build(deps): bump the actions group across 1 directory with 5 updates

[dependabot]

Bumps the actions group with 5 updates in the / directory:

Package	From	To
actions/checkout	6.0.0	6.0.1
astral-sh/setup-uv	7.1.4	7.1.5
actions/upload-pages-artifact	3.0.1	4.0.0
sigstore/gh-action-sigstore-python	3.1.0	3.2.0
softprops/action-gh-release	2.4.2	2.5.0

Updates actions/checkout from 6.0.0 to 6.0.1

Release notes

Sourced from actions/checkout's releases.

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

Commits

• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• See full diff in compare view

Updates astral-sh/setup-uv from 7.1.4 to 7.1.5

Release notes

Sourced from astral-sh/setup-uv's releases.

v7.1.5 🌈 allow setting cache-local-path without enable-cache: true

Changes

astral-sh/setup-uv#612 fixed a faulty behavior where this action set UV_CACHE_DIR even though enable-cache was false. It also fixed the cases were the cache dir is already configured in a settings file like pyproject.toml or UV_CACHE_DIR was already set. Here the action shouldn't overwrite or set UV_CACHE_DIR.

These fixes introduced an unwanted behavior: You can still set cache-local-path but this action didn't do anything. This release fixes that.

You can now use cache-local-path to automatically set UV_CACHE_DIR even when enable-cache is false (or gets set to false by default e.g. on self-hosted runners)

- name: This is now possible
  uses: astral-sh/setup-uv@v7
  with:
    enable-cache: false
    cache-local-path: "/path/to/cache"

🐛 Bug fixes

• allow cache-local-path w/o enable-cache @​eifinger (#707)

🧰 Maintenance

• set biome files.maxSize to 2MiB @​eifinger (#708)
• chore: update known checksums for 0.9.16 @github-actions[bot] (#706)
• chore: update known checksums for 0.9.15 @github-actions[bot] (#704)
• chore: use npm ci --ignore-scripts everywhere @​woodruffw (#699)
• chore: update known checksums for 0.9.14 @github-actions[bot] (#700)
• chore: update known checksums for 0.9.13 @github-actions[bot] (#694)
• chore: update known checksums for 0.9.12 @github-actions[bot] (#693)
• chore: update known checksums for 0.9.11 @github-actions[bot] (#688)

⬆️ Dependency updates

• Bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 @dependabot[bot] (#695)
• bump dependencies @​eifinger (#709)
• Bump github/codeql-action from 4.30.9 to 4.31.6 @dependabot[bot] (#698)
• Bump zizmorcore/zizmor-action from 0.2.0 to 0.3.0 @dependabot[bot] (#696)
• Bump eifinger/actionlint-action from 1.9.2 to 1.9.3 @dependabot[bot] (#690)

Commits

• ed21f2f Bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 (#695)
• 93202d8 bump dependencies (#709)
• 5ce0900 set biome files.maxSize to 2MiB (#708)
• 4180991 allow cache-local-path w/o enable-cache (#707)
• 0439606 Bump github/codeql-action from 4.30.9 to 4.31.6 (#698)
• 7dd56c1 chore: update known checksums for 0.9.16 (#706)
• 9c12bae chore: update known checksums for 0.9.15 (#704)
• 64f7f4e chore: use npm ci --ignore-scripts everywhere (#699)
• 5ae467f chore: update known checksums for 0.9.14 (#700)
• 06e4edb Bump zizmorcore/zizmor-action from 0.2.0 to 0.3.0 (#696)
• Additional commits viewable in compare view

Updates actions/upload-pages-artifact from 3.0.1 to 4.0.0

Release notes

Sourced from actions/upload-pages-artifact's releases.

v4.0.0

What's Changed

• Potentially breaking change: hidden files (specifically dotfiles) will not be included in the artifact by @​tsusdere in actions/upload-pages-artifact#102 If you need to include dotfiles in your artifact: instead of using this action, create your own artifact according to these requirements https://github.com/actions/upload-pages-artifact?tab=readme-ov-file#artifact-validation
• Pin actions/upload-artifact to SHA by @​heavymachinery in actions/upload-pages-artifact#127

Full Changelog: actions/upload-pages-artifact@v3.0.1...v4.0.0

Commits

• 7b1f4a7 Merge pull request #127 from heavymachinery/pin-sha
• 4cc19c7 Pin actions/upload-artifact to SHA
• 2d163be Merge pull request #107 from KittyChiu/main
• c704843 fix: linted README
• 9605915 Merge pull request #106 from KittyChiu/kittychiu/update-readme-1
• e59cdfe Update README.md
• a2d6704 doc: updated usage section in readme
• 984864e Merge pull request #105 from actions/Jcambass-patch-1
• 45dc788 Add workflow file for publishing releases to immutable action package
• efaad07 Merge pull request #102 from actions/hidden-files
• Additional commits viewable in compare view

Updates sigstore/gh-action-sigstore-python from 3.1.0 to 3.2.0

Release notes

Sourced from sigstore/gh-action-sigstore-python's releases.

v3.2.0

gh-action-sigstore-python action now manages the used Python version internally, improving reliability.

