Update workflows (#898)

[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://togithub.com/actions/checkout) | action |
minor | `v3.1.0` -> `v3.2.0` |
| [ossf/scorecard-action](https://togithub.com/ossf/scorecard-action) |
action | minor | `v2.0.6` -> `v2.1.2` |
|
[pypa/gh-action-pypi-publish](https://togithub.com/pypa/gh-action-pypi-publish)
| action | patch | `v1.6.1` -> `v1.6.4` |

---

### Release Notes

<details>
<summary>actions/checkout</summary>

###
[`v3.2.0`](https://togithub.com/actions/checkout/releases/tag/v3.2.0)

[Compare
Source](https://togithub.com/actions/checkout/compare/v3.1.0...v3.2.0)

#### What's Changed

- Add GitHub Action to perform release by
[@&#8203;rentziass](https://togithub.com/rentziass) in
[https://github.com/actions/checkout/pull/942](https://togithub.com/actions/checkout/pull/942)
- Fix status badge by
[@&#8203;ScottBrenner](https://togithub.com/ScottBrenner) in
[https://github.com/actions/checkout/pull/967](https://togithub.com/actions/checkout/pull/967)
- Replace datadog/squid with ubuntu/squid Docker image by
[@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1002](https://togithub.com/actions/checkout/pull/1002)
- Wrap pipeline commands for submoduleForeach in quotes by
[@&#8203;jokreliable](https://togithub.com/jokreliable) in
[https://github.com/actions/checkout/pull/964](https://togithub.com/actions/checkout/pull/964)
- Update [@&#8203;actions/io](https://togithub.com/actions/io) to 1.1.2
by [@&#8203;cory-miller](https://togithub.com/cory-miller) in
[https://github.com/actions/checkout/pull/1029](https://togithub.com/actions/checkout/pull/1029)
- Upgrading version to 3.2.0 by
[@&#8203;vmjoseph](https://togithub.com/vmjoseph) in
[https://github.com/actions/checkout/pull/1039](https://togithub.com/actions/checkout/pull/1039)

#### New Contributors

- [@&#8203;ScottBrenner](https://togithub.com/ScottBrenner) made their
first contribution in
[https://github.com/actions/checkout/pull/967](https://togithub.com/actions/checkout/pull/967)
- [@&#8203;cory-miller](https://togithub.com/cory-miller) made their
first contribution in
[https://github.com/actions/checkout/pull/1002](https://togithub.com/actions/checkout/pull/1002)
- [@&#8203;jokreliable](https://togithub.com/jokreliable) made their
first contribution in
[https://github.com/actions/checkout/pull/964](https://togithub.com/actions/checkout/pull/964)
- [@&#8203;vmjoseph](https://togithub.com/vmjoseph) made their first
contribution in
[https://github.com/actions/checkout/pull/1039](https://togithub.com/actions/checkout/pull/1039)

**Full Changelog**:
actions/checkout@v3...v3.2.0

</details>

<details>
<summary>ossf/scorecard-action</summary>

###
[`v2.1.2`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.2)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.1...v2.1.2)

#### What's Changed

##### Fixes

- 🌱 Bump scorecard dependency to v4.10.2 to remove a CODEOWNERS printf
statement. by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/1054](https://togithub.com/ossf/scorecard-action/pull/1054)

**Full Changelog**:
ossf/scorecard-action@v2.1.1...v2.1.2

###
[`v2.1.1`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.1)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.1.0...v2.1.1)

#### Scorecard version

This release use [Scorecard's
v4.10.1](https://togithub.com/ossf/scorecard/releases/tag/v4.10.1)

**Full Changelog**:
ossf/scorecard-action@v2.1.0...v2.1.1

###
[`v2.1.0`](https://togithub.com/ossf/scorecard-action/releases/tag/v2.1.0)

[Compare
Source](https://togithub.com/ossf/scorecard-action/compare/v2.0.6...v2.1.0)

#### What's Changed

##### Scorecard version

This release uses [scorecard
v4.10.0](https://togithub.com/ossf/scorecard/releases/tag/v4.10.0).

