Bump the github-actions group with 4 updates

[dependabot]

Bumps the github-actions group with 4 updates: actions/checkout, actions/download-artifact, sigstore/gh-action-sigstore-python and zizmorcore/zizmor-action.

Updates actions/checkout from 5.0.0 to 6.0.1

Release notes

Sourced from actions/checkout's releases.

v6.0.1

What's Changed

• Update all references from v5 and v4 to v6 by @​ericsciple in actions/checkout#2314
• Add worktree support for persist-credentials includeIf by @​ericsciple in actions/checkout#2327
• Clarify v6 README by @​ericsciple in actions/checkout#2328

Full Changelog: actions/checkout@v6...v6.0.1

v6.0.0

What's Changed

• Update README to include Node.js 24 support details and requirements by @​salmanmkc in actions/checkout#2248
• Persist creds to a separate file by @​ericsciple in actions/checkout#2286
• v6-beta by @​ericsciple in actions/checkout#2298
• update readme/changelog for v6 by @​ericsciple in actions/checkout#2311

Full Changelog: actions/checkout@v5.0.0...v6.0.0

v6-beta

What's Changed

Updated persist-credentials to store the credentials under $RUNNER_TEMP instead of directly in the local git config.

This requires a minimum Actions Runner version of v2.329.0 to access the persisted credentials for Docker container action scenarios.

v5.0.1

What's Changed

• Port v6 cleanup to v5 by @​ericsciple in actions/checkout#2301

Full Changelog: actions/checkout@v5...v5.0.1

Commits

• 8e8c483 Clarify v6 README (#2328)
• 033fa0d Add worktree support for persist-credentials includeIf (#2327)
• c2d88d3 Update all references from v5 and v4 to v6 (#2314)
• 1af3b93 update readme/changelog for v6 (#2311)
• 71cf226 v6-beta (#2298)
• 069c695 Persist creds to a separate file (#2286)
• ff7abcd Update README to include Node.js 24 support details and requirements (#2248)
• See full diff in compare view

Updates actions/download-artifact from 5 to 6

Release notes

Sourced from actions/download-artifact's releases.

v6.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README for download-artifact v5 changes by @​yacaovsnc in actions/download-artifact#417
• Update README with artifact extraction details by @​yacaovsnc in actions/download-artifact#424
• Readme: spell out the first use of GHES by @​danwkennedy in actions/download-artifact#431
• Bump @actions/artifact to v4.0.0
• Prepare v6.0.0 by @​danwkennedy in actions/download-artifact#438

New Contributors

• @​danwkennedy made their first contribution in actions/download-artifact#431

Full Changelog: actions/download-artifact@v5...v6.0.0

Commits

• 018cc2c Merge pull request #438 from actions/danwkennedy/prepare-6.0.0
• 815651c Revert "Remove github.dep.yml"
• bb3a066 Remove github.dep.yml
• fa1ce46 Prepare v6.0.0
• 4a24838 Merge pull request #431 from danwkennedy/patch-1
• 5e3251c Readme: spell out the first use of GHES
• abefc31 Merge pull request #424 from actions/yacaovsnc/update_readme
• ac43a60 Update README with artifact extraction details
• de96f46 Merge pull request #417 from actions/yacaovsnc/update_readme
• 7993cb4 Remove migration guide for artifact download changes
• Additional commits viewable in compare view

Updates sigstore/gh-action-sigstore-python from 3.0.1 to 3.2.0

Release notes

Sourced from sigstore/gh-action-sigstore-python's releases.

v3.2.0

gh-action-sigstore-python action now manages the used Python version internally, improving reliability.

Changed

• Manage Python version internally (#242, #258)
• Dependency updates

v3.1.0

gh-action-sigstore-python is now compatible with Rekor v2 transparency log (but produced signature bundles still contain Rekor v1 entries by default).

Changed

• The action now uses sigstore-python 4.1. All other dependencies are also updated (#220)

Fixed

• Fixed incompatibility with Python 3.14 by upgrading dependencies (#225)

Added

• rekor-version argument was added to control the Rekor transparency log version when signing. The default version in the gh-action-sigstore-python 3.x series will remain 1 (except when using staging: true). (#228)

Changelog

Sourced from sigstore/gh-action-sigstore-python's changelog.

[3.2.0]

gh-action-sigstore-python now manages the used Python version internally, improving reliability.

Changed

• Manage Python version internally (#242, #258)
• Dependency updates

[3.1.0]

gh-action-sigstore-python is now compatible with Rekor v2 transparency log (but produced signature bundles still contain Rekor v1 entries by default).

Changed

• The action now uses sigstore-python 4.1. All other dependencies are also updated (#220)

Fixed

• Fixed incompatibility with Python 3.14 by upgrading dependencies (#225)

Added

• rekor-version argument was added to control the Rekor transparency log version when signing. The default version in the gh-action-sigstore-python 3.x series will remain 1 (except when using staging: true). (#228)

Commits

• a5caf34 build(deps): bump actions/checkout in the actions group (#265)
• 7b8cfcb build(deps): bump the actions group with 2 updates (#264)
• 270f433 build(deps-dev): bump ruff in the python-dependencies group (#263)
• 034c8bf build(deps): bump actions/setup-python in the actions group (#260)
• 5483fa8 Fix .python-version lookup (#258)
• f962baa build(deps): bump github/codeql-action in the actions group (#259)
• 225a312 build(deps): bump astral-sh/setup-uv in the actions group (#253)
• b7c02b3 build(deps): bump actions/checkout in the actions group (#251)
• 52bad44 build(deps-dev): bump ruff in the python-dependencies group (#252)
• 68eceea build(deps): bump certifi in the python-dependencies group (#250)
• Additional commits viewable in compare view

Updates zizmorcore/zizmor-action from 0.2.0 to 0.3.0

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.3.0

What's Changed

• README: fix troubleshooting link by @​woodruffw in zizmorcore/zizmor-action#50
• README: add a troubleshooting section about Advanced Security by @​woodruffw in zizmorcore/zizmor-action#51
• feat: Support a config option by @​naokihaba in zizmorcore/zizmor-action#56

New Contributors

• @​naokihaba made their first contribution in zizmorcore/zizmor-action#56

Full Changelog: zizmorcore/zizmor-action@v0.2.0...v0.3.0

Commits

• e639db9 remove mise.toml (#57)
• f4409e3 feat: Support a config option (#56)
• 1aba86d chore(deps): bump github/codeql-action in the github-actions group (#54)
• da5ac40 README: add a troubleshooting section about Advanced Security (#51)
• cc28a58 README: fix troubleshooting link (#50)
• c323c83 chore(deps): bump zizmorcore/zizmor-action from 0.1.2 to 0.2.0 in the github-...
• 0696496 chore(deps): bump github/codeql-action in the github-actions group (#48)
• 8735394 docs: bump action pins (#46)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions