chore(deps): update ci dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
docker/build-push-action (changelog)	action	digest	d08e5c3 → bcafcac
ghcr.io/astral-sh/uv	stage	digest	90bbb3c → b1e6993
pypa/gh-action-pypi-publish	action	minor	v1.13.0 → v1.14.0
python	final	digest	55e465c → 980c036
python	stage	digest	55e465c → 980c036
softprops/action-gh-release (changelog)	action	digest	153bb8e → 3bb1273

---

Release Notes

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.14.0

Compare Source

Audit your supply chain regularly!

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #​397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #​388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #​395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#​391) and @​webknjaz💰 added infra for using type annotations in the project (#​381).

💪 New Contributors

• @​him2him2 made their first contribution in #​395
• @​whitequark made their first contribution in #​397

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • "before 6am on Monday"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[greptile-apps]

Greptile Summary

Routine Renovate dependency update bumping digest pins for docker/build-push-action, softprops/action-gh-release, python:3.14-slim-bookworm, and ghcr.io/astral-sh/uv:latest, plus a minor version bump for pypa/gh-action-pypi-publish (v1.13.0 → v1.14.0). The v1.14.0 change makes verbose and print-hash default to true, but the workflow already sets both explicitly so there is no behavioral change.

Confidence Score: 5/5

• Safe to merge — all changes are automated digest/minor-version bumps with no functional impact.
• All changes are routine Renovate-managed dependency pins. The one minor version bump (pypa/gh-action-pypi-publish v1.14.0) introduces no behavioral change because the affected defaults are already explicitly set in the workflow. No logic changes, no new permissions, no functional risk.
• No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/release.yml	Digest bumps for docker/build-push-action (v7), softprops/action-gh-release (v2), and a minor version bump for pypa/gh-action-pypi-publish (v1.13.0 → v1.14.0). The workflow already explicitly sets print-hash: true and verbose: true, so the v1.14.0 change making those defaults has no behavioral impact here.
Dockerfile	Digest bumps for python:3.14-slim-bookworm (both builder and runtime stages) and ghcr.io/astral-sh/uv:latest. Both stages are updated consistently to the same new Python digest.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant Docker as docker/build-push-action@bcafcac
    participant GHCR as ghcr.io (Docker registry)
    participant Release as softprops/action-gh-release@3bb1273
    participant PyPI as pypa/gh-action-pypi-publish@v1.14.0

    GH->>Docker: "Build & push image (python@980c036 + uv@b1e699)"
    Docker->>GHCR: Push multi-arch image
    GH->>Release: Create GitHub Release with artifacts
    GH->>PyPI: Publish wheel/sdist to PyPI (verbose+print-hash on by default)

Loading

_{Reviews (9): Last reviewed commit: "chore(deps): update ci dependencies" | Re-trigger Greptile}