Bump the gha-dependencies group across 1 directory with 4 updates

[dependabot]

Bumps the gha-dependencies group with 4 updates in the / directory: conda-incubator/setup-miniconda, actions/upload-pages-artifact, astral-sh/setup-uv and actions/upload-artifact.

Updates conda-incubator/setup-miniconda from 3 to 4

Release notes

Sourced from conda-incubator/setup-miniconda's releases.

Version 4.0.0

Breaking Changes

• #459: Upgrade action runtime to Node.js 24.x (requires runners with Node 24 support; this is the reason for the v4 major bump)
• #450: Switch action build to ESM (for @actions/exec v3)

Features and Enhancements

• #469: Add conda-init input to optionally skip conda init and document activation for restricted environments
• #482: Add channels parsing utility and URL validation
• #481: Enable stricter TypeScript checks and typing
• #480: Add more tests, increase coverage, add Codecov integration and coverage badge
• #479: Add TypeDoc-based API docs, generation and checks; configure GitHub Pages and Netlify previews

Fixes

• #465: Fix double channel configuration being applied
• #467: Speed up Windows post-run cleanup by moving the extracted packages directory instead of removing files one by one
• #470: Fix name-version-build syntax expansion and add tests
• #475: Split shell init and activation of the test environment to remove spurious warning
• #498: Skip Netlify preview for Dependabot PRs

Performance

• #486: Remove HTML index scraping for Miniconda version validation
• #487: Parallelize Windows takeown calls with Promise.all
• #488: Replace isDefaultEnvironment subprocess with local YAML reads
• #489: Replace conda config subprocesses with direct .condarc YAML writes

Tasks and Maintenance

• #444: Bump conda-incubator/setup-miniconda from 3.2.0 to 3.3.0
• #445: Bump actions/checkout from 6.0.1 to 6.0.2
• #449: Bump @​actions/exec from 2.0.0 to 3.0.0
• #456, #484, #491: Bump actions/upload-artifact
• #460: Bump actions/download-artifact from 7.0.0 to 8.0.1
• #464: Update dependencies for actions and packages
• #466: Bump @​actions/tool-cache from 2.0.2 to 4.0.0
• #473: Bump flatted from 3.2.9 to 3.4.2
• #476: Bump picomatch
• #477: Bump conda-incubator/installer from 0.1.0 to 0.1.1
• #485: Bump vite from 8.0.0 to 8.0.8
• #492: Bump actions/upload-pages-artifact from 3 to 5

... (truncated)

Changelog

Sourced from conda-incubator/setup-miniconda's changelog.

v4.0.1 (2026-04-24)

Fixes

• Fix MultipleKeysError on conda 25.11+ when a user-supplied condarc-file already declares auto_activate: now only one of auto_activate / auto_activate_base is written to .condarc, preferring whichever key the user's existing condarc uses.
• Add auto_activate to the boolean coercion set so its value is serialized as a YAML boolean when it is the chosen canonical key.
• Add local_repodata_ttl to KNOWN_CONDARC_KEYS to silence a spurious "Unrecognized condarc key" warning for a valid conda key.

Commits

• 8ee1f36 Fix MultipleKeysError when user condarc declares auto_activate (#500)
• bce0bd8 Prepare v4 release (#499)
• 78fb0ff ci(docs): skip Netlify preview for Dependabot PRs (#498)
• d32e72e Bump @​actions/core from 3.0.0 to 3.0.1 (#496)
• 3e251ae Bump actions/upload-artifact from 4 to 7 (#491)
• 7ff02ae Bump actions/upload-pages-artifact from 3 to 5 (#492)
• 65b62b8 Bump actions/deploy-pages from 4 to 5 (#494)
• 1eb4d38 Bump marocchino/sticky-pull-request-comment from 2 to 3 (#493)
• bfb6f7e Bump codecov/codecov-action from 5 to 6 (#495)
• 77236ef Merge pull request #489 from conda-incubator/perf/direct-condarc-write
• Additional commits viewable in compare view

Updates actions/upload-pages-artifact from 4 to 5

Release notes

Sourced from actions/upload-pages-artifact's releases.

v5.0.0

Changelog

• Update upload-artifact action to version 7 @​Tom-van-Woudenberg (#139)
• feat: add include-hidden-files input @​jonchurch (#137)

See details of all code changes since previous release.

