build(deps): bump the actions group across 1 directory with 5 updates

[dependabot]

Bumps the actions group with 5 updates in the / directory:

Package	From	To
cargo-bins/cargo-binstall	1.17.9	1.18.1
astral-sh/setup-uv	8.0.0	8.1.0
cross-platform-actions/action	0.32.0	1.0.0
PyO3/maturin-action	1.50.1	1.51.0
pypa/gh-action-pypi-publish	1.13.0	1.14.0

Updates cargo-bins/cargo-binstall from 1.17.9 to 1.18.1

Release notes

Sourced from cargo-bins/cargo-binstall's releases.

v1.18.1

Binstall is a tool to fetch and install Rust-based executables as binaries. It aims to be a drop-in replacement for cargo install in most cases. Install it today with cargo install cargo-binstall, from the binaries below, or if you already have it, upgrade with cargo binstall cargo-binstall.

In this release:

Remove GITHUB_TOKEN and GH_TOKEN when fallback to installing from source using cargo-install (#2533)

This reduces the risk of leaks of tokens for users who pass the GITHUN_TOKEN or GH_TOKEN environment variables to cargo-binstall to avoid GitHub API rate limits.

v1.18.0

Binstall is a tool to fetch and install Rust-based executables as binaries. It aims to be a drop-in replacement for cargo install in most cases. Install it today with cargo install cargo-binstall, from the binaries below, or if you already have it, upgrade with cargo binstall cargo-binstall.

In this release:

• feat: support cargo:token and cargo:token-from-stdout auth for private registries (#2526 #2528)

Other changes:

• Upgrade dependencies

Commits

• dc19f1e release: cargo-binstall v1.18.1 (#2535)
• 94bc68e chore(binstalk): release v0.28.73 (#2534)
• 0d65135 binstalk: Remove GITHUB_TOKEN and GH_TOKEN when installing from source (#2533)
• f8ce4d5 release: cargo-binstall v1.18.0 (#2532)
• 7ef7b56 chore: release (#2524)
• 4d6e1bd dep: Upgrade transitive dependencies (#2529)
• 6ed12bb feat: support cargo:token-from-stdout in private registries (#2528)
• c3664f9 feat: support cargo:token auth for private registries (#2526)
• b6c5417 build(deps): bump the deps group with 2 updates (#2525)
• d882212 dep: Upgrade transitive dependencies (#2523)
• See full diff in compare view

Updates astral-sh/setup-uv from 8.0.0 to 8.1.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.1.0 🌈 New input no-project

Changes

This add the a new boolean input no-project. It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

• Add input no-project in combination with activate-environment @​eifinger (#856)

🧰 Maintenance

• fix: grant contents:write to validate-release job @​eifinger (#860)
• Add a release-gate step to the release workflow @​zanieb (#859)
• Draft commitish releases @​eifinger (#858)
• Add action-types.yml to instructions @​eifinger (#857)
• chore: update known checksums for 0.11.7 @github-actions[bot] (#853)
• Refactor version resolving @​eifinger (#852)
• chore: update known checksums for 0.11.6 @github-actions[bot] (#850)
• chore: update known checksums for 0.11.5 @github-actions[bot] (#845)
• chore: update known checksums for 0.11.4 @github-actions[bot] (#843)
• Add a release workflow @​zanieb (#839)
• chore: update known checksums for 0.11.3 @github-actions[bot] (#836)

📚 Documentation

• Update ignore-nothing-to-cache documentation @​eifinger (#833)
• Pin setup-uv docs to v8 @​eifinger (#829)

⬆️ Dependency updates

• chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @dependabot[bot] (#855)

Commits

• 0880764 fix: grant contents:write to validate-release job (#860)
• 717d6ab Add a release-gate step to the release workflow (#859)
• 5a911eb Draft commitish releases (#858)
• 080c31e Add action-types.yml to instructions (#857)
• b3e97d2 Add input no-project in combination with activate-environment (#856)
• 7dd591d chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 (#855)
• 1541b77 chore: update known checksums for 0.11.7 (#853)
• cdfb2ee Refactor version resolving (#852)
• cb84d12 chore: update known checksums for 0.11.6 (#850)
• 1912cc6 chore: update known checksums for 0.11.5 (#845)
• Additional commits viewable in compare view

Updates cross-platform-actions/action from 0.32.0 to 1.0.0

Release notes

Sourced from cross-platform-actions/action's releases.

Cross Platform Action 1.0.0

Fixed

• Fix #108: Fix file ownership on Haiku after rsync, resolving git safe.directory errors

Changed

• Breaking: Update the requirement of Node for running this action from version 20 to 24.

