ci: bump the ci-updates group across 1 directory with 5 updates

[dependabot]

Bumps the ci-updates group with 5 updates in the / directory:

Package	From	To
actions/cache	5.0.4	5.0.5
astral-sh/setup-uv	7.6.0	8.0.0
fossas/fossa-action	1.8.0	1.9.0
act10ns/slack	2.1.0	2.2.0
pypa/gh-action-pypi-publish	1.13.0	1.14.0

Updates actions/cache from 5.0.4 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

• Update ts-http-runtime dependency by @​yacaovsnc in actions/cache#1747

Full Changelog: actions/cache@v5...v5.0.5

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

1. Switch to a new branch from main.
2. Run npm test to ensure all tests are passing.
3. Update the version in https://github.com/actions/cache/blob/main/package.json.
4. Run npm run build to update the compiled files.
5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
6. Run licensed cache to update the license report.
7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
8. Commit your changes and push your branch upstream.
9. Open a pull request against main and get it reviewed and merged.
10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits

• 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
• f280785 licensed changes
• 619aeb1 npm run build generated dist files
• bcf16c2 Update ts-http-runtime to 0.3.5
• See full diff in compare view

Updates astral-sh/setup-uv from 7.6.0 to 8.0.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.0.0 🌈 Immutable releases and secure tags

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP] Use the immutable tag as a version astral-sh/setup-uv@v8.0.0 Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

• Remove update-major-minor-tags workflow @​eifinger (#826)
• Remove deprecrated custom manifest @​eifinger (#813)

🧰 Maintenance

• Shortcircuit latest version from manifest @​eifinger (#828)
• Simplify inputs.ts @​eifinger (#827)
• Bump release-drafter to v7.1.1 @​eifinger (#825)
• Refactor inputs @​eifinger (#823)
• Replace inline compile args with tsconfig @​eifinger (#824)
• chore: update known checksums for 0.11.2 @github-actions[bot] (#821)
• chore: update known checksums for 0.11.1 @github-actions[bot] (#817)
• chore: update known checksums for 0.11.0 @github-actions[bot] (#815)
• Fix latest-version workflow check @​eifinger (#812)
• chore: update known checksums for 0.10.11/0.10.12 @github-actions[bot] (#811)

Commits

• cec2083 Shortcircuit latest version from manifest (#828)
• 4dd8ab4 Simplify inputs.ts (#827)
• 7fdbe7c Remove update-major-minor-tags workflow (#826)
• 485abd0 Bump release-drafter to v7.1.1 (#825)
• f82eb19 Refactor inputs (#823)
• 868d1f7 Replace inline compile args with tsconfig (#824)
• 447e6d0 chore: update known checksums for 0.11.2 (#821)
• 5c62c59 chore: update known checksums for 0.11.1 (#817)
• e1a7373 chore: update known checksums for 0.11.0 (#815)
• 8970931 Remove deprecrated custom manifest (#813)
• Additional commits viewable in compare view

Updates fossas/fossa-action from 1.8.0 to 1.9.0

Release notes

Sourced from fossas/fossa-action's releases.

v1.9.0

What's Changed

• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in fossas/fossa-action#245
• Bump @​actions/tool-cache from 3.0.1 to 4.0.0 by @​dependabot[bot] in fossas/fossa-action#267
• Bump undici from 6.23.0 to 6.24.1 by @​spatten in fossas/fossa-action#275
• Add CI workflow to auto-rebuild dist by @​spatten in fossas/fossa-action#276
• Bump actions/upload-artifact from 4 to 7 by @​dependabot[bot] in fossas/fossa-action#272
• Add CodeRabbit configuration by @​chad-fossa in fossas/fossa-action#271
• Bump @​types/node from 25.2.0 to 25.2.1 by @​dependabot[bot] in fossas/fossa-action#269

