Skip to content

Bump digicert/code-signing-software-trust-action from 1.0.1 to 1.1.0 in the all-actions group#2392

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/all-actions-9c05a212de
Open

Bump digicert/code-signing-software-trust-action from 1.0.1 to 1.1.0 in the all-actions group#2392
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/github_actions/all-actions-9c05a212de

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 15, 2026

Bumps the all-actions group with 1 update: digicert/code-signing-software-trust-action.

Updates digicert/code-signing-software-trust-action from 1.0.1 to 1.1.0

Release notes

Sourced from digicert/code-signing-software-trust-action's releases.

Security hardening, reliability improvements, and test infrastructure

[v1.1.0] – Security hardening, reliability improvements, and test infrastructure

Description
This release strengthens supply chain security, improves the reliability of network and tool installation workflows, and expands the project’s automated test infrastructure. It also includes small GitHub Action interface improvements and macOS installation enhancements.

Upgrade steps

  • No special steps required
  • Update your workflow to reference v1.1.0
  • Use the corrected input name digest-alg

Breaking changes

  • None

New features

  • Enforced HTTPS for the digicert-cdn download source
  • Added SHA-256 checksum verification for downloaded binaries with fail-fast behavior on mismatch
  • Introduced retry with exponential backoff for transient network failures
  • Added new GitHub Action output for the PKCS#11 config file path
  • Expanded test infrastructure to support unit, integration, coverage, and CI runs

Bug fixes

  • Fixed typo in the digest-alg input and deprecated the incorrect parameter
  • Improved macOS DMG handling to ensure volumes are unmounted even when errors occur
  • Improved temporary and cache directory handling for better safety and clarity

Performance improvements

  • Added retry with exponential backoff to reduce failures caused by transient network issues
  • Installed macOS tools in parallel to speed up setup time
  • Improved DMG cleanup to prevent resource leaks

Other changes

  • Added secure temporary directory helper to reduce risk from insecure temporary files (CWE-377)
  • Updated and expanded dev dependencies for Jest and TypeScript testing, including jest, ts-jest, and nock
  • Expanded package.json scripts to support unit, integration, coverage, and CI test workflows

Full changelog

  • Merged PR:
Commits
  • 6687ca6 Merge pull request #28 from digicert/DOSTM-8692_macos_issue_volume_detach_fix
  • 8b17039 refactor: address Copilot review comments
  • 3e9ff73 fix: cache tool before DMG unmount to prevent ENOENT
  • 37a0322 fix: await extractDmg to prevent premature DMG unmount
  • 2739452 Merge pull request #27 from digicert/DOSTM-8692_race_condition_security_fix
  • bf8cd46 fix: resolve CWE-367 race condition in file tests
  • 1c86f97 Merge pull request #26 from digicert/DOSTM-8692_insecure_temp_directory_fix
  • 8e391a4 fix: address Copilot PR review comments
  • b3ca231 security: fix CWE-377/378 insecure temporary file creation in test files
  • 529be5c Merge pull request #24 from digicert/DOSTM-8692_test_cases_and_other_features
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
Bump digicert/code-signing-software-trust-action
2aa86a2 
Bumps the all-actions group with 1 update: [digicert/code-signing-software-trust-action](https://github.com/digicert/code-signing-software-trust-action).


Updates `digicert/code-signing-software-trust-action` from 1.0.1 to 1.1.0
- [Release notes](https://github.com/digicert/code-signing-software-trust-action/releases)
- [Commits](digicert/code-signing-software-trust-action@v1.0.1...v1.1.0)

---
updated-dependencies:
- dependency-name: digicert/code-signing-software-trust-action
  dependency-version: 1.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 15, 2026
Copilot AI review requested due to automatic review settings February 15, 2026 02:07
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 15, 2026
@dependabot dependabot bot review requested due to automatic review settings February 15, 2026 02:07
@github-project-automation github-project-automation bot moved this to Backlog (Not Ready) in DevX Feb 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

DevX
Status: Backlog (Not Ready)

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants