Bump the actions group across 1 directory with 8 updates#47023

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/actions-77aeb9a61b

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Bumps the actions group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| actions/checkout | `6.0.2` | `7.0.0` |
| actions/cache | `5.0.5` | `6.1.0` |
| actions/setup-python | `6.2.0` | `6.3.0` |
| slackapi/slack-github-action | `1.25.0` | `3.0.3` |
| astral-sh/setup-uv | `8.1.0` | `8.2.0` |
| huggingface/transformers/.github/workflows/collated-reports.yml | `6abd9725ee7d809dc974991f8ff6c958afb63a3a` | `8698b5a52598d13a4f9e7fe46457526dae967a79` |
| huggingface/tailscale-action | `7d53c9737e53934c30290b5524d1c9b4a7c98c8a` | `07d36e4c3b68707bd3fe070dbb96f03f993a6efd` |
| trufflesecurity/trufflehog | `3.95.5` | `3.95.6` |

Updates actions/checkout from 6.0.2 to 7.0.0

Release notes

Sourced from actions/checkout's releases.

v7.0.0

What's Changed

New Contributors

Full Changelog: actions/checkout@v6.0.3...v7.0.0

v6.0.3

What's Changed

New Contributors

Full Changelog: actions/checkout@v6...v6.0.3

Changelog

Sourced from actions/checkout's changelog.

Changelog

v7.0.0

v6.0.3

v6.0.2

v6.0.1

v6.0.0

v5.0.1

v5.0.0

v4.3.1

v4.3.0

v4.2.2

v4.2.1

... (truncated)

Commits

Updates actions/cache from 5.0.5 to 6.1.0

Release notes

Sourced from actions/cache's releases.

v6.1.0

What's Changed

Full Changelog: actions/cache@v6...v6.1.0

v6.0.0

What's Changed

Full Changelog: actions/cache@v5...v6.0.0

v5.1.0

What's Changed

Full Changelog: actions/cache@v5...v5.1.0

Changelog

Sourced from actions/cache's changelog.

Releases

How to prepare a release

[!NOTE] Relevant for maintainers with write access only.

  1. Switch to a new branch from main.
  2. Run npm test to ensure all tests are passing.
  3. Update the version in https://github.com/actions/cache/blob/main/package.json.
  4. Run npm run build to update the compiled files.
  5. Update this https://github.com/actions/cache/blob/main/RELEASES.md with the new version and changes in the ## Changelog section.
  6. Run licensed cache to update the license report.
  7. Run licensed status and resolve any warnings by updating the https://github.com/actions/cache/blob/main/.licensed.yml file with the exceptions.
  8. Commit your changes and push your branch upstream.
  9. Open a pull request against main and get it reviewed and merged.
  10. Draft a new release https://github.com/actions/cache/releases use the same version number used in package.json
    1. Create a new tag with the version number.
    2. Auto generate release notes and update them to match the changes you made in RELEASES.md.
    3. Toggle the set as the latest release option.
    4. Publish the release.
  11. Navigate to https://github.com/actions/cache/actions/workflows/release-new-action-version.yml
    1. There should be a workflow run queued with the same version number.
    2. Approve the run to publish the new version and update the major tags for this action.

Changelog

6.1.0

6.0.0

  • Updated @actions/cache to ^6.0.1, @actions/core to ^3.0.1, @actions/exec to ^3.0.0, @actions/io to ^3.0.2
  • Migrated to ESM module system
  • Upgraded Jest to v30 and test infrastructure to be ESM compatible

5.0.4

  • Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
  • Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
  • Bump fast-xml-parser to v5.5.6

5.0.3

5.0.2

... (truncated)

Commits
  • 55cc834 Merge pull request #1768 from jasongin/readonly-cache
  • d8cd72f Bump @​actions/cache to v6.1.0 - handle cache write error due to RO token
  • 2c8a9bd Merge pull request #1760 from actions/samirat/esm_migration_and_package_update
  • e9b91fd Prettier fixes
  • e4884b8 Rebuild dist
  • 10baf01 Fixed licenses
  • e39b386 Fix test mock return order
  • b692820 PR feedback
  • 6074912 Rebuild dist bundles as ESM to match type:module
  • 5a912e8 Fix lint and jest issues
  • Additional commits viewable in compare view

Updates actions/setup-python from 6.2.0 to 6.3.0

Release notes

Sourced from actions/setup-python's releases.

v6.3.0

What's Changed

Enhancement

Dependency update

Documentation

New Contributors

Full Changelog: actions/setup-python@v6...v6.3.0

Commits

Updates slackapi/slack-github-action from 1.25.0 to 3.0.3

Release notes

Sourced from slackapi/slack-github-action's releases.

Slack GitHub Action v3.0.3

Patch Changes

  • 66834e4: feat: add instrumentation to address error rates

Slack GitHub Action v3.0.2

Patch Changes

  • 79529d7: fix: resolve url.parse deprecation warning for webhook techniques

Slack GitHub Action v3.0.1

What's Changed

Alongside the breaking changes of @v3.0.0 and a new technique to run Slack CLI commands, we tried the wrong name to publish to the GitHub Marketplace 🐙 This action is now noted as The Slack GitHub Action in listings 🎶 ✨

🎨 Maintenance

Full Changelog: slackapi/slack-github-action@v3.0.0...v3.0.1

Slack GitHub Action v3.0.0

The @v3.0.0 release had a hiccup on publish and we recommend using @​v3.0.1 or a more recent version when updating! Oops!

🎽 Running Slack CLI commands and the active Node runtime, both included in this release 👟 ✨

⚠️ Breaking change: Node.js 24 the runtime

This major version updates the GitHub Actions required runtime to Node.js 24. Most GitHub-hosted runners already include this, but self-hosted runners may need to be updated ahead of planned deprecations of Node 20 on GitHub Actions runners.

📺 Enhancement: Run Slack CLI commands

This release introduces a new technique for running Slack CLI commands directly in GitHub Actions workflows. Use this to install the latest version (or a specific one) of the CLI and execute commands like deploy for merges to main, manifest validate with tests, and other commands.

Gather a token using the following CLI command to store with repo secrets, then get started with an example below:

$ slack auth token

🧪 Validate an app manifest on pull requests

Check that your app manifest is valid before merging changes:

🔗 https://docs.slack.dev/tools/slack-github-action/sending-techniques/running-slack-cli-commands/validate-a-manifest

- name: Validate the manifest

... (truncated)

Changelog

Sourced from slackapi/slack-github-action's changelog.

slack-github-action

3.0.3

Patch Changes

  • 66834e4: feat: add instrumentation to address error rates

3.0.2

Patch Changes

  • 79529d7: fix: resolve url.parse deprecation warning for webhook techniques

Commits
  • 45a88b9 chore: release
  • 1c0bcf0 chore: release (#606)
  • 66834e4 feat: add instrumentation to address error rates (#600)
  • 0fe0f90 build(deps): bump @​actions/github from 9.0.0 to 9.1.1 (#605)
  • c5e7059 build(deps): bump @​slack/web-api from 7.15.0 to 7.15.1 (#604)
  • 0325526 build(deps-dev): bump @​biomejs/biome from 2.4.10 to 2.4.13 (#601)
  • 900cd3e build(deps-dev): bump @​types/node from 24.12.0 to 24.12.2 (#603)
  • 53fdcff build(deps): bump @​actions/core from 3.0.0 to 3.0.1 (#602)
  • 26856cc build(deps): bump slackapi/slack-github-action from 3.0.1 to 3.0.2 (#596)
  • feba1e2 ci: skip publish step if no release is needed (#599)
  • Additional commits viewable in compare view

Updates astral-sh/setup-uv from 8.1.0 to 8.2.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.2.0 🌈 New inputs quiet and download-from-astral-mirror

Changes

This release brings two new inputs and a few bug fixes.

New inputs

Let's talk about the new inputs first.

quiet

Pretty simple. It turns off all info logging. Useful if you use this in a composite action and are not interested in all the details. In the upcoming releases we will add log groups to fully implement support for "less noise".

[!NOTE]
Warnings and errors are always logged.

download-from-astral-mirror

In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting download-from-astral-mirror: false allows you to do that.

Bugfixes

When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token. All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.

We couldn't pinpoint all root causes yet but added more logging for error cases to track them down.

🐛 Bug fixes

🚀 Enhancements

🧰 Maintenance

... (truncated)

Commits
  • fac544c chore(deps): roll up dependabot updates (#903)
  • 7390f77 docs: update dependabot rollup biome guidance (#902)
  • 363c64a chore(deps): roll up dependabot updates (#901)
  • c4fcbaf chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 (#900)
  • 8e642c5 chore: update known checksums for 0.11.18 (#899)
  • a92cb43 Add quiet input to suppress info-level log output (#898)
  • e07f2ac chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 (#842)
  • bc4034e chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 (#893)
  • df42d4f chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 (#891)
  • b9c8c4c feat: add download-from-astral-mirror input (#897)
  • Additional commits viewable in compare view

Updates huggingface/transformers/.github/workflows/collated-reports.yml from 6abd972 to 8698b5a

Commits

Updates huggingface/tailscale-action from 7d53c9737e53934c30290b5524d1c9b4a7c98c8a to 07d36e4c3b68707bd3fe070dbb96f03f993a6efd

Commits

Updates trufflesecurity/trufflehog from 3.95.5 to 3.95.6

Release notes

Sourced from trufflesecurity/trufflehog's releases.

v3.95.6

What's Changed

New Contributors

Full Changelog: trufflesecurity/trufflehog@v3.95.4...v3.95.6

Commits
  • 30d5bb9 S3: surface bucket listing failures and fix multi-role object count (#5035)
  • f0739f1 close todo - embed small HTTP test fixtures (#5001)
  • 36d680a add filetype=sdist param so we get the correct response code (#4988)
  • 248ffd5 fix(dropbox): prevent long sl.u. tokens from being truncated before verificat...
  • afbdaa8 Fix: Resolve known dedup issues in notifierWorker (#5028)
  • 7bcf376 [INS-472] [INS-515] Add user detector to defaults.go, gate it behind feat fla...
  • 84a2b33 Fix Renovate lookup: update setup-captain version comment (#4999)
  • ac0805e [INS-469] Added Rev detectors to defaults.go and gated it behind feature flag...
  • d03d087 GitHub finegrain analyzer was improperly handling errors (#4498)
  • b64cefe set redacted value to last 4 characters of secret, to match how the secret ty...
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the actions group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.2` | `7.0.0` |
| [actions/cache](https://github.com/actions/cache) | `5.0.5` | `6.1.0` |
| [actions/setup-python](https://github.com/actions/setup-python) | `6.2.0` | `6.3.0` |
| [slackapi/slack-github-action](https://github.com/slackapi/slack-github-action) | `1.25.0` | `3.0.3` |
| [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `8.1.0` | `8.2.0` |
| [huggingface/transformers/.github/workflows/collated-reports.yml](https://github.com/huggingface/transformers) | `6abd9725ee7d809dc974991f8ff6c958afb63a3a` | `8698b5a52598d13a4f9e7fe46457526dae967a79` |
| [huggingface/tailscale-action](https://github.com/huggingface/tailscale-action) | `7d53c9737e53934c30290b5524d1c9b4a7c98c8a` | `07d36e4c3b68707bd3fe070dbb96f03f993a6efd` |
| [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) | `3.95.5` | `3.95.6` |



Updates `actions/checkout` from 6.0.2 to 7.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@de0fac2...9c091bb)

Updates `actions/cache` from 5.0.5 to 6.1.0
- [Release notes](https://github.com/actions/cache/releases)
- [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md)
- [Commits](actions/cache@27d5ce7...55cc834)

Updates `actions/setup-python` from 6.2.0 to 6.3.0
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](actions/setup-python@a309ff8...ece7cb0)

Updates `slackapi/slack-github-action` from 1.25.0 to 3.0.3
- [Release notes](https://github.com/slackapi/slack-github-action/releases)
- [Changelog](https://github.com/slackapi/slack-github-action/blob/main/CHANGELOG.md)
- [Commits](slackapi/slack-github-action@v1.25...45a88b9)

Updates `astral-sh/setup-uv` from 8.1.0 to 8.2.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@0880764...fac544c)

Updates `huggingface/transformers/.github/workflows/collated-reports.yml` from 6abd972 to 8698b5a
- [Release notes](https://github.com/huggingface/transformers/releases)
- [Commits](6abd972...8698b5a)

Updates `huggingface/tailscale-action` from 7d53c9737e53934c30290b5524d1c9b4a7c98c8a to 07d36e4c3b68707bd3fe070dbb96f03f993a6efd
- [Release notes](https://github.com/huggingface/tailscale-action/releases)
- [Commits](huggingface/tailscale-action@7d53c97...07d36e4)

Updates `trufflesecurity/trufflehog` from 3.95.5 to 3.95.6
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](trufflesecurity/trufflehog@d411fff...30d5bb9)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 7.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/cache
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: actions/setup-python
  dependency-version: 6.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: slackapi/slack-github-action
  dependency-version: 3.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions
- dependency-name: huggingface/transformers/.github/workflows/collated-reports.yml
  dependency-version: 8698b5a
  dependency-type: direct:production
  dependency-group: actions
- dependency-name: huggingface/tailscale-action
  dependency-version: 07d36e4c3b68707bd3fe070dbb96f03f993a6efd
  dependency-type: direct:production
  dependency-group: actions
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Jul 2, 2026
@github-actions

github-actions Bot commented Jul 2, 2026

Thank you for your contribution 🤗!

CI Security Gate — automatic approval blocked

This PR was not automatically approved for CI because the security gate failed.

Possible reasons:

  • The PR touches 50 or more files — only PRs with fewer than 50 changed files are automatically approved
  • A changed file is outside the allowed directories (src/, tests/, docs/, utils/), has a disallowed extension (only .py, .txt, .md permitted outside tests/ and docs/), or is not .md/.yml inside docs/
  • A new high-severity security issue was detected in the changed Python files (Bandit check)

See the workflow run for the exact violations.

A maintainer can review and manually approve CI if a finding is a false positive.
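
The file-count and path rules listed in the comment above, written out as an added Python example (not the repository's workflow code). It assumes files under tests/ may carry any extension and leaves the Bandit check out; the function names and sample paths are constructed for illustration.

```python
import posixpath

MAX_FILES = 50                               # gate blocks at 50 or more changed files
ALLOWED_DIRS = ("src", "tests", "docs", "utils")
DEFAULT_EXTS = {".py", ".txt", ".md"}        # permitted outside tests/ and docs/
DOCS_EXTS = {".md", ".yml"}                  # permitted inside docs/


def violation(path):
    """Return a reason string if `path` fails the gate, else None."""
    # Normalise first so "src/../.github/..." cannot pass as a src/ file.
    norm = posixpath.normpath(path.replace("\\", "/"))
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        return "path escapes the repository root"
    top = norm.split("/", 1)[0]
    if "/" not in norm or top not in ALLOWED_DIRS:
        return "outside allowed directories"
    ext = posixpath.splitext(norm)[1].lower()
    if top == "tests":                       # assumption: any extension under tests/
        return None
    if top == "docs":
        return None if ext in DOCS_EXTS else "not .md/.yml inside docs/"
    return None if ext in DEFAULT_EXTS else "disallowed extension"


def gate(changed_files):
    """Return (approved, {path: reason}) for a list of changed paths."""
    problems = {}
    if len(changed_files) >= MAX_FILES:
        problems["<pr>"] = f"{len(changed_files)} changed files, limit is fewer than {MAX_FILES}"
    for path in changed_files:
        reason = violation(path)
        if reason:
            problems[path] = reason
    return (not problems, problems)


# Constructed sample: a workflow-file change, as a GitHub Actions bump would make,
# next to paths that the listed rules accept or reject.
SAMPLE = [
    ".github/workflows/example.yml",
    "src/pkg/module.py",
    "docs/guide.md",
    "docs/conf.py",
    "utils/helper.sh",
]

if __name__ == "__main__":
    approved, problems = gate(SAMPLE)
    print("approved:", approved)
    for path, reason in problems.items():
        print(f"  {path}: {reason}")
```

Under these rules any change to a workflow file falls outside the allowed directories, so a pull request that only bumps GitHub Actions versions always needs manual CI approval.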

@github-actions

github-actions Bot commented Jul 2, 2026

CI recap

Dashboard: View test results in Grafana
Latest run: 28593303877
Result: success | Grafana metrics are not available yet.

@HuggingFaceDocBuilderDev

The docs for this PR live here. All of your documentation changes will be reflected on that endpoint. The docs are available until 30 days after the last update.
