ci: bump the ci-dependencies group with 5 updates

[dependabot]

Bumps the ci-dependencies group with 5 updates:

Package	From	To
conda-incubator/setup-miniconda	3	4
cvmfs-contrib/github-action-cvmfs	4	5
actions/upload-artifact	4	7
marocchino/sticky-pull-request-comment	2	3
pypa/cibuildwheel	3.3	3.4

Updates conda-incubator/setup-miniconda from 3 to 4

Release notes

Sourced from conda-incubator/setup-miniconda's releases.

Version 4.0.0

Breaking Changes

• #459: Upgrade action runtime to Node.js 24.x (requires runners with Node 24 support; this is the reason for the v4 major bump)
• #450: Switch action build to ESM (for @actions/exec v3)

Features and Enhancements

• #469: Add conda-init input to optionally skip conda init and document activation for restricted environments
• #482: Add channels parsing utility and URL validation
• #481: Enable stricter TypeScript checks and typing
• #480: Add more tests, increase coverage, add Codecov integration and coverage badge
• #479: Add TypeDoc-based API docs, generation and checks; configure GitHub Pages and Netlify previews

Fixes

• #465: Fix double channel configuration being applied
• #467: Speed up Windows post-run cleanup by moving the extracted packages directory instead of removing files one by one
• #470: Fix name-version-build syntax expansion and add tests
• #475: Split shell init and activation of the test environment to remove spurious warning
• #498: Skip Netlify preview for Dependabot PRs

Performance

• #486: Remove HTML index scraping for Miniconda version validation
• #487: Parallelize Windows takeown calls with Promise.all
• #488: Replace isDefaultEnvironment subprocess with local YAML reads
• #489: Replace conda config subprocesses with direct .condarc YAML writes

Tasks and Maintenance

• #444: Bump conda-incubator/setup-miniconda from 3.2.0 to 3.3.0
• #445: Bump actions/checkout from 6.0.1 to 6.0.2
• #449: Bump @​actions/exec from 2.0.0 to 3.0.0
• #456, #484, #491: Bump actions/upload-artifact
• #460: Bump actions/download-artifact from 7.0.0 to 8.0.1
• #464: Update dependencies for actions and packages
• #466: Bump @​actions/tool-cache from 2.0.2 to 4.0.0
• #473: Bump flatted from 3.2.9 to 3.4.2
• #476: Bump picomatch
• #477: Bump conda-incubator/installer from 0.1.0 to 0.1.1
• #485: Bump vite from 8.0.0 to 8.0.8
• #492: Bump actions/upload-pages-artifact from 3 to 5

... (truncated)

Changelog

Sourced from conda-incubator/setup-miniconda's changelog.

v4.0.1 (2026-04-24)

Fixes

• Fix MultipleKeysError on conda 25.11+ when a user-supplied condarc-file already declares auto_activate: now only one of auto_activate / auto_activate_base is written to .condarc, preferring whichever key the user's existing condarc uses.
• Add auto_activate to the boolean coercion set so its value is serialized as a YAML boolean when it is the chosen canonical key.
• Add local_repodata_ttl to KNOWN_CONDARC_KEYS to silence a spurious "Unrecognized condarc key" warning for a valid conda key.

Commits

• 8ee1f36 Fix MultipleKeysError when user condarc declares auto_activate (#500)
• bce0bd8 Prepare v4 release (#499)
• 78fb0ff ci(docs): skip Netlify preview for Dependabot PRs (#498)
• d32e72e Bump @​actions/core from 3.0.0 to 3.0.1 (#496)
• 3e251ae Bump actions/upload-artifact from 4 to 7 (#491)
• 7ff02ae Bump actions/upload-pages-artifact from 3 to 5 (#492)
• 65b62b8 Bump actions/deploy-pages from 4 to 5 (#494)
• 1eb4d38 Bump marocchino/sticky-pull-request-comment from 2 to 3 (#493)
• bfb6f7e Bump codecov/codecov-action from 5 to 6 (#495)
• 77236ef Merge pull request #489 from conda-incubator/perf/direct-condarc-write
• Additional commits viewable in compare view

Updates cvmfs-contrib/github-action-cvmfs from 4 to 5

Release notes

Sourced from cvmfs-contrib/github-action-cvmfs's releases.

v5.0: macos support

What's Changed

• feat: enable dependabot for github-actions ecosystem by @​wdconinc in cvmfs-contrib/github-action-cvmfs#26
• Re-enable experimental support for cvmfs on macos runners by @​vvolkl in cvmfs-contrib/github-action-cvmfs#28
• CVMFS mac support now in prod; use homebrew to install by @​vvolkl in cvmfs-contrib/github-action-cvmfs#31
• macos: move sleep into setup by @​vvolkl in cvmfs-contrib/github-action-cvmfs#32

Full Changelog: cvmfs-contrib/github-action-cvmfs@v4...v5.0

v4.1

What's Changed

• make cvmfs_http_proxy default to DIRECT (v4) by @​DrDaveD in cvmfs-contrib/github-action-cvmfs#36

