chore(deps): update tools to latest versions

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

.binny.yaml

@@ -26,7 +26,7 @@ tools:
   # used for linting
   - name: golangci-lint
     version:
-      want: v2.6.1
+      want: v2.6.2
     method: github-release
     with:
       repo: golangci/golangci-lint
@@ -98,7 +98,7 @@ tools:
   # used for triggering a release
   - name: gh
     version:
-      want: v2.83.0
+      want: v2.83.1
     method: github-release
     with:
       repo: cli/cli

.github/actions/bootstrap/action.yaml

@@ -13,7 +13,7 @@ inputs:
   cache-key-prefix:
     description: "Prefix all cache keys with this value"
     required: true
-    default: "181053ac82"
+    default: "53ac821810"
   download-test-fixture-cache:
     description: "Download test fixture cache from OCI and github actions"
     required: true

.github/workflows/codeql-analysis.yml

@@ -6,6 +6,7 @@
 name: "CodeQL Security Scan"
 
 on:
+  workflow_dispatch:
   push:
     branches:
       # only run when there are pushes to the main branch (not on PRs)
@@ -20,7 +21,8 @@ permissions:
 jobs:
   analyze:
     name: Analyze
-    runs-on: ubuntu-22.04-4core-16gb
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     if: github.repository == 'anchore/syft' # only run for main repo
     permissions:
       security-events: write
@@ -47,7 +49,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee #v3.29.5
+      uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db #v3.29.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -58,7 +60,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee #v3.29.5
+      uses: github/codeql-action/autobuild@014f16e7ab1402f30e7c3329d33797e7948572db #v3.29.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +74,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee #v3.29.5
+      uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db #v3.29.5

.github/workflows/detect-schema-changes.yaml

@@ -27,7 +27,8 @@ env:
 jobs:
   label:
     name: "Label changes"
-    runs-on: ubuntu-22.04
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     permissions:
       contents: read
       pull-requests: write

.github/workflows/release.yaml

@@ -13,7 +13,8 @@ on:
 jobs:
   quality-gate:
     environment: release
-    runs-on: ubuntu-24.04
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=tiny
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
@@ -119,7 +120,8 @@ jobs:
 
   release:
     needs: [quality-gate]
-    runs-on: ubuntu-24.04
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=release
     permissions:
       contents: write
       packages: write

.github/workflows/test-fixture-cache-publish.yaml

@@ -14,7 +14,8 @@ jobs:
   Publish:
     name: "Publish test fixture image cache"
     # we use this runner to get enough storage space for docker images and fixture cache
-    runs-on: ubuntu-22.04-4core-16gb
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=build/disk=large
     if: github.repository == 'anchore/syft' # only run for main repo
     permissions:
       packages: write

.github/workflows/update-anchore-dependencies.yml

@@ -12,7 +12,8 @@ permissions:
 
 jobs:
   update:
-    runs-on: ubuntu-latest
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     if: github.repository_owner == 'anchore' # only run for main repo (not forks)
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0

.github/workflows/update-bootstrap-tools.yml

@@ -10,7 +10,8 @@ permissions:
 
 jobs:
   update-bootstrap-tools:
-    runs-on: ubuntu-latest
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0

.github/workflows/update-cpe-dictionary-index.yml

@@ -13,7 +13,8 @@ env:
 
 jobs:
   upgrade-cpe-dictionary-index:
-    runs-on: ubuntu-latest
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     permissions:
       contents: read
       packages: write

.github/workflows/update-spdx-license-list.yaml

@@ -13,7 +13,8 @@ env:
 
 jobs:
   upgrade-spdx-license-list:
-    runs-on: ubuntu-latest
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0

.github/workflows/validate-github-actions.yaml

@@ -1,6 +1,7 @@
 name: "Validate GitHub Actions"
 
 on:
+  workflow_dispatch:
   pull_request:
     paths:
       - '.github/workflows/**'
@@ -18,7 +19,8 @@ permissions:
 jobs:
   zizmor:
     name: "Lint"
-    runs-on: ubuntu-latest
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     permissions:
       contents: read
       security-events: write  # for uploading SARIF results

