Bump System.Security.Cryptography.ProtectedData from 8.0.0 to 10.0.3

---
updated-dependencies:
- dependency-name: System.Security.Cryptography.ProtectedData
  dependency-version: 10.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/build.yml

@@ -78,7 +78,7 @@ jobs:
     # Upload runner package tar.gz/zip as artifact
     - name: Publish Artifact
       if: github.event_name != 'pull_request'
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: runner-package-${{ matrix.runtime }}
         path: |
@@ -111,10 +111,10 @@ jobs:
           core.setOutput('version', version);
 
     - name: Setup Docker buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v4
 
     - name: Build Docker image
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@v7
       with:
         context: ./images
         load: true

.github/workflows/docker-publish.yml

@@ -38,10 +38,10 @@ jobs:
             core.setOutput('version', runnerVersion);
 
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log into registry ${{ env.REGISTRY }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -49,7 +49,7 @@ jobs:
 
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: ./images
           platforms: |
@@ -68,7 +68,7 @@ jobs:
             org.opencontainers.image.description=https://github.com/actions/runner/releases/tag/v${{ steps.image.outputs.version }}
 
       - name: Generate attestation
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest-build-provenance@v4
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.build-and-push.outputs.digest }}

.github/workflows/release.yml

@@ -118,7 +118,7 @@ jobs:
     # Upload runner package tar.gz/zip as artifact.
     - name: Publish Artifact
       if: github.event_name != 'pull_request'
-      uses: actions/upload-artifact@v6
+      uses: actions/upload-artifact@v7
       with:
         name: runner-packages-${{ matrix.runtime }}
         path: |
@@ -309,10 +309,10 @@ jobs:
             core.setOutput('version', runnerVersion);
 
       - name: Setup Docker buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4
 
       - name: Log into registry ${{ env.REGISTRY }}
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -320,7 +320,7 @@ jobs:
 
       - name: Build and push Docker image
         id: build-and-push
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v7
         with:
           context: ./images
           platforms: |
@@ -339,7 +339,7 @@ jobs:
             org.opencontainers.image.description=https://github.com/actions/runner/releases/tag/v${{ steps.image.outputs.version }}
 
       - name: Generate attestation
-        uses: actions/attest-build-provenance@v3
+        uses: actions/attest-build-provenance@v4
         with:
           subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           subject-digest: ${{ steps.build-and-push.outputs.digest }}

images/Dockerfile

@@ -5,8 +5,8 @@ ARG TARGETOS
 ARG TARGETARCH
 ARG RUNNER_VERSION
 ARG RUNNER_CONTAINER_HOOKS_VERSION=0.7.0
-ARG DOCKER_VERSION=29.2.0
-ARG BUILDX_VERSION=0.31.1
+ARG DOCKER_VERSION=29.3.0
+ARG BUILDX_VERSION=0.32.1
 
