Skip to content

build(deps): bump the github-actions-dependencies group across 1 directory with 9 updates#2944

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/github_actions/github-actions-dependencies-07323ebecb
Open

build(deps): bump the github-actions-dependencies group across 1 directory with 9 updates#2944
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/github_actions/github-actions-dependencies-07323ebecb

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 10, 2026

Bumps the github-actions-dependencies group with 9 updates in the / directory:

Package From To
github/codeql-action 4 4.35.3
actions/cache 5.0.3 5.0.5
actions/setup-node 6.3.0 6.4.0
astral-sh/setup-uv 7.6.0 8.1.0
r-lib/actions 2.11.4 2.12.0
actions/upload-artifact 7.0.0 7.0.1
actions/github-script 8.0.0 9.0.0
pypa/cibuildwheel 3.4.0 3.4.1
pypa/gh-action-pypi-publish 1.13.0 1.14.0

Updates github/codeql-action from 4 to 4.35.3

Release notes

Sourced from github/codeql-action's releases.

v4.35.3

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

v4.35.2

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

v4.35.1

v4.35.0

v4.34.1

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

v4.34.0

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

v4.33.0

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

v4.32.6

  • Update default CodeQL bundle version to 2.24.3. #3548

v4.32.5

  • Repositories owned by an organization can now set up the github-codeql-disable-overlay custom repository property to disable improved incremental analysis for CodeQL. First, create a custom repository property with the name github-codeql-disable-overlay and the type "True/false" in the organization's settings. Then in the repository's settings, set this property to true to disable improved incremental analysis. For more information, see Managing custom properties for repositories in your organization. This feature is not yet available on GitHub Enterprise Server. #3507
  • Added an experimental change so that when improved incremental analysis fails on a runner — potentially due to insufficient disk space — the failure is recorded in the Actions cache so that subsequent runs will automatically skip improved incremental analysis until something changes (e.g. a larger runner is provisioned or a new CodeQL version is released). We expect to roll this change out to everyone in March. #3487
  • The minimum memory check for improved incremental analysis is now skipped for CodeQL 2.24.3 and later, which has reduced peak RAM usage. #3515
  • Reduced log levels for best-effort private package registry connection check failures to reduce noise from workflow annotations. #3516

... (truncated)

Changelog

Sourced from github/codeql-action's changelog.

4.35.3 - 01 May 2026

  • Upcoming breaking change: Add a deprecation warning for customers using CodeQL version 2.19.3 and earlier. These versions of CodeQL were discontinued on 9 April 2026 alongside GitHub Enterprise Server 3.15, and will be unsupported by the next minor release of the CodeQL Action. #3837
  • Configurations for private registries that use Cloudsmith or GCP OIDC are now accepted. #3850
  • Best-effort connection tests for private registries now use GET requests instead of HEAD for better compatibility with various registry implementations. For NuGet feeds, the test is now always performed against the service index. #3853
  • Fixed a bug where two diagnostics produced within the same millisecond could overwrite each other on disk, causing one of them to be lost. #3852
  • Update default CodeQL bundle version to 2.25.3. #3865

4.35.2 - 15 Apr 2026

  • The undocumented TRAP cache cleanup feature that could be enabled using the CODEQL_ACTION_CLEANUP_TRAP_CACHES environment variable is deprecated and will be removed in May 2026. If you are affected by this, we recommend disabling TRAP caching by passing the trap-caching: false input to the init Action. #3795
  • The Git version 2.36.0 requirement for improved incremental analysis now only applies to repositories that contain submodules. #3789
  • Python analysis on GHES no longer extracts the standard library, relying instead on models of the standard library. This should result in significantly faster extraction and analysis times, while the effect on alerts should be minimal. #3794
  • Fixed a bug in the validation of OIDC configurations for private registries that was added in CodeQL Action 4.33.0 / 3.33.0. #3807
  • Update default CodeQL bundle version to 2.25.2. #3823

4.35.1 - 27 Mar 2026

4.35.0 - 27 Mar 2026

4.34.1 - 20 Mar 2026

  • Downgrade default CodeQL bundle version to 2.24.3 due to issues with a small percentage of Actions and JavaScript analyses. #3762

4.34.0 - 20 Mar 2026

  • Added an experimental change which disables TRAP caching when improved incremental analysis is enabled, since improved incremental analysis supersedes TRAP caching. This will improve performance and reduce Actions cache usage. We expect to roll this change out to everyone in March. #3569
  • We are rolling out improved incremental analysis to C/C++ analyses that use build mode none. We expect this rollout to be complete by the end of April 2026. #3584
  • Update default CodeQL bundle version to 2.25.0. #3585

4.33.0 - 16 Mar 2026

  • Upcoming change: Starting April 2026, the CodeQL Action will skip collecting file coverage information on pull requests to improve analysis performance. File coverage information will still be computed on non-PR analyses. Pull request analyses will log a warning about this upcoming change. #3562

    To opt out of this change:

    • Repositories owned by an organization: Create a custom repository property with the name github-codeql-file-coverage-on-prs and the type "True/false", then set this property to true in the repository's settings. For more information, see Managing custom properties for repositories in your organization. Alternatively, if you are using an advanced setup workflow, you can set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using default setup: Switch to an advanced setup workflow and set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.
    • User-owned repositories using advanced setup: Set the CODEQL_ACTION_FILE_COVERAGE_ON_PRS environment variable to true in your workflow.

