polarify icon indicating copy to clipboard operation
polarify copied to clipboard
verified publisher icon Quantco

Bump the actions group across 1 directory with 8 updates

Open dependabot[bot] opened this issue 5 months ago • 1 comments

Bumps the actions group with 8 updates in the / directory:

Package From To
actions/checkout 4 5
actions/setup-python 5 6
actions/upload-artifact 4 5
actions/download-artifact 4 6
pypa/gh-action-pypi-publish 1.12.4 1.13.0
softprops/action-gh-release 2.2.1 2.4.1
prefix-dev/setup-pixi 0.8.3 0.9.2
codecov/codecov-action 5.4.0 5.5.1

Updates actions/checkout from 4 to 5

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: https://github.com/actions/checkout/compare/v4...v5.0.0

v4.3.0

What's Changed

New Contributors

Full Changelog: https://github.com/actions/checkout/compare/v4...v4.3.0

v4.2.2

What's Changed

Full Changelog: https://github.com/actions/checkout/compare/v4.2.1...v4.2.2

v4.2.1

What's Changed

New Contributors

Full Changelog: https://github.com/actions/checkout/compare/v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

... (truncated)

Commits

Updates actions/setup-python from 5 to 6

Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Bug fixes:

Dependency updates:

New Contributors

Full Changelog: https://github.com/actions/setup-python/compare/v5...v6.0.0

v5.6.0

What's Changed

Full Changelog: https://github.com/actions/setup-python/compare/v5...v5.6.0

v5.5.0

What's Changed

Enhancements:

Bug fixes:

... (truncated)

Commits
  • e797f83 Upgrade to node 24 (#1164)
  • 3d1e2d2 Revert "Enhance cache-dependency-path handling to support files outside the w...
  • 65b0712 Clarify pythonLocation behavior for PyPy and GraalPy in environment variables...
  • 5b668cf Bump actions/checkout from 4 to 5 (#1181)
  • f62a0e2 Change missing cache directory error to warning (#1182)
  • 9322b3c Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIn...
  • fbeb884 Bump form-data to fix critical vulnerabilities #182 & #183 (#1163)
  • 03bb615 Bump idna from 2.9 to 3.7 in /tests/data (#843)
  • 36da51d Add version parsing from Pipfile (#1067)
  • 3c6f142 update documentation (#1156)
  • Additional commits viewable in compare view

Updates actions/upload-artifact from 4 to 5

Release notes

Sourced from actions/upload-artifact's releases.

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v5.0.0

v4.6.2

What's Changed

New Contributors

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.6.2

v4.6.1

What's Changed

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.6.1

v4.6.0

What's Changed

Full Changelog: https://github.com/actions/upload-artifact/compare/v4...v4.6.0

v4.5.0

What's Changed

New Contributors

... (truncated)

Commits
  • 330a01c Merge pull request #734 from actions/danwkennedy/prepare-5.0.0
  • 03f2824 Update github.dep.yml
  • 905a1ec Prepare v5.0.0
  • 2d9f9cd Merge pull request #725 from patrikpolyak/patch-1
  • 9687587 Merge branch 'main' into patch-1
  • 2848b2c Merge pull request #727 from danwkennedy/patch-1
  • 9b51177 Spell out the first use of GHES
  • cd231ca Update GHES guidance to include reference to Node 20 version
  • de65e23 Merge pull request #712 from actions/nebuk89-patch-1
  • 8747d8c Update README.md
  • Additional commits viewable in compare view

Updates actions/download-artifact from 4 to 6

Release notes

Sourced from actions/download-artifact's releases.

v6.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

New Contributors

Full Changelog: https://github.com/actions/download-artifact/compare/v5...v6.0.0

v5.0.0

What's Changed

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

  • By name: name: my-artifact → extracted to path/ (direct)
  • By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

  • By name: name: my-artifact → extracted to path/ (unchanged)
  • By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:
  • You download artifacts by name
  • You download multiple artifacts by ID
  • You already use merge-multiple: true as a workaround
⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

... (truncated)

Commits
  • 018cc2c Merge pull request #438 from actions/danwkennedy/prepare-6.0.0
  • 815651c Revert "Remove github.dep.yml"
  • bb3a066 Remove github.dep.yml
  • fa1ce46 Prepare v6.0.0
  • 4a24838 Merge pull request #431 from danwkennedy/patch-1
  • 5e3251c Readme: spell out the first use of GHES
  • abefc31 Merge pull request #424 from actions/yacaovsnc/update_readme
  • ac43a60 Update README with artifact extraction details
  • de96f46 Merge pull request #417 from actions/yacaovsnc/update_readme
  • 7993cb4 Remove migration guide for artifact download changes
  • Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.12.4 to 1.13.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.13.0

[!important] 🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰. We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip] The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #166. At PyCon US 2025 Sprints, @​facutuesca💰, @​miketheman💰, @​woodruffw💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident. The result of that discussion is posted @ pypi/warehouse#11096. Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @​konstin💰 sent #378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@​webknjaz💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#332). Some related bumps were contributed by @​woodruffw💰 (#359) and @​kurtmckee💰 sent a contributor-facing PR, bumping the linting configuration via #335.