Full Changelog: cvmfs-contrib/github-action-cvmfs@v4.0...v4.1

Commits

• 10197e0 Merge pull request #60 from cvmfs-contrib/cache-lists-optional
• 68fd4c7 caching of apt lists now opt-in
• 461cb9e Merge pull request #55 from cvmfs-contrib/dependabot/github_actions/actions/c...
• bc6dae3 Merge pull request #58 from cvmfs-contrib/update-deb-url
• 73c57b0 update .deb download url for release package
• 6cbe759 chore(deps): bump actions/cache from 4 to 5
• c96a881 Merge pull request #54 from cvmfs-contrib/wdconinc-patch-1
• 0392bb5 Update macOS versions in workflow matrix
• 6bcc64e Merge pull request #53 from cvmfs-contrib/dependabot/github_actions/actions/c...
• b33ddf1 chore(deps): bump actions/checkout from 5 to 6
• Additional commits viewable in compare view

Updates actions/upload-artifact from 4 to 7

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

... (truncated)

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• Additional commits viewable in compare view

Updates marocchino/sticky-pull-request-comment from 2 to 3

Release notes

Sourced from marocchino/sticky-pull-request-comment's releases.

v3.0.0

What's Changed

• Update node to 24
• Update deps

New Contributors

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.4...v3.0.0

v2.9.4

What's Changed

• build(deps-dev): Bump @​biomejs/biome from 2.0.0 to 2.0.2 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1554
• build(deps-dev): Bump @​types/node from 24.0.3 to 24.0.11 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1561
• build(deps-dev): Bump @​biomejs/biome from 2.0.4 to 2.1.1 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1562
• build(deps-dev): Bump @​types/node from 24.0.11 to 24.0.12 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1563
• build(deps-dev): Bump @​types/node from 24.0.12 to 24.0.13 by @​dependabot[bot] in marocchino/sticky-pull-request-comment#1564

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.3...v2.9.4

v2.9.3

What's Changed

• Update deps (including security issues)
• Test with vitest instead of jest
• Use biome

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.2...v2.9.3

v2.9.2

What's Changed

• Update @​octokit/graphql-schema & use biome by @​marocchino in marocchino/sticky-pull-request-comment#1517
• build(deps): Bump undici from 5.28.4 to 5.28.5 by @​dependabot in marocchino/sticky-pull-request-comment#1476
• build(deps-dev): Bump @​types/node from 22.10.7 to 22.14.0 by @​dependabot in marocchino/sticky-pull-request-comment#1515
• build(deps): Bump @​octokit/request-error from 5.0.1 to 5.1.1 by @​dependabot in marocchino/sticky-pull-request-comment#1490
• build(deps): Bump @​octokit/request from 8.1.4 to 8.4.1 by @​dependabot in marocchino/sticky-pull-request-comment#1494
• build(deps): Bump @​octokit/plugin-paginate-rest from 9.1.2 to 9.2.2 by @​dependabot in marocchino/sticky-pull-request-comment#1493

Full Changelog: marocchino/sticky-pull-request-comment@v2.9.1...v2.9.2

v2.9.1

What's Changed

• Fix test action by @​NoRePercussions in marocchino/sticky-pull-request-comment#1364
• PR Test Autocomment: Include Errors by @​NoRePercussions in marocchino/sticky-pull-request-comment#1365
• Always move ID comment to end of message by @​NoRePercussions in marocchino/sticky-pull-request-comment#1373
• Update deps

... (truncated)

Commits

• d4d6b09 📦️ Build
• 3868baa build(deps-dev): Bump typescript from 5.9.3 to 6.0.2 (#1670)
• 26f73b0 build(deps): Bump brace-expansion (#1678)
• f6e304e build(deps-dev): Bump @​biomejs/biome from 2.4.7 to 2.4.10 (#1675)
• a7709b6 build(deps-dev): Bump @​types/node from 25.5.0 to 25.5.2 (#1677)
• 0746c6f build(deps-dev): Bump rollup from 4.59.0 to 4.60.1 (#1676)
• 2a4b1c3 build(deps-dev): Bump vitest from 4.1.0 to 4.1.2 (#1674)
• 1ab42d2 build(deps): Bump picomatch from 4.0.3 to 4.0.4 (#1673)
• 5a61de7 build(deps-dev): Bump @​biomejs/biome from 2.4.6 to 2.4.7 (#1666)
• 7cb1e16 Add number_force that overrides pull_request number (#1652)
• Additional commits viewable in compare view

Updates pypa/cibuildwheel from 3.3 to 3.4

Release notes

Sourced from pypa/cibuildwheel's releases.

v3.4.0

• 🌟 You can now build wheels using uv as a build frontend. This should improve performance, especially if your project has lots of build dependencies. To use, set build-frontend to uv. (#2322)
• ⚠️ We no longer support running on Travis CI. It may continue working but we don't run tests there anymore so we can't be sure. (#2682)
• ✨ Improvements to building Rust wheels on Android (#2650)
• 🛠 Update Pyodide to 0.29.3 (#2719, #2733)
• 🐛 Fix bug with the GitHub Action on Windows, where PATH was getting unnecessarily changed, causing issues with meson builds. (#2723)
• ✨ Add support for quiet setting on build and uv from the cibuildwheel build-verbosity setting. (#2737)
• 📚 Docs updates, including guidance on using Meson on Windows (#2718)

v3.3.1

• 🛠 Update dependencies and container pins, including updating to CPython 3.14.2. (#2708)

