Skip to content

ci: bump the actions group across 1 directory with 6 updates#10

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-c38932c242
Open

ci: bump the actions group across 1 directory with 6 updates#10
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/actions-c38932c242

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Oct 13, 2025
edited
Loading

Copy link
Copy Markdown

Bumps the actions group with 6 updates in the / directory:

Package From To
actions/checkout 4.2.2 6.0.2
hynek/build-and-inspect-python-package 2.13.0 2.18.0
actions/download-artifact 4.3.0 8.0.1
svenstaro/upload-release-action 2.9.0 2.11.5
pypa/gh-action-pypi-publish 1.12.4 1.14.0
actions/setup-python 5.6.0 6.2.0

Updates actions/checkout from 4.2.2 to 6.0.2

Release notes

Sourced from actions/checkout's releases.

v6.0.2

What's Changed

Full Changelog: actions/checkout@v6.0.1...v6.0.2

v6.0.1

What's Changed

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

... (truncated)

Commits

Updates hynek/build-and-inspect-python-package from 2.13.0 to 2.18.0

Release notes

Sourced from hynek/build-and-inspect-python-package's releases.

v2.18.0

Added

  • New input: skip-sdist to skip building the source distribution. #228

v2.17.0

Fixed

  • The action now passes Zizmor in pedantic mode. #212

v2.16.0

Added

  • New include-free-threaded input. When set to 'true', free-threaded Python siblings (for example, 3.14t) are included in the version outputs for Python 3.14 and later, inserted inline after each matching version. #208

v2.15.0

Added

  • The Python version used to build the package can now be configured using the python-version input. #191

v2.14.0

Changed

  • Update tools such that they work on Python 3.14 (which is now 3.x on GitHub Actions). #182

  • The action now ignores UV_PYTHON coming from the outside. #184

Changelog

Sourced from hynek/build-and-inspect-python-package's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

Unreleased

2.18.0 - 2026-05-11

Added

  • New input: skip-sdist to skip building the source distribution. #228

2.17.0 - 2026-03-27

Fixed

  • The action now passes Zizmor in pedantic mode. #212

2.16.0 - 2026-03-26

Added

  • New input: include-free-threaded When set to 'true', free-threaded Python siblings (for example, 3.14t) are included in the version outputs for Python 3.14 and later, inserted inline after each matching version. #208

2.15.0 - 2026-03-19

Added

  • The Python version used to build the package can now be configured using the python-version input. #191

Changed

  • Pick Python version explictly instead of "3.x" to prevent incompatibily problems like #182 in the future.

... (truncated)

Commits

Updates actions/download-artifact from 4.3.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Full Changelog: actions/download-artifact@v7...v8.0.0

v7.0.0

v7 - What's new

[!IMPORTANT] actions/download-artifact@v7 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v6 had preliminary support for Node 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

... (truncated)

Commits
  • 3e5f45b Add regression tests for CJK characters (#471)
  • e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
  • 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
  • f258da9 Add change docs
  • ccc058e Fix linting issues
  • bd7976b Add a setting to specify what to do on hash mismatch and default it to error
  • ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
  • 15999bf Add note about package bumps
  • 974686e Bump the version to v8 and add release notes
  • fbe48b1 Update test names to make it clearer what they do
  • Additional commits viewable in compare view

Updates svenstaro/upload-release-action from 2.9.0 to 2.11.5

Release notes

Sourced from svenstaro/upload-release-action's releases.

2.11.5

Update to ESM; Bump github-related npm libraries

2.11.4

What's Changed

Bumped all NPM versions

2.11.3

Post-fix Github errors - releases created as draft when they shouldn't have been - #99

2.11.2

Solved race-condition when matrix builds try to create the same release at the same time - #147

2.11.1

Fixed input and output names for release_id

2.11.0

  • Adds a release_id output, and optional input, for uploading files to release - #136 (thanks @​alexis-opolka)

2.10.0

Adds the ability to disable duplicate check, for lower Github API usage - #142 (thanks @​colinsullivan)

2.9.1

Fixed development + CI, updated dependencies - #137

Commits
  • 29e53e9 2.11.5
  • e701a60 Update actions to Node.js 24
  • f0ad2b8 Migrate to ESM and bump GitHub Actions toolkit to latest
  • 0c75bf0 Revert "Bump GitHub Actions toolkit dependencies to latest major versions"
  • 980b6b1 Bump GitHub Actions toolkit dependencies to latest major versions
  • b98a3b1 2.11.4
  • 274af92 Merge pull request #152 from svenstaro/dependabot/npm_and_yarn/isaacs/brace-e...
  • 523bbfa Bump @​isaacs/brace-expansion from 5.0.0 to 5.0.1
  • 7f93926 2.11.3
  • d78c255 Fix releases that are created as drafts (github error) (#151)
  • Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.12.4 to 1.14.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.14.0

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#391) and @​webknjaz💰 added infra for using type annotations in the project (#381).

