chore(deps): bump the actions group across 1 directory with 8 updates

[dependabot]

Bumps the actions group with 8 updates in the / directory:

Package	From	To
prefix-dev/setup-pixi	0.9.5	0.9.6
codecov/codecov-action	6.0.0	6.0.1
github/issue-metrics	4.2.2	4.2.7
j178/prek-action	2.0.3	2.0.4
actions/upload-artifact	7.0.0	7.0.1
actions/download-artifact	7.0.0	8.0.1
pypa/gh-action-pypi-publish	1.13.0	1.14.0
zizmorcore/zizmor-action	0.5.3	0.5.6

Updates prefix-dev/setup-pixi from 0.9.5 to 0.9.6

Release notes

Sourced from prefix-dev/setup-pixi's releases.

v0.9.6

What's Changed

✨ New features

• feat: Add persist-credentials option by @​AndreasAlbertQC in prefix-dev/setup-pixi#266

⬆️ Dependency updates

• chore(deps): bump the gh-actions group with 4 updates by @​dependabot[bot] in prefix-dev/setup-pixi#261
• chore(deps): bump the gh-actions group with 5 updates by @​dependabot[bot] in prefix-dev/setup-pixi#263
• chore(deps): bump the nodejs group with 6 updates by @​dependabot[bot] in prefix-dev/setup-pixi#264

🤷🏻 Other changes

• add octo-sts by @​pavelzw in prefix-dev/setup-pixi#262

New Contributors

• @​AndreasAlbertQC made their first contribution in prefix-dev/setup-pixi#266

Full Changelog: prefix-dev/setup-pixi@v0.9.5...v0.9.6

Commits

• 5185adf feat: Add persist-credentials option (#266)
• 92596c3 chore(deps): bump the nodejs group with 6 updates (#264)
• 68a459a chore(deps): bump the gh-actions group with 5 updates (#263)
• 8ce6348 add octo-sts (#262)
• b92f010 Reference latest Pixi version in README (#260)
• 46d4c99 chore(deps): bump the gh-actions group with 4 updates (#261)
• See full diff in compare view

Updates codecov/codecov-action from 6.0.0 to 6.0.1

Release notes

Sourced from codecov/codecov-action's releases.

v6.0.1

What's Changed

• fix: prevent template injection in run: steps (VULN-1652) by @​thomasrockhu-codecov in codecov/codecov-action#1947
• chore(release): 6.0.1 by @​thomasrockhu-codecov in codecov/codecov-action#1949

Full Changelog: codecov/codecov-action@v6.0.0...v6.0.1

Changelog

Sourced from codecov/codecov-action's changelog.

v5.5.2

What's Changed

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.1..v5.5.2

v5.5.1

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in codecov/codecov-action#1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in codecov/codecov-action#1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in codecov/codecov-action#1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in codecov/codecov-action#1872
• docs: fix typo in README by @​datalater in codecov/codecov-action#1866
• Document a codecov-cli version reference example by @​webknjaz in codecov/codecov-action#1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in codecov/codecov-action#1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in codecov/codecov-action#1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

v5.5.0

What's Changed

• feat: upgrade wrapper to 0.2.4 by @​jviall in codecov/codecov-action#1864
• Pin actions/github-script by Git SHA by @​martincostello in codecov/codecov-action#1859
• fix: check reqs exist by @​joseph-sentry in codecov/codecov-action#1835
• fix: Typo in README by @​spalmurray in codecov/codecov-action#1838
• docs: Refine OIDC docs by @​spalmurray in codecov/codecov-action#1837
• build(deps): bump github/codeql-action from 3.28.17 to 3.28.18 by @​app/dependabot in codecov/codecov-action#1829

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.3..v5.5.0

v5.4.3

What's Changed

• build(deps): bump github/codeql-action from 3.28.13 to 3.28.17 by @​app/dependabot in codecov/codecov-action#1822
• fix: OIDC on forks by @​joseph-sentry in codecov/codecov-action#1823

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.4.2..v5.4.3

v5.4.2

... (truncated)

Commits

• e79a696 chore(release): 6.0.1 (#1949)
• 51e6422 fix: prevent template injection in run: steps (VULN-1652) (#1947)
• See full diff in compare view

Updates github/issue-metrics from 4.2.2 to 4.2.7

Release notes

Sourced from github/issue-metrics's releases.

