dependabot[bot] opened a new pull request, #2873: URL: https://github.com/apache/sedona/pull/2873
Bumps the github-actions-dependencies group with 7 updates: | Package | From | To | | --- | --- | --- | | [actions/cache](https://github.com/actions/cache) | `5.0.3` | `5.0.5` | | [actions/setup-node](https://github.com/actions/setup-node) | `6.3.0` | `6.4.0` | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `7.6.0` | `8.1.0` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `7.0.0` | `7.0.1` | | [actions/github-script](https://github.com/actions/github-script) | `8.0.0` | `9.0.0` | | [pypa/cibuildwheel](https://github.com/pypa/cibuildwheel) | `3.4.0` | `3.4.1` | | [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) | `1.13.0` | `1.14.0` | Updates `actions/cache` from 5.0.3 to 5.0.5 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases";>actions/cache's releases</a>.</em></p> <blockquote> <h2>v5.0.5</h2> <h2>What's Changed</h2> <ul> <li>Update ts-http-runtime dependency by <a href="https://github.com/yacaovsnc";><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1747";>actions/cache#1747</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.5";>https://github.com/actions/cache/compare/v5...v5.0.5</a></p> <h2>v5.0.4</h2> <h2>What's Changed</h2> <ul> <li>Add release instructions and update maintainer docs by <a href="https://github.com/Link";><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1696";>actions/cache#1696</a></li> <li>Potential fix for code scanning alert no. 52: Workflow does not contain permissions by <a href="https://github.com/Link";><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1697";>actions/cache#1697</a></li> <li>Fix workflow permissions and cleanup workflow names / formatting by <a href="https://github.com/Link";><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1699";>actions/cache#1699</a></li> <li>docs: Update examples to use the latest version by <a href="https://github.com/XZTDean";><code>@XZTDean</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1690";>actions/cache#1690</a></li> <li>Fix proxy integration tests by <a href="https://github.com/Link";><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1701";>actions/cache#1701</a></li> <li>Fix cache key in examples.md for bun.lock by <a href="https://github.com/RyPeck";><code>@RyPeck</code></a> in <a href="https://redirect.github.com/actions/cache/pull/1722";>actions/cache#1722</a></li> <li>Update dependencies & patch security vulnerabilities by <a href="https://github.com/Link";><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/cache/pull/1738";>actions/cache#1738</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/XZTDean";><code>@XZTDean</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1690";>actions/cache#1690</a></li> <li><a href="https://github.com/RyPeck";><code>@RyPeck</code></a> made their first contribution in <a href="https://redirect.github.com/actions/cache/pull/1722";>actions/cache#1722</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.4";>https://github.com/actions/cache/compare/v5...v5.0.4</a></p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md";>actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h2>How to prepare a release</h2> <blockquote> <p>[!NOTE]<br /> Relevant for maintainers with write access only.</p> </blockquote> <ol> <li>Switch to a new branch from <code>main</code>.</li> <li>Run <code>npm test</code> to ensure all tests are passing.</li> <li>Update the version in <a href="https://github.com/actions/cache/blob/main/package.json";><code>https://github.com/actions/cache/blob/main/package.json</code></a>.</li> <li>Run <code>npm run build</code> to update the compiled files.</li> <li>Update this <a href="https://github.com/actions/cache/blob/main/RELEASES.md";><code>https://github.com/actions/cache/blob/main/RELEASES.md</code></a> with the new version and changes in the <code>## Changelog</code> section.</li> <li>Run <code>licensed cache</code> to update the license report.</li> <li>Run <code>licensed status</code> and resolve any warnings by updating the <a href="https://github.com/actions/cache/blob/main/.licensed.yml";><code>https://github.com/actions/cache/blob/main/.licensed.yml</code></a> file with the exceptions.</li> <li>Commit your changes and push your branch upstream.</li> <li>Open a pull request against <code>main</code> and get it reviewed and merged.</li> <li>Draft a new release <a href="https://github.com/actions/cache/releases";>https://github.com/actions/cache/releases</a> use the same version number used in <code>package.json</code> <ol> <li>Create a new tag with the version number.</li> <li>Auto generate release notes and update them to match the changes you made in <code>RELEASES.md</code>.</li> <li>Toggle the set as the latest release option.</li> <li>Publish the release.