Bump the github-action-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the github-action-dependencies group with 10 updates in the / directory:

Package	From	To
actions/checkout	4	6
actions/upload-pages-artifact	3	4
crazy-max/ghaction-github-labeler	5.0.0	5.3.0
google-github-actions/auth	2.1.3	3.0.0
google-github-actions/setup-gcloud	2	3
actions/setup-python	5	6
pypa/gh-action-pypi-publish	1.12.3	1.13.0
release-drafter/release-drafter	6.0.0	6.2.0
actions/cache	4	5
actions/upload-artifact	4	6

Updates actions/checkout from 4 to 6

Release notes

Sourced from actions/checkout's releases.

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.1

What's Changed

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

Full Changelog: actions/checkout@v4...v4.3.1

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043

... (truncated)

Changelog

Sourced from actions/checkout's changelog.

Changelog

v6.0.2

• Fix tag handling: preserve annotations and explicit fetch-tags by @​ericsciple in actions/checkout#2356

v6.0.1

• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327

v6.0.0

• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248

v5.0.1

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

v5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

v4.3.1

• Port v6 cleanup to v4 by @​ericsciple in actions/checkout#2305

v4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

... (truncated)

Commits

• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• See full diff in compare view

Updates actions/upload-pages-artifact from 3 to 4

Release notes

Sourced from actions/upload-pages-artifact's releases.

v4.0.0

What's Changed

• Potentially breaking change: hidden files (specifically dotfiles) will not be included in the artifact by @​tsusdere in actions/upload-pages-artifact#102 If you need to include dotfiles in your artifact: instead of using this action, create your own artifact according to these requirements https://github.com/actions/upload-pages-artifact?tab=readme-ov-file#artifact-validation
• Pin actions/upload-artifact to SHA by @​heavymachinery in actions/upload-pages-artifact#127

Full Changelog: actions/upload-pages-artifact@v3.0.1...v4.0.0

v3.0.1

Changelog

• Group tar's output to prevent it from messing up action logs @​SilverRainZ (#94)
• Update README.md @​uiolee (#88)
• Bump the non-breaking-changes group with 1 update @​dependabot (#92)
• Update Dependabot config to group non-breaking changes @​JamesMGreene (#91)
• Bump actions/checkout from 3 to 4 @​dependabot (#76)

See details of all code changes since previous release.

Commits

• 7b1f4a7 Merge pull request #127 from heavymachinery/pin-sha
• 4cc19c7 Pin actions/upload-artifact to SHA
• 2d163be Merge pull request #107 from KittyChiu/main
• c704843 fix: linted README
• 9605915 Merge pull request #106 from KittyChiu/kittychiu/update-readme-1
• e59cdfe Update README.md
• a2d6704 doc: updated usage section in readme
• 984864e Merge pull request #105 from actions/Jcambass-patch-1
• 45dc788 Add workflow file for publishing releases to immutable action package
• efaad07 Merge pull request #102 from actions/hidden-files
• Additional commits viewable in compare view

Updates crazy-max/ghaction-github-labeler from 5.0.0 to 5.3.0

Release notes

Sourced from crazy-max/ghaction-github-labeler's releases.

v5.3.0

• Bump @​octokit/plugin-paginate-rest from 9.2.1 to 9.2.2 in crazy-max/ghaction-github-labeler#229
• Bump @​octokit/request from 8.4.0 to 8.4.1 in crazy-max/ghaction-github-labeler#232
• Bump @​octokit/request-error from 5.1.0 to 5.1.1 in crazy-max/ghaction-github-labeler#228

Full Changelog: crazy-max/ghaction-github-labeler@v5.2.0...v5.3.0

v5.2.0

• Load yaml files using the failsafe schema option by @​pjpires in crazy-max/ghaction-github-labeler#226
• Bump cross-spawn from 7.0.3 to 7.0.6 in crazy-max/ghaction-github-labeler#223
• Bump undici from 5.28.4 to 5.28.5 in crazy-max/ghaction-github-labeler#225