v4.2.7

Changelog

🧰 Maintenance

• chore(deps): bump types-requests from 2.33.0.20260503 to 2.33.0.20260513 @dependabot[bot] (#764)
• chore(deps): bump the dependencies group with 3 updates @dependabot[bot] (#759)
• chore(deps): bump the dependencies group with 2 updates @dependabot[bot] (#763)
• chore(deps): bump python from 3.14-slim to 3.14.5-slim in the dependencies group @dependabot[bot] (#758)
• chore(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 @dependabot[bot] (#760)
• chore(deps): bump github-community-projects/ospo-reusable-workflows/.github/workflows/auto-labeler.yaml from 0.6.0 to 1.0.1 @dependabot[bot] (#762)
• chore(deps): bump github-community-projects/ospo-reusable-workflows/.github/workflows/pr-title.yaml from 0.6.0 to 1.0.1 @dependabot[bot] (#761)

See details of all code changes since previous release

v4.2.6

Changelog

🧰 Maintenance

• chore(deps): bump idna from 3.11 to 3.15 @dependabot[bot] (#756)
• chore(deps): bump the dependencies group with 4 updates @dependabot[bot] (#752)
• chore(deps): bump types-requests from 2.33.0.20260408 to 2.33.0.20260503 @dependabot[bot] (#755)
• chore(deps): bump python from 5b3879b to 7a50012 @dependabot[bot] (#751)
• chore(deps): bump the dependencies group with 2 updates @dependabot[bot] (#753)
• chore(deps): bump mypy from 1.20.2 to 2.0.0 @dependabot[bot] (#754)
• chore(deps): bump pygments from 2.19.2 to 2.20.0 @dependabot[bot] (#750)

See details of all code changes since previous release

v4.2.5

Changelog

🧰 Maintenance

• chore(deps): bump urllib3 from 2.6.3 to 2.7.0 @dependabot[bot] (#748)

See details of all code changes since previous release

v4.2.4

Changelog

🧰 Maintenance

• ci: adopt consolidated ospo-reusable-workflows release.yaml @​jmeridth (#746)

See details of all code changes since previous release

v4.2.3

Changelog

🐛 Bug Fixes

• fix: suppress uv hardlink warning with UV_LINK_MODE=copy @​zkoppert (#732)

... (truncated)

Commits

• 1e38d5e chore(deps): bump types-requests from 2.33.0.20260503 to 2.33.0.20260513 (#764)
• 00efe58 chore(deps): bump the dependencies group with 3 updates (#759)
• 2011fdf chore(deps): bump the dependencies group with 2 updates (#763)
• 4d12201 chore(deps): bump python in the dependencies group (#758)
• 14557c8 chore(deps): bump actions/dependency-review-action from 4.9.0 to 5.0.0 (#760)
• 302d1fa chore(deps): bump github-community-projects/ospo-reusable-workflows/.github/w...
• b515e4a chore(deps): bump github-community-projects/ospo-reusable-workflows/.github/w...
• 5719e05 Merge pull request #756 from github-community-projects/dependabot/uv/idna-3.15
• f838aff chore(deps): bump idna from 3.11 to 3.15
• 012a9d5 chore(deps): bump the dependencies group with 4 updates (#752)
• Additional commits viewable in compare view

Updates j178/prek-action from 2.0.3 to 2.0.4

Release notes

Sourced from j178/prek-action's releases.

v2.0.4

What's Changed

• Update known versions for prek 0.3.12 by @​j178 in j178/prek-action#131
• Update known versions for prek 0.3.13 by @​j178 in j178/prek-action#132
• Update known versions for prek 0.4.0 by @​j178 in j178/prek-action#133

Full Changelog: j178/prek-action@v2...v2.0.4

Commits

• bdca6f1 Update actions/setup-node action to v6.4.0 (#137)
• 3230ac7 Update dependency vitest to v4.1.5 (#134)
• 9a332a1 Update pre-commit hook biomejs/pre-commit to v2.4.13 (#136)
• 8b56901 Update known versions for prek 0.4.0 (#133)
• 4a83041 Update known versions for prek 0.3.13 (#132)
• fe60983 Update known versions for prek 0.3.12 (#131)
• 6f2f302 Update pre-commit hook biomejs/pre-commit to v2.4.12 (#130)
• See full diff in compare view