</li> </ol> </li> <li>Navigate to <a href="https://github.com/actions/cache/actions/workflows/release-new-action-version.yml";>https://github.com/actions/cache/actions/workflows/release-new-action-version.yml</a> <ol> <li>There should be a workflow run queued with the same version number.</li> <li>Approve the run to publish the new version and update the major tags for this action.</li> </ol> </li> </ol> <h2>Changelog</h2> <h3>5.0.4</h3> <ul> <li>Bump <code>minimatch</code> to v3.1.5 (fixes ReDoS via globstar patterns)</li> <li>Bump <code>undici</code> to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)</li> <li>Bump <code>fast-xml-parser</code> to v5.5.6</li> </ul> <h3>5.0.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33";>https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <h3>5.0.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.3 <a href="https://redirect.github.com/actions/cache/pull/1692";>#1692</a></li> </ul> <h3>5.0.1</h3> <ul> <li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via <code>@actions/[email protected]</code> <a href="https://redirect.github.com/actions/cache/pull/1685";>#1685</a></li> </ul> <h3>5.0.0</h3> <blockquote> <p>[!IMPORTANT] <code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>.</p> </blockquote> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/cache/commit/27d5ce7f107fe9357f9df03efb73ab90386fccae";><code>27d5ce7</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1747";>#1747</a> from actions/yacaovsnc/update-dependency</li> <li><a href="https://github.com/actions/cache/commit/f280785d7b6e1884c7d12b9136eb0f4a1574fcfd";><code>f280785</code></a> licensed changes</li> <li><a href="https://github.com/actions/cache/commit/619aeb1606e195be0b36fd0ff68dcf1aff6b65a7";><code>619aeb1</code></a> npm run build generated dist files</li> <li><a href="https://github.com/actions/cache/commit/bcf16c2893940a4899761e55c7ac3c1cf88a04f6";><code>bcf16c2</code></a> Update ts-http-runtime to 0.3.5</li> <li><a href="https://github.com/actions/cache/commit/668228422ae6a00e4ad889ee87cd7109ec5666a7";><code>6682284</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1738";>#1738</a> from actions/prepare-v5.0.4</li> <li><a href="https://github.com/actions/cache/commit/e34039626f957d3e3e50843d15c1b20547fc90e2";><code>e340396</code></a> Update RELEASES</li> <li><a href="https://github.com/actions/cache/commit/8a671105293e81530f1af99863cdf94550aba1a6";><code>8a67110</code></a> Add licenses</li> <li><a href="https://github.com/actions/cache/commit/1865903e1b0cb750dda9bc5c58be03424cc62830";><code>1865903</code></a> Update dependencies & patch security vulnerabilities</li> <li><a href="https://github.com/actions/cache/commit/565629816435f6c0b50676926c9b05c254113c0c";><code>5656298</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1722";>#1722</a> from RyPeck/patch-1</li> <li><a href="https://github.com/actions/cache/commit/4e380d19e192ace8e86f23f32ca6fdec98a673c6";><code>4e380d1</code></a> Fix cache key in examples.md for bun.lock</li> <li>Additional commits viewable in <a href="https://github.com/actions/cache/compare/v5.0.3...27d5ce7f107fe9357f9df03efb73ab90386fccae";>compare view</a></li> </ul> </details> <br /> Updates `actions/setup-node` from 6.3.0 to 6.4.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/setup-node/releases";>actions/setup-node's releases</a>.</em></p> <blockquote> <h2>v6.4.0</h2> <h2>What's Changed</h2> <h3>Dependency updates:</h3> <ul> <li>Upgrade <a href="https://github.com/actions";><code>@actions</code></a> dependencies by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1525";>actions/setup-node#1525</a></li> <li>Update Node.js versions in versions.yml and bump package to v6.4.0 by <a href="https://github.com/priya-kinthali";><code>@priya-kinthali</code></a> in <a href="https://redirect.github.com/actions/setup-node/pull/1533";>actions/setup-node#1533</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Copilot";><code>@Copilot</code></a> made their first contribution in <a href="https://redirect.github.com/actions/setup-node/pull/1525";>actions/setup-node#1525</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/setup-node/compare/v6...v6.4.0";>https://github.com/actions/setup-node/compare/v6...v6.4.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/setup-node/commit/48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e";><code>48b55a0</code></a> Update Node.js versions in versions.yml and bump package to v6.4.0 (<a href="https://redirect.github.com/actions/setup-node/issues/1533";>#1533</a>)</li> <li><a href="https://github.com/actions/setup-node/commit/ab72c7e7eba0eaa11f8cab0f5679243900c2cac9";><code>ab72c7e</code></a> Upgrade <a href="https://github.com/actions";><code>@actions</code></a> dependencies (<a href="https://redirect.github.com/actions/setup-node/issues/1525";>#1525</a>)</li> <li>See full diff in <a href="https://github.com/actions/setup-node/compare/53b83947a5a98c8d113130e565377fae1a50d02f...48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e";>compare view</a></li> </ul> </details> <br /> Updates `astral-sh/setup-uv` from 7.6.0 to 8.1.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/astral-sh/setup-uv/releases";>astral-sh/setup-uv's releases</a>.</em></p> <blockquote> <h2>v8.1.0 🌈 New input <code>no-project</code></h2> <h2>Changes</h2> <p>This add the a new boolean input <code>no-project</code>. It only makes sense to use in combination with <code>activate-environment: true</code> and will append <code>--no project</code> to the <code>uv venv</code> call. This is for example useful <a href="https://redirect.github.com/astral-sh/setup-uv/issues/854";>if you have a pyproject.toml file with parts unparseable by uv</a></p> <h2>🚀 Enhancements</h2> <ul> <li>Add input no-project in combination with activate-environment <a href="https://github.com/eifinger";><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/856";>#856</a>)</li> </ul> <h2>🧰 Maintenance</h2> <ul> <li>fix: grant contents:write to validate-release job <a href="https://github.com/eifinger";><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/860";>#860</a>)</li> <li>Add a release-gate step to the release workflow <a href="https://github.com/zanieb";><code>@zanieb</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/859";>#859</a>)</li> <li>Draft commitish releases <a href="https://github.com/eifinger";><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/858";>#858</a>)</li> <li>Add action-types.yml to instructions <a href="https://github.com/eifinger";><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/857";>#857</a>)</li> <li>chore: update known checksums for 0.11.7 @<a href="https://github.com/apps/github-actions";>github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/853";>#853</a>)</li> <li>Refactor version resolving <a href="https://github.com/eifinger";><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/852";>#852</a>)</li> <li>chore: update known checksums for 0.11.6 @<a href="https://github.com/apps/github-actions";>github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/850";>#850</a>)</li> <li>chore: update known checksums for 0.11.5 @<a href="https://github.com/apps/github-actions";>github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/845";>#845</a>)</li> <li>chore: update known checksums for 0.11.4 @<a href="https://github.com/apps/github-actions";>github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/843";>#843</a>)</li> <li>Add a release workflow <a href="https://github.com/zanieb";><code>@zanieb</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/839";>#839</a>)</li> <li>chore: update known checksums for 0.11.3 @<a href="https://github.com/apps/github-actions";>github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/836";>#836</a>)</li> </ul> <h2>📚 Documentation</h2> <ul> <li>Update ignore-nothing-to-cache documentation <a href="https://github.com/eifinger";><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/833";>#833</a>)</li> <li>Pin setup-uv docs to v8 <a href="https://github.com/eifinger";><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/829";>#829</a>)</li> </ul> <h2>⬆️ Dependency updates</h2> <ul> <li>chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @<a href="https://github.com/apps/dependabot";>dependabot[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/855";>#855</a>)</li> </ul> <h2>v8.0.0 🌈 Immutable releases and secure tags</h2> <h1>This is the first immutable release of <code>setup-uv</code> 🥳</h1> <p>All future releases are also immutable, if you want to know more about what this means checkout <a href="https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases";>the docs</a>.</p> <p>This release also has two breaking changes</p> <h2>New format for <code>manifest-file</code></h2> <p>The previously deprecated way of defining a custom version manifest to control which <code>uv</code> versions are available and where to download them from got removed. The functionality is still there but you have to use the <a href="https://github.com/astral-sh/setup-uv/blob/main/docs/customization.md#format";>new format</a>.</p> <h2>No more major and minor tags</h2> <p>To increase <strong>security</strong> even more we will <strong>stop publishing minor tags</strong>. You won't be able to use <code>@v8</code> or <code>@v8.0</code> any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to <a href="https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/";>tj-actions</a>.