Full Changelog: crazy-max/ghaction-github-labeler@v5.1.0...v5.2.0

v5.1.0

• Sanitize the color field to allow using hex codes by @​pjpires in crazy-max/ghaction-github-labeler#207
• Fix intermediate values by @​crazy-max in crazy-max/ghaction-github-labeler#218
• Bump micromatch from 4.0.5 to 4.0.8 in crazy-max/ghaction-github-labeler#215
• Bump @​actions/core from 1.10.0 to 1.11.1 in crazy-max/ghaction-github-labeler#217
• Bump @​actions/github from 5.1.1 to 6.0.0 in crazy-max/ghaction-github-labeler#205
• Bump @​babel/traverse from 7.17.9 to 7.23.2 in crazy-max/ghaction-github-labeler#206
• Bump braces from 3.0.2 to 3.0.3 in crazy-max/ghaction-github-labeler#212
• Bump ip from 2.0.0 to 2.0.1 in crazy-max/ghaction-github-labeler#208
• Bump debug from 4.1.1 to 4.3.4 in crazy-max/ghaction-github-labeler#204
• Bump tar from 6.1.11 to 6.2.1 in crazy-max/ghaction-github-labeler#210

Full Changelog: crazy-max/ghaction-github-labeler@v5.0.0...v5.1.0

Commits

• 24d110a Merge pull request #229 from crazy-max/dependabot/npm_and_yarn/octokit/plugin...
• 38fb29f chore: update generated content
• 0113fc2 chore(deps): bump @​octokit/plugin-paginate-rest from 9.2.1 to 9.2.2
• 42f774e Merge pull request #228 from crazy-max/dependabot/npm_and_yarn/octokit/reques...
• 9983992 chore(deps): bump @​octokit/request-error from 5.1.0 to 5.1.1
• 32d1878 Merge pull request #232 from crazy-max/dependabot/npm_and_yarn/octokit/reques...
• 3faa845 chore: update generated content
• 16efe04 Merge pull request #233 from crazy-max/ci-fix-codecov
• 7f6122b ci: fix test workflow
• 2ea799d chore(deps): bump @​octokit/request from 8.4.0 to 8.4.1
• Additional commits viewable in compare view

Updates google-github-actions/auth from 2.1.3 to 3.0.0

Release notes

Sourced from google-github-actions/auth's releases.

v3.0.0

What's Changed

• Bump to Node 24 and remove old parameters by @​sethvargo in google-github-actions/auth#508
• Remove hacky script by @​sethvargo in google-github-actions/auth#509
• Release: v3.0.0 by @​google-github-actions-bot in google-github-actions/auth#510

Full Changelog: google-github-actions/auth@v2...v3.0.0

v2.1.13

What's Changed

• Update deps by @​sethvargo in google-github-actions/auth#506
• Release: v2.1.13 by @​google-github-actions-bot in google-github-actions/auth#507

Full Changelog: google-github-actions/auth@v2.1.12...v2.1.13

v2.1.12

What's Changed

• Add retries for getIDToken by @​sethvargo in google-github-actions/auth#502
• Release: v2.1.12 by @​google-github-actions-bot in google-github-actions/auth#503

Full Changelog: google-github-actions/auth@v2.1.11...v2.1.12

v2.1.11

What's Changed

• Update troubleshooting docs for Python by @​sethvargo in google-github-actions/auth#488
• Add linters by @​sethvargo in google-github-actions/auth#499
• Update deps by @​sethvargo in google-github-actions/auth#500
• Release: v2.1.11 by @​google-github-actions-bot in google-github-actions/auth#501