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

• Update the readme with direct upload details by @​danwkennedy in actions/upload-artifact#795
• Readme: bump all the example versions to v7 by @​danwkennedy in actions/upload-artifact#796
• Include changes in typespec/ts-http-runtime 0.3.5 by @​yacaovsnc in actions/upload-artifact#797

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits

• See full diff in compare view

Updates actions/download-artifact from 7.0.0 to 8.0.1

Release notes

Sourced from actions/download-artifact's releases.

v8.0.1

What's Changed

• Support for CJK characters in the artifact name by @​danwkennedy in actions/download-artifact#471
• Add a regression test for artifact name + content-type mismatches by @​danwkennedy in actions/download-artifact#472

Full Changelog: actions/download-artifact@v8...v8.0.1

v8.0.0

v8 - What's new

[!IMPORTANT] actions/download-artifact@v8 has been migrated to an ESM module. This should be transparent to the caller but forks might need to make significant changes.

[!IMPORTANT] Hash mismatches will now error by default. Users can override this behavior with a setting change (see below).

Direct downloads

To support direct uploads in actions/upload-artifact, the action will no longer attempt to unzip all downloaded files. Instead, the action checks the Content-Type header ahead of unzipping and skips non-zipped files. Callers wishing to download a zipped file as-is can also set the new skip-decompress parameter to true.

Enforced checks (breaking)

A previous release introduced digest checks on the download. If a download hash didn't match the expected hash from the server, the action would log a warning. Callers can now configure the behavior on mismatch with the digest-mismatch parameter. To be secure by default, we are now defaulting the behavior to error which will fail the workflow run.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Don't attempt to un-zip non-zipped downloads by @​danwkennedy in actions/download-artifact#460
• Add a setting to specify what to do on hash mismatch and default it to error by @​danwkennedy in actions/download-artifact#461

Full Changelog: actions/download-artifact@v7...v8.0.0

Commits

• 3e5f45b Add regression tests for CJK characters (#471)
• e6d03f6 Add a regression test for artifact name + content-type mismatches (#472)
• 70fc10c Merge pull request #461 from actions/danwkennedy/digest-mismatch-behavior
• f258da9 Add change docs
• ccc058e Fix linting issues
• bd7976b Add a setting to specify what to do on hash mismatch and default it to error
• ac21fcf Merge pull request #460 from actions/danwkennedy/download-no-unzip
• 15999bf Add note about package bumps
• 974686e Bump the version to v8 and add release notes
• fbe48b1 Update test names to make it clearer what they do
• Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.14.0

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#391) and @​webknjaz💰 added infra for using type annotations in the project (#381).

💪 New Contributors

• @​him2him2 made their first contribution in #395
• @​whitequark made their first contribution in #397

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

Commits

• cef2210 Merge pull request #397 from whitequark/patch-1
• b4595e2 Enable verbose and print-hash by default.
• e2bab26 Merge pull request #395 from him2him2/docs/fix-typos-and-grammar
• 7495c38 docs: fix typos and grammar in README and SECURITY
• 03f86fe Merge pull request #388 from woodruffw-forks/ww/rm-experimental
• 4c78f1c Merge branch 'unstable/v1' into ww/rm-experimental
• b5a6e8b deps: bump sigstore and pypi-attestations
• a48a03e remove another experimental mention
• 8087a88 action: remove a lingering mention of PEP 740 being experimental
• 3317ede 🧪 Integrate actionlint via pre-commit framework
• Additional commits viewable in compare view

Updates zizmorcore/zizmor-action from 0.5.3 to 0.5.6

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.5.6

• 1.25.2 is now available via the action
• 1.25.2 is now the default version of zizmor used by the action

v0.5.5

This is a no-op release.

v0.5.4

• 1.25.0 is now available via the action
• 1.25.0 is now the default version of zizmor used by the action

Commits

• 5f14fd0 Sync zizmor versions (#114)
• a16621b Bump pins in README (#112)
• 1c03e04 chore(deps): bump github/codeql-action from 4.35.2 to 4.35.3 in the github-ac...
• b572f7b Sync zizmor versions (#111)
• 06928c5 chore(deps): bump github/codeql-action in the github-actions group (#109)
• 5ea8b96 docs: Update link to GitHub docs (#108)
• 849ac26 chore(deps): bump the github-actions group with 2 updates (#106)
• 814f977 Bump pins in README (#103)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions