chore: merge next release

.github/dependabot.yaml

@@ -1,5 +1,6 @@
 # This configuration file enables Dependabot version updates.
 # https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/about-dependabot-version-updates
+# https://docs.github.com/en/code-security/reference/supply-chain-security/supported-ecosystems-and-repositories
 # https://github.com/dependabot/feedback/issues/551
 
 version: 2
@@ -8,6 +9,8 @@ updates:
   directory: /
   schedule:
     interval: weekly
+  cooldown:
+    default-days: 3
   commit-message:
     prefix: chore
     prefix-development: chore
@@ -23,6 +26,8 @@ updates:
   directory: /
   schedule:
     interval: weekly
+  cooldown:
+    default-days: 3
   commit-message:
     prefix: chore
     prefix-development: chore
@@ -32,4 +37,25 @@ updates:
   # Add additional reviewers for PRs opened by Dependabot. For more information, see:
   # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
   # reviewers:
+  #
+
+- package-ecosystem: pre-commit
+  directory: /
+  schedule:
+    interval: weekly
+  cooldown:
+    default-days: 3
+  commit-message:
+    prefix: chore
+    prefix-development: chore
+    include: scope
+  target-branch: main
+  # Group updates into one pull request. See also:
+  # https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#groups--
+  groups:
+    pre-commit:
+      patterns: ['*']
+  # Add additional reviewers for PRs opened by Dependabot. For more information, see:
+  # https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#reviewers
+  # reviewers:
   # -

.github/workflows/_build.yaml

@@ -6,7 +6,7 @@
 #
 # Even though we run the build in a matrix to check against different platforms, due to a known
 # limitation of reusable workflows that do not support setting strategy property from the caller
-# workflow, we only generate artifacts for ubuntu-latest and Python 3.13, which can be used to
+# workflow, we only generate artifacts for ubuntu-latest and Python 3.14, which can be used to
 # create a release. For details see:
 #
 # https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations
@@ -35,7 +35,7 @@ permissions:
   contents: read
 env:
   ARTIFACT_OS: ubuntu-latest # The default OS for release.
-  ARTIFACT_PYTHON: '3.13' # The default Python version for release.
+  ARTIFACT_PYTHON: '3.14' # The default Python version for release.
 
 jobs:
   build:
@@ -51,22 +51,22 @@ jobs:
         # It is recommended to pin a Runner version specifically:
         # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners
         os: [ubuntu-latest, macos-latest, windows-latest]
-        python: ['3.10', '3.11', '3.12', '3.13']
+        python: ['3.10', '3.11', '3.12', '3.13', '3.14']
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
 
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python }}
 

.github/workflows/_generate-rebase.yaml

@@ -34,12 +34,12 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
         token: ${{ secrets.REPO_ACCESS_TOKEN }}

.github/workflows/_wiki-documentation.yaml

@@ -41,15 +41,15 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
 
     # Check out the repository's Wiki repo into the wiki/ folder. The token is required
     # only for private repositories.
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
         repository: ${{ format('{0}.wiki', github.repository) }}

.github/workflows/codeql-analysis.yaml

@@ -29,20 +29,20 @@ jobs:
       matrix:
         # Learn more about CodeQL language support at https://git.io/codeql-language-support
         language: [python, actions]
-        python: ['3.13']
+        python: ['3.14']
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
 
     - name: Checkout repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Set up Python ${{ matrix.python }}
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python }}
 
@@ -54,7 +54,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+      uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
       with:
         languages: ${{ matrix.language }}
         config-file: .github/codeql/codeql-config.yaml
@@ -67,4 +67,4 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+      uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0

.github/workflows/dependabot-automerge.yaml

@@ -1,4 +1,5 @@
 # Automatically merge Dependabot PRs upon approval.
+# https://docs.github.com/en/code-security/tutorials/secure-your-dependencies/automating-dependabot-with-github-actions#enabling-automerge-on-a-pull-request
 
 name: Automerge Dependabot PR
 on:

