Bump the dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the dependencies group with 7 updates in the / directory:

Package	From	To
actions/checkout	4.2.2	5.0.0
prefix-dev/setup-pixi	0.8.8	0.9.0
actions/cache	4.2.3	4.2.4
actions/download-artifact	4.3.0	5.0.0
softprops/action-gh-release	2.2.2	2.3.2
ossf/scorecard-action	2.4.1	2.4.2
github/codeql-action	97a2bfd2a3d26d458da69e548f7f859d6fca634d	f9a0f98a391397619da21c38f1ebf973bd6a55f4

Updates actions/checkout from 4.2.2 to 5.0.0

Release notes

Sourced from actions/checkout's releases.

v5.0.0

What's Changed

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226
• Prepare v5.0.0 release by @​salmanmkc in actions/checkout#2238

⚠️ Minimum Compatible Runner Version

v2.327.1
Release Notes

Make sure your runner is updated to this version or newer to use this release.

Full Changelog: actions/checkout@v4...v5.0.0

v4.3.0

What's Changed

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236
• Prepare release v4.3.0 by @​salmanmkc in actions/checkout#2237

New Contributors

• @​motss made their first contribution in actions/checkout#1971
• @​mouismail made their first contribution in actions/checkout#1977
• @​benwells made their first contribution in actions/checkout#2043
• @​nebuk89 made their first contribution in actions/checkout#2194
• @​salmanmkc made their first contribution in actions/checkout#2236

Full Changelog: actions/checkout@v4...v4.3.0

Changelog

Sourced from actions/checkout's changelog.

Changelog

V5.0.0

• Update actions checkout to use node 24 by @​salmanmkc in actions/checkout#2226

V4.3.0

• docs: update README.md by @​motss in actions/checkout#1971
• Add internal repos for checking out multiple repositories by @​mouismail in actions/checkout#1977
• Documentation update - add recommended permissions to Readme by @​benwells in actions/checkout#2043
• Adjust positioning of user email note and permissions heading by @​joshmgross in actions/checkout#2044
• Update README.md by @​nebuk89 in actions/checkout#2194
• Update CODEOWNERS for actions by @​TingluoHuang in actions/checkout#2224
• Update package dependencies by @​salmanmkc in actions/checkout#2236

v4.2.2

• url-helper.ts now leverages well-known environment variables by @​jww3 in actions/checkout#1941
• Expand unit test coverage for isGhes by @​jww3 in actions/checkout#1946

v4.2.1

• Check out other refs/* by commit if provided, fall back to ref by @​orhantoy in actions/checkout#1924

v4.2.0

• Add Ref and Commit outputs by @​lucacome in actions/checkout#1180
• Dependency updates by @​dependabot- actions/checkout#1777, actions/checkout#1872

v4.1.7

• Bump the minor-npm-dependencies group across 1 directory with 4 updates by @​dependabot in actions/checkout#1739
• Bump actions/checkout from 3 to 4 by @​dependabot in actions/checkout#1697
• Check out other refs/* by commit by @​orhantoy in actions/checkout#1774
• Pin actions/checkout's own workflows to a known, good, stable version. by @​jww3 in actions/checkout#1776

v4.1.6

• Check platform to set archive extension appropriately by @​cory-miller in actions/checkout#1732

v4.1.5

• Update NPM dependencies by @​cory-miller in actions/checkout#1703
• Bump github/codeql-action from 2 to 3 by @​dependabot in actions/checkout#1694
• Bump actions/setup-node from 1 to 4 by @​dependabot in actions/checkout#1696
• Bump actions/upload-artifact from 2 to 4 by @​dependabot in actions/checkout#1695
• README: Suggest user.email to be 41898282+github-actions[bot]@users.noreply.github.com by @​cory-miller in actions/checkout#1707

v4.1.4

• Disable extensions.worktreeConfig when disabling sparse-checkout by @​jww3 in actions/checkout#1692
• Add dependabot config by @​cory-miller in actions/checkout#1688
• Bump the minor-actions-dependencies group with 2 updates by @​dependabot in actions/checkout#1693
• Bump word-wrap from 1.2.3 to 1.2.5 by @​dependabot in actions/checkout#1643

v4.1.3

... (truncated)