.github/workflows/validations.yaml

@@ -11,11 +11,11 @@ permissions:
   contents: read
 
 jobs:
-
   Static-Analysis:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Static analysis"
-    runs-on: ubuntu-24.04
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
@@ -27,12 +27,12 @@ jobs:
       - name: Run static analysis
         run: make static-analysis
 
-
   Unit-Test:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Unit tests"
     # we need more storage than what's on the default runner
-    runs-on: ubuntu-22.04-4core-16gb
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
@@ -46,11 +46,11 @@ jobs:
       - name: Run unit tests
         run: make unit
 
-
   Integration-Test:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Integration tests"
-    runs-on: ubuntu-24.04
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
@@ -67,11 +67,14 @@ jobs:
       - name: Run integration tests
         run: make integration
 
-
   Build-Snapshot-Artifacts:
     name: "Build snapshot artifacts"
-    runs-on: ubuntu-24.04
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=build
     steps:
+      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
+      - uses: runs-on/action@v2
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           persist-credentials: false
@@ -87,83 +90,23 @@ jobs:
       - name: Smoke test snapshot build
         run: make snapshot-smoke-test
 
-      # why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach).
-      # see https://github.com/actions/upload-artifact/issues/199 for more info
       - name: Upload snapshot artifacts
-        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v6.0.0
         with:
-          # we need to preserve the snapshot data itself as well as the task data that confirms if the
+          name: snapshot
-          # snapshot build is stale or not. Otherwise the downstream jobs will attempt to rebuild the snapshot
+          path: snapshot/
-          # even though it already exists.
+          retention-days: 30
-          path: |
-            snapshot
-            .task
-          key: snapshot-build-${{ github.run_id }}
-
-
-  Upload-Snapshot-Artifacts:
-    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
-    name: "Upload snapshot artifacts"
-    needs: [Build-Snapshot-Artifacts]
-    runs-on: ubuntu-24.04
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: Bootstrap environment
-        uses: ./.github/actions/bootstrap
-        with:
-          download-test-fixture-cache: true
-
-      - name: Download snapshot build
-        id: snapshot-cache
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
-        with:
-          path: |
-            snapshot
-            .task
-          fail-on-cache-miss: true
-          key: snapshot-build-${{ github.run_id }}
-
-      # workaround for https://github.com/actions/cache/issues/1265
-      - name: (cache-miss) Snapshot build missing
-        if: steps.snapshot-cache.outputs.cache-hit != 'true'
-        run: echo "unable to download snapshots from previous job" && false
-
-      - run: npm install @actions/artifact@2.2.2
-
-      - uses: actions/github-script@v8
-        with:
-          script: |
-            const { readdirSync } = require('fs')
-            const { DefaultArtifactClient } = require('@actions/artifact')
-            const artifact = new DefaultArtifactClient()
-            const ls = d => readdirSync(d, { withFileTypes: true })
-            const baseDir = "./snapshot"
-            const dirs = ls(baseDir).filter(f => f.isDirectory()).map(f => f.name)
-            const uploads = []
-            for (const dir of dirs) {
-              // uploadArtifact returns Promise<{id, size}>
-              uploads.push(artifact.uploadArtifact(
-                // name of the archive:
-                `${dir}`,
-                // array of all files to include:
-                ls(`${baseDir}/${dir}`).map(f => `${baseDir}/${dir}/${f.name}`),
-                // base directory to trim from entries:
-                `${baseDir}/${dir}`,
-                { retentionDays: 30 }
-              ))
-            }
-            // wait for all uploads to finish
-            Promise.all(uploads)
 
   Acceptance-Linux:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Acceptance tests (Linux)"
     needs: [Build-Snapshot-Artifacts]
-    runs-on: ubuntu-24.04
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
+      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
+      - uses: runs-on/action@v2
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           persist-credentials: false
@@ -173,20 +116,14 @@ jobs:
         with:
           download-test-fixture-cache: true
 