Removed

• Breaking: Remove support for running on macOS runners. Only Linux runners (e.g. ubuntu-latest) are now supported. This was deprecated in v0.25.0.
• Breaking: Remove the Xhyve hypervisor and the hypervisor input parameter. QEMU is now the only supported hypervisor. These were deprecated in v0.25.0.

Changelog

Sourced from cross-platform-actions/action's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

• Add support for DragonFly BSD (#19)
• Add support for MidnightBSD (#102)

[1.0.0] - 2026-04-12

Fixed

• Fix #108: Fix file ownership on Haiku after rsync, resolving git safe.directory errors

Changed

• Breaking: Update the requirement of Node for running this action from version 20 to 24.

Removed

• Breaking: Remove support for running on macOS runners. Only Linux runners (e.g. ubuntu-latest) are now supported. This was deprecated in v0.25.0.
• Breaking: Remove the Xhyve hypervisor and the hypervisor input parameter. QEMU is now the only supported hypervisor. These were deprecated in v0.25.0.

[0.32.0] - 2025-12-21

Added

• Add support for OmniOS

[0.31.0] - 2025-12-15

Added

• Add support for FreeBSD 15.0 (#114)

Fixed

• Fix empty hostname (#113)

[0.30.0] - 2025-11-04

Added

• Document how to report a security vulnerability
• Add support for OpenBSD 7.8 (#112)

Security

• Fix potential code injection in the GitHub release workflow (#GHSA-928q-63gf-mc2x)

[0.29.0] - 2025-07-22

Added

• Add support for FreeBSD 14.3 (#106, freebsd-builder#9)

... (truncated)

Commits

• 2331563 Release 1.0.0
• 1631483 Assert that the release script is running on master
• 47af1ea Add release script
• ca9a0a1 Add a check that the committed dist files match the source code
• d5b5b85 Merge pull request #128 from cross-platform-actions/dependabot/npm_and_yarn/t...
• 3d0f9f6 Fix error in the release CI workflow
• a7e29cd Remove the hypervisor action parameter
• cd600e1 Remove support for macOS
• db3b320 Merge pull request #134 from mr-raj12/fix/108-haiku-file-ownership
• 5292216 Add e2e test for Haiku file ownership after rsync
• Additional commits viewable in compare view

Updates PyO3/maturin-action from 1.50.1 to 1.51.0

Release notes

Sourced from PyO3/maturin-action's releases.

v1.51.0

What's Changed

• Initial Android build support by @​messense in PyO3/maturin-action#426
• Support native riscv64 builds on manylinux 2_39 by @​weiji14 in PyO3/maturin-action#429

New Contributors

• @​weiji14 made their first contribution in PyO3/maturin-action#429

Full Changelog: PyO3/maturin-action@v1.50.1...v1.51.0

Commits

• e83996d Bump version to 1.51.0
• 36eb3d0 Update versions-manifest.json (#435)
• bd90123 Update versions-manifest.json (#434)
• ef46725 Bump brace-expansion (#433)
• 72c5fe1 Bump actions/setup-node from 6.2.0 to 6.3.0 (#432)
• 9450741 Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#430)
• d8dc7d4 Bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#431)
• 0bca1d2 Bump picomatch from 4.0.3 to 4.0.4 (#428)
• 3f475a4 Support native riscv64 builds on manylinux 2_39 (#429)
• 5f46978 Bump flatted from 3.3.3 to 3.4.2 (#427)
• Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.14.0

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#391) and @​webknjaz💰 added infra for using type annotations in the project (#381).

💪 New Contributors

• @​him2him2 made their first contribution in #395
• @​whitequark made their first contribution in #397

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

Commits

• cef2210 Merge pull request #397 from whitequark/patch-1
• b4595e2 Enable verbose and print-hash by default.
• e2bab26 Merge pull request #395 from him2him2/docs/fix-typos-and-grammar
• 7495c38 docs: fix typos and grammar in README and SECURITY
• 03f86fe Merge pull request #388 from woodruffw-forks/ww/rm-experimental
• 4c78f1c Merge branch 'unstable/v1' into ww/rm-experimental
• b5a6e8b deps: bump sigstore and pypi-attestations
• a48a03e remove another experimental mention
• 8087a88 action: remove a lingering mention of PEP 740 being experimental
• 3317ede 🧪 Integrate actionlint via pre-commit framework
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.63%. Comparing base (f9d96fc) to head (3ed9118).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #147   +/-   ##
=======================================
  Coverage   99.63%   99.63%           
=======================================
  Files          22       22           
  Lines        2733     2733           
=======================================
  Hits         2723     2723           
  Misses         10       10           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.