Commits

• 08c6903 Prepare v5.0.0 release (#2238)
• 9f26565 Update actions checkout to use node 24 (#2226)
• 08eba0b Prepare release v4.3.0 (#2237)
• 631c7dc Update package dependencies (#2236)
• 8edcb1b Update CODEOWNERS for actions (#2224)
• 09d2aca Update README.md (#2194)
• 85e6279 Adjust positioning of user email note and permissions heading (#2044)
• 009b9ae Documentation update - add recommended permissions to Readme (#2043)
• cbb7224 Update README.md (#1977)
• 3b9b8c8 docs: update README.md (#1971)
• See full diff in compare view

Updates prefix-dev/setup-pixi from 0.8.8 to 0.9.0

Release notes

Sourced from prefix-dev/setup-pixi's releases.

v0.9.0

What's Changed

⬆️ Dependency updates

• chore(deps): bump the nodejs group with 7 updates by @​dependabot[bot] in prefix-dev/setup-pixi#218

🤷🏻 Other changes

• chore: Bump to node 24 by @​pavelzw in prefix-dev/setup-pixi#219

Full Changelog: prefix-dev/setup-pixi@v0.8.14...v0.9.0

v0.8.14

What's Changed

✨ New features

• feat: Replace pixi-url-bearer-token by pixi-url-headers by @​ytausch in prefix-dev/setup-pixi#217

Full Changelog: prefix-dev/setup-pixi@v0.8.13...v0.8.14

v0.8.13

What's Changed

✨ New features

• feat: Allow specifying inputs as environment variables by @​ytausch in prefix-dev/setup-pixi#214
• feat: Add Support for Handlebars Templates in pixi-url by @​ytausch in prefix-dev/setup-pixi#213

🤷🏻 Other changes

• test: Enable failure tests by @​ytausch in prefix-dev/setup-pixi#215
• test: Skip tests with secrets on fork PRs by @​ytausch in prefix-dev/setup-pixi#216

Full Changelog: prefix-dev/setup-pixi@v0.8.12...v0.8.13

v0.8.12

What's Changed

🐛 Bug fixes

• fix: Multiple invokations of setup-pixi by @​pavelzw in prefix-dev/setup-pixi#211

Full Changelog: prefix-dev/setup-pixi@v0.8.11...v0.8.12

v0.8.11

What's Changed

... (truncated)

Commits

• fef5c95 chore: Bump to node 24 (#219)
• 6261849 chore(deps): bump the nodejs group with 7 updates (#218)
• 8ca4608 feat: Replace pixi-url-bearer-token by pixi-url-headers (#217)
• b1ab8f2 feat: Add Support for Handlebars Templates in pixi-url (#213)
• d7951c2 test: Skip tests with secrets on fork PRs (#216)
• 4522f64 feat: Allow specifying inputs as environment variables (#214)
• a8c5cac test: Enable failure tests (#215)
• 307e5e5 fix: Multiple invokations of setup-pixi (#211)
• 273e480 feat: Add pixi-url-bearer-token to authenticate when downloading from `pixi...
• c690703 Bump softprops/action-gh-release from 2.2.2 to 2.3.2 in the gh-actions group ...
• Additional commits viewable in compare view

Updates actions/cache from 4.2.3 to 4.2.4

Release notes

Sourced from actions/cache's releases.

v4.2.4

What's Changed

• Update README.md by @​nebuk89 in actions/cache#1620
• Upgrade @actions/cache to 4.0.5 and move @protobuf-ts/plugin to dev depdencies by @​Link- in actions/cache#1634
• Prepare release 4.2.4 by @​Link- in actions/cache#1636

New Contributors

• @​nebuk89 made their first contribution in actions/cache#1620

Full Changelog: actions/cache@v4...v4.2.4

Changelog

Sourced from actions/cache's changelog.

