build(deps): bump the dependencies group across 1 directory with 6 updates

[dependabot]

Bumps the dependencies group with 6 updates in the / directory:

Package	From	To
actions/checkout	5	6
astral-sh/setup-uv	6.6.1	7.1.4
actions/upload-artifact	4	5
actions/download-artifact	5	6
sigstore/gh-action-sigstore-python	3.0.1	3.1.0
zizmorcore/zizmor-action	0.1.2	0.3.0

Updates actions/checkout from 5 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

Commits

• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• See full diff in compare view

Updates astral-sh/setup-uv from 6.6.1 to 7.1.4

Release notes

Sourced from astral-sh/setup-uv's releases.

v7.1.4 🌈 Fix libuv closing bug on Windows

Changes

This release fixes the bug Assertion failed: !(handle->flags & UV_HANDLE_CLOSING) on Windows runners

🐛 Bug fixes

• Wait 50ms before exit to fix libuv bug @​eifinger (#689)

🧰 Maintenance

• chore: update known checksums for 0.9.10 @github-actions[bot] (#681)
• chore: update known checksums for 0.9.9 @github-actions[bot] (#679)

v7.1.3 🌈 Support act

Changes

This bug fix release adds support for https://github.com/nektos/act It was previously broken because of a too new undici version and TS transpilation target.

Compatibility with act is now automatically tested.

🐛 Bug fixes

• use old undici and ES2022 target for act support @​eifinger (#678)

🧰 Maintenance

• chore: update known checksums for 0.9.8 @github-actions[bot] (#677)
• chore: update known checksums for 0.9.7 @github-actions[bot] (#671)
• chore: update known checksums for 0.9.6 @github-actions[bot] (#670)

📚 Documentation

• Correct description of cache-dependency-glob @​allanlewis (#676)

v7.1.2 🌈 Speed up extraction on Windows

Changes

@​lazka fixed a bug that caused extracting uv to take up to 30s. Thank you!

🐛 Bug fixes

• Use tar for extracting the uv zip file on Windows too @​lazka (#660)

🧰 Maintenance

• chore: update known checksums for 0.9.5 @github-actions[bot] (#663)

⬆️ Dependency updates

... (truncated)

Commits

• 1e862df Wait 50ms before exit to fix libuv bug (#689)
• d7d33e1 chore: update known checksums for 0.9.10 (#681)
• 486d0b8 chore: update known checksums for 0.9.9 (#679)
• 5a7eac6 use old undici and ES2022 target for act support (#678)
• b49dc9e chore: update known checksums for 0.9.8 (#677)
• 30ce38e Correct description of cache-dependency-glob (#676)
• 0d20755 chore: update known checksums for 0.9.7 (#671)
• 8491d1d chore: update known checksums for 0.9.6 (#670)
• 8585678 Bump dependencies (#664)
• 22d500a Bump github/codeql-action from 4.30.8 to 4.30.9 (#652)
• Additional commits viewable in compare view

Updates actions/upload-artifact from 4 to 5

Release notes

Sourced from actions/upload-artifact's releases.

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

New Contributors

• @​GhadimiR made their first contribution in actions/upload-artifact#681
• @​nebuk89 made their first contribution in actions/upload-artifact#712
• @​danwkennedy made their first contribution in actions/upload-artifact#727
• @​patrikpolyak made their first contribution in actions/upload-artifact#725

Full Changelog: actions/upload-artifact@v4...v5.0.0

v4.6.2

What's Changed

• Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @​salmanmkc in actions/upload-artifact#685

New Contributors

• @​salmanmkc made their first contribution in actions/upload-artifact#685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

What's Changed

• Update to use artifact 2.2.2 package by @​yacaovsnc in actions/upload-artifact#673

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

What's Changed

• Expose env vars to control concurrency and timeout by @​yacaovsnc in actions/upload-artifact#662

Full Changelog: actions/upload-artifact@v4...v4.6.0

v4.5.0

What's Changed

• fix: deprecated Node.js version in action by @​hamirmahal in actions/upload-artifact#578
• Add new artifact-digest output by @​bdehamer in actions/upload-artifact#656

New Contributors

• @​hamirmahal made their first contribution in actions/upload-artifact#578

... (truncated)

Commits

• 330a01c Merge pull request #734 from actions/danwkennedy/prepare-5.0.0
• 03f2824 Update github.dep.yml
• 905a1ec Prepare v5.0.0
• 2d9f9cd Merge pull request #725 from patrikpolyak/patch-1
• 9687587 Merge branch 'main' into patch-1
• 2848b2c Merge pull request #727 from danwkennedy/patch-1
• 9b51177 Spell out the first use of GHES
• cd231ca Update GHES guidance to include reference to Node 20 version
• de65e23 Merge pull request #712 from actions/nebuk89-patch-1
• 8747d8c Update README.md
• Additional commits viewable in compare view

Updates actions/download-artifact from 5 to 6

Release notes

Sourced from actions/download-artifact's releases.

v6.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in actions/download-artifact#417
• Update README with artifact extraction details by @​yacaovsnc in actions/download-artifact#424
• Readme: spell out the first use of GHES by @​danwkennedy in actions/download-artifact#431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in actions/download-artifact#438