Commits

• fc324d3 Merge pull request #139 from Tom-van-Woudenberg/patch-1
• fe9d4b7 Merge branch 'main' into patch-1
• 0ca1617 Merge pull request #137 from jonchurch/include-hidden-files
• 57f0e84 Update action.yml
• 4a90348 v7 --> hash
• 56f665a Update upload-artifact action to version 7
• f7615f5 Add include-hidden-files input
• See full diff in compare view

Updates astral-sh/setup-uv from 6 to 7

Release notes

Sourced from astral-sh/setup-uv's releases.

v7.2.1 🌈 update known checksums up to 0.9.28

Changes

🧰 Maintenance

• chore: update known checksums for 0.9.28 @github-actions[bot] (#744)
• chore: update known checksums for 0.9.27 @github-actions[bot] (#742)
• chore: update known checksums for 0.9.26 @github-actions[bot] (#734)
• chore: update known checksums for 0.9.25 @github-actions[bot] (#733)
• chore: update known checksums for 0.9.24 @github-actions[bot] (#730)

📚 Documentation

• Clarify impact of using actions/setup-python @​eifinger (#732)

⬆️ Dependency updates

• Bump zizmorcore/zizmor-action from 0.3.0 to 0.4.1 @dependabot[bot] (#741)

v7.0.0 🌈 node24 and a lot of bugfixes

Changes

This release comes with a load of bug fixes and a speed up. Because of switching from node20 to node24 it is also a breaking change. If you are running on GitHub hosted runners this will just work, if you are using self-hosted runners make sure, that your runners are up to date. If you followed the normal installation instructions your self-hosted runner will keep itself updated.

This release also removes the deprecated input server-url which was used to download uv releases from a different server. The manifest-file input supersedes that functionality by adding a flexible way to define available versions and where they should be downloaded from.

Fixes

• The action now respects when the environment variable UV_CACHE_DIR is already set and does not overwrite it. It now also finds cache-dir settings in config files if you set them.
• Some users encountered problems that cache pruning took forever because they had some uv processes running in the background. Starting with uv version 0.8.24 this action uses uv cache prune --ci --force to ignore the running processes
• If you just want to install uv but not have it available in path, this action now respects UV_NO_MODIFY_PATH
• Some other actions also set the env var UV_CACHE_DIR. This action can now deal with that but as this could lead to unwanted behavior in some edgecases a warning is now displayed.

Improvements

If you are using minimum version specifiers for the version of uv to install for example

[tool.uv]
required-version = ">=0.8.17"

This action now detects that and directly uses the latest version. Previously it would download all available releases from the uv repo to determine the highest matching candidate for the version specifier, which took much more time.

If you are using other specifiers like 0.8.x this action still needs to download all available releases because the specifier defines an upper bound (not 0.9.0 or later) and "latest" would possibly not satisfy that.

🚨 Breaking changes

... (truncated)

Commits

• 37802ad Fetch uv from Astral's mirror by default (#809)
• 9f00d18 chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)
• fd8f376 Switch to ESM for source and test, use CommonJS for dist (#806)
• f9070de Bump deps (#805)
• cadb67b chore: update known checksums for 0.10.10 (#804)
• e06108d Use astral-sh/versions as primary version provider (#802)
• 0f6ec07 docs: replace copilot instructions with AGENTS.md (#794)
• 821e5c9 docs: add cross-client dependabot rollup skill (#793)
• 6ee6290 chore(deps): bump versions (#792)
• 9f332a1 Add riscv64 architecture support to platform detection (#791)
• Additional commits viewable in compare view

Updates actions/upload-artifact from 4 to 7

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

• Add proxy integration test by @​Link- in actions/upload-artifact#754
• Upgrade the module to ESM and bump dependencies by @​danwkennedy in actions/upload-artifact#762
• Support direct file uploads by @​danwkennedy in actions/upload-artifact#764

New Contributors

• @​Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

• Upload Artifact Node 24 support by @​salmanmkc in actions/upload-artifact#719
• fix: update @​actions/artifact for Node.js 24 punycode deprecation by @​salmanmkc in actions/upload-artifact#744
• prepare release v6.0.0 for Node.js 24 support by @​salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

v5.0.0

What's Changed

BREAKING CHANGE: this update supports Node v24.x. This is not a breaking change per-se but we're treating it as such.

• Update README.md by @​GhadimiR in actions/upload-artifact#681
• Update README.md by @​nebuk89 in actions/upload-artifact#712
• Readme: spell out the first use of GHES by @​danwkennedy in actions/upload-artifact#727
• Update GHES guidance to include reference to Node 20 version by @​patrikpolyak in actions/upload-artifact#725
• Bump @actions/artifact to v4.0.0
• Prepare v5.0.0 by @​danwkennedy in actions/upload-artifact#734

... (truncated)

Commits

• 043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
• 634250c Include changes in typespec/ts-http-runtime 0.3.5
• e454baa Readme: bump all the example versions to v7 (#796)
• 74fad66 Update the readme with direct upload details (#795)
• bbbca2d Support direct file uploads (#764)
• 589182c Upgrade the module to ESM and bump dependencies (#762)
• 47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
• 02a8460 Add proxy integration test
• b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
• e516bc8 docs: correct description of Node.js 24 support in README
• Additional commits viewable in compare view