</p> <blockquote> <p>[!TIP] Use the immutable tag as a version <code>astral-sh/[email protected]</code> Or even better the githash <code>astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57</code></p> </blockquote> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/astral-sh/setup-uv/commit/08807647e7069bb48b6ef5acd8ec9567f424441b";><code>0880764</code></a> fix: grant contents:write to validate-release job (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/860";>#860</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/717d6aba0f15312f509f5c4999e34d71ecbab8a9";><code>717d6ab</code></a> Add a release-gate step to the release workflow (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/859";>#859</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/5a911eb3a3983b5e650f2dad95c1ce698ca94378";><code>5a911eb</code></a> Draft commitish releases (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/858";>#858</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/080c31e04cd7155b0ca676d08c7bc260a4476a23";><code>080c31e</code></a> Add action-types.yml to instructions (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/857";>#857</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/b3e97d2ba1a1eed7e9d1f8456dd06c3b725bc3a6";><code>b3e97d2</code></a> Add input no-project in combination with activate-environment (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/856";>#856</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/7dd591db9557f680290587fcc578372813b9ff64";><code>7dd591d</code></a> chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/855";>#855</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/1541b7762698877904805605192ecd63d0e4787a";><code>1541b77</code></a> chore: update known checksums for 0.11.7 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/853";>#853</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/cdfb2ee6dde255817c739680168ad81e184c4bfb";><code>cdfb2ee</code></a> Refactor version resolving (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/852";>#852</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/cb84d12dc6a0d495b82fcae14fa4559b90698660";><code>cb84d12</code></a> chore: update known checksums for 0.11.6 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/850";>#850</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/1912cc65f2e839707d7a16f2372f30b57d35fd80";><code>1912cc6</code></a> chore: update known checksums for 0.11.5 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/845";>#845</a>)</li> <li>Additional commits viewable in <a href="https://github.com/astral-sh/setup-uv/compare/37802adc94f370d6bfd71619e3f0bf239e1f3b78...08807647e7069bb48b6ef5acd8ec9567f424441b";>compare view</a></li> </ul> </details> <br /> Updates `actions/upload-artifact` from 7.0.0 to 7.0.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases";>actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.1</h2> <h2>What's Changed</h2> <ul> <li>Update the readme with direct upload details by <a href="https://github.com/danwkennedy";><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/795";>actions/upload-artifact#795</a></li> <li>Readme: bump all the example versions to v7 by <a href="https://github.com/danwkennedy";><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/796";>actions/upload-artifact#796</a></li> <li>Include changes in typespec/ts-http-runtime 0.3.5 by <a href="https://github.com/yacaovsnc";><code>@yacaovsnc</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/797";>actions/upload-artifact#797</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v7...v7.0.1";>https://github.com/actions/upload-artifact/compare/v7...v7.0.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/043fb46d1a93c77aae656e7c1c64a875d1fc6a0a";><code>043fb46</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/797";>#797</a> from actions/yacaovsnc/update-dependency</li> <li><a href="https://github.com/actions/upload-artifact/commit/634250c1388765ea7ed0f053e636f1f399000b94";><code>634250c</code></a> Include changes in typespec/ts-http-runtime 0.3.5</li> <li><a href="https://github.com/actions/upload-artifact/commit/e454baaac2be505c9450e11b8f3215c6fc023ce8";><code>e454baa</code></a> Readme: bump all the example versions to v7 (<a href="https://redirect.github.com/actions/upload-artifact/issues/796";>#796</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/74fad66b98a6d799dc004d3353ccd0e6f6b2530e";><code>74fad66</code></a> Update the readme with direct upload details (<a href="https://redirect.github.com/actions/upload-artifact/issues/795";>#795</a>)</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f...043fb46d1a93c77aae656e7c1c64a875d1fc6a0a";>compare view</a></li> </ul> </details> <br /> Updates `actions/github-script` from 8.0.0 to 9.0.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/github-script/releases";>actions/github-script's releases</a>.</em></p> <blockquote> <h2>v9.0.0</h2> <p><strong>New features:</strong></p> <ul> <li><strong><code>getOctokit</code> factory function</strong> — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See <a href="https://github.com/actions/github-script#creating-additional-clients-with-getoctokit";>Creating additional clients with <code>getOctokit</code></a> for details and examples.