Changelog

Sourced from pypa/cibuildwheel's changelog.

v2.23.4

16 March 2026

• 🐛 Fix HTTP 429 errors while downloading virtualenv from GitHub blob URLs – uses a https://bootstrap.pypa.io/ URL instead. (#2775)

Commits

• 8d2b08b Bump version: v3.4.1
• 54b8a01 deprecation: cp313t (#2787)
• 097806b tests: fully type the test suite (#2794)
• 643b30c fix: avoid PYTHON_VERSION breaking uv if set (#2795)
• fffe2ca chore(deps): bump j178/prek-action from 1.1.1 to 2.0.0 in the actions group (...
• 6111948 fix: zizmor "code injection via template expansion" (#2784)
• e478767 chore: remove some string types (#2798)
• caf433b [Bot] Update dependencies (#2789)
• a257a3f chore: remove remaining future annotations (#2799)
• 6df84da chore: some cleanup and checks (#2792)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

CVMFS benchmarks

Top 25 slowest-loading corrections, sorted by mean time:

Benchmark	Mean (ms)	Stddev (ms)	Rounds
test_load[JME/Run2-2017-UL-NanoAODv9/latest/jet_jerc.json.gz]	958.480	4.449	5
test_load[JME/Run2-2017-UL-NanoAODv9/latest/fatJet_jerc.json.gz]	806.858	8.757	5
test_load[JME/Run3-24Prompt-Winter24-NanoAODv14/latest/jet_jerc.json.gz]	710.413	3.049	5
test_load[JME/Run3-24CDEReprocessingFGHIPrompt-Summer24-NanoAODv15/latest/fatJet_jerc.json.gz]	639.986	3.330	5
test_load[JME/Run3-24CDEReprocessingFGHIPrompt-Summer24-NanoAODv15/latest/jet_jerc.json.gz]	636.815	3.325	5
test_load[JME/Run3-25Prompt-Winter25-NanoAODv15/latest/jet_jerc.json.gz]	433.164	1.181	5
test_load[JME/Run3-25Prompt-Winter25-NanoAODv15/latest/fatJet_jerc.json.gz]	432.592	1.734	5
test_load[JME/Run3-23CSep23-Summer23-NanoAODv12/latest/jet_jerc.json.gz]	313.531	0.666	5
test_load[JME/Run3-23CSep23-Summer23-NanoAODv12/latest/fatJet_jerc.json.gz]	312.819	0.952	5
test_load[JME/Run2-2018-UL-NanoAODv9/latest/jet_jerc.json.gz]	307.506	5.454	5
test_load[JME/Run3-22EFGSep23-Summer22EE-NanoAODv12/latest/jet_jerc.json.gz]	260.284	5.067	5
test_load[JME/Run3-22EFGSep23-Summer22EE-NanoAODv12/latest/fatJet_jerc.json.gz]	258.930	1.044	5
test_load[JME/Run2-2016preVFP-UL-NanoAODv9/latest/jet_jerc.json.gz]	239.515	0.786	5
test_load[JME/Run3-23DSep23-Summer23BPix-NanoAODv12/latest/fatJet_jerc.json.gz]	237.745	1.193	5
test_load[JME/Run3-23DSep23-Summer23BPix-NanoAODv12/latest/jet_jerc.json.gz]	237.709	0.901	5
test_load[JME/Run2-2017-UL-NanoAODv15/latest/fatJet_jerc.json.gz]	235.128	0.971	5
test_load[JME/Run2-2017-UL-NanoAODv15/latest/jet_jerc.json.gz]	234.694	0.473	5
test_load[JME/Run2-2018-UL-NanoAODv9/latest/fatJet_jerc.json.gz]	230.921	0.871	5
test_load[JME/Run2-2018-UL-NanoAODv15/latest/fatJet_jerc.json.gz]	227.125	2.211	5
test_load[JME/Run2-2018-UL-NanoAODv15/latest/jet_jerc.json.gz]	225.514	1.224	5
test_load[JME/Run3-22Prompt-Winter22-NanoAODv12/latest/fatJet_jerc.json.gz]	223.724	1.171	5
test_load[JME/Run3-22Prompt-Winter22-NanoAODv12/latest/jet_jerc.json.gz]	222.477	0.850	5
test_load[JME/Run3-22CDSep23-Summer22-NanoAODv12/latest/jet_jerc.json.gz]	217.474	1.189	5
test_load[JME/Run3-22CDSep23-Summer22-NanoAODv12/latest/fatJet_jerc.json.gz]	217.111	0.572	5
test_load[JME/Run2-2016postVFP-UL-NanoAODv9/latest/jet_jerc.json.gz]	215.669	1.279	5