chore(deps): update tools to latest versions

Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>

.binny.yaml

@@ -26,7 +26,7 @@ tools:
   # used for linting
   - name: golangci-lint
     version:
-      want: v2.6.2
+      want: v2.6.1
     method: github-release
     with:
       repo: golangci/golangci-lint

.github/actions/bootstrap/action.yaml

@@ -13,7 +13,7 @@ inputs:
   cache-key-prefix:
     description: "Prefix all cache keys with this value"
     required: true
-    default: "53ac821810"
+    default: "181053ac82"
   download-test-fixture-cache:
     description: "Download test fixture cache from OCI and github actions"
     required: true

.github/workflows/codeql-analysis.yml

@@ -6,7 +6,6 @@
 name: "CodeQL Security Scan"
 
 on:
-  workflow_dispatch:
   push:
     branches:
       # only run when there are pushes to the main branch (not on PRs)
@@ -21,8 +20,7 @@ permissions:
 jobs:
   analyze:
     name: Analyze
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-22.04-4core-16gb
-    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     if: github.repository == 'anchore/syft' # only run for main repo
     permissions:
       security-events: write
@@ -49,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@014f16e7ab1402f30e7c3329d33797e7948572db #v3.29.5
+      uses: github/codeql-action/init@0499de31b99561a6d14a36a5f662c2a54f91beee #v3.29.5
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -60,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@014f16e7ab1402f30e7c3329d33797e7948572db #v3.29.5
+      uses: github/codeql-action/autobuild@0499de31b99561a6d14a36a5f662c2a54f91beee #v3.29.5
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -74,4 +72,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@014f16e7ab1402f30e7c3329d33797e7948572db #v3.29.5
+      uses: github/codeql-action/analyze@0499de31b99561a6d14a36a5f662c2a54f91beee #v3.29.5

.github/workflows/detect-schema-changes.yaml

@@ -27,8 +27,7 @@ env:
 jobs:
   label:
     name: "Label changes"
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-22.04
-    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     permissions:
       contents: read
       pull-requests: write

.github/workflows/release.yaml

@@ -13,8 +13,7 @@ on:
 jobs:
   quality-gate:
     environment: release
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-24.04
-    runs-on: runs-on=${{ github.run_id }}/runner=tiny
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
@@ -120,8 +119,7 @@ jobs:
 
   release:
     needs: [quality-gate]
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-24.04
-    runs-on: runs-on=${{ github.run_id }}/runner=release
     permissions:
       contents: write
       packages: write

.github/workflows/test-fixture-cache-publish.yaml

@@ -14,8 +14,7 @@ jobs:
   Publish:
     name: "Publish test fixture image cache"
     # we use this runner to get enough storage space for docker images and fixture cache
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-22.04-4core-16gb
-    runs-on: runs-on=${{ github.run_id }}/runner=build/disk=large
     if: github.repository == 'anchore/syft' # only run for main repo
     permissions:
       packages: write

.github/workflows/update-anchore-dependencies.yml

@@ -12,8 +12,7 @@ permissions:
 
 jobs:
   update:
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-latest
-    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     if: github.repository_owner == 'anchore' # only run for main repo (not forks)
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0

.github/workflows/update-bootstrap-tools.yml

@@ -10,8 +10,7 @@ permissions:
 
 jobs:
   update-bootstrap-tools:
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-latest
-    runs-on: runs-on=${{ github.run_id }}/runner=small
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0

.github/workflows/update-cpe-dictionary-index.yml

@@ -13,8 +13,7 @@ env:
 
 jobs:
   upgrade-cpe-dictionary-index:
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-latest
-    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     permissions:
       contents: read
       packages: write

.github/workflows/update-spdx-license-list.yaml

@@ -13,8 +13,7 @@ env:
 
 jobs:
   upgrade-spdx-license-list:
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-latest
-    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0

.github/workflows/validate-github-actions.yaml

@@ -1,7 +1,6 @@
 name: "Validate GitHub Actions"
 
 on:
-  workflow_dispatch:
   pull_request:
     paths:
       - '.github/workflows/**'
@@ -19,8 +18,7 @@ permissions:
 jobs:
   zizmor:
     name: "Lint"
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-latest
-    runs-on: runs-on=${{ github.run_id }}/runner=small-arm
     permissions:
       contents: read
       security-events: write  # for uploading SARIF results