Full Changelog: google-github-actions/auth@v2.1.10...v2.1.11

v2.1.10

What's Changed

• Declare workflow permissions by @​sethvargo in google-github-actions/auth#482
• Document that the OIDC token expires in 5min by @​sethvargo in google-github-actions/auth#483
• Release: v2.1.10 by @​google-github-actions-bot in google-github-actions/auth#484

Full Changelog: google-github-actions/auth@v2.1.9...v2.1.10

v2.1.9

What's Changed

• Use our custom boolean parsing by @​sethvargo in google-github-actions/auth#478
• Update deps by @​sethvargo in google-github-actions/auth#479
• Release: v2.1.9 by @​google-github-actions-bot in google-github-actions/auth#480

... (truncated)

Commits

• 7c6bc77 Release: v3.0.0 (#510)
• 42e4997 Remove hacky script (#509)
• 5ea4dc1 Bump to Node 24 and remove old parameters (#508)
• c200f36 Release: v2.1.13 (#507)
• 3a53be7 Update deps (#506)
• b7593ed Release: v2.1.12 (#503)
• c1ee334 Add retries for getIDToken (#502)
• 140bb51 Release: v2.1.11 (#501)
• ab3132e Update deps (#500)
• 25b96ba Add linters (#499)
• Additional commits viewable in compare view

Updates google-github-actions/setup-gcloud from 2 to 3

Release notes

Sourced from google-github-actions/setup-gcloud's releases.

v3

Floating v3 tag

v2.2.1

What's Changed

• Update deps by @​sethvargo in google-github-actions/setup-gcloud#720
• Bump to the latest actions-utils to fix the gen-readme bug by @​sethvargo in google-github-actions/setup-gcloud#721
• Release: v2.2.1 by @​google-github-actions-bot in google-github-actions/setup-gcloud#722

Full Changelog: google-github-actions/setup-gcloud@v2...v2.2.1

v2.2.0

What's Changed

• Introduce an option to skip the tool cache by @​sethvargo in google-github-actions/setup-gcloud#718
• Release: v2.2.0 by @​google-github-actions-bot in google-github-actions/setup-gcloud#719

Full Changelog: google-github-actions/setup-gcloud@v2.1.5...v2.2.0

v2.1.5

What's Changed

• security: bump undici from 5.28.5 to 5.29.0 in the npm_and_yarn group by @​dependabot[bot] in google-github-actions/setup-gcloud#711
• Update linters by @​sethvargo in google-github-actions/setup-gcloud#715
• Update deps by @​sethvargo in google-github-actions/setup-gcloud#716
• Release: v2.1.5 by @​google-github-actions-bot in google-github-actions/setup-gcloud#717

Full Changelog: google-github-actions/setup-gcloud@v2.1.4...v2.1.5

v2.1.4

What's Changed

• Revert to pinned release workflows by @​sethvargo in google-github-actions/setup-gcloud#706
• Release: v2.1.4 by @​google-github-actions-bot in google-github-actions/setup-gcloud#707

Full Changelog: google-github-actions/setup-gcloud@v2.1.3...v2.1.4

v2.1.3

What's Changed

• Allow manually running integration tests with workflow_dispatch by @​sethvargo in google-github-actions/setup-gcloud#702
• security: bump undici from 5.28.4 to 5.28.5 in the npm_and_yarn group by @​dependabot in google-github-actions/setup-gcloud#703
• Update deps by @​sethvargo in google-github-actions/setup-gcloud#704
• Release: v2.1.3 by @​google-github-actions-bot in google-github-actions/setup-gcloud#705

Full Changelog: google-github-actions/setup-gcloud@v2...v2.1.3

v2.1.2

What's Changed

... (truncated)

Commits

• aa5489c Release: v3.0.1 (#729)
• 26f734c Release: v3.0.0 (#726)
• d26df95 Update to use v3 references (#725)
• f7c2918 Do not use the tool-cache by default (#724)
• 6387e69 Bump to node24 (#723)
• See full diff in compare view

Updates actions/setup-python from 5 to 6

Release notes

Sourced from actions/setup-python's releases.