</li> <li><strong>Orchestration ID in user-agent</strong> — The <code>ACTIONS_ORCHESTRATION_ID</code> environment variable is automatically appended to the user-agent string for request tracing.</li> </ul> <p><strong>Breaking changes:</strong></p> <ul> <li><strong><code>require('@actions/github')</code> no longer works in scripts.</strong> The upgrade to <code>@actions/github</code> v9 (ESM-only) means <code>require('@actions/github')</code> will fail at runtime. If you previously used patterns like <code>const { getOctokit } = require('@actions/github')</code> to create secondary clients, use the new injected <code>getOctokit</code> function instead — it's available directly in the script context with no imports needed.</li> <li><code>getOctokit</code> is now an injected function parameter. Scripts that declare <code>const getOctokit = ...</code> or <code>let getOctokit = ...</code> will get a <code>SyntaxError</code> because JavaScript does not allow <code>const</code>/<code>let</code> redeclaration of function parameters. Use the injected <code>getOctokit</code> directly, or use <code>var getOctokit = ...</code> if you need to redeclare it.</li> <li>If your script accesses other <code>@actions/github</code> internals beyond the standard <code>github</code>/<code>octokit</code> client, you may need to update those references for v9 compatibility.</li> </ul> <h2>What's Changed</h2> <ul> <li>Add ACTIONS_ORCHESTRATION_ID to user-agent string by <a href="https://github.com/Copilot";><code>@Copilot</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/695";>actions/github-script#695</a></li> <li>ci: use deployment: false for integration test environments by <a href="https://github.com/salmanmkc";><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/712";>actions/github-script#712</a></li> <li>feat!: add getOctokit to script context, upgrade <code>@actions/github</code> v9, <code>@octokit/core</code> v7, and related packages by <a href="https://github.com/salmanmkc";><code>@salmanmkc</code></a> in <a href="https://redirect.github.com/actions/github-script/pull/700";>actions/github-script#700</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Copilot";><code>@Copilot</code></a> made their first contribution in <a href="https://redirect.github.com/actions/github-script/pull/695";>actions/github-script#695</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/github-script/compare/v8.0.0...v9.0.0";>https://github.com/actions/github-script/compare/v8.0.0...v9.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/github-script/commit/3a2844b7e9c422d3c10d287c895573f7108da1b3";><code>3a2844b</code></a> Merge pull request <a href="https://redirect.github.com/actions/github-script/issues/700";>#700</a> from actions/salmanmkc/expose-getoctokit + prepare re...</li> <li><a href="https://github.com/actions/github-script/commit/ca10bbdd1a7739de09e99a200c7a59f5d73a4079";><code>ca10bbd</code></a> fix: use <code>@octokit/core/</code>types import for v7 compatibility</li> <li><a href="https://github.com/actions/github-script/commit/86e48e20ac85c970ed1f96e718fd068173948b7b";><code>86e48e2</code></a> merge: incorporate main branch changes</li> <li><a href="https://github.com/actions/github-script/commit/c1084728b5b935ec4ddc1e4cee877b01797b3ff9";><code>c108472</code></a> chore: rebuild dist for v9 upgrade and getOctokit factory</li> <li><a href="https://github.com/actions/github-script/commit/afff112e4f8b57c718168af75b89ce00bc8d091d";><code>afff112</code></a> Merge pull request <a href="https://redirect.github.com/actions/github-script/issues/712";>#712</a> from actions/salmanmkc/deployment-false + fix user-ag...</li> <li><a href="https://github.com/actions/github-script/commit/ff8117e5b78c415f814f39ad6998f424fee7b817";><code>ff8117e</code></a> ci: fix user-agent test to handle orchestration ID</li> <li><a href="https://github.com/actions/github-script/commit/81c6b7876079abe10ff715951c9fc7b3e1ab389d";><code>81c6b78</code></a> ci: use deployment: false to suppress deployment noise from integration tests</li> <li><a href="https://github.com/actions/github-script/commit/3953caf8858d318f37b6cc53a9f5708859b5a7b7";><code>3953caf</code></a> docs: update README examples from <a href="https://github.com/v8";><code>@v8</code></a> to <a href="https://github.com/v9";><code>@v9</code></a>, add getOctokit docs and v9 brea...</li> <li><a href="https://github.com/actions/github-script/commit/c17d55b90dcdb3d554d0027a6c180a7adc2daf78";><code>c17d55b</code></a> ci: add getOctokit integration test job</li> <li><a href="https://github.com/actions/github-script/commit/a047196d9a02fe92098771cafbb98c2f1814e408";><code>a047196</code></a> test: add getOctokit integration tests via callAsyncFunction</li> <li>Additional commits viewable in <a href="https://github.com/actions/github-script/compare/ed597411d8f924073f98dfc5c65a23a2325f34cd...3a2844b7e9c422d3c10d287c895573f7108da1b3";>compare view</a></li> </ul> </details> <br /> Updates `pypa/cibuildwheel` from 3.4.0 to 3.4.1 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pypa/cibuildwheel/releases";>pypa/cibuildwheel's releases</a>.</em></p> <blockquote> <h2>v3.4.1</h2> <ul> <li>⚠️ Building for the experimental CPython 3.13 free-threading variant is now deprecated. That functionality will be removed in the next minor release. The <a href="https://cibuildwheel.pypa.io/en/stable/options/#enable";><code>enable</code></a> option <code>cpython-freethreading</code> is therefore also deprecated. Builds specifying <code>enable = "all"</code> no longer select <code>cpython-freethreading</code>. CPython 3.14 free-threading support remains available without the <code>enable</code> flag. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2787";>#2787</a>)</li> <li>🐛 iOS builds will no longer skip <code>repair-wheel-command</code> if it's defined in config (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2761";>#2761</a>)</li> <li>🐛 Fix bug causing <code>uv</code> to fail when environments define PYTHON_VERSION or UV_PYTHON, conflicting with our venvs (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2795";>#2795</a>)</li> <li>✨ cibuildwheel prints the selected build identifiers at the start of the build. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2785";>#2785</a>)</li> <li>🔐 The GitHub Action now references other actions with a full SHA (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2744";>#2744</a>)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/pypa/cibuildwheel/blob/main/docs/changelog.md";>pypa/cibuildwheel's changelog</a>.</em></p> <blockquote> <hr /> <h2>title: Changelog</h2> <h1>Changelog</h1> <h3>v3.4.1</h3> <p><em>2 April 2026</em></p> <ul> <li>⚠️ Building for the experimental CPython 3.13 free-threading variant is now deprecated. That functionality will be removed in the next minor release. The <a href="https://cibuildwheel.pypa.io/en/stable/options/#enable";><code>enable</code></a> option <code>cpython-freethreading</code> is therefore also deprecated. Builds specifying <code>enable = "all"</code> no longer select <code>cpython-freethreading</code>. CPython 3.14 free-threading support remains available without the <code>enable</code> flag. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2787";>#2787</a>)</li> <li>🐛 iOS builds will no longer skip <code>repair-wheel-command</code> if it's defined in config (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2761";>#2761</a>)</li> <li>🐛 Fix bug causing <code>uv</code> to fail when environments define PYTHON_VERSION or UV_PYTHON, conflicting with our venvs (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2795";>#2795</a>)</li> <li>✨ cibuildwheel prints the selected build identifiers at the start of the build. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2785";>#2785</a>)</li> <li>🔐 The GitHub Action now references other actions with a full SHA (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2744";>#2744</a>)</li> </ul> <h3>v3.4.0</h3> <p><em>5 March 2026</em></p> <ul> <li>🌟 You can now build wheels using <code>uv</code> as a build frontend. This should improve performance, especially if your project has lots of build dependencies. To use, set <a href="https://cibuildwheel.pypa.io/en/stable/options/#build-frontend";><code>build-frontend</code></a> to <code>uv</code>. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2322";>#2322</a>)</li> <li>⚠️ We no longer support running on Travis CI. It may continue working but we don't run tests there anymore so we can't be sure. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2682";>#2682</a>)</li> <li>✨ Improvements to building rust wheels on Android (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2650";>#2650</a>)</li> <li>🛠 Update Pyodide to 0.29.3 (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2719";>#2719</a>, <a href="https://redirect.github.com/pypa/cibuildwheel/issues/2733";>#2733</a>)</li> <li>🐛 Fix bug with the GitHub Action on Windows, where PATH was getting unnecessarily changed, causing issues with meson builds. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2723";>#2723</a>)</li> <li>✨ Add support for quiet setting on <code>build</code> and <code>uv</code> from the cibuildwheel <code>build-verbosity</code> setting. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2737";>#2737</a>)</li> <li>📚 Docs updates, including guidance on using Meson on Windows (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2718";>#2718</a>)</li> </ul> <h3>v3.3.1</h3> <p><em>5 January 2026</em></p> <ul> <li>🛠 Update dependencies and container pins, including updating to CPython 3.14.2. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2708";>#2708</a>)</li> </ul> <h3>v3.3.0</h3> <p><em>12 November 2025</em></p> <ul> <li>🐛 Fix an incompatibility with Docker v29 (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2660";>#2660</a>)</li> <li>✨ Adds <code>test-runtime</code> option, to customise how tests on simulated/emulated environments are run (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2636";>#2636</a>)</li> <li>✨ Adds support for new <code>manylinux_2_35</code> images on 32-bit ARM <code>armv7l</code>, offering better C++20 compatibility (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2656";>#2656</a>)</li> <li>✨ <code>build[uv]</code> is now supported on Android (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2587";>#2587</a>)</li> <li>✨ You can now install extras (such as <code>uv</code>) with a simple option on the GitHub Action (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2630";>#2630</a>)</li> <li>✨ <code>{project}</code> and <code>{package}</code> placeholders are now supported in <code>repair-wheel-command</code> (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2589";>#2589</a>)</li> <li>🛠 The versions set with <code>dependency-versions</code> no longer constrain packages specified by your <code>build-system.requires</code>. Previously, on platforms other than Linux, the constraints in this option would remain in the environment during the build. This has been tidied up make behaviour more consistent between platforms, and to prevent version conflicts. (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2583";>#2583</a>)</li> <li>🛠 Improve the handling of <code>test-command</code> on Android, enabling more options to be passed (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2590";>#2590</a>)</li> <li>📚 Docs improvements (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2618";>#2618</a>)</li> </ul> <h3>v3.2.1</h3> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/cibuildwheel/commit/8d2b08b68458a16aeb24b64e68a09ab1c8e82084";><code>8d2b08b</code></a> Bump version: v3.4.1</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/54b8a010d0e3b9d46d00af867716f4f8661b39ae";><code>54b8a01</code></a> deprecation: cp313t (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2787";>#2787</a>)</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/097806b6b1bd3cdd7b139ac63b20f85f76d72082";><code>097806b</code></a> tests: fully type the test suite (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2794";>#2794</a>)</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/643b30c796cbdb68e5364c4e6bdd210e836bda49";><code>643b30c</code></a> fix: avoid PYTHON_VERSION breaking uv if set (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2795";>#2795</a>)</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/fffe2ca07d4e0898a2b87bd9172a66dc0b3d3796";><code>fffe2ca</code></a> chore(deps): bump j178/prek-action from 1.1.1 to 2.0.0 in the actions group (...</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/611194896a33e5c3b9f664e9c08336a24aed1dd0";><code>6111948</code></a> fix: zizmor "code injection via template expansion" (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2784";>#2784</a>)</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/e478767d76bd66b189a4c7be9b86b307d5db238f";><code>e478767</code></a> chore: remove some string types (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2798";>#2798</a>)</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/caf433b1371556dcd693666e03b28d8f3f2a1110";><code>caf433b</code></a> [Bot] Update dependencies (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2789";>#2789</a>)</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/a257a3f78932d0ef69997304a2840f3515c1a966";><code>a257a3f</code></a> chore: remove remaining future annotations (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2799";>#2799</a>)</li> <li><a href="https://github.com/pypa/cibuildwheel/commit/6df84da3e7028a2cb008ae762b20ee9b481cf898";><code>6df84da</code></a> chore: some cleanup and checks (<a href="https://redirect.github.com/pypa/cibuildwheel/issues/2792";>#2792</a>)</li> <li>Additional commits viewable in <a href="https://github.com/pypa/cibuildwheel/compare/ee02a1537ce3071a004a6b08c41e72f0fdc42d9a...8d2b08b68458a16aeb24b64e68a09ab1c8e82084";>compare view</a></li> </ul> </details> <br /> Updates `pypa/gh-action-pypi-publish` from 1.13.0 to 1.14.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/pypa/gh-action-pypi-publish/releases";>pypa/gh-action-pypi-publish's releases</a>.</em></p> <blockquote> <h2>v1.14.0</h2> <!-- raw HTML omitted --> <h2>✨ What's Changed</h2> <p>The main change in this release is that <code>verbose</code> and <code>print-hash</code> inputs are now on by default. This was contributed by <a href="https://github.com/whitequark";><code>@whitequark</code></a><a href="https://github.com/sponsors/whitequark";>💰</a> in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/397";>#397</a>.