New Contributors

• @​chad-fossa made their first contribution in fossas/fossa-action#271

Full Changelog: fossas/fossa-action@v1.8.0...v1.9.0

Commits

• ff70fe9 Bump @​types/node from 25.2.0 to 25.2.1 (#269)
• 266ac4f Add CodeRabbit configuration (#271)
• ad09c5f Bump actions/upload-artifact from 4 to 7 (#272)
• 0bdc47f Add CI workflow to auto-rebuild dist (#276)
• b74b788 Bump undici from 6.23.0 to 6.24.1 (#275)
• c9be25a Bump @​actions/tool-cache from 3.0.1 to 4.0.0 (#267)
• edcc582 Bump actions/checkout from 5 to 6 (#245)
• See full diff in compare view

Updates act10ns/slack from 2.1.0 to 2.2.0

Release notes

Sourced from act10ns/slack's releases.

v2.2.0

What's New

Features

• Multiple channels — channel input now accepts multiple channels separated by spaces or commas
• Blocks-only mode — new blocks_only config option to send only blocks without the legacy attachment
• Workflow-level status — documented pattern for reporting multi-job workflow status
• Template variables reference — full table of all supported Handlebars template variables in README

Bug Fixes

• Filter unnamed steps — steps without an explicit id (auto-generated hex hashes) are now filtered out (#131)
• Retry on failure — webhook send retries up to 3 times with linear backoff on transient errors (#196)
• Sanitize template data — user-controlled data (commit messages, PR titles) containing Handlebars syntax no longer causes runtime errors (#259)
• Warn on missing config — emits a warning when a custom config file path is specified but not found (#267)
• Stale dist — jobInputs and all recent features now included in bundled dist (#278)

Infrastructure

• Node.js 24 runtime (previously Node.js 20) (#284)
• Auto-rebuild dist — CI workflow automatically rebuilds dist/ on merge to master
• Security dependency updates — cross-spawn, minimatch, flatted, picomatch, handlebars, axios, js-yaml

Documentation

• Added CLAUDE.md for contributor guidance
• Updated README with corrected examples, current GitHub docs URLs, and copyright year

Commits

• d96404e Rebuild dist [skip ci]
• e108fcc Merge pull request #301 from act10ns/dependabot/npm_and_yarn/multi-75e6bc5210
• ffe143e Bump js-yaml
• 9b6eafd Rebuild dist [skip ci]
• 27d94b3 Merge pull request #286 from act10ns/dependabot/npm_and_yarn/axios-1.14.0
• cc49177 Merge pull request #285 from act10ns/dependabot/npm_and_yarn/handlebars-4.7.9
• 689dfe0 Rebuild dist [skip ci]
• 6972e9c Merge pull request #289 from act10ns/dependabot/npm_and_yarn/picomatch-2.3.2
• 9e39a0b Merge pull request #288 from act10ns/dependabot/npm_and_yarn/flatted-3.4.2
• c73e9b2 Merge pull request #287 from act10ns/dependabot/npm_and_yarn/minimatch-3.1.5
• Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.14.0

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#391) and @​webknjaz💰 added infra for using type annotations in the project (#381).

💪 New Contributors

• @​him2him2 made their first contribution in #395
• @​whitequark made their first contribution in #397

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

Commits

• cef2210 Merge pull request #397 from whitequark/patch-1
• b4595e2 Enable verbose and print-hash by default.
• e2bab26 Merge pull request #395 from him2him2/docs/fix-typos-and-grammar
• 7495c38 docs: fix typos and grammar in README and SECURITY
• 03f86fe Merge pull request #388 from woodruffw-forks/ww/rm-experimental
• 4c78f1c Merge branch 'unstable/v1' into ww/rm-experimental
• b5a6e8b deps: bump sigstore and pypi-attestations
• a48a03e remove another experimental mention
• 8087a88 action: remove a lingering mention of PEP 740 being experimental
• 3317ede 🧪 Integrate actionlint via pre-commit framework
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Coverage report

This PR does not seem to contain any modification to coverable code.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.