v6.0.0

What's Changed

Breaking Changes

• Upgrade to node 24 by @​salmanmkc in actions/setup-python#1164

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Enhancements:

• Add support for pip-version by @​priyagupta108 in actions/setup-python#1129
• Enhance reading from .python-version by @​krystof-k in actions/setup-python#787
• Add version parsing from Pipfile by @​aradkdj in actions/setup-python#1067

Bug fixes:

• Clarify pythonLocation behaviour for PyPy and GraalPy in environment variables by @​aparnajyothi-y in actions/setup-python#1183
• Change missing cache directory error to warning by @​aparnajyothi-y in actions/setup-python#1182
• Add Architecture-Specific PATH Management for Python with --user Flag on Windows by @​aparnajyothi-y in actions/setup-python#1122
• Include python version in PyPy python-version output by @​cdce8p in actions/setup-python#1110
• Update docs: clarification on pip authentication with setup-python by @​priya-kinthali in actions/setup-python#1156

Dependency updates:

• Upgrade idna from 2.9 to 3.7 in /tests/data by @​dependabot[bot] in actions/setup-python#843
• Upgrade form-data to fix critical vulnerabilities #182 & #183 by @​aparnajyothi-y in actions/setup-python#1163
• Upgrade setuptools to 78.1.1 to fix path traversal vulnerability in PackageIndex.download by @​aparnajyothi-y in actions/setup-python#1165
• Upgrade actions/checkout from 4 to 5 by @​dependabot[bot] in actions/setup-python#1181
• Upgrade @​actions/tool-cache from 2.0.1 to 2.0.2 by @​dependabot[bot] in actions/setup-python#1095

New Contributors

• @​krystof-k made their first contribution in actions/setup-python#787
• @​cdce8p made their first contribution in actions/setup-python#1110
• @​aradkdj made their first contribution in actions/setup-python#1067

Full Changelog: actions/setup-python@v5...v6.0.0

v5.6.0

What's Changed

• Workflow updates related to Ubuntu 20.04 by @​aparnajyothi-y in actions/setup-python#1065
• Fix for Candidate Not Iterable Error by @​aparnajyothi-y in actions/setup-python#1082
• Upgrade semver and @​types/semver by @​dependabot in actions/setup-python#1091
• Upgrade prettier from 2.8.8 to 3.5.3 by @​dependabot in actions/setup-python#1046
• Upgrade ts-jest from 29.1.2 to 29.3.2 by @​dependabot in actions/setup-python#1081

Full Changelog: actions/setup-python@v5...v5.6.0

v5.5.0

What's Changed

Enhancements:

• Support free threaded Python versions like '3.13t' by @​colesbury in actions/setup-python#973
• Enhance Workflows: Include ubuntu-arm runners, Add e2e Testing for free threaded and Upgrade @​action/cache from 4.0.0 to 4.0.3 by @​priya-kinthali in actions/setup-python#1056
• Add support for .tool-versions file in setup-python by @​mahabaleshwars in actions/setup-python#1043

Bug fixes:

• Fix architecture for pypy on Linux ARM64 by @​mayeut in actions/setup-python#1011 This update maps arm64 to aarch64 for Linux ARM64 PyPy installations.

... (truncated)

Commits

• a309ff8 Bump urllib3 from 2.6.0 to 2.6.3 in /tests/data (#1264)
• bfe8cc5 Upgrade @​actions dependencies to Node 24 compatible versions (#1259)
• 4f41a90 Bump urllib3 from 2.5.0 to 2.6.0 in /tests/data (#1253)
• 83679a8 Bump @​types/node from 24.1.0 to 24.9.1 and update macos-13 to macos-15-intel ...
• bfc4944 Bump prettier from 3.5.3 to 3.6.2 (#1234)
• 97aeb3e Bump requests from 2.32.2 to 2.32.4 in /tests/data (#1130)
• 443da59 Bump actions/publish-action from 0.3.0 to 0.4.0 & Documentation update for pi...
• cfd55ca graalpy: add graalpy early-access and windows builds (#880)
• bba65e5 Bump typescript from 5.4.2 to 5.9.3 and update docs/advanced-usage.md (#1094)
• 18566f8 Improve wording and "fix example" (remove 3.13) on testing against pre-releas...
• Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.12.3 to 1.13.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.13.0