New Contributors

• @​danwkennedy made their first contribution in actions/download-artifact#431

Full Changelog: actions/download-artifact@v5...v6.0.0

Commits

• 018cc2c Merge pull request #438 from actions/danwkennedy/prepare-6.0.0
• 815651c Revert "Remove github.dep.yml"
• bb3a066 Remove github.dep.yml
• fa1ce46 Prepare v6.0.0
• 4a24838 Merge pull request #431 from danwkennedy/patch-1
• 5e3251c Readme: spell out the first use of GHES
• abefc31 Merge pull request #424 from actions/yacaovsnc/update_readme
• ac43a60 Update README with artifact extraction details
• de96f46 Merge pull request #417 from actions/yacaovsnc/update_readme
• 7993cb4 Remove migration guide for artifact download changes
• Additional commits viewable in compare view

Updates sigstore/gh-action-sigstore-python from 3.0.1 to 3.1.0

Release notes

Sourced from sigstore/gh-action-sigstore-python's releases.

v3.1.0

gh-action-sigstore-python is now compatible with Rekor v2 transparency log (but produced signature bundles still contain Rekor v1 entries by default).

Changed

• The action now uses sigstore-python 4.1. All other dependencies are also updated (#220)

Fixed

• Fixed incompatibility with Python 3.14 by upgrading dependencies (#225)

Added

• rekor-version argument was added to control the Rekor transparency log version when signing. The default version in the gh-action-sigstore-python 3.x series will remain 1 (except when using staging: true). (#228)

Changelog

Sourced from sigstore/gh-action-sigstore-python's changelog.

Changelog

All notable changes to gh-action-sigstore-python will be documented in this file.

The format is based on Keep a Changelog.

All versions prior to 3.0.0 are untracked.

[Unreleased]

[3.1.0]

gh-action-sigstore-python is now compatible with Rekor v2 transparency log (but produced signature bundles still contain Rekor v1 entries by default).

Changed

• The action now uses sigstore-python 4.1. All other dependencies are also updated (#220)

Fixed

• Fixed incompatibility with Python 3.14 by upgrading dependencies (#225)

Added

• rekor-version argument was added to control the Rekor transparency log version when signing. The default version in the gh-action-sigstore-python 3.x series will remain 1 (except when using staging: true). (#228)

[3.0.1]

Changed

• The minimum Python version supported by this action is now 3.9 (#155)
• The action's Python dependencies are now fully pinned to specific versions (#165)

Fixed

• The rfc3161-client dependency has been upgrades to 1.0.3 to resolve a security vulnerability (#182)

[3.0.0]

... (truncated)

Commits

• f832326 Prepare 3.1.0 release (#230)
• 3385d3a build(deps): bump astral-sh/setup-uv in the actions group (#232)
• 35fff1e Add rekor-version argument (#228)
• be60bbe build(deps): bump github/codeql-action in the actions group (#231)
• 72e7431 Actually upgrade dependencies (#225)
• ccdc279 ci, action: address zizmor findings, bump versions (#222)
• 709f8a4 build(deps): bump sigstore from 3.6.3 to 4.0.0 (#220)
• 5ce4031 requirements: Include main.in contents within dev.in (#221)
• ea888ad build(deps): bump the actions group with 3 updates (#218)
• 17565e2 build(deps): bump the python-dependencies group with 6 updates (#219)
• Additional commits viewable in compare view

Updates zizmorcore/zizmor-action from 0.1.2 to 0.3.0

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.3.0

What's Changed

• README: fix troubleshooting link by @​woodruffw in zizmorcore/zizmor-action#50
• README: add a troubleshooting section about Advanced Security by @​woodruffw in zizmorcore/zizmor-action#51
• feat: Support a config option by @​naokihaba in zizmorcore/zizmor-action#56

New Contributors

• @​naokihaba made their first contribution in zizmorcore/zizmor-action#56

Full Changelog: zizmorcore/zizmor-action@v0.2.0...v0.3.0

v0.2.0

What's Changed

• feat: add support for color input by @​birjj in zizmorcore/zizmor-action#37
• Adding option for GitHub annotations by @​abdelq in zizmorcore/zizmor-action#45

New Contributors

• @​birjj made their first contribution in zizmorcore/zizmor-action#37
• @​abdelq made their first contribution in zizmorcore/zizmor-action#45

Full Changelog: zizmorcore/zizmor-action@v0.1.2...v0.2.0

Commits

• e639db9 remove mise.toml (#57)
• f4409e3 feat: Support a config option (#56)
• 1aba86d chore(deps): bump github/codeql-action in the github-actions group (#54)
• da5ac40 README: add a troubleshooting section about Advanced Security (#51)
• cc28a58 README: fix troubleshooting link (#50)
• c323c83 chore(deps): bump zizmorcore/zizmor-action from 0.1.2 to 0.2.0 in the github-...
• 0696496 chore(deps): bump github/codeql-action in the github-actions group (#48)
• 8735394 docs: bump action pins (#46)
• e673c39 Adding option for GitHub annotations (#45)
• 2d5a33f chore: add missing license (#44)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions