
chore(deps): Update GitHub Actions#25

Merged: williaby merged 1 commit into main from renovate/github-actions on May 7, 2026

Conversation

williaby (Contributor) commented May 5, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

Summary

Why

Scheduled patch update, bug fixes and security patches with no API changes.

Changes

This PR contains the following updates:

Package                                         | Change              | Type   | Update
ByronWilliamsCPA/.github                        | 4e32cdb -> 5cce3cc  | action | digest
Infisical/secrets-action                        | v1.0.7 -> v1.0.16   | action | patch
actions/checkout                                | v4.2.2 -> v4.3.1    | action | minor
actions/download-artifact                       | d3f86a1             | action | pinDigest
actions/setup-python                            | v5.3.0 -> v5.6.0    | action | minor
actions/upload-artifact                         | v4.5.0 -> v4.6.2    | action | minor
actions/upload-artifact                         | ea165f8             | action | pinDigest
astral-sh/setup-uv (changelog)                  | e4db846 -> 38f3f10  | action | digest
astral-sh/setup-uv                              | v6.0.1 -> v6.8.0    | action | minor
codecov/codecov-action (changelog)              | 671740a -> b9fd7d1  | action | digest
dorny/paths-filter                              | v3.0.2 -> v3.0.3    | action | patch
github/codeql-action                            | v3.28.0 -> v3.35.3  | action | minor
google-github-actions/auth                      | v2.1.8 -> v2.1.13   | action | patch
google-github-actions/setup-gcloud (changelog)  | aa5489c -> e427ad8  | action | digest
python-semantic-release/python-semantic-release | v9.15.2 -> v9.21.1  | action | minor
step-security/harden-runner                     | v2.14.0 -> v2.19.1  | action | minor
step-security/harden-runner                     | v2.12.0 -> v2.19.1  | action | minor
step-security/harden-runner                     | v2.10.1 -> v2.19.1  | action | minor

(The Age, Adoption, Passing, Confidence and OpenSSF Scorecard columns were badge images and are not reproduced.)

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Impact

  • ✅ Patch update: bug fixes and security patches only
  • ✅ No breaking changes

Acceptance Criteria

  • All CI checks pass

Testing

  • CI gates pass (tests, lint, type checking, security scan)

Notes


Release Notes

Infisical/secrets-action (Infisical/secrets-action)

v1.0.16: Full Changelog: Infisical/secrets-action@v1.0.15...v1.0.16

v1.0.15: Full Changelog: Infisical/secrets-action@v1.0.14...v1.0.15

v1.0.14: Full Changelog: Infisical/secrets-action@v1.0.13...v1.0.14

v1.0.13: Full Changelog: Infisical/secrets-action@v1.0.12...v1.0.13

v1.0.12: Full Changelog: Infisical/secrets-action@v1.0.11...v1.0.12

v1.0.11: Full Changelog: Infisical/secrets-action@v1.0.10...v1.0.11

v1.0.10: Full Changelog: Infisical/secrets-action@v1.0.9...v1.0.10

v1.0.9: Full Changelog: Infisical/secrets-action@v1.0.8...v1.0.9

v1.0.8: Full Changelog: Infisical/secrets-action@v1.0.7...v1.0.8

actions/checkout (actions/checkout)

v4.3.1

v4.3.0

actions/setup-python (actions/setup-python)

v5.6.0

Full Changelog: actions/setup-python@v5...v5.6.0

v5.5.0

Bug fixes:
  • Fix architecture for pypy on Linux ARM64 by @mayeut in #1011
    This update maps arm64 to aarch64 for Linux ARM64 PyPy installations.

Full Changelog: actions/setup-python@v5...v5.5.0

v5.4.0

Full Changelog: actions/setup-python@v5...v5.4.0

actions/upload-artifact (actions/upload-artifact)

v4.6.2

What's Changed
  • Update to use artifact 2.3.2 package & prepare for new upload-artifact release by @salmanmkc in #685

Full Changelog: actions/upload-artifact@v4...v4.6.2

v4.6.1

Full Changelog: actions/upload-artifact@v4...v4.6.1

v4.6.0

Full Changelog: actions/upload-artifact@v4...v4.6.0

astral-sh/setup-uv (astral-sh/setup-uv)

v6.8.0: 🌈 Add **/*.py.lock to cache-dependency-glob

Changes

Thanks to @parched the default cache-dependency-glob now also finds all lock files generated by uv lock --script

v6.7.0: 🌈 New inputs restore-cache and save-cache

Changes

This release adds fine-grained control over the caching steps.

  • The input restore-cache (true by default) can be set to false to skip restoring the cache while still allowing the cache to be saved.
  • The input save-cache (true by default) can be set to false to skip saving the cache.

Skipping cache saving can be useful if you know that you will never use this version of the cache again and don't want to waste storage space:

- name: Save cache only on main branch
  uses: astral-sh/setup-uv@v6
  with:
    enable-cache: true
    save-cache: ${{ github.ref == 'refs/heads/main' }}

v6.6.1: 🌈 Fix exclusions in cache-dependency-glob

Changes

Exclusions with a leading ! in the cache-dependency-glob did not work and are fixed with this release. Thank you @KnisterPeter for raising this!

v6.6.0: 🌈 Support for .tool-versions

Changes

This release adds support for asdf .tool-versions in the version-file input

v6.5.0: 🌈 Better error messages, bug fixes and copilot agent settings

Changes

This release brings better error messages in case the GitHub API is impacted, fixes a few bugs and allows disabling problem matchers for better use in Copilot Agent workspaces.

v6.4.3: 🌈 fix relative paths starting with dots

v6.4.2: 🌈 Interpret relative inputs as under working-directory

Changes

This release will interpret relative paths in inputs as relative
to the value of working-directory (default is ${{ github.workspace }}).
This means the following configuration

- uses: astral-sh/setup-uv@v6
  with:
    working-directory: /my/path
    cache-dependency-glob: uv.lock

will look for the cache-dependency-glob under /my/path/uv.lock

v6.4.1: 🌈 Hotfix: Ignore deps starting with uv when finding uv version

Changes

Thank you @phpmypython for raising a PR to fix this issue!

v6.4.0: 🌈 Add input version-file

Changes

You can now use the version-file input to specify a file that contains the version of uv to install.
This can either be a pyproject.toml or uv.toml file which defines a required-version, or
uv defined as a dependency in pyproject.toml or requirements.txt.

- name: Install uv based on the version defined in requirements.txt
  uses: astral-sh/setup-uv@v6
  with:
    version-file: "requirements.txt"

v6.3.1: 🌈 Do not warn when version not in manifest-file

Changes

This is a hotfix to change the warning messages that a version could not be found in the local manifest-file to info level.

A setup-uv release contains a version-manifest.json file with info on all available uv releases. When a new uv version is released it is not contained in this file until the file gets updated and a new setup-uv release is made.
We will overhaul this process in the future but for now the spamming of warnings is removed.

v6.3.0: 🌈 Use latest version from manifest-file

Changes

If a manifest-file is supplied the default value of the version input (latest) will get the latest version available in the manifest. That might not be the actual latest version available in the official uv repo.

v6.2.1: 🌈 Fix "No such file or directory version-manifest.json"

Changes

Release v6.2.0 contained a bug that slipped through the automated tests. The action tried to look for the default version-manifest.json in the root of the repository using this action instead of relative to the action itself.

v6.2.0: 🌈 New input manifest-file

Changes

This release adds a new input manifest-file.

The manifest-file input allows you to specify a JSON manifest that lists available uv versions,
architectures, and their download URLs. By default, this action uses the manifest file contained
in this repository, which is automatically updated with each release of uv.

The manifest file contains an array of objects, each describing a version,
architecture, platform, and the corresponding download URL.

You can supply a custom manifest file URL to define additional versions,
architectures, or different download URLs.
This is useful if you maintain your own uv builds or want to override the default sources.

For example:

[
  {
    "version": "0.7.12-alpha.1",
    "artifactName": "uv-x86_64-unknown-linux-gnu.tar.gz",
    "arch": "x86_64",
    "platform": "unknown-linux-gnu",
    "downloadUrl": "https://release.pyx.dev/0.7.12-alpha.1/uv-x86_64-unknown-linux-gnu.tar.gz"
  },
  ...
]

- name: Use a custom manifest file
  uses: astral-sh/setup-uv@v6
  with:
    manifest-file: "https://example.com/my-custom-manifest.json"

[!WARNING]
If you have previously used server-url to use your self-hosted uv binaries, use this new way instead.
server-url is deprecated and will be removed in a future release.

v6.1.0: 🌈

Changes

This release adds the input server-url which defaults to https://github.com. You can set this to a custom url to control where this action downloads the uv release from. This is useful for users of gitea and comparable solutions.

@sebadevo pointed out that we don't invalidate the cache when the prune-cache input is changed. This leads to unnecessarily big caches. The input is now used to compute the cache key, properly invalidating the cache when it is changed.

[!NOTE]
For most users this release will invalidate the cache once.
You will see the known warning no-github-actions-cache-found-for-key.
This is expected and will only appear once.

📚 Documentation

  • Add section to README explaining if packages are installed by setup-uv @pirate (#398)

dorny/paths-filter (dorny/paths-filter)

v3.0.3

github/codeql-action (github/codeql-action)

v3.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #​3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #​3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #​3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #​3852
  • Update default CodeQL bundle version to 2.25.3. #​3865

v3.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #​3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #​3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #​3794
  • Fixed a bug in the validat

Configuration

📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
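The update table in the PR body is what a reviewer checks by hand on a Renovate actions PR: which rows are digest bumps, which are pinDigest rows converting a tag to a SHA, and whether the same action (here step-security/harden-runner) sits at three different versions in different workflows. The script below is an added example, not code from this repository, from Renovate or from any of the listed actions. It scans workflow text for `uses:` lines, reports references that are not pinned to a full 40-hex commit SHA or that lack the trailing `# vX.Y.Z` comment Renovate relies on to know which version a SHA stands for, and flags actions pinned at different refs across workflows. The two workflow snippets are constructed sample input: the SHAs are made-up placeholders, the version comments echo the PR table, and the file names only mirror those in the review file list.

```python
"""Audit GitHub Actions workflow `uses:` references for pinning and drift.

Added example, not code from this repository or from Renovate. Input is a
{path: workflow_text} mapping; the sample below is constructed.
"""
import re

# `uses: owner/repo[/subpath]@ref   # optional version comment`
# Local `./path` actions and `docker://` images never match and are skipped.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>\S+))?"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
SHORT_SHA_RE = re.compile(r"^[0-9a-f]{7,39}$")
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+)*$")

# Constructed sample workflows. SHAs are placeholders, not real commits.
SAMPLE_WORKFLOWS = {
    ".github/workflows/ci.yml": """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@0123456789abcdef0123456789abcdef01234567 # v2.12.0
      - uses: actions/checkout@fedcba9876543210fedcba9876543210fedcba98 # v4.2.2
      - uses: actions/setup-python@v5
      - uses: ./.github/actions/local-setup
""",
    ".github/workflows/release.yml": """\
name: release
on: [push]
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@abcdefabcdefabcdefabcdefabcdefabcdefabcd # v2.10.1
      - uses: actions/checkout@fedcba9876543210fedcba9876543210fedcba98
      - uses: actions/upload-artifact@abc1234
""",
}


def parse_uses(text):
    """Yield (line_no, action, ref, comment) for every `uses:` line that matches."""
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            yield line_no, m["action"], m["ref"], m["comment"]


def audit_workflow(path, text):
    """Return [(path, line_no, action, finding)] for one workflow file."""
    findings = []
    for line_no, action, ref, comment in parse_uses(text):
        if FULL_SHA_RE.match(ref):
            # A SHA pin is only maintainable if Renovate can map it back to a
            # version, which is what the trailing `# vX.Y.Z` comment provides.
            if not (comment and VERSION_RE.match(comment)):
                findings.append((path, line_no, action, "sha pin without '# vX.Y.Z' comment"))
        elif SHORT_SHA_RE.match(ref):
            findings.append((path, line_no, action, f"abbreviated sha '{ref}'; use the full 40-hex digest"))
        else:
            # Tags and branches are mutable: the referenced code can change
            # without any change in this repository.
            findings.append((path, line_no, action, f"mutable ref '{ref}'; pin to a commit sha"))
    return findings


def find_drift(files):
    """Return {action: {label: [paths]}} for actions pinned to more than one
    ref across the given files; the label is the version comment when present."""
    refs = {}  # action -> ref -> [label, set(paths)]
    for path, text in files.items():
        for _, action, ref, comment in parse_uses(text):
            entry = refs.setdefault(action, {}).setdefault(ref, [ref, set()])
            if comment:
                entry[0] = comment
            entry[1].add(path)
    return {
        action: {label: sorted(paths) for label, paths in by_ref.values()}
        for action, by_ref in refs.items()
        if len(by_ref) > 1
    }


def audit_all(files=SAMPLE_WORKFLOWS):
    """Run both checks over a {path: text} mapping; returns (findings, drift)."""
    findings = []
    for path, text in files.items():
        findings.extend(audit_workflow(path, text))
    return findings, find_drift(files)


if __name__ == "__main__":
    findings, drift = audit_all()
    for f in findings:
        print("%s:%d %s: %s" % f)
    for action, versions in drift.items():
        print(f"drift: {action} pinned at {', '.join(versions)}")
```

To run it against a checkout, pass `{p: open(p).read() for p in glob('.github/workflows/*.yml')}` to `audit_all`. On the sample it reports the tag-pinned setup-python step, the two SHA pins that carry no version comment, the abbreviated digest, and harden-runner drifting between v2.12.0 and v2.10.1, which is the situation the PR table shows before the update brings all three copies to v2.19.1.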
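The setup-uv v6.2.0 notes quoted above describe the manifest-file input as a JSON list of version, arch, platform and downloadUrl records, and allow pointing the action at a custom manifest URL. Whoever controls that URL decides which uv binary every job downloads, so a reviewer of a workflow that sets manifest-file would want a policy check on the manifest itself. The following is an added example, not setup-uv code. The policy it enforces is an assumption for this example, not a setup-uv rule: https only, an allow-list of download hosts, artifact names of the form uv-<arch>-<platform>... and a URL path that ends in the artifact name, all inferred from the single entry shown on the page. The manifest is constructed sample data; the release.pyx.dev entry copies the page's example and the mirror.example.internal and downloads.example.org hosts are hypothetical.

```python
"""Policy check for a custom setup-uv manifest-file (added example, not setup-uv code)."""
import json
from urllib.parse import urlsplit

REQUIRED_FIELDS = {"version", "artifactName", "arch", "platform", "downloadUrl"}

# Constructed sample manifest. Entry 0 copies the example from the setup-uv
# v6.2.0 release notes; entries 1 and 2 are made up to exercise the checks
# (a plain-http mirror, and a host that is not allow-listed).
SAMPLE_MANIFEST = json.dumps([
    {
        "version": "0.7.12-alpha.1",
        "artifactName": "uv-x86_64-unknown-linux-gnu.tar.gz",
        "arch": "x86_64",
        "platform": "unknown-linux-gnu",
        "downloadUrl": "https://release.pyx.dev/0.7.12-alpha.1/uv-x86_64-unknown-linux-gnu.tar.gz",
    },
    {
        "version": "0.7.12-alpha.1",
        "artifactName": "uv-aarch64-apple-darwin.tar.gz",
        "arch": "aarch64",
        "platform": "apple-darwin",
        "downloadUrl": "http://mirror.example.internal/uv/0.7.12-alpha.1/uv-aarch64-apple-darwin.tar.gz",
    },
    {
        "version": "0.7.13",
        "artifactName": "uv-x86_64-unknown-linux-gnu.tar.gz",
        "arch": "x86_64",
        "platform": "unknown-linux-gnu",
        "downloadUrl": "https://downloads.example.org/uv-x86_64-unknown-linux-gnu.tar.gz",
    },
])


def check_manifest(manifest_json, allowed_hosts):
    """Return [(index, problem)] for entries that violate the local download policy.

    Policy (assumed for this example): every entry has the documented fields,
    downloads over https from an allow-listed host, names its artifact
    uv-<arch>-<platform>..., and the URL path ends with that artifact name so a
    manifest cannot quietly point one platform at another platform's file.
    """
    problems = []
    seen = set()
    for i, entry in enumerate(json.loads(manifest_json)):
        missing = REQUIRED_FIELDS - entry.keys()
        if missing:
            problems.append((i, f"missing fields {sorted(missing)}"))
            continue
        url = urlsplit(entry["downloadUrl"])
        if url.scheme != "https":
            problems.append((i, f"non-https download url: {entry['downloadUrl']}"))
        if url.hostname not in allowed_hosts:
            problems.append((i, f"host {url.hostname!r} is not allow-listed"))
        expected_prefix = f"uv-{entry['arch']}-{entry['platform']}"
        if not entry["artifactName"].startswith(expected_prefix):
            problems.append((i, f"artifactName does not start with {expected_prefix}"))
        if not url.path.endswith("/" + entry["artifactName"]):
            problems.append((i, "download url path does not end with artifactName"))
        key = (entry["version"], entry["arch"], entry["platform"])
        if key in seen:
            problems.append((i, f"duplicate entry for {key}"))
        seen.add(key)
    return problems


def run_sample():
    """Check the constructed manifest against a hypothetical host allow-list."""
    return check_manifest(SAMPLE_MANIFEST, {"release.pyx.dev", "mirror.example.internal"})


if __name__ == "__main__":
    for index, problem in run_sample():
        print(f"entry {index}: {problem}")
```

Point the check at the manifest your workflow names in manifest-file (fetch it once, in a job that has no secrets) and fail the build on any problem; the same allow-list belongs in harden-runner's egress policy so the runner cannot download from a host the manifest was not allowed to name.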

coderabbitai Bot commented May 5, 2026

Warning

Rate limit exceeded

@williaby has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 15 minutes and 51 seconds before requesting another review.

To continue reviewing without waiting, purchase usage credits in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: d98897c2-d06a-4e62-b3d4-bf1ab178b4b8

📥 Commits

Reviewing files that changed from the base of the PR and between 58ea0a1 and d75dcaf.

📒 Files selected for processing (9)
  • .github/workflows/ci.yml
  • .github/workflows/codeql.yml
  • .github/workflows/pr-validation.yml
  • .github/workflows/publish-artifact-registry.yml
  • .github/workflows/publish.yml
  • .github/workflows/release.yml
  • .github/workflows/slsa-provenance.yml
  • .github/workflows/sonarcloud.yml
  • .github/workflows/validate-cruft.yml

codecov Bot commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

williaby force-pushed the renovate/github-actions branch from 21a08da to d4f75cd on May 5, 2026 08:09
williaby force-pushed the renovate/github-actions branch from d4f75cd to d75dcaf on May 6, 2026 04:37
sonarqubecloud Bot commented May 6, 2026