.github/workflows/validations.yaml

@@ -11,11 +11,11 @@ permissions:
     contents: read
 
 jobs:
+
   Static-Analysis:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Static analysis"
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-24.04
-    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
@@ -27,12 +27,12 @@ jobs:
       - name: Run static analysis
         run: make static-analysis
 
+
   Unit-Test:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Unit tests"
     # we need more storage than what's on the default runner
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-22.04-4core-16gb
-    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
@@ -46,11 +46,11 @@ jobs:
       - name: Run unit tests
         run: make unit
 
+
   Integration-Test:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Integration tests"
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-24.04
-    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
@@ -67,14 +67,11 @@ jobs:
       - name: Run integration tests
         run: make integration
 
+
   Build-Snapshot-Artifacts:
     name: "Build snapshot artifacts"
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-24.04
-    runs-on: runs-on=${{ github.run_id }}/runner=build
     steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
-      - uses: runs-on/action@v2
-
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           persist-credentials: false
@@ -90,23 +87,26 @@ jobs:
       - name: Smoke test snapshot build
         run: make snapshot-smoke-test
 
+      # why not use actions/upload-artifact? It is very slow (3 minutes to upload ~600MB of data, vs 10 seconds with this approach).
+      # see https://github.com/actions/upload-artifact/issues/199 for more info
       - name: Upload snapshot artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 #v6.0.0
+        uses: actions/cache/save@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
-          name: snapshot
+          # we need to preserve the snapshot data itself as well as the task data that confirms if the
-          path: snapshot/
+          # snapshot build is stale or not. Otherwise the downstream jobs will attempt to rebuild the snapshot
-          retention-days: 30
+          # even though it already exists.
+          path: |
+            snapshot
+            .task
+          key: snapshot-build-${{ github.run_id }}
 
-  Acceptance-Linux:
+
+  Upload-Snapshot-Artifacts:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
-    name: "Acceptance tests (Linux)"
+    name: "Upload snapshot artifacts"
     needs: [Build-Snapshot-Artifacts]
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-24.04
-    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
-      - uses: runs-on/action@v2
-
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           persist-credentials: false
@@ -116,14 +116,77 @@ jobs:
         with:
           download-test-fixture-cache: true
 
-      - name: Download snapshot artifacts
+      - name: Download snapshot build
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
+        id: snapshot-cache
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
-          name: snapshot
+          path: |
-          path: snapshot
+            snapshot
+            .task
+          fail-on-cache-miss: true
+          key: snapshot-build-${{ github.run_id }}
 
-      - name: Restore binary permissions
+      # workaround for https://github.com/actions/cache/issues/1265
-        run: chmod +x snapshot/*/syft snapshot/*/*.exe 2>/dev/null || true
+      - name: (cache-miss) Snapshot build missing
+        if: steps.snapshot-cache.outputs.cache-hit != 'true'
+        run: echo "unable to download snapshots from previous job" && false
+
+      - run: npm install @actions/artifact@2.2.2
+
+      - uses: actions/github-script@v8
+        with:
+          script: |
+            const { readdirSync } = require('fs')
+            const { DefaultArtifactClient } = require('@actions/artifact')
+            const artifact = new DefaultArtifactClient()
+            const ls = d => readdirSync(d, { withFileTypes: true })
+            const baseDir = "./snapshot"
+            const dirs = ls(baseDir).filter(f => f.isDirectory()).map(f => f.name)
+            const uploads = []
+            for (const dir of dirs) {
+              // uploadArtifact returns Promise<{id, size}>
+              uploads.push(artifact.uploadArtifact(
+                // name of the archive:
+                `${dir}`,
+                // array of all files to include:
+                ls(`${baseDir}/${dir}`).map(f => `${baseDir}/${dir}/${f.name}`),
+                // base directory to trim from entries:
+                `${baseDir}/${dir}`,
+                { retentionDays: 30 }
+              ))
+            }
+            // wait for all uploads to finish
+            Promise.all(uploads)
+
+  Acceptance-Linux:
+    # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
+    name: "Acceptance tests (Linux)"
+    needs: [Build-Snapshot-Artifacts]
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Bootstrap environment
+        uses: ./.github/actions/bootstrap
+        with:
+          download-test-fixture-cache: true
+
+      - name: Download snapshot build
+        id: snapshot-cache
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
+        with:
+          path: |
+            snapshot
+            .task
+          fail-on-cache-miss: true
+          key: snapshot-build-${{ github.run_id }}
+
+      # workaround for https://github.com/actions/cache/issues/1265
+      - name: (cache-miss) Snapshot build missing
+        if: steps.snapshot-cache.outputs.cache-hit != 'true'
+        run: echo "unable to download snapshots from previous job" && false
 