  • Fixed a bug which caused the CodeQL Action to fail loading repository properties if a "Multi select" repository property was configured for the repository. #3557

  • The CodeQL Action now loads custom repository properties on GitHub Enterprise Server, enabling the customization of features such as github-codeql-disable-overlay that was previously only available on GitHub.com. #3559

  • Once private package registries can be configured with OIDC-based authentication for organizations, the CodeQL Action will now be able to accept such configurations. #3563

  • Fixed the retry mechanism for database uploads. Previously this would fail with the error "Response body object should not be disturbed or locked". #3564

  • A warning is now emitted if the CodeQL Action detects a repository property whose name suggests that it relates to the CodeQL Action, but which is not one of the properties recognised by the current version of the CodeQL Action. #3570

4.32.6 - 05 Mar 2026

... (truncated)

Commits
  • 7851e55 Merge pull request #3850 from github/mbg/private-registry/cloudsmith-gcp
  • 262a15f Add generic non-printable chars test for OIDC configs
  • a6109b1 Merge pull request #3853 from github/mbg/start-proxy/improved-checks
  • 022ff3c Merge remote-tracking branch 'origin/main' into mbg/private-registry/cloudsmi...
  • 0a4d574 Add changelog entry
  • d1edf2e Improve replaces-base validation and add tests
  • facd53f Merge pull request #3859 from github/dependabot/npm_and_yarn/ava/typescript-7...
  • b779832 Fix permutations comment
  • fcf29e3 Merge pull request #3862 from github/dependabot/github_actions/dot-github/wor...
  • 1fed3e9 Merge branch 'main' into dependabot/npm_and_yarn/ava/typescript-7.0.0
  • Additional commits viewable in compare view

Updates actions/cache from 5.0.3 to 5.0.5

Release notes

Sourced from actions/cache's releases.

v5.0.5

What's Changed

Full Changelog: actions/cache@v5...v5.0.5

v5.0.4

What's Changed

New Contributors

Full Changelog: actions/cache@v5...v5.0.4

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE]
Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

  • Bump @actions/cache to v5.0.3 #1692

5.0.1

  • Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

... (truncated)

Commits
  • 27d5ce7 Merge pull request #1747 from actions/yacaovsnc/update-dependency
  • f280785 licensed changes
  • 619aeb1 npm run build generated dist files
  • bcf16c2 Update ts-http-runtime to 0.3.5
  • 6682284 Merge pull request #1738 from actions/prepare-v5.0.4
  • e340396 Update RELEASES
  • 8a67110 Add licenses
  • 1865903 Update dependencies & patch security vulnerabilities
  • 5656298 Merge pull request #1722 from RyPeck/patch-1
  • 4e380d1 Fix cache key in examples.md for bun.lock
  • Additional commits viewable in compare view

Updates actions/setup-node from 6.3.0 to 6.4.0

Release notes

Sourced from actions/setup-node's releases.

v6.4.0

What's Changed

Dependency updates:

New Contributors

Full Changelog: actions/setup-node@v6...v6.4.0

Commits

Updates astral-sh/setup-uv from 7.6.0 to 8.1.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.1.0 🌈 New input no-project

Changes

This add the a new boolean input no-project. It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

  • Add input no-project in combination with activate-environment @​eifinger (#856)

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

  • chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @dependabot[bot] (#855)

v8.0.0 🌈 Immutable releases and secure tags

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP] Use the immutable tag as a version astral-sh/setup-uv@v8.0.0 Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

... (truncated)

Commits
  • 0880764 fix: grant contents:write to validate-release job (#860)
  • 717d6ab Add a release-gate step to the release workflow (#859)
  • 5a911eb Draft commitish releases (#858)
  • 080c31e Add action-types.yml to instructions (#857)
  • b3e97d2 Add input no-project in combination with activate-environment (#856)
  • 7dd591d chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (#855)
  • 1541b77 chore: update known checksums for 0.11.7 (#853)
  • cdfb2ee Refactor version resolving (#852)
  • cb84d12 chore: update known checksums for 0.11.6 (#850)
  • 1912cc6 chore: update known checksums for 0.11.5 (#845)
  • Additional commits viewable in compare view

Updates r-lib/actions from 2.11.4 to 2.12.0

Changelog

Sourced from r-lib/actions's changelog.

v2.12.0 (2026-04-29)

  • All node.js actions use node 24 now. Relatedly, all example workflows use recent versions of actions that use node 24.