💪 New Contributors

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

GH Sponsors badge

v1.13.0

[!important] 🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰. We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip]

... (truncated)

Commits
  • cef2210 Merge pull request #397 from whitequark/patch-1
  • b4595e2 Enable verbose and print-hash by default.
  • e2bab26 Merge pull request #395 from him2him2/docs/fix-typos-and-grammar
  • 7495c38 docs: fix typos and grammar in README and SECURITY
  • 03f86fe Merge pull request #388 from woodruffw-forks/ww/rm-experimental
  • 4c78f1c Merge branch 'unstable/v1' into ww/rm-experimental
  • b5a6e8b deps: bump sigstore and pypi-attestations
  • a48a03e remove another experimental mention
  • 8087a88 action: remove a lingering mention of PEP 740 being experimental
  • 3317ede 🧪 Integrate actionlint via pre-commit framework
  • Additional commits viewable in compare view

Updates actions/setup-python from 5.6.0 to 6.2.0

Release notes

Sourced from actions/setup-python's releases.

v6.2.0

What's Changed

Dependency Upgrades

Full Changelog: actions/setup-python@v6...v6.2.0

v6.1.0

What's Changed

Enhancements:

Dependency and Documentation updates:

New Contributors

Full Changelog: actions/setup-python@v6...v6.1.0

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Bug fixes:

Dependency updates:

... (truncated)

Commits
  • a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
  • bfe8cc5 Upgrade @​actions dependencies to Node 24 compatible versions (#1259)
  • 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
  • 83679a8 Bump @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
  • bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
  • 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
  • 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
  • cfd55ca graalpy: add graalpy early-access and windows builds (#880)
  • bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
  • 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Oct 13, 2025
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-c38932c242 branch from 8fc58e5 to 198e72f Compare March 30, 2026 06:40
@dependabot
ci: bump the actions group across 1 directory with 6 updates
b6d71b4 
Bumps the actions group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `6.0.2` |
| [hynek/build-and-inspect-python-package](https://github.com/hynek/build-and-inspect-python-package) | `2.13.0` | `2.18.0` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4.3.0` | `8.0.1` |
| [svenstaro/upload-release-action](https://github.com/svenstaro/upload-release-action) | `2.9.0` | `2.11.5` |
| [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.12.4` | `1.14.0` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.2.0` |



Updates `actions/checkout` from 4.2.2 to 6.0.2
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@11bd719...de0fac2)

Updates `hynek/build-and-inspect-python-package` from 2.13.0 to 2.18.0
- [Release notes](https://github.com/hynek/build-and-inspect-python-package/releases)
- [Changelog](https://github.com/hynek/build-and-inspect-python-package/blob/main/CHANGELOG.md)
- [Commits](hynek/build-and-inspect-python-package@c52c3a4...d44ca7d)

Updates `actions/download-artifact` from 4.3.0 to 8.0.1
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@d3f86a1...3e5f45b)

Updates `svenstaro/upload-release-action` from 2.9.0 to 2.11.5
- [Release notes](https://github.com/svenstaro/upload-release-action/releases)
- [Changelog](https://github.com/svenstaro/upload-release-action/blob/master/CHANGELOG.md)
- [Commits](svenstaro/upload-release-action@04733e0...29e53e9)

Updates `pypa/gh-action-pypi-publish` from 1.12.4 to 1.14.0
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](pypa/gh-action-pypi-publish@76f52bc...cef2210)

Updates `actions/setup-python` from 5.6.0 to 6.2.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a26af69...a309ff8)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/download-artifact
  dependency-version: 5.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-python
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: hynek/build-and-inspect-python-package
  dependency-version: 2.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: pypa/gh-action-pypi-publish
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: svenstaro/upload-release-action
  dependency-version: 2.11.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions-c38932c242 branch from 198e72f to b6d71b4 Compare May 18, 2026 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants