
+        required: true
+        type: boolean
+
   schedule:
     # Daily at 4:15 CET (main-branch) and 5:15 CET (release-branch)
     - cron: '15 3 * * *'
@@ -109,7 +132,7 @@ jobs:
           fetch-depth: 1
 
       - name: Download the run info
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: linux-run-info
 
@@ -151,13 +174,13 @@ jobs:
               f.writelines(f"NIGHTLY_TIME={nightly_creation_time}\n")
 
       - name: Download linux installer jobs artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.LINUX }}-AppImage
           path: installers
 
       - name: Download linux installer jobs asc artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.LINUX }}-asc
           path: installers
@@ -175,13 +198,13 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Download win msi installer jobs artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.WIN_MSI }}-msi
           path: installers
 
       - name: Download win exe installer jobs artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.WIN_EXE }}-exe
           path: installers
@@ -199,13 +222,13 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Download MacOS (X64) dmg installer jobs artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.MAC_X64_DMG }}-dmg
           path: installers
 
       - name: Download MacOS (X64) pkg installer jobs artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.MAC_X64_PKG }}-pkg
           path: installers
@@ -223,13 +246,13 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Download MacOS (ARM-64) dmg installer jobs artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.MAC_ARM_DMG }}-dmg
           path: installers
 
       - name: Download MacOS (ARM-64) pkg installer jobs artifacts
-        uses: actions/download-artifact@v2
+        uses: actions/download-artifact@v4
         with:
           name: ${{ steps.filename.outputs.MAC_ARM_PKG }}-pkg
           path: installers
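Review bot: The nine `actions/download-artifact@v4` steps can only fetch artifacts that were produced by `actions/upload-artifact@v4`, because the v4 artifact backend is not interoperable with uploads made by v3 or earlier. The upload side for `linux-run-info` and the AppImage/asc, msi/exe and dmg/pkg artifacts is outside these hunks, so confirm the platform workflows were bumped in the same change. These steps fetch the installers and their `.asc` signatures, which appear to be published afterwards, so a full commit SHA with a version comment (the style `security_badge.yml` uses in this commit) would be a safer pin than the moving `v4` tag. In the new `workflow_call` block, `required: true` combined with `default:` is contradictory: callers must supply the value, so the default never applies.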

+ 9 - 1
.github/workflows/printer-linter-pr-diagnose.yml

@@ -5,6 +5,9 @@ on:
     path:
       - "resources/**"
 
+permissions:
+  contents: read
+
 jobs:
   printer-linter-diagnose:
     name: Printer linter PR diagnose
@@ -18,6 +21,7 @@ jobs:
 
       - uses: technote-space/get-diff-action@v6
         with:
+          DIFF_FILTER: AMRCD
           PATTERNS: |
             resources/+(extruders|definitions)/*.def.json
             resources/+(intent|quality|variants)/**/*.inst.cfg
@@ -41,11 +45,15 @@ jobs:
         if: env.GIT_DIFF && !env.MATCHED_FILES
         run: python printer-linter/src/terminal.py --diagnose --report printer-linter-result/fixes.yml ${{ env.GIT_DIFF_FILTERED }}
 
+      - name: Check Deleted Files(s)
+        if: env.GIT_DIFF
+        run: python printer-linter/src/terminal.py --deleted --report printer-linter-result/comment.md ${{ env.GIT_DIFF_FILTERED }}
+
       - name: Save PR metadata
         run: |
           echo ${{ github.event.number }} > printer-linter-result/pr-id.txt
           echo ${{ github.event.pull_request.head.repo.full_name }} > printer-linter-result/pr-head-repo.txt
-          echo ${{ github.event.pull_request.head.ref }} > printer-linter-result/pr-head-ref.txt
+          echo ${{ github.event.pull_request.head.sha }} > printer-linter-result/pr-head-sha.txt
 
       - uses: actions/upload-artifact@v2
         with:
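Review bot: The added `Check Deleted Files(s)` step expands `${{ env.GIT_DIFF_FILTERED }}` straight into the `run:` script, so the command line is assembled from file paths taken from the pull request before the shell parses it. The step above it already does the same, and the only thing keeping those paths as plain arguments is whatever quoting `technote-space/get-diff-action` applies; that is worth confirming and recording in a comment such as `# GIT_DIFF_FILTERED comes from PR file names; relies on get-diff-action's quoting`. The new top-level `permissions: contents: read` is the right backstop for this untrusted-input workflow. The step name has a typo (`Files(s)`), and its `if: env.GIT_DIFF` differs from the `env.GIT_DIFF && !env.MATCHED_FILES` guard on the previous step; if that is intentional, a one-line comment would help.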

+ 54 - 24
.github/workflows/printer-linter-pr-post.yml

@@ -6,76 +6,106 @@ on:
     types: [completed]
 
 jobs:
-  clang-tidy-results:
+  printer-linter-result:
     # Trigger the job only if the previous (insecure) workflow completed successfully
     if: ${{ github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' }}
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Download analysis results
-        uses: actions/github-script@v3.1.0
+        uses: actions/github-script@v7
         with:
           script: |
-            let artifacts = await github.actions.listWorkflowRunArtifacts({
+            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 run_id: ${{github.event.workflow_run.id }},
             });
-            let matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+            const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
                 return artifact.name == "printer-linter-result"
             })[0];
-            let download = await github.actions.downloadArtifact({
+            const download = await github.rest.actions.downloadArtifact({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 artifact_id: matchArtifact.id,
                 archive_format: "zip",
             });
-            let fs = require("fs");
-            fs.writeFileSync("${{github.workspace}}/printer-linter-result.zip", Buffer.from(download.data));
+            const fs = require("fs");
+            fs.writeFileSync("${{ github.workspace }}/printer-linter-result.zip", Buffer.from(download.data));
 
-      - name: Set environment variables
+      - name: Extract analysis results
         run: |
           mkdir printer-linter-result
-          unzip printer-linter-result.zip -d printer-linter-result
-          echo "pr_id=$(cat printer-linter-result/pr-id.txt)" >> $GITHUB_ENV
-          echo "pr_head_repo=$(cat printer-linter-result/pr-head-repo.txt)" >> $GITHUB_ENV
-          echo "pr_head_ref=$(cat printer-linter-result/pr-head-ref.txt)" >> $GITHUB_ENV
+          unzip -j printer-linter-result.zip -d printer-linter-result
 
-      - uses: actions/checkout@v3
+      - name: Set PR details environment variables
+        uses: actions/github-script@v7
         with:
-          repository: ${{ env.pr_head_repo }}
-          ref: ${{ env.pr_head_ref }}
+          script: |
+            const assert = require("node:assert").strict;
+            const fs = require("fs");
+            function exportVar(varName, fileName, regEx) {
+                const val = fs.readFileSync("${{ github.workspace }}/printer-linter-result/" + fileName, {
+                    encoding: "ascii"
+                }).trimEnd();
+                assert.ok(regEx.test(val), "Invalid value format for " + varName);
+                core.exportVariable(varName, val);
+            }
+            exportVar("PR_ID", "pr-id.txt", /^[0-9]+$/);
+            exportVar("PR_HEAD_REPO", "pr-head-repo.txt", /^[-./0-9A-Z_a-z]+$/);
+            exportVar("PR_HEAD_SHA", "pr-head-sha.txt", /^[0-9A-Fa-f]+$/);
+            fs.access("${{ github.workspace }}/printer-linter-result/comment.md", fs.constants.F_OK, (err) => {
+                if (err) {
+                    core.exportVariable("commentFileExists", "false");
+                } else {
+                    core.exportVariable("commentFileExists", "true");
+                }
+            });
+
+      - uses: actions/checkout@v4
+        with:
+          repository: ${{ env.PR_HEAD_REPO }}
+          ref: ${{ env.PR_HEAD_SHA }}
           persist-credentials: false
 
       - name: Redownload analysis results
-        uses: actions/github-script@v3.1.0
+        uses: actions/github-script@v7
         with:
           script: |
-            let artifacts = await github.actions.listWorkflowRunArtifacts({
+            const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 run_id: ${{github.event.workflow_run.id }},
             });
-            let matchArtifact = artifacts.data.artifacts.filter((artifact) => {
+            const matchArtifact = artifacts.data.artifacts.filter((artifact) => {
                 return artifact.name == "printer-linter-result"
             })[0];
-            let download = await github.actions.downloadArtifact({
+            const download = await github.rest.actions.downloadArtifact({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 artifact_id: matchArtifact.id,
                 archive_format: "zip",
             });
-            let fs = require("fs");
-            fs.writeFileSync("${{github.workspace}}/printer-linter-result.zip", Buffer.from(download.data));
+            const fs = require("fs");
+            fs.writeFileSync("${{ github.workspace }}/printer-linter-result.zip", Buffer.from(download.data));
 
       - name: Extract analysis results
         run: |
           mkdir printer-linter-result
-          unzip printer-linter-result.zip -d printer-linter-result
+          unzip -j printer-linter-result.zip -d printer-linter-result
+
+      - name: Run PR Comments
+        if: env.commentFileExists == 'true'
+        uses: peter-evans/create-or-update-comment@v4
+        with:
+          issue-number: ${{ env.PR_ID }}
+          body-path: 'printer-linter-result/comment.md'
 
       - name: Run clang-tidy-pr-comments action
-        uses: platisd/clang-tidy-pr-comments@bc0bb7da034a8317d54e7fe1e819159002f4cc40
+        uses: platisd/clang-tidy-pr-comments@v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           clang_tidy_fixes: printer-linter-result/fixes.yml
-          pull_request_id: ${{ env.pr_id }}
+          pull_request_id: ${{ env.PR_ID }}
           request_changes: true
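Review bot: The last step drops the commit-SHA pin on `platisd/clang-tidy-pr-comments` in favour of the movable `v1` tag, and the new `peter-evans/create-or-update-comment@v4` step is tag-pinned as well; this job runs in the `workflow_run` context with `pull-requests: write` and receives `secrets.GITHUB_TOKEN`, so whoever can move those tags controls code that runs with that token. Keep full-SHA pins with a version comment, the style `security_badge.yml` uses in this same commit, e.g. `uses: platisd/clang-tidy-pr-comments@<full-commit-sha> # v1`. Separately, `PR_ID` and `comment.md` are read from the artifact written by the untrusted run, and the new regex checks validate their shape, not their origin; cross-checking `PR_HEAD_SHA` against `github.event.workflow_run.head_sha` before commenting would tie the comment to the run that triggered this job. `fs.access` with a callback could be replaced by `fs.existsSync`, so that the `commentFileExists` export does not depend on callback timing.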

+ 32 - 0
.github/workflows/release-process_feature-freeze.yml

@@ -0,0 +1,32 @@
+name: Feature Freeze
+run-name: Feature freeze Cura ${{ inputs.cura_version }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      cura_version:
+        description: 'Cura version major and minor, e.g. 5.7'
+        required: true
+        type: string
+
+jobs:
+  parse-version:
+    name: Parse input version string
+    runs-on: ubuntu-latest
+    outputs:
+      package_version: ${{ steps.version_parser.outputs.major }}.${{ steps.version_parser.outputs.minor }}.0-alpha.1
+    steps:
+      - name: Parse version string
+        id: version_parser
+        uses: booxmedialtd/ws-action-parse-semver@v1.4.7
+        with:
+          input_string: ${{ inputs.cura_version }}.0
+
+  feature-freeze:
+    name: Process feature freeze
+    uses: Ultimaker/Cura-workflows/.github/workflows/cura-set-packages-versions.yml@main
+    needs: [parse-version]
+    with:
+      cura_version: ${{ needs.parse-version.outputs.package_version }}
+      create_feature_branch: true
+    secrets: inherit
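Review bot: `parse-version` appends `.0` to `inputs.cura_version` without first checking that the operator typed a bare `MAJOR.MINOR`, so an entry such as `5.7.0` would reach the parser as `5.7.0.0`. What the action outputs for an invalid string is not visible here, and `package_version` is then passed on to the workflow that creates the feature branch. A validation step ahead of the parser, reading the input through `env:` rather than templating it into the script, fails the run early. `booxmedialtd/ws-action-parse-semver@v1.4.7` is pinned by tag; a full commit SHA with a version comment would match `security_badge.yml`.

```yaml
    steps:
      - name: Validate version input
        env:
          CURA_VERSION: ${{ inputs.cura_version }}
        run: |
          if [[ ! "$CURA_VERSION" =~ ^[0-9]+\.[0-9]+$ ]]; then
            echo "::error::cura_version must be MAJOR.MINOR, e.g. 5.7"
            exit 1
          fi
      # … unchanged: Parse version string step …
```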

+ 179 - 0
.github/workflows/release-process_release-candidate.yml

@@ -0,0 +1,179 @@
+name: Prepare Release Candidate
+run-name: Release Candidate for Cura ${{ inputs.cura_version }} by @${{ github.actor }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      cura_version:
+        description: 'Cura version number, e.g. 5.7.0, 5.7.2 or 5.8.0-beta.2'
+        required: true
+        type: string
+
+jobs:
+  parse-version:
+    name: Parse input version string
+    runs-on: ubuntu-latest
+    outputs:
+      version_major: ${{ steps.version_parser.outputs.major }}
+      version_minor: ${{ steps.version_parser.outputs.minor }}
+      version_patch: ${{ steps.version_parser.outputs.patch }}
+      branch_name: ${{ steps.version_parser.outputs.major }}.${{ steps.version_parser.outputs.minor }}
+    steps:
+      - name: Parse version string
+        id: version_parser
+        uses: booxmedialtd/ws-action-parse-semver@v1.4.7
+        with:
+          input_string: ${{ inputs.cura_version }}
+
+  freeze-packages-versions:
+    name: Freeze packges versions
+    uses: Ultimaker/Cura-workflows/.github/workflows/cura-set-packages-versions.yml@main
+    needs: [parse-version]
+    with:
+      cura_version: ${{ inputs.cura_version }}
+      create_feature_branch: false
+    secrets: inherit
+
+  find-rc-tag:
+    name: Find RC tag name
+    runs-on: ubuntu-latest
+    needs: [freeze-packages-versions]
+    outputs:
+      tag_name: ${{ steps.find-available-tag-name.outputs.tag_name }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
+
+      - name: Find available tag name
+        id: find-available-tag-name
+        run: |
+          VERSION=${{ inputs.cura_version }}
+
+          RC_INDEX=0
+          while
+            RC_INDEX=$((RC_INDEX+1))
+            TAG_NAME="$VERSION-RC$RC_INDEX"
+            [[ $(git tag -l "$TAG_NAME") ]]
+          do true; done
+
+          echo "tag_name=$TAG_NAME" >> "$GITHUB_OUTPUT"
+
+  create-tags:
+    name: Create tags
+    runs-on: ubuntu-latest
+    needs: [parse-version, find-rc-tag]
+    strategy:
+      matrix:
+        repository: [Cura, Uranium, CuraEngine, cura-binary-data, fdm_materials]
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+        with:
+          repository: Ultimaker/${{ matrix.repository }}
+          ref: ${{ needs.parse-version.outputs.branch_name }}
+          token: ${{ secrets.CURA_AUTORELEASE_PAT }}
+
+      - name: Create tag
+        run: |
+          git tag ${{ needs.find-rc-tag.outputs.tag_name }}
+          git push origin tag ${{ needs.find-rc-tag.outputs.tag_name }}
+
+  create-dependencies-packages:
+    name: Create conan packages for dependencies
+    uses: ultimaker/cura-workflows/.github/workflows/conan-package-release.yml@main
+    needs: [parse-version, freeze-packages-versions]
+    strategy:
+      matrix:
+        repository: [Cura, Uranium, CuraEngine, cura-binary-data, fdm_materials]
+        include:
+          - conan_recipe_root: "."
+          - repository: Cura
+            conan_recipe_root: "resources"
+    with:
+      repository: ${{ matrix.repository }}
+      ref_name: ${{ needs.parse-version.outputs.branch_name }}
+      version: ${{ inputs.cura_version }}
+      conan_release: true
+      conan_user_channel: ultimaker/stable
+      conan_internal: false
+      conan_latest: true
+      conan_recipe_root: ${{ matrix.conan_recipe_root }}
+    secrets: inherit
+
+  create-cura-package:
+    name: Create conan package for Cura
+    uses: ultimaker/cura-workflows/.github/workflows/conan-package-release.yml@main
+    needs: [parse-version, create-dependencies-packages]
+    with:
+      repository: Cura
+      ref_name: ${{ needs.parse-version.outputs.branch_name }}
+      version: ${{ inputs.cura_version }}
+      conan_release: true
+      conan_user_channel: ultimaker/stable
+      conan_internal: false
+      conan_latest: true
+    secrets: inherit
+
+  create-installers:
+    name: Create installers
+    uses: ./.github/workflows/installers.yml
+    needs: [parse-version, create-cura-package]
+    with:
+      cura_conan_version: cura/${{ inputs.cura_version }}@/
+      enterprise: false
+      staging: false
+      nightly: false
+    secrets: inherit
+
+  create-release-draft:
+    name: Create the release draft
+    runs-on: ubuntu-latest
+    needs: [create-installers, parse-version]
+    steps:
+      - name: Checkout Cura repo
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ needs.parse-version.outputs.branch_name }}
+
+      - name: Extract changelog
+        run: python ./scripts/extract_changelog.py --version ${{ needs.parse-version.outputs.version_major }}.${{ needs.parse-version.outputs.version_minor }}.${{ needs.parse-version.outputs.version_patch }} --changelog ./resources/texts/change_log.txt > formatted_changelog.txt
+
+      - name: Get commit id for release
+        id: get-commit-id
+        uses: iawia002/get-tag-or-commit-id@v1.0.1
+        with:
+          length: 40
+
+      - name: Create release
+        uses: notpeelz/action-gh-create-release@v5.0.1
+        with:
+          target: ${{ steps.get-commit-id.outputs.id }}
+          tag: ${{ inputs.cura_version }}
+          strategy: replace
+          title: UltiMaker Cura ${{ inputs.cura_version }}
+          draft: true
+          body-source: file
+          body: formatted_changelog.txt
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4.1.7
+        with:
+          path: artifacts
+          merge-multiple: true
+
+      - name: Upload artifacts
+        working-directory: artifacts
+        run: |
+          gh release upload ${{ inputs.cura_version }} UltiMaker-Cura-${{ inputs.cura_version }}-linux-X64.AppImage --clobber
+          gh release upload ${{ inputs.cura_version }} UltiMaker-Cura-${{ inputs.cura_version }}-linux-X64.AppImage.asc --clobber
+          gh release upload ${{ inputs.cura_version }} UltiMaker-Cura-${{ inputs.cura_version }}-macos-ARM64.dmg --clobber
+          gh release upload ${{ inputs.cura_version }} UltiMaker-Cura-${{ inputs.cura_version }}-macos-ARM64.pkg --clobber
+          gh release upload ${{ inputs.cura_version }} UltiMaker-Cura-${{ inputs.cura_version }}-macos-X64.dmg --clobber
+          gh release upload ${{ inputs.cura_version }} UltiMaker-Cura-${{ inputs.cura_version }}-macos-X64.pkg --clobber
+          gh release upload ${{ inputs.cura_version }} UltiMaker-Cura-${{ inputs.cura_version }}-win64-X64.exe --clobber
+          gh release upload ${{ inputs.cura_version }} UltiMaker-Cura-${{ inputs.cura_version }}-win64-X64.msi --clobber
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
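Review bot: `inputs.cura_version` and `needs.find-rc-tag.outputs.tag_name` are templated directly into `run:` scripts (`VERSION=${{ inputs.cura_version }}`, both `git tag` / `git push` lines, the `extract_changelog.py` call and every `gh release upload` line), so the text is pasted into the script before the shell parses it. The `create-tags` job is the sensitive one, because it runs with a checkout authenticated by `secrets.CURA_AUTORELEASE_PAT` across five repositories. Passing the values through `env:` and quoting the variables keeps them as data, and a format check on the version in `parse-version` would add a second barrier. Only people who can dispatch the workflow supply the value, so this is hardening of a release path rather than an externally reachable hole. The job name `Freeze packges versions` has a typo.

```yaml
      - name: Find available tag name
        id: find-available-tag-name
        env:
          VERSION: ${{ inputs.cura_version }}
        run: |
          # … unchanged: RC_INDEX loop and GITHUB_OUTPUT write, without the VERSION= assignment …

      - name: Create tag
        env:
          TAG_NAME: ${{ needs.find-rc-tag.outputs.tag_name }}
        run: |
          git tag "$TAG_NAME"
          git push origin tag "$TAG_NAME"
```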

+ 17 - 26
.github/workflows/security_badge.yml

@@ -1,5 +1,5 @@
 # NOTE: Best to keep all of these remarks in, they might prove useful in the future.
-#       This is basically just the standard one that is sugested on 'new workflow'.
+#       This is basically just the standard one that is suggested on 'new workflow'.
 
 name: Scorecard supply-chain security
 on:
@@ -21,51 +21,42 @@ jobs:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     permissions:
-      # Needed to upload the results to code-scanning dashboard.
+      # Needed for Code scanning upload
       security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
+      # Needed for GitHub OIDC token if publish_results is true
       id-token: write
-      # Uncomment the permissions below if installing in a private repository.
-      # contents: read
-      # actions: read
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
         with:
           results_file: results.sarif
           results_format: sarif
-          # (Optional) "write" PAT token. Uncomment the `repo_token` line below if:
-          # - you want to enable the Branch-Protection check on a *public* repository, or
-          # - you are installing Scorecard on a *private* repository
-          # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat.
-          # repo_token: ${{ secrets.SCORECARD_TOKEN }}
-
-          # Public repositories:
-          #   - Publish results to OpenSSF REST API for easy access by consumers
-          #   - Allows the repository to include the Scorecard badge.
-          #   - See https://github.com/ossf/scorecard-action#publishing-results.
-          # For private repositories:
-          #   - `publish_results` will always be set to `false`, regardless
-          #     of the value entered here.
+          # Scorecard team runs a weekly scan of public GitHub repos,
+          # see https://github.com/ossf/scorecard#public-data.
+          # Setting `publish_results: true` helps us scale by leveraging your workflow to
+          # extract the results instead of relying on our own infrastructure to run scans.
+          # And it's free for you!
           publish_results: true
 
-      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
-      # format to the repository Actions tab.
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
       - name: "Upload artifact"
-        uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
-      # Upload the results to GitHub's code scanning dashboard.
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4
+        uses: github/codeql-action/upload-sarif@83a02f7883b12e0e4e1a146174f5e2292a01e601 # v2.16.4
         with:
           sarif_file: results.sarif

+ 1 - 1
.github/workflows/windows.yml

@@ -50,4 +50,4 @@ jobs:
       staging: ${{ inputs.staging }}
       architecture: ${{ inputs.architecture }}
       operating_system: ${{ inputs.operating_system }}
-    secrets: inherit
+    secrets: inherit

Some files were not shown because too many files changed in this diff