Releases

4.2.4

• Bump @actions/cache to v4.0.5

4.2.3

• Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

• Bump @actions/cache to v4.0.2

4.2.1

• Bump @actions/cache to v4.0.1

4.2.0

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

We are deprecating some versions of this action. We recommend upgrading to version v4 or v3 as soon as possible before February 1st, 2025. (Upgrade instructions below).

If you are using pinned SHAs, please use the SHAs of versions v4.2.0 or v3.4.0

If you do not upgrade, all workflow runs using any of the deprecated actions/cache will fail.

Upgrading to the recommended versions will not break your workflows.

4.1.2

• Add GitHub Enterprise Cloud instances hostname filters to inform API endpoint choices - #1474
• Security fix: Bump braces from 3.0.2 to 3.0.3 - #1475

4.1.1

• Restore original behavior of cache-hit output - #1467

4.1.0

• Ensure cache-hit output is set when a cache is missed - #1404
• Deprecate save-always input - #1452

4.0.2

• Fixed restore fail-on-cache-miss not working.

... (truncated)

Commits

• 0400d5f Merge pull request #1636 from actions/Link-/release-4.2.4
• 374a27f Prepare release 4.2.4
• 358a730 Merge pull request #1634 from actions/Link-/optimise-deps
• 2ee706e Fix with another approach
• 94f7b5d Fix bundle exec
• c36116c Fix the workflow to use licensed from source
• 320fe7d Update the licensed workflow to use the latest version
• d81cc47 Add licensed output
• de24398 Add licensed output
• e7b6a9c @​protobuf-ts/plugin to dev dependencies
• Additional commits viewable in compare view

Updates actions/download-artifact from 4.3.0 to 5.0.0

Release notes

Sourced from actions/download-artifact's releases.

v5.0.0

What's Changed

• Update README.md by @​nebuk89 in actions/download-artifact#407
• BREAKING fix: inconsistent path behavior for single artifact downloads by ID by @​GrantBirki in actions/download-artifact#416

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

• By name: name: my-artifact → extracted to path/ (direct)
• By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

• By name: name: my-artifact → extracted to path/ (unchanged)
• By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

• You download artifacts by name
• You download multiple artifacts by ID
• You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist
# Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

</tr></table> 

... (truncated)

Commits

• 634f93c Merge pull request #416 from actions/single-artifact-id-download-path
• b19ff43 refactor: resolve download path correctly in artifact download tests (mainly ...
• e262cbe bundle dist
• bff23f9 update docs
• fff8c14 fix download path logic when downloading a single artifact by id
• 448e3f8 Merge pull request #407 from actions/nebuk89-patch-1
• 47225c4 Update README.md
• See full diff in compare view

Updates softprops/action-gh-release from 2.2.2 to 2.3.2

Release notes

Sourced from softprops/action-gh-release's releases.

v2.3.2

• fix: revert fs readableWebStream change

v2.3.1

What's Changed

Bug fixes 🐛

• fix: fix file closing issue by @​WailGree in softprops/action-gh-release#629

New Contributors

• @​WailGree made their first contribution in softprops/action-gh-release#629

Full Changelog: softprops/action-gh-release@v2.3.0...v2.3.1

v2.3.0

• Migrate from jest to vitest
• Replace mime with mime-types
• Bump to use node 24
• Dependency updates

Full Changelog: softprops/action-gh-release@v2.2.2...v2.3.0

Changelog

Sourced from softprops/action-gh-release's changelog.

2.3.2

• fix: revert fs readableWebStream change

2.3.1

Bug fixes 🐛

• fix: fix file closing issue by @​WailGree in softprops/action-gh-release#629

2.3.0

• Migrate from jest to vitest
• Replace mime with mime-types
• Bump to use node 24
• Dependency updates

2.2.2

What's Changed

Bug fixes 🐛

• fix: updating release draft status from true to false by @​galargh in softprops/action-gh-release#316

Other Changes 🔄

• chore: simplify ref_type test by @​steinybot in softprops/action-gh-release#598
• fix(docs): clarify the default for tag_name by @​muzimuzhi in softprops/action-gh-release#599
• test(release): add unit tests when searching for a release by @​rwaskiewicz in softprops/action-gh-release#603
• dependency updates