💪 New Contributors

🪞 Full Diff: https://github.com/pypa/gh-action-pypi-publish/compare/v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

GH Sponsors badge

Commits
  • ed0c539 📦📌 Bump the pinned dependency tree
  • 77db1b7 Merge branch PR #306, GHSA-vxmw-7h4f-hqxh fix and PR #378 into unstable/v1
  • 280b3a1 Alias typing as t in imports
  • e380240 Use object in place of typing.Any in annotations
  • e50bff6 Deduplicate claim ref lookup
  • decbc9a Hint people to subscribe to #166 for notifications
  • 8208ad3 Ask not to report bugs with reusable workflow
  • ff0fef5 🧪 Scope WPS202 suppression to specific files
  • 1293b8c Use yamllint disable line length lint
  • ed01280 Linter (different rule)
  • Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.2.1 to 2.4.1

Release notes

Sourced from softprops/action-gh-release's releases.

v2.4.1

What's Changed

Other Changes 🔄

Full Changelog: https://github.com/softprops/action-gh-release/compare/v2...v2.4.1

v2.4.0

What's Changed

Exciting New Features 🎉

Other Changes 🔄

Full Changelog: https://github.com/softprops/action-gh-release/compare/v2.3.4...v2.4.0

v2.3.4

What's Changed

Bug fixes 🐛

Other Changes 🔄

Full Changelog: https://github.com/softprops/action-gh-release/compare/v2...v2.3.4

v2.3.3

What's Changed

Exciting New Features 🎉

Other Changes 🔄

  • dependency updates

New Contributors

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

2.4.1

What's Changed

Other Changes 🔄

2.4.0

What's Changed

Exciting New Features 🎉

2.3.4

What's Changed

Bug fixes 🐛

Other Changes 🔄

  • dependency updates

2.3.3

What's Changed

Exciting New Features 🎉

Other Changes 🔄

  • dependency updates

2.3.2

  • fix: revert fs readableWebStream change

2.3.1

Bug fixes 🐛

... (truncated)

Commits
  • 6da8fa9 release 2.4.1
  • f38efde fix: gracefully fallback to body when body_path cannot be read (#671)
  • cec1a11 fix(util): support brace expansion globs containing commas in parseInputFiles...
  • aec2ec5 release 2.4.0
  • 4db716b feat: respect working_directory for files globs; add input and tests (#667)
  • 14820f2 chore(deps): bump the npm group with 2 updates (#668)
  • 62c96d0 release 2.3.4
  • 7dc9b8a fix(action): handle 422 already_exists race condition (#665)
  • 0f0e0b9 chore(deps): bump the npm group with 3 updates (#666)
  • 97d42c1 chore(deps): bump the npm group across 1 directory with 2 updates (#662)
  • Additional commits viewable in compare view

Updates prefix-dev/setup-pixi from 0.8.3 to 0.9.2

Release notes

Sourced from prefix-dev/setup-pixi's releases.

v0.9.2

What's Changed

✨ New features

Full Changelog: https://github.com/prefix-dev/setup-pixi/compare/v0.9.1...v0.9.2

v0.9.1

What's Changed

✨ New features

⬆️ Dependency updates

New Contributors

Full Changelog: https://github.com/prefix-dev/setup-pixi/compare/v0.9.0...v0.9.1

v0.9.0

What's Changed

⬆️ Dependency updates

🤷🏻 Other changes

Full Changelog: https://github.com/prefix-dev/setup-pixi/compare/v0.8.14...v0.9.0

v0.8.14

What's Changed

✨ New features

Full Changelog: https://github.com/prefix-dev/setup-pixi/compare/v0.8.13...v0.8.14

v0.8.13

... (truncated)

Commits
  • 28eb668 feat: Allow caching global environment(s) (#226)
  • 194d461 Add possibility to install global environments (#221)
  • 40ab261 chore(deps): bump the nodejs group with 7 updates (#223)
  • 83ecca3 chore(deps): bump actions/checkout from 4.2.2 to 5.0.0 in the gh-actions grou...
  • ba511d5 Add pypi-keyring-provider option (#220)
  • fef5c95 chore: Bump to node 24 (#219)
  • 6261849 chore(deps): bump the nodejs group with 7 updates (#218)
  • 8ca4608 feat: Replace pixi-url-bearer-token by pixi-url-headers (#217)
  • b1ab8f2 feat: Add Support for Handlebars Templates in pixi-url (#213)
  • d7951c2 test: Skip tests with secrets on fork PRs (#216)
  • Additional commits viewable in compare view

Updates codecov/codecov-action from 5.4.0 to 5.5.1

Release notes

Sourced from codecov/codecov-action's releases.

v5.5.1

What's Changed

New Contributors

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0...v5.5.1

v5.5.0

What's Changed

dependabot[bot] avatar Nov 01 '25 19:11 dependabot[bot]

Codecov Report

:white_check_mark: All modified and coverable lines are covered by tests. :white_check_mark: Project coverage is 98.10%. Comparing base (9206fa6) to head (e254440).

Additional details and impacted files 
@@           Coverage Diff           @@
##             main      #95   +/-   ##
=======================================
  Coverage   98.10%   98.10%           
=======================================
  Files           2        2           
  Lines         211      211           
=======================================
  Hits          207      207           
  Misses          4        4

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

codecov[bot] avatar Nov 01 '25 19:11 codecov[bot]