 RUN apt update -y && apt install curl unzip -y
 

src/Misc/expressionFunc/hashFiles/package-lock.json

@@ -12,7 +12,7 @@
         "@actions/glob": "^0.4.0"
       },
       "devDependencies": {
-        "@stylistic/eslint-plugin": "^5.9.0",
+        "@stylistic/eslint-plugin": "^5.10.0",
         "@types/node": "^22.0.0",
         "@typescript-eslint/eslint-plugin": "^8.0.0",
         "@typescript-eslint/parser": "^8.0.0",
@@ -228,9 +228,9 @@
       }
     },
     "node_modules/@stylistic/eslint-plugin": {
-      "version": "5.9.0",
-      "resolved": "https://registry.npmjs.org/@stylistic/eslint-plugin/-/eslint-plugin-5.9.0.tgz",
-      "integrity": "sha512-FqqSkvDMYJReydrMhlugc71M76yLLQWNfmGq+SIlLa7N3kHp8Qq8i2PyWrVNAfjOyOIY+xv9XaaYwvVW7vroMA==",
+      "version": "5.10.0",
+      "resolved": "https://registry.npmjs.org/@stylistic/eslint-plugin/-/eslint-plugin-5.10.0.tgz",
+      "integrity": "sha512-nPK52ZHvot8Ju/0A4ucSX1dcPV2/1clx0kLcH5wDmrE4naKso7TUC/voUyU1O9OTKTrR6MYip6LP0ogEMQ9jPQ==",
       "dev": true,
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.9.1",
@@ -4854,9 +4854,9 @@
       }
     },
     "@stylistic/eslint-plugin": {
-      "version": "5.9.0",
-      "resolved": "https://registry.npmjs.org/@stylistic/eslint-plugin/-/eslint-plugin-5.9.0.tgz",
-      "integrity": "sha512-FqqSkvDMYJReydrMhlugc71M76yLLQWNfmGq+SIlLa7N3kHp8Qq8i2PyWrVNAfjOyOIY+xv9XaaYwvVW7vroMA==",
+      "version": "5.10.0",
+      "resolved": "https://registry.npmjs.org/@stylistic/eslint-plugin/-/eslint-plugin-5.10.0.tgz",
+      "integrity": "sha512-nPK52ZHvot8Ju/0A4ucSX1dcPV2/1clx0kLcH5wDmrE4naKso7TUC/voUyU1O9OTKTrR6MYip6LP0ogEMQ9jPQ==",
       "dev": true,
       "requires": {
         "@eslint-community/eslint-utils": "^4.9.1",

src/Misc/expressionFunc/hashFiles/package.json

@@ -35,7 +35,7 @@
     "@actions/glob": "^0.4.0"
   },
   "devDependencies": {
-    "@stylistic/eslint-plugin": "^5.9.0",
+    "@stylistic/eslint-plugin": "^5.10.0",
     "@types/node": "^22.0.0",
     "@typescript-eslint/eslint-plugin": "^8.0.0",
     "@typescript-eslint/parser": "^8.0.0",

src/Sdk/DTExpressions2/Expressions2/ExpressionParser.cs

@@ -20,7 +20,7 @@ namespace GitHub.DistributedTask.Expressions2
             IEnumerable<IFunctionInfo> functions,
             Boolean allowCaseFunction = true)
         {
-            var context = new ParseContext(expression, trace, namedValues, functions, allowCaseFunction);
+            var context = new ParseContext(expression, trace, namedValues, functions, allowCaseFunction: allowCaseFunction);
             context.Trace.Info($"Parsing expression: <{expression}>");
             return CreateTree(context);
         }

src/Sdk/Sdk.csproj

@@ -24,7 +24,7 @@
         <PackageReference Include="Microsoft.AspNet.WebApi.Client" Version="6.0.0" />
         <PackageReference Include="System.Security.Cryptography.Cng" Version="5.0.0" />
         <PackageReference Include="System.Security.Cryptography.Pkcs" Version="10.0.2" />
-        <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="8.0.0" />
+        <PackageReference Include="System.Security.Cryptography.ProtectedData" Version="10.0.3" />
         <PackageReference Include="Minimatch" Version="2.0.0" />
         <PackageReference Include="YamlDotNet.Signed" Version="5.3.0" />
         <PackageReference Include="System.Net.Http" Version="4.3.4" />

