@dependabot dependabot bot commented on behalf of github Sep 15, 2025

Bumps the github-actions group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| actions/checkout | 3 | 5 |
| actions/setup-python | 5 | 6 |
| astral-sh/setup-uv | 3 | 6 |
| CodSpeedHQ/action | 3.5.0 | 4.0.1 |
| uraimo/run-on-arch-action | 2 | 3 |
| wntrblm/nox | 2024.03.02 | 2025.05.01 |
| actions/download-artifact | 4 | 5 |

Updates actions/checkout from 3 to 5

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v4...v4.3.0

v4.2.2

What's Changed

Full Changelog: actions/checkout@v4.2.1...v4.2.2

v4.2.1

What's Changed

New Contributors

Full Changelog: actions/checkout@v4.2.0...v4.2.1

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

V4.3.0

v4.2.2

v4.2.1

v4.2.0

v4.1.7

v4.1.6

v4.1.5

v4.1.4

v4.1.3

... (truncated)

Commits

Updates actions/setup-python from 5 to 6

Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

Bug fixes:

Dependency updates:

New Contributors

Full Changelog: actions/setup-python@v5...v6.0.0

v5.6.0

What's Changed

Full Changelog: actions/setup-python@v5...v5.6.0

v5.5.0

What's Changed

Enhancements:

Bug fixes:

... (truncated)

Commits
  • e797f83 Upgrade to node 24 (#1164)
  • 3d1e2d2 Revert "Enhance cache-dependency-path handling to support files outside the w...
  • 65b0712 Clarify pythonLocation behavior for PyPy and GraalPy in environment variables...
  • 5b668cf Bump actions/checkout from 4 to 5 (#1181)
  • f62a0e2 Change missing cache directory error to warning (#1182)
  • 9322b3c Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIn...
  • fbeb884 Bump form-data to fix critical vulnerabilities #182 & #183 (#1163)
  • 03bb615 Bump idna from 2.9 to 3.7 in /tests/data (#843)
  • 36da51d Add version parsing from Pipfile (#1067)
  • 3c6f142 update documentation (#1156)
  • Additional commits viewable in compare view

Updates astral-sh/setup-uv from 3 to 6

Release notes

Sourced from astral-sh/setup-uv's releases.

v6.6.0 🌈 Support for .tools-versions

Changes

This release adds support for asdf .tool-versions in the version-file input

🐛 Bug fixes

🚀 Enhancements

🧰 Maintenance

v6.2.1 🌈 Fix "No such file or directory version-manifest.json"

Changes

Release v6.2.0 contained a bug that slipped through the automated test. The action tried to look for the default version-manifest.json in the root of the repository using this action instead of relative to the action itself.

🐛 Bug fixes

v6.0.0 🌈 activate-environment and working-directory

Changes

This version contains some breaking changes which have been gathering up for a while. Let's dive into them:

Activate environment

In previous versions using the input python-version automatically activated a venv at the repository root. This led to some unwanted side-effects, was sometimes unexpected and not flexible enough.

The venv activation is now explicitly controlled with the new input activate-environment (false by default):

- name: Install the latest version of uv and activate the environment
  uses: astral-sh/setup-uv@v6
  with:

... (truncated)

Commits

Updates CodSpeedHQ/action from 3.5.0 to 4.0.1

Release notes

Sourced from CodSpeedHQ/action's releases.

v4.0.1

Release Notes

🐛 Bug Fixes

Full Runner Changelog: https://github.com/CodSpeedHQ/runner/blob/main/CHANGELOG.md

v4.0.0

💥 BREAKING

It's now required to explicitly set the runner mode to instrumentation or walltime using either:

  • the mode argument
  • or the CODSPEED_RUNNER_MODE environment variable

[!TIP] Before, this variable was automatically set to instrumentation on every runner except for CodSpeed macro runners where it was set to walltime by default.

Find more details in the instruments documentation.

Details

🚀 Features

🐛 Bug Fixes

🏗️ Refactor

Full Runner Changelog: https://github.com/CodSpeedHQ/runner/blob/main/CHANGELOG.md

v3.8.1

What's Changed

🐛 Bug Fixes

🏗️ Refactor

  • Improve conditional compilation in get_pipe_open_options by @​art049 in #100

⚙️ Internals

... (truncated)

Commits
  • 653fdc3 Release v4.0.1 🚀
  • 4da7be1 chore: bump runner version to 4.0.1
  • 172d6c5 chore: make the comment about input validation more discrete
  • d15e1ce chore: improve the release script
  • 6eeb021 Release v4.0.0 🚀
  • 74312da chore: improve the release script
  • 8a17a35 ci: add modes to the matrix
  • 8e3f02a feat: make the mode argument required
  • 97c7a6f chore: bump runner version to 4.0.0
  • 8a4cadd chore: point the changelog to the runner
  • Additional commits viewable in compare view

Updates uraimo/run-on-arch-action from 2 to 3

Release notes

Sourced from uraimo/run-on-arch-action's releases.