##### Improvements

- Docker build workflow by
[@&#8203;naveensrinivasan](https://togithub.com/naveensrinivasan) in
[https://github.com/ossf/scorecard-action/pull/981](https://togithub.com/ossf/scorecard-action/pull/981)
- Use root user in distroless to support GitHub Actions by
[@&#8203;spencerschrock](https://togithub.com/spencerschrock) in
[https://github.com/ossf/scorecard-action/pull/994](https://togithub.com/ossf/scorecard-action/pull/994)
- Disable pull_request_target by
[@&#8203;laurentsimon](https://togithub.com/laurentsimon) in
[https://github.com/ossf/scorecard-action/pull/1031](https://togithub.com/ossf/scorecard-action/pull/1031)

##### Documentation

- Add PAT section explaining risks by
[@&#8203;olivekl](https://togithub.com/olivekl) in
[https://github.com/ossf/scorecard-action/pull/1024](https://togithub.com/ossf/scorecard-action/pull/1024)
- Make the badge text easier to copy by
[@&#8203;rajbos](https://togithub.com/rajbos) in
[https://github.com/ossf/scorecard-action/pull/1026](https://togithub.com/ossf/scorecard-action/pull/1026)

#### New Contributors

- [@&#8203;joycebrum](https://togithub.com/joycebrum) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/984](https://togithub.com/ossf/scorecard-action/pull/984)
- [@&#8203;rajbos](https://togithub.com/rajbos) made their first
contribution in
[https://github.com/ossf/scorecard-action/pull/1026](https://togithub.com/ossf/scorecard-action/pull/1026)

**Full Changelog**:
ossf/scorecard-action@v2.0.6...v2.1.0

</details>

<details>
<summary>pypa/gh-action-pypi-publish</summary>

###
[`v1.6.4`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.4)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.3...v1.6.4)

#### oh, boi! again?

This is the last one tonight, promise! It fixes this embarrassing bug
that was actually caught by the CI but got overlooked due to the lack of
sleep.
TL;DR GH passed `$HOME` from the external env into the container and
that tricked the Python's `site` module to think that the home directory
is elsewhere, adding non-existent paths to the env vars. See
[#&#8203;115](https://togithub.com/pypa/gh-action-pypi-publish/issues/115).

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.3...v1.6.4

###
[`v1.6.3`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.3)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.2...v1.6.3)

### Another Release!? Why?

In
[https://github.com/pypa/gh-action-pypi-publish/issues/112#issuecomment-1340133013](https://togithub.com/pypa/gh-action-pypi-publish/issues/112#issuecomment-1340133013),
it was discovered that passing a `$PATH` variable even breaks the
shebang. So this version adds more safeguards to make sure it keeps
working with a fully broken `$PATH`.

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.2...v1.6.3

###
[`v1.6.2`](https://togithub.com/pypa/gh-action-pypi-publish/releases/tag/v1.6.2)

[Compare
Source](https://togithub.com/pypa/gh-action-pypi-publish/compare/v1.6.1...v1.6.2)

#### What's Fixed

- Made the `$PATH` and `$PYTHONPATH` environment variables resilient to
broken values passed from the host runner environment, which previously
allowed the users to accidentally break the container's internal runtime
as reported in
[https://github.com/pypa/gh-action-pypi-publish/issues/112](https://togithub.com/pypa/gh-action-pypi-publish/issues/112)

#### Internal Maintenance Improvements

- Added a devpi-based smoke-test GitHub Actions CI/CD workflow by
[@&#8203;sesdaile-varmour](https://togithub.com/sesdaile-varmour) in
[https://github.com/pypa/gh-action-pypi-publish/pull/111](https://togithub.com/pypa/gh-action-pypi-publish/pull/111)

#### New Contributors

- [@&#8203;sesdaile-varmour](https://togithub.com/sesdaile-varmour) made
their first contribution in
[https://github.com/pypa/gh-action-pypi-publish/pull/111](https://togithub.com/pypa/gh-action-pypi-publish/pull/111)

**Full Diff**:
pypa/gh-action-pypi-publish@v1.6.1...v1.6.2

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "before 6am on monday" in timezone
Australia/Sydney, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config help](https://togithub.com/renovatebot/renovate/discussions) if
that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/google/osv.dev).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuNzMuMyJ9-->

Author: renovate-bot

.github/workflows/publish-to-pypi.yaml

@@ -43,7 +43,7 @@ jobs:
         build
         --sdist --wheel --outdir dist/ .
     - name: Publish distribution to PyPI
-      uses: pypa/gh-action-pypi-publish@5d1679fa6b895587c6eb10c3fe82205b440a580e # v1.6.1
+      uses: pypa/gh-action-pypi-publish@c7f29f7adef1a245bd91520e94867e5c6eedddcc # v1.6.4
       with:
         password: ${{ secrets.PYPI_API_TOKEN }}
         packages_dir: dist/

.github/workflows/scorecards.yml

@@ -22,12 +22,12 @@ jobs:
       id-token: write
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0
+        uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
         with:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@99c53751e09b9529366343771cc321ec74e9bd3d # v2.0.6-alpha.2
+        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2-alpha.2
         with:
           results_file: results.sarif
           results_format: sarif