src/Test/L0/Sdk/ExpressionParserL0.cs

@@ -0,0 +1,104 @@
+using GitHub.DistributedTask.Expressions2;
+using GitHub.DistributedTask.Expressions2.Sdk;
+using GitHub.DistributedTask.ObjectTemplating;
+using System;
+using System.Collections.Generic;
+using Xunit;
+
+namespace GitHub.Runner.Common.Tests.Sdk
+{
+    /// <summary>
+    /// Regression tests for ExpressionParser.CreateTree to verify that
+    /// allowCaseFunction does not accidentally set allowUnknownKeywords.
+    /// </summary>
+    public sealed class ExpressionParserL0
+    {
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Sdk")]
+        public void CreateTree_RejectsUnrecognizedNamedValue()
+        {
+            // Regression: allowCaseFunction was passed positionally into
+            // the allowUnknownKeywords parameter, causing all named values
+            // to be silently accepted.
+            var parser = new ExpressionParser();
+            var namedValues = new List<INamedValueInfo>
+            {
+                new NamedValueInfo<ContextValueNode>("inputs"),
+            };
+
+            var ex = Assert.Throws<ParseException>(() =>
+                parser.CreateTree("github.event.repository.private", null, namedValues, null));
+
+            Assert.Contains("Unrecognized named-value", ex.Message);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Sdk")]
+        public void CreateTree_AcceptsRecognizedNamedValue()
+        {
+            var parser = new ExpressionParser();
+            var namedValues = new List<INamedValueInfo>
+            {
+                new NamedValueInfo<ContextValueNode>("inputs"),
+            };
+
+            var node = parser.CreateTree("inputs.foo", null, namedValues, null);
+
+            Assert.NotNull(node);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Sdk")]
+        public void CreateTree_CaseFunctionWorks_WhenAllowed()
+        {
+            var parser = new ExpressionParser();
+            var namedValues = new List<INamedValueInfo>
+            {
+                new NamedValueInfo<ContextValueNode>("github"),
+            };
+
+            var node = parser.CreateTree("case(github.event_name, 'push', 'Push Event')", null, namedValues, null, allowCaseFunction: true);
+
+            Assert.NotNull(node);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Sdk")]
+        public void CreateTree_CaseFunctionRejected_WhenDisallowed()
+        {
+            var parser = new ExpressionParser();
+            var namedValues = new List<INamedValueInfo>
+            {
+                new NamedValueInfo<ContextValueNode>("github"),
+            };
+
+            var ex = Assert.Throws<ParseException>(() =>
+                parser.CreateTree("case(github.event_name, 'push', 'Push Event')", null, namedValues, null, allowCaseFunction: false));
+
+            Assert.Contains("Unrecognized function", ex.Message);
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Sdk")]
+        public void CreateTree_CaseFunctionDoesNotAffectUnknownKeywords()
+        {
+            // The key regression test: with allowCaseFunction=true (default),
+            // unrecognized named values must still be rejected.
+            var parser = new ExpressionParser();
+            var namedValues = new List<INamedValueInfo>
+            {
+                new NamedValueInfo<ContextValueNode>("inputs"),
+            };
+
+            var ex = Assert.Throws<ParseException>(() =>
+                parser.CreateTree("github.ref", null, namedValues, null, allowCaseFunction: true));
+
+            Assert.Contains("Unrecognized named-value", ex.Message);
+        }
+    }
+}

src/Test/L0/Worker/ActionManifestManagerL0.cs

@@ -928,6 +928,58 @@ namespace GitHub.Runner.Common.Tests.Worker
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Load_ContainerAction_RejectsInvalidExpressionContext()
+        {
+            try
+            {
+                // Arrange
+                Setup();
+
+                var actionManifest = new ActionManifestManager();
+                actionManifest.Initialize(_hc);
+
+                // Act & Assert — github is not a valid context for container-runs-env (only inputs is allowed)
+                var ex = Assert.Throws<ArgumentException>(() =>
+                    actionManifest.Load(_ec.Object, Path.Combine(TestUtil.GetTestDataPath(), "dockerfileaction_env_invalid_context.yml")));
+
+                Assert.Contains("Failed to load", ex.Message);
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Load_ContainerAction_AcceptsValidExpressionContext()
+        {
+            try
+            {
+                // Arrange
+                Setup();
+
+                var actionManifest = new ActionManifestManager();
+                actionManifest.Initialize(_hc);
+
+                // Act — inputs is a valid context for container-runs-env
+                var result = actionManifest.Load(_ec.Object, Path.Combine(TestUtil.GetTestDataPath(), "dockerfileaction_arg_env_expression.yml"));
+
+                // Assert
+                var containerAction = result.Execution as ContainerActionExecutionDataNew;
+                Assert.NotNull(containerAction);
+                Assert.Equal("${{ inputs.entryPoint }}", containerAction.Environment[1].Value.ToString());
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
         private void Setup([CallerMemberName] string name = "")
         {
             _ecTokenSource?.Dispose();