  • [setup-r] now uses use-public-rspm: true by default on Linux and Windows. macOS binaries require further opt-in with use-public-rspm: always.

  • It is now possible to require actions to be pinned to a full-length commit SHA in repositories using r-lib/actions (#1070).

  • [setup-pandoc][setup-r-dependencies] now default to Pandoc version 3.8.3.

  • [setup-r-dependencies] now includes the R architecture in the cache key, so caches for macos-15 (Apple Silicon) and macos-15-intel (Rosetta/x86_64) no longer collide (#1035).

  • [setup-r] run apt-get update without -qq on Linux, to make debugging update failures easier (#1058).

Commits

Updates actions/upload-artifact from 7.0.0 to 7.0.1

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.1

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

Commits
  • 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
  • 634250c Include changes in typespec/ts-http-runtime 0.3.5
  • e454baa Readme: bump all the example versions to v7 (#796)
  • 74fad66 Update the readme with direct upload details (#795)
  • See full diff in compare view

Updates actions/github-script from 8.0.0 to 9.0.0

Release notes

Sourced from actions/github-script's releases.

v9.0.0

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.

What's Changed

New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

Commits
  • 3a2844b Merge pull request #700 from actions/salmanmkc/expose-getoctokit + prepare re...
  • ca10bbd fix: use @​octokit/core/types import for v7 compatibility
  • 86e48e2 merge: incorporate main branch changes
  • c108472 chore: rebuild dist for v9 upgrade and getOctokit factory
  • afff112 Merge pull request #712 from actions/salmanmkc/deployment-false + fix user-ag...
  • ff8117e ci: fix user-agent test to handle orchestration ID
  • 81c6b78 ci: use deployment: false to suppress deployment noise from integration tests
  • 3953caf docs: update README examples from @​v8 to @​v9, add getOctokit docs and v9 brea...
  • c17d55b ci: add getOctokit integration test job
  • a047196 test: add getOctokit integration tests via callAsyncFunction
  • Additional commits viewable in compare view

Updates pypa/cibuildwheel from 3.4.0 to 3.4.1

Release notes

Sourced from pypa/cibuildwheel's releases.

v3.4.1

  • ⚠️ Building for the experimental CPython 3.13 free-threading variant is now deprecated. That functionality will be removed in the next minor release. The enable option cpython-freethreading is therefore also deprecated. Builds specifying enable = "all" no longer select cpython-freethreading. CPython 3.14 free-threading support remains available without the enable flag. (#2787)
  • 🐛 iOS builds will no longer skip repair-wheel-command if it's defined in config (#2761)
  • 🐛 Fix bug causing uv to fail when environments define PYTHON_VERSION or UV_PYTHON, conflicting with our venvs (#2795)
  • ✨ cibuildwheel prints the selected build identifiers at the start of the build. (#2785)
  • 🔐 The GitHub Action now references other actions with a full SHA (#2744)
Changelog

Sourced from pypa/cibuildwheel's changelog.

title: Changelog

Changelog

v3.4.1

2 April 2026

  • ⚠️ Building for the experimental CPython 3.13 free-threading variant is now deprecated. That functionality will be removed in the next minor release. The enable option cpython-freethreading is therefore also deprecated. Builds specifying enable = "all" no longer select cpython-freethreading. CPython 3.14 free-threading support remains available without the enable flag. (#2787)
  • 🐛 iOS builds will no longer skip repair-wheel-command if it's defined in config (#2761)
  • 🐛 Fix bug causing uv to fail when environments define PYTHON_VERSION or UV_PYTHON, conflicting with our venvs (#2795)
  • ✨ cibuildwheel prints the selected build identifiers at the start of the build. (#2785)
  • 🔐 The GitHub Action now references other actions with a full SHA (#2744)

v3.4.0

5 March 2026

  • 🌟 You can now build wheels using uv as a build frontend. This should improve performance, especially if your project has lots of build dependencies. To use, set build-frontend to uv. (#2322)
  • ⚠️ We no longer support running on Travis CI. It may continue working but we don't run tests there anymore so we can't be sure. (#2682)
  • ✨ Improvements to building rust wheels on Android (#2650)
  • 🛠 Update Pyodide to 0.29.3 (#2719, #2733)
  • 🐛 Fix bug with the GitHub Action on Windows, where PATH was getting unnecessarily changed, causing issues with meson builds. (#2723)
  • ✨ Add support for quiet setting on build and uv from the cibuildwheel build-verbosity setting. (#2737)
  • 📚 Docs updates, including guidance on using Meson on Windows (#2718)