3.0.0

This major release fixes #160 updating QEMU to 9.2.2, please update your workflows if sporadic segmentation faults start appearing while running your pipelines. Minor fixes and improvements are also contained.

Full Changelog: uraimo/run-on-arch-action@v2.8.1...v3.0.0

2.8.1

Fixed typo in Dockerfile.

Full Changelog: uraimo/run-on-arch-action@v2.8.0...v2.8.1

2.8.0

This release explicitly adds the --platform parameter for the default Dockerfiles that now requires it.

See #155, #154, #152.

Full Changelog: uraimo/run-on-arch-action@v2.7.2...v2.8.0

2.7.2

What's Changed

New Contributors

Full Changelog: uraimo/run-on-arch-action@v2.7.1...v2.7.2

2.7.1

Fix and reduce tests, remove Fedora from failing platforms.

Full Changelog: uraimo/run-on-arch-action@v2.7.0...v2.7.1

2.7.0

What's Changed

New Contributors

Full Changelog: uraimo/run-on-arch-action@v2.6.0...v2.7.0

2.6.0

What's Changed

New Contributors 🎉

Full Changelog: uraimo/run-on-arch-action@v.2.5.1...v2.6.0

... (truncated)

Commits

Updates wntrblm/nox from 2024.03.02 to 2025.05.01

Release notes

Sourced from wntrblm/nox's releases.

2025.05.01 🌸

This is a bugfix release that primarily adds support for uv 0.7+. A few other small fixes were made.

We'd like to thank the following folks who contributed to this release:

Bugfixes:

Documentation:

Internal changes:

2025.02.09 💝

This release improves PEP 723 support, including adding dependencies to the noxfile itself ("plugins"). It adds the long-awaited "requires" option, allowing sessions to require other sessions. And it brings further improvements to the pyproject.toml support, including helpers for dependency-groups and Python version lists.

We'd like to thank the following folks who contributed to this release:

New features:

... (truncated)

Changelog

Sourced from wntrblm/nox's changelog.

2025.05.01

This is a bugfix release that primarily adds support for uv 0.7+. A few other small fixes were made.

We'd like to thank the following folks who contributed to this release:

Bugfixes:

Documentation:

Internal changes:

2025.02.09

This release improves PEP 723 support, including adding dependencies to the noxfile itself ("plugins"). It adds the long-awaited "requires" option, allowing sessions to require other sessions. And it brings further improvements to the pyproject.toml support, including helpers for dependency-groups and Python version lists.

We'd like to thank the following folks who contributed to this release:

... (truncated)

Commits
  • 2254a1e chore: bump version to 2025.05.01 (#960)
  • e0b5e33 fix: conda_install issue with newer conda (#957)
  • a58fe60 fix: support forcing Python on parametrized session (#958)
  • aa475d6 fix: add UV_PYTHON to disallowed vars (#959)
  • 1acbb4e chore: use PEP 639 license (#956)
  • 7219be7 chore(deps): bump astral-sh/setup-uv from 5 to 6 in the actions group (#952)
  • b943f95 fix: uv version is now uv self version, support UV (#955)
  • 1d52c8f Never ignore URL dependencies in PEP 723 noxfiles (#935)
  • 4e7f644 feat: show skip reason by default (#941)
  • 70df6ab fix: use Python 3.12 for action, allow 3.13, drop 3.8 from auto versions (#946)
  • Additional commits viewable in compare view

Updates actions/download-artifact from 4 to 5

Release notes

Sourced from actions/download-artifact's releases.

v5.0.0

What's Changed

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

  • By name: name: my-artifact → extracted to path/ (direct)
  • By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

  • By name: name: my-artifact → extracted to path/ (unchanged)
  • By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

  • You download artifacts by name
  • You download multiple artifacts by ID
  • You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist
# Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):


... (truncated)

Commits
  • 634f93c Merge pull request #416 from actions/single-artifact-id-download-path
  • b19ff43 refactor: resolve download path correctly in artifact download tests (mainly ...
  • e262cbe bundle dist
  • bff23f9 update docs
  • fff8c14 fix download path logic when downloading a single artifact by id
  • 448e3f8 Merge pull request #407 from actions/nebuk89-patch-1
  • 47225c4 Update README.md
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


High-level PR Summary

This PR updates multiple GitHub Actions dependencies across all workflow files. It includes upgrades for seven GitHub Actions packages: actions/checkout (v3/v4 to v5), actions/setup-python (v5 to v6), astral-sh/setup-uv (v3 to v6), CodSpeedHQ/action (v3.5.0 to v4.0.1), uraimo/run-on-arch-action (v2 to v3), wntrblm/nox (2024.03.02 to 2025.05.01), and actions/download-artifact (v4 to v5). These updates provide new features and fix bugs in the GitHub Actions used in the CI/CD pipeline.