</p> <h2>📝 Docs</h2> <p><a href="https://github.com/woodruffw";><code>@woodruffw</code></a><a href="https://github.com/sponsors/woodruffw";>💰</a> updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/388";>#388</a> and <a href="https://github.com/him2him2";><code>@him2him2</code></a><a href="https://github.com/sponsors/him2him2";>💰</a> brushed up some grammar in the README and SECURITY docs via <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/395";>#395</a>.</p> <h2>🛠️ Internal Updates</h2> <p><a href="https://github.com/woodruffw";><code>@woodruffw</code></a><a href="https://github.com/sponsors/woodruffw";>💰</a> bumped <code>sigstore</code> and <code>pypi-attestations</code> in the lock file (<a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/391";>#391</a>) and <a href="https://github.com/webknjaz";><code>@webknjaz</code></a><a href="https://github.com/sponsors/webknjaz";>💰</a> added infra for using type annotations in the project (<a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/381";>#381</a>).</p> <h2>💪 New Contributors</h2> <ul> <li><a href="https://github.com/him2him2";><code>@him2him2</code></a> made their first contribution in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/395";>#395</a></li> <li><a href="https://github.com/whitequark";><code>@whitequark</code></a> made their first contribution in <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/397";>#397</a></li> </ul> <p><strong>🪞 Full Diff</strong>: <a href="https://github.com/pypa/gh-action-pypi-publish/compare/v1.13.0...v1.14.0";>https://github.com/pypa/gh-action-pypi-publish/compare/v1.13.0...v1.14.0</a></p> <p><strong>🧔♂️ Release Manager:</strong> <a href="https://github.com/sponsors/webknjaz";><code>@webknjaz</code></a> <a href="https://stand-with-ukraine.pp.ua";>🇺🇦</a></p> <p><strong>🙏 Special Thanks</strong> to <a href="https://github.com/facutuesca";><code>@facutuesca</code></a><a href="https://github.com/sponsors/facutuesca";>💰</a> and <a href="https://github.com/woodruffw";><code>@woodruffw</code></a><a href="https://github.com/sponsors/woodruffw";>💰</a> for helping maintain this project when <a href="https://github.com/sponsors/webknjaz";>I</a> can't!</p> <p><strong>💬 Discuss</strong> <a href="https://bsky.app/profile/webknjaz.me/post/3mivwsz3qzk2e";>on Bluesky 🦋</a>, <a href="https://mastodon.social/@webknjaz/116363779997051422";>on Mastodon 🐘</a> and <a href="https://github.com/pypa/gh-action-pypi-publish/discussions/404";>on GitHub</a>.</p> <p><a href="https://github.com/sponsors/webknjaz";><img src="https://img.shields.io/badge/%40webknjaz-transparent?logo=githubsponsors&logoColor=%23EA4AAA&label=Sponsor&color=2a313c"; alt="GH Sponsors badge" /></a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/cef221092ed1bacb1cc03d23a2d87d1d172e277b";><code>cef2210</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/397";>#397</a> from whitequark/patch-1</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/b4595e2555a031e2fd6f0bbded4e7918eaa2724e";><code>b4595e2</code></a> Enable <code>verbose</code> and <code>print-hash</code> by default.</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/e2bab26859796ee5c3bf97b8f394ce1e6570e906";><code>e2bab26</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/395";>#395</a> from him2him2/docs/fix-typos-and-grammar</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/7495c384ec7a0240a28e568e7ffc60af1629585d";><code>7495c38</code></a> docs: fix typos and grammar in README and SECURITY</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/03f86fee9ac21f854951f5c6e2a02c2a1324aec7";><code>03f86fe</code></a> Merge pull request <a href="https://redirect.github.com/pypa/gh-action-pypi-publish/issues/388";>#388</a> from woodruffw-forks/ww/rm-experimental</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/4c78f1c53c55c528d8abd83df933ae92bd4c1d8c";><code>4c78f1c</code></a> Merge branch 'unstable/v1' into ww/rm-experimental</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/b5a6e8ba2611ad0c810f383eed9e6629eb0b3b2f";><code>b5a6e8b</code></a> deps: bump sigstore and pypi-attestations</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/a48a03e758da35722b0d159dae23e0440d0fcce2";><code>a48a03e</code></a> remove another experimental mention</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/8087a88a46924f78608905d7841a170e749524ce";><code>8087a88</code></a> action: remove a lingering mention of PEP 740 being experimental</li> <li><a href="https://github.com/pypa/gh-action-pypi-publish/commit/3317ede93a4981d0fc490510c6fcf8bf0e92ed05";><code>3317ede</code></a> 🧪 Integrate actionlint via pre-commit framework</li> <li>Additional commits viewable in <a href="https://github.com/pypa/gh-action-pypi-publish/compare/ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e...cef221092ed1bacb1cc03d23a2d87d1d172e277b";>compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