       - name: Run comparison tests (Linux)
         run: make compare-linux
@@ -139,11 +202,11 @@ jobs:
         if: steps.install-test-image-cache.outputs.cache-hit != 'true'
         run: make install-test-cache-save
 
+
   Acceptance-Mac:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "Acceptance tests (Mac)"
     needs: [Build-Snapshot-Artifacts]
-    # note: macos runners aren't supported yet for runs-on managed runners.
     runs-on: macos-latest
     steps:
       - name: Install Cosign
@@ -160,14 +223,20 @@ jobs:
           go-dependencies: false
           download-test-fixture-cache: true
 
-      - name: Download snapshot artifacts
+      - name: Download snapshot build
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
+        id: snapshot-cache
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
-          name: snapshot
+          path: |
-          path: snapshot
+            snapshot
+            .task
+          fail-on-cache-miss: true
+          key: snapshot-build-${{ github.run_id }}
 
-      - name: Restore binary permissions
+      # workaround for https://github.com/actions/cache/issues/1265
-        run: chmod +x snapshot/*/syft 2>/dev/null || true
+      - name: (cache-miss) Snapshot build missing
+        if: steps.snapshot-cache.outputs.cache-hit != 'true'
+        run: echo "unable to download snapshots from previous job" && false
 
       - name: Run comparison tests (Mac)
         run: make compare-mac
@@ -175,16 +244,13 @@ jobs:
       - name: Run install.sh tests (Mac)
         run: make install-test-ci-mac
 
+
   Cli-Linux:
     # Note: changing this job name requires making the same update in the .github/workflows/release.yaml pipeline
     name: "CLI tests (Linux)"
     needs: [Build-Snapshot-Artifacts]
-    # Runner definition: workflows/.github/runs-on.yml
+    runs-on: ubuntu-24.04
-    runs-on: runs-on=${{ github.run_id }}/runner=small
     steps:
-      # required for magic-cache from runs-on to function with artifact upload/download (see https://runs-on.com/caching/magic-cache/#actionsupload-artifact-compatibility)
-      - uses: runs-on/action@v2
-
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
         with:
           persist-credentials: false
@@ -194,14 +260,42 @@ jobs:
         with:
           download-test-fixture-cache: true
 
-      - name: Download snapshot artifacts
+      - name: Download snapshot build
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 #v6.0.0
+        id: snapshot-cache
+        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 #v4.3.0
         with:
-          name: snapshot
+          path: |
-          path: snapshot
+            snapshot
+            .task
+          fail-on-cache-miss: true
+          key: snapshot-build-${{ github.run_id }}
 
-      - name: Restore binary permissions
+      # workaround for https://github.com/actions/cache/issues/1265
-        run: chmod +x snapshot/*/syft snapshot/*/*.exe 2>/dev/null || true
+      - name: (cache-miss) Snapshot build missing
+        if: steps.snapshot-cache.outputs.cache-hit != 'true'
+        run: echo "unable to download snapshots from previous job" && false
 
       - name: Run CLI Tests (Linux)
         run: make cli
+
+
+  Cleanup-Cache:
+    name: "Cleanup snapshot cache"
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    runs-on: ubuntu-24.04
+    permissions:
+      actions: write
+    needs:
+      - Acceptance-Linux
+      - Acceptance-Mac
+      - Cli-Linux
+      - Upload-Snapshot-Artifacts
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Delete snapshot cache
+        run: gh cache delete "snapshot-build-${{ github.run_id }}"
+        env:
+          GH_TOKEN: ${{ github.token }}