.github/workflows/macaron-analysis.yaml

@@ -22,13 +22,13 @@ jobs:
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
 
     # Check the GitHub Actions workflows in the repository for vulnerabilities.
     - name: Run Macaron action
-      uses: oracle/macaron@b31acfe389133a5587d9639063ec70cb84e7bc47 # v0.23.0
+      uses: oracle/macaron@4ddb55e3c9ef2c77b548be55c557078c4476fd9c # v0.24.0
       with:
         repo_path: ./
         policy_file: check-github-actions

.github/workflows/pr-conventional-commits.yaml

@@ -22,21 +22,21 @@
     steps:
 
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
 
     - name: Set up Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
-        python-version: '3.13'
+        python-version: '3.14'
 
     # Install Commitizen without using the package's Makefile: that's much faster than
     # creating a venv and installing heaps of dependencies that aren't required for this job.
     - name: Set up Commitizen
       run: |
         pip install --upgrade pip wheel
-        pip install 'commitizen ==4.13.9'
+        pip install 'commitizen ==4.16.2'
 
     # Run Commitizen to check the title of the PR which triggered this workflow, and check
     # all commit messages of the PR's branch. If any of the checks fails then this job fails.

.github/workflows/release.yaml

@@ -30,26 +30,26 @@
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
 
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
 
     - name: Set up Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
-        python-version: '3.13'
+        python-version: '3.14'
 
     - name: Set up Commitizen
       run: |
         pip install --upgrade pip wheel
-        pip install 'commitizen ==4.13.9'
+        pip install 'commitizen ==4.16.2'
 
     - name: Set up user
       run: |
@@ -98,20 +98,20 @@
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
 
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
 
     - name: Download artifact
       uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
-        name: artifact-ubuntu-latest-python-3.13
+        name: artifact-ubuntu-latest-python-3.14
         path: dist
 
     # Verify hashes by first computing hashes for the artifacts and then comparing them
@@ -126,14 +126,14 @@
 
     # Create the Release Notes using commitizen.
     - name: Set up Python
-      uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
-        python-version: '3.13'
+        python-version: '3.14'
 
     - name: Set up Commitizen
       run: |
         pip install --upgrade pip wheel
-        pip install 'commitizen ==4.13.9'
+        pip install 'commitizen ==4.16.2'
 
     - name: Create Release Notes
       run: cz changelog --dry-run "$(cz version --project)" > RELEASE_NOTES.md
@@ -199,13 +199,13 @@
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
 
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
 
@@ -250,7 +250,7 @@
       # Github disallows passing environment variables as arguments to a reusable
       # workflow, so we have to duplicate these values here. Related discussion
       # here: https://github.com/actions/toolkit/issues/931
-      artifact-name: artifact-ubuntu-latest-python-3.13
+      artifact-name: artifact-ubuntu-latest-python-3.14
       git-user-name: jenstroeger
       git-user-email: jenstroeger@users.noreply.github.com
     secrets:

.github/workflows/scorecards-analysis.yaml

@@ -26,13 +26,13 @@ jobs:
     steps:
 
     - name: Harden Runner
-      uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+      uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
       with:
         egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
         disable-sudo: true
 
     - name: Check out repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         persist-credentials: false
 
@@ -59,6 +59,6 @@ jobs:
 
     # Upload the results to GitHub's code scanning dashboard.
     - name: Upload to code-scanning
-      uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
+      uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
       with:
         sarif_file: results.sarif

.github/workflows/sync-with-upstream.yaml

@@ -21,7 +21,7 @@ jobs:
     steps:
 
     - name: Check out template repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         # If you decide to change the upstream template repository to a private one, uncomment
         # the following argument to pass the required token to be able to check it out.
@@ -31,7 +31,7 @@ jobs:
         path: template
 
     - name: Check out current repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         token: ${{ secrets.REPO_ACCESS_TOKEN }}
         fetch-depth: 0