src/Test/L0/Worker/ActionManifestManagerLegacyL0.cs

@@ -926,6 +926,58 @@ namespace GitHub.Runner.Common.Tests.Worker
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Load_ContainerAction_RejectsInvalidExpressionContext()
+        {
+            try
+            {
+                // Arrange
+                Setup();
+
+                var actionManifest = new ActionManifestManagerLegacy();
+                actionManifest.Initialize(_hc);
+
+                // Act & Assert — github is not a valid context for container-runs-env (only inputs is allowed)
+                var ex = Assert.Throws<ArgumentException>(() =>
+                    actionManifest.Load(_ec.Object, Path.Combine(TestUtil.GetTestDataPath(), "dockerfileaction_env_invalid_context.yml")));
+
+                Assert.Contains("Failed to load", ex.Message);
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Load_ContainerAction_AcceptsValidExpressionContext()
+        {
+            try
+            {
+                // Arrange
+                Setup();
+
+                var actionManifest = new ActionManifestManagerLegacy();
+                actionManifest.Initialize(_hc);
+
+                // Act — inputs is a valid context for container-runs-env
+                var result = actionManifest.Load(_ec.Object, Path.Combine(TestUtil.GetTestDataPath(), "dockerfileaction_arg_env_expression.yml"));
+
+                // Assert
+                var containerAction = result.Execution as ContainerActionExecutionData;
+                Assert.NotNull(containerAction);
+                Assert.Equal("${{ inputs.entryPoint }}", containerAction.Environment[1].Value.ToString());
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
         private void Setup([CallerMemberName] string name = "")
         {
             _ecTokenSource?.Dispose();

src/Test/L0/Worker/ActionManifestParserComparisonL0.cs

@@ -379,6 +379,40 @@ namespace GitHub.Runner.Common.Tests.Worker
             }
         }
 
+        [Fact]
+        [Trait("Level", "L0")]
+        [Trait("Category", "Worker")]
+        public void Load_BothParsersRejectInvalidExpressionContext()
+        {
+            try
+            {
+                // Arrange — regression test: both parsers must reject github context
+                // in container-runs-env (only inputs is allowed per schema)
+                Setup();
+                _ec.Object.Global.Variables.Set(Constants.Runner.Features.CompareWorkflowParser, "true");
+
+                var legacyManager = new ActionManifestManagerLegacy();
+                legacyManager.Initialize(_hc);
+                _hc.SetSingleton<IActionManifestManagerLegacy>(legacyManager);
+
+                var newManager = new ActionManifestManager();
+                newManager.Initialize(_hc);
+                _hc.SetSingleton<IActionManifestManager>(newManager);
+
+                var wrapper = new ActionManifestManagerWrapper();
+                wrapper.Initialize(_hc);
+
+                var manifestPath = Path.Combine(TestUtil.GetTestDataPath(), "dockerfileaction_env_invalid_context.yml");
+
+                // Act & Assert — both parsers should reject, wrapper should throw
+                Assert.Throws<ArgumentException>(() => wrapper.Load(_ec.Object, manifestPath));
+            }
+            finally
+            {
+                Teardown();
+            }
+        }
+
         private string GetFullExceptionMessage(Exception ex)
         {
             var messages = new List<string>();

src/Test/TestData/dockerfileaction_env_invalid_context.yml

@@ -0,0 +1,13 @@
+name: 'Action With Invalid Context'
+description: 'Docker action that uses github context in env (only inputs is allowed)'
+inputs:
+  my-input:
+    description: 'A test input'
+    required: false
+    default: 'hello'
+runs:
+  using: 'docker'
+  image: 'Dockerfile'
+  env:
+    VALID: '${{ inputs.my-input }}'
+    INVALID: '${{ github.event.repository.private }}'