Changed

• Manage Python version internally (#242, #258)
• Dependency updates

Changelog

Sourced from sigstore/gh-action-sigstore-python's changelog.

Changelog

All notable changes to gh-action-sigstore-python will be documented in this file.

The format is based on Keep a Changelog.

All versions prior to 3.0.0 are untracked.

[Unreleased]

[3.2.0]

gh-action-sigstore-python now manages the used Python version internally, improving reliability.

Changed

• Manage Python version internally (#242, #258)
• Dependency updates

[3.1.0]

gh-action-sigstore-python is now compatible with Rekor v2 transparency log (but produced signature bundles still contain Rekor v1 entries by default).

Changed

• The action now uses sigstore-python 4.1. All other dependencies are also updated (#220)

Fixed

• Fixed incompatibility with Python 3.14 by upgrading dependencies (#225)

Added

• rekor-version argument was added to control the Rekor transparency log version when signing. The default version in the gh-action-sigstore-python 3.x series will remain 1 (except when using staging: true). (#228)

[3.0.1]

Changed

• The minimum Python version supported by this action is now 3.9 (#155)

... (truncated)

Commits

• a5caf34 build(deps): bump actions/checkout in the actions group (#265)
• 7b8cfcb build(deps): bump the actions group with 2 updates (#264)
• 270f433 build(deps-dev): bump ruff in the python-dependencies group (#263)
• 034c8bf build(deps): bump actions/setup-python in the actions group (#260)
• 5483fa8 Fix .python-version lookup (#258)
• f962baa build(deps): bump github/codeql-action in the actions group (#259)
• 225a312 build(deps): bump astral-sh/setup-uv in the actions group (#253)
• b7c02b3 build(deps): bump actions/checkout in the actions group (#251)
• 52bad44 build(deps-dev): bump ruff in the python-dependencies group (#252)
• 68eceea build(deps): bump certifi in the python-dependencies group (#250)
• Additional commits viewable in compare view

Updates softprops/action-gh-release from 2.4.2 to 2.5.0

Release notes

Sourced from softprops/action-gh-release's releases.

v2.5.0

What's Changed

Exciting New Features 🎉

• feat: mark release as draft until all artifacts are uploaded by @​dumbmoron in softprops/action-gh-release#692

Other Changes 🔄

• chore(deps): bump the npm group across 1 directory with 5 updates by @​dependabot[bot] in softprops/action-gh-release#697
• chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in the github-actions group by @​dependabot[bot] in softprops/action-gh-release#689

New Contributors

• @​dumbmoron made their first contribution in softprops/action-gh-release#692

Full Changelog: softprops/action-gh-release@v2.4.2...v2.5.0

Changelog

Sourced from softprops/action-gh-release's changelog.

2.5.0

What's Changed

Exciting New Features 🎉

• feat: mark release as draft until all artifacts are uploaded by @​dumbmoron in softprops/action-gh-release#692

Other Changes 🔄

• dependency updates

2.4.2

What's Changed

Exciting New Features 🎉

• feat: Ensure generated release notes cannot be over 125000 characters by @​BeryJu in softprops/action-gh-release#684

Other Changes 🔄

• dependency updates

2.4.1

What's Changed

Other Changes 🔄

• fix(util): support brace expansion globs containing commas in parseInputFiles by @​Copilot in softprops/action-gh-release#672
• fix: gracefully fallback to body when body_path cannot be read by @​Copilot in softprops/action-gh-release#671

2.4.0

What's Changed

Exciting New Features 🎉

• feat(action): respect working_directory for files globs by @​stephenway in softprops/action-gh-release#667

2.3.4

What's Changed

Bug fixes 🐛

• fix(action): handle 422 already_exists race condition by @​stephenway in softprops/action-gh-release#665

Other Changes 🔄

... (truncated)

Commits

• a06a81a release 2.5.0
• 7da8983 feat: mark release as draft until all artifacts are uploaded (#692)
• 8797328 chore(deps): bump actions/checkout in the github-actions group (#689)
• 1bfc62a chore(deps): bump the npm group across 1 directory with 5 updates (#697)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

PR Preview Action v1.6.3
🚀 View preview at https://JacobCoffee.github.io/debug-toolbar/pr-preview/pr-22/
Built to branch gh-pages at 2025-12-08 08:07 UTC. Preview will be ready when the GitHub Pages deployment is complete.