v3.3.1

5 January 2026

  • 🛠 Update dependencies and container pins, including updating to CPython 3.14.2. (#2708)

v3.3.0

12 November 2025

  • 🐛 Fix an incompatibility with Docker v29 (#2660)
  • ✨ Adds test-runtime option, to customise how tests on simulated/emulated environments are run (#2636)
  • ✨ Adds support for new manylinux_2_35 images on 32-bit ARM armv7l, offering better C++20 compatibility (#2656)
  • build[uv] is now supported on Android (#2587)
  • ✨ You can now install extras (such as uv) with a simple option on the GitHub Action (#2630)
  • {project} and {package} placeholders are now supported in repair-wheel-command (#2589)
  • 🛠 The versions set with dependency-versions no longer constrain packages specified by your build-system.requires. Previously, on platforms other than Linux, the constraints in this option would remain in the environment during the build. This has been tidied up make behaviour more consistent between platforms, and to prevent version conflicts. (#2583)
  • 🛠 Improve the handling of test-command on Android, enabling more options to be passed (#2590)
  • 📚 Docs improvements (#2618)

v3.2.1

... (truncated)

Commits

Updates pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.14.0

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#391) and @​webknjaz💰 added infra for using type annotations in the project (#381).

💪 New Contributors

@dependabot
build(deps): bump the github-actions-dependencies group across 1 dire…
b8683aa 
…ctory with 9 updates

Bumps the github-actions-dependencies group with 9 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github/codeql-action](https://github.com/github/codeql-action) | `4` | `4.35.3` |
| [actions/cache](https://github.com/actions/cache) | `5.0.3` | `5.0.5` |
| [actions/setup-node](https://github.com/actions/setup-node) | `6.3.0` | `6.4.0` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `7.6.0` | `8.1.0` |
| [r-lib/actions](https://github.com/r-lib/actions) | `2.11.4` | `2.12.0` |
| [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` |
| [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` |
| [pypa/cibuildwheel](https://github.com/pypa/cibuildwheel) | `3.4.0` | `3.4.1` |
| [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.13.0` | `1.14.0` |



Updates `github/codeql-action` from 4 to 4.35.3
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@v4...v4.35.3)

Updates `actions/cache` from 5.0.3 to 5.0.5
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@v5.0.3...27d5ce7)

Updates `actions/setup-node` from 6.3.0 to 6.4.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@53b8394...48b55a0)

Updates `astral-sh/setup-uv` from 7.6.0 to 8.1.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@37802ad...0880764)

Updates `r-lib/actions` from 2.11.4 to 2.12.0
- [Release notes](https://github.com/r-lib/actions/releases)
- [Changelog](https://github.com/r-lib/actions/blob/v2-branch/NEWS.md)
- [Commits](r-lib/actions@v2.11.4...v2.12.0)

Updates `actions/upload-artifact` from 7.0.0 to 7.0.1
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](actions/upload-artifact@bbbca2d...043fb46)

Updates `actions/github-script` from 8.0.0 to 9.0.0
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](actions/github-script@ed59741...3a2844b)

Updates `pypa/cibuildwheel` from 3.4.0 to 3.4.1
- [Release notes](https://github.com/pypa/cibuildwheel/releases)
- [Changelog](https://github.com/pypa/cibuildwheel/blob/main/docs/changelog.md)
- [Commits](pypa/cibuildwheel@ee02a15...8d2b08b)

Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](pypa/gh-action-pypi-publish@ed0c539...cef2210)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.35.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-dependencies
- dependency-name: actions/cache
  dependency-version: 5.0.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-dependencies
- dependency-name: actions/setup-node
  dependency-version: 6.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-dependencies
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions-dependencies
- dependency-name: r-lib/actions
  dependency-version: 2.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-dependencies
- dependency-name: actions/upload-artifact
  dependency-version: 7.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-dependencies
- dependency-name: actions/github-script
  dependency-version: 9.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions-dependencies
- dependency-name: pypa/cibuildwheel
  dependency-version: 3.4.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions-dependencies
- dependency-name: pypa/gh-action-pypi-publish
  dependency-version: 1.14.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 10, 2026
@dependabot dependabot Bot requested review from jbampton and jiayuasu as code owners May 10, 2026 04:39
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 10, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 10, 2026

👋 Welcome to Apache Sedona!

Thank you for opening your first pull request 🙌
We appreciate your effort to make Sedona even better.

💬 Join our Sedona Discord Server
to connect with other contributors, get feedback, and share ideas.

Great work — we're glad you're here!

jbampton
jbampton reviewed May 10, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@jbampton jbampton left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed in #2873

Rebased after #2892 and now the ASF Allow list check is working and shows we have one action not yet approved

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jbampton jbampton jbampton left review comments

@jiayuasu jiayuasu Awaiting requested review from jiayuasu jiayuasu is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jbampton