⏱️ Estimated Review Time: 0h 15m

💡 Review Order Suggestion
| Order | File Path |
| --- | --- |
| 1 | .github/workflows/codspeed.yml |
| 2 | .github/workflows/lint-pr.yml |
| 3 | .github/workflows/preview-deployments.yml |
| 4 | .github/workflows/python-CI.yml |
| 5 | .github/workflows/release-CI.yml |
| 6 | .github/workflows/rust-CI.yml |

Review by RecurseML

🔍 Review performed on ffb7ebc..aabb4d0

| Severity | Location | Issue | Action |
| --- | --- | --- | --- |
| High | .github/workflows/python-CI.yml:23 | Invalid future version reference | Dismiss |
| Low | .github/workflows/python-CI.yml:17 | Redundant comment in GitHub Actions workflow file | Dismiss |

✅ Files analyzed, no issues (5)

.github/workflows/release-CI.yml
.github/workflows/preview-deployments.yml
.github/workflows/rust-CI.yml
.github/workflows/codspeed.yml
.github/workflows/lint-pr.yml

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Sep 15, 2025
vercel bot commented Sep 15, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
robyn Error Error Oct 20, 2025 0:03am


@recurseml recurseml bot left a comment

Review by RecurseML

🔍 Review performed on aabb4d0..aabb4d0

✨ No files to analyze

@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-8857471005 branch from aabb4d0 to 6ad25f7 Compare September 29, 2025 12:10
Bumps the github-actions group with 7 updates:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `3` | `5` |
| [actions/setup-python](https://github.com/actions/setup-python) | `5` | `6` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `3` | `6` |
| [CodSpeedHQ/action](https://github.com/codspeedhq/action) | `3.5.0` | `4.0.1` |
| [uraimo/run-on-arch-action](https://github.com/uraimo/run-on-arch-action) | `2` | `3` |
| [wntrblm/nox](https://github.com/wntrblm/nox) | `2024.03.02` | `2025.05.01` |
| [actions/download-artifact](https://github.com/actions/download-artifact) | `4` | `5` |


Updates `actions/checkout` from 3 to 5
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3...v5)

Updates `actions/setup-python` from 5 to 6
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@v5...v6)

Updates `astral-sh/setup-uv` from 3 to 6
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@v3...v6)

Updates `CodSpeedHQ/action` from 3.5.0 to 4.0.1
- [Release notes](https://github.com/codspeedhq/action/releases)
- [Changelog](https://github.com/CodSpeedHQ/action/blob/main/CHANGELOG.md)
- [Commits](CodSpeedHQ/action@v3.5.0...v4.0.1)

Updates `uraimo/run-on-arch-action` from 2 to 3
- [Release notes](https://github.com/uraimo/run-on-arch-action/releases)
- [Commits](uraimo/run-on-arch-action@v2...v3)

Updates `wntrblm/nox` from 2024.03.02 to 2025.05.01
- [Release notes](https://github.com/wntrblm/nox/releases)
- [Changelog](https://github.com/wntrblm/nox/blob/main/CHANGELOG.md)
- [Commits](wntrblm/nox@2024.03.02...2025.05.01)

Updates `actions/download-artifact` from 4 to 5
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](actions/download-artifact@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: actions/setup-python
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: astral-sh/setup-uv
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: CodSpeedHQ/action
  dependency-version: 4.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: uraimo/run-on-arch-action
  dependency-version: '3'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: wntrblm/nox
  dependency-version: 2025.05.01
  dependency-type: direct:production
  dependency-group: github-actions
- dependency-name: actions/download-artifact
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/github_actions/github-actions-8857471005 branch from 6ad25f7 to 2850e36 Compare October 20, 2025 12:03

coderabbitai bot commented Oct 20, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.


dependabot bot commented on behalf of github Oct 27, 2025

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Oct 27, 2025
@dependabot dependabot bot deleted the dependabot/github_actions/github-actions-8857471005 branch October 27, 2025 11:10