[!important] 🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰. We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip] The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #166. At PyCon US 2025 Sprints, @​facutuesca💰, @​miketheman💰, @​woodruffw💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident. The result of that discussion is posted @ pypi/warehouse#11096. Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @​konstin💰 sent #378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@​webknjaz💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#332). Some related bumps were contributed by @​woodruffw💰 (#359) and @​kurtmckee💰 sent a contributor-facing PR, bumping the linting configuration via #335.

💪 New Contributors

• @​kurtmckee made their first contribution in #335
• @​konstin made their first contribution in #378

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

v1.12.4

... (truncated)

Commits

• ed0c539 📦📌 Bump the pinned dependency tree
• 77db1b7 Merge branch PR #306, GHSA-vxmw-7h4f-hqxh fix and PR #378 into unstable/v1
• 280b3a1 Alias typing as t in imports
• e380240 Use object in place of typing.Any in annotations
• e50bff6 Deduplicate claim ref lookup
• decbc9a Hint people to subscribe to #166 for notifications
• 8208ad3 Ask not to report bugs with reusable workflow
• ff0fef5 🧪 Scope WPS202 suppression to specific files
• 1293b8c Use yamllint disable line length lint
• ed01280 Linter (different rule)
• Additional commits viewable in compare view

Updates release-drafter/release-drafter from 6.0.0 to 6.2.0

Release notes

Sourced from release-drafter/release-drafter's releases.

v6.2.0

What's Changed

New

• Add config option for history-limit (#1470) @​gjvoosten
• Add 'commits-since' configuration option for release drafts (#1451) @​slawekjaranowski

Maintenance

• build: support OIDC for npmjs publishing (#1480) @​cchanche

Documentation

• Update README.md (#1434) @​kunaljubce

Full Changelog: release-drafter/release-drafter@v6.1.1...v6.2.0

v6.1.1

What's Changed

Bug Fixes

• Honor Version Template (#1459) @​ChronosMasterOfAllTime

Documentation

• docs: Add missing action inputs to README (#1472) @​sasamuku

Full Changelog: release-drafter/release-drafter@v6.1.0...v6.1.1

v6.1.0

What's Changed

New

• Add config option for PR query limit (#1362) @​ssolbeck

Bug Fixes

• Fix: Correctly mention bot accounts in release notes (#1376) @​jamietanna
• Update only drafts with the same prerelease status (#1385) @​jaap3

Documentation

• docs: Fix Fork Link (#1412) @​Dor-bl
• Ensure support new default branch name (#1079) @​Triloworld
• update schema generation and update schema to draft 07 (#1422) @​jetersen
• fix typo: therelease (#1407) @​billykern
• Document added action outputs introduced in #1300 (#1406) @​SVNKoch

... (truncated)

Commits

• 6db134d ci: add diff for debugging unstaged files
• a9305a6 chore: fix package.json and lockfile
• 309083b chore: bump to v6.2.0
• 923fffe Add config option for history-limit (#1470)
• fa20e47 docs: typo in README.md (#1434)
• 4178e5a feat: 'commits-since' configuration option (#1451)
• 686295d build: support OIDC for npmjs publishing (#1480)
• 9928b92 setup oidc release flow
• 267d2e0 chore: bump to v6.1.1
• 60cac2b ci: disable npmjs publishing
• Additional commits viewable in compare view

Updates actions/cache from 4 to 5...

Description has been truncated

---

This change is