-      - name: Download snapshot build
+      - name: Download snapshot artifacts
-        id: snapshot-cache
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
-          path: |
+          name: snapshot
-            snapshot
+          path: snapshot
-            .task
-          fail-on-cache-miss: true
-          key: snapshot-build-${{ github.run_id }}
 
-      # workaround for https://github.com/actions/cache/issues/1265
+      - name: Restore binary permissions
-      - name: (cache-miss) Snapshot build missing
+        run: chmod +x snapshot/*/syft snapshot/*/*.exe 2>/dev/null || true
-        if: steps.snapshot-cache.outputs.cache-hit != 'true'
-        run: echo "unable to download snapshots from previous job" && false
 
       - name: Run comparison tests (Linux)
         run: make compare-linux
@@ -202,11 +139,11 @@ jobs:
         if: steps.install-test-image-cache.outputs.cache-hit != 'true'
         run: make install-test-cache-save
 
-
   Acceptance-Mac:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Acceptance tests (Mac)"
     needs: [Build-Snapshot-Artifacts]
+    # note: macos runners aren't supported yet for runs-on managed runners.
     runs-on: macos-latest
     steps:
       - name: Install Cosign
@@ -223,20 +160,14 @@ jobs:
           go-dependencies: false
           download-test-fixture-cache: true
 
-      - name: Download snapshot build
+      - name: Download snapshot artifacts
-        id: snapshot-cache
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
-          path: |
+          name: snapshot
-            snapshot
+          path: snapshot
-            .task
-          fail-on-cache-miss: true
-          key: snapshot-build-${{ github.run_id }}
 
-      # workaround for https://github.com/actions/cache/issues/1265
+      - name: Restore binary permissions
-      - name: (cache-miss) Snapshot build missing
+        run: chmod +x snapshot/*/syft 2>/dev/null || true
-        if: steps.snapshot-cache.outputs.cache-hit != 'true'
-        run: echo "unable to download snapshots from previous job" && false
 
       - name: Run comparison tests (Mac)
         run: make compare-mac
@@ -244,13 +175,16 @@ jobs:
       - name: Run install.sh tests (Mac)
         run: make install-test-ci-mac
 
-
   Cli-Linux:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "CLI tests (Linux)"
     needs: [Build-Snapshot-Artifacts]
-    runs-on: ubuntu-24.04
+    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
+      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
+      - uses: runs-on/action@v2
+
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           persist-credentials: false
@@ -260,42 +194,14 @@ jobs:
         with:
           download-test-fixture-cache: true
 
-      - name: Download snapshot build
+      - name: Download snapshot artifacts
-        id: snapshot-cache
+        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
-        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
-          path: |
+          name: snapshot
-            snapshot
+          path: snapshot
-            .task
-          fail-on-cache-miss: true
-          key: snapshot-build-${{ github.run_id }}
 
-      # workaround for https://github.com/actions/cache/issues/1265
+      - name: Restore binary permissions
-      - name: (cache-miss) Snapshot build missing
+        run: chmod +x snapshot/*/syft snapshot/*/*.exe 2>/dev/null || true
-        if: steps.snapshot-cache.outputs.cache-hit != 'true'
-        run: echo "unable to download snapshots from previous job" && false
 
       - name: Run CLI Tests (Linux)
         run: make cli
-
-
-  Cleanup-Cache:
-    name: "Cleanup snapshot cache"
-    if: github.event.pull_request.head.repo.full_name == github.repository
-    runs-on: ubuntu-24.04
-    permissions:
-      actions: write
-    needs:
-      - Acceptance-Linux
-      - Acceptance-Mac
-      - Cli-Linux
-      - Upload-Snapshot-Artifacts
-    steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
-        with:
-          persist-credentials: false
-
-      - name: Delete snapshot cache
-        run: gh cache delete "snapshot-build-${{ github.run_id }}"
-        env:
-          GH_TOKEN: ${{ github.token }}