2.2.1

What's Changed

Bug fixes 🐛

• fix: big file uploads by @​xen0n in softprops/action-gh-release#562

Other Changes 🔄

• chore(deps): bump @​types/node from 22.10.1 to 22.10.2 by @​dependabot in softprops/action-gh-release#559
• chore(deps): bump @​types/node from 22.10.2 to 22.10.5 by @​dependabot in softprops/action-gh-release#569
• chore: update error and warning messages for not matching files in files field by @​ytimocin in softprops/action-gh-release#568

2.2.0

What's Changed

Exciting New Features 🎉

... (truncated)

Commits

• 72f2c25 release 2.3.2
• 552dc55 fix: revert fs:readableWebStream change (#632)
• f3cad8b release 2.3.1
• 07a2257 fix: fix file closing issue (#629)
• d5382d3 release 2.3.0
• a0e2122 feat: migrate from jest to vitest (#626)
• 8836085 chore: replace mime with mime-types (#624)
• 8646335 chore: bump node to 20.19.2
• 46b2847 chore(deps): bump the npm group across 1 directory with 5 updates (#623)
• 37fd9d0 chore(deps): bump undici from 5.28.5 to 5.29.0 (#621)
• Additional commits viewable in compare view

Updates ossf/scorecard-action from 2.4.1 to 2.4.2

Release notes

Sourced from ossf/scorecard-action's releases.

v2.4.2

What's Changed

This update bumps the Scorecard version to the v5.2.1 release. For a complete list of changes, please refer to the Scorecard v5.2.0 and v5.2.1 release notes.

Full Changelog: ossf/scorecard-action@v2.4.1...v2.4.2

Commits

• 05b42c6 🌱 bump docker to ghcr v2.4.2 (#1548)
• b225da6 Bump github.com/ossf/scorecard/v5 from v5.2.0 to v5.2.1 (#1550)
• 9399f6f 🌱 Bump the docker-images group across 1 directory with 2 updates (#1...
• e1daa8c 🌱 Bump the github-actions group across 1 directory with 5 updates (#...
• 9fe6511 🌱 Bump golang.org/x/net from 0.39.0 to 0.40.0 (#1542)
• 25b9cd9 🌱 Bump github.com/ossf/scorecard/v5 from v5.1.1 to v5.2.0 (#1547)
• 18cc9b8 🌱 Bump golang.org/x/net from 0.38.0 to 0.39.0 (#1536)
• db78142 🌱 Bump the github-actions group with 2 updates (#1538)
• de386ed 🌱 Bump golang from 1.24.1 to 1.24.2 in the docker-images group (#1534)
• 5b7cedb 🌱 Bump github.com/sigstore/cosign/v2 from 2.4.3 to 2.5.0 (#1537)
• Additional commits viewable in compare view

Updates github/codeql-action from 97a2bfd2a3d26d458da69e548f7f859d6fca634d to f9a0f98a391397619da21c38f1ebf973bd6a55f4

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.30.0 - 01 Sep 2025

No user facing changes.

3.29.11 - 21 Aug 2025

• Update default CodeQL bundle version to 2.22.4. #3044

3.29.10 - 18 Aug 2025

No user facing changes.

3.29.9 - 12 Aug 2025

No user facing changes.

3.29.8 - 08 Aug 2025

• Fix an issue where the Action would autodetect unsupported languages such as HTML. #3015

3.29.7 - 07 Aug 2025

This release rolls back 3.29.6 to address issues with language autodetection. It is identical to 3.29.5.

3.29.6 - 07 Aug 2025

• The cleanup-level input to the analyze Action is now deprecated. The CodeQL Action has written a limited amount of intermediate results to the database since version 2.2.5, and now automatically manages cleanup. #2999
• Update default CodeQL bundle version to 2.22.3. #3000

3.29.5 - 29 Jul 2025

• Update default CodeQL bundle version to 2.22.2. #2986

3.29.4 - 23 Jul 2025

No user facing changes.

3.29.3 - 21 Jul 2025

No user facing changes.

3.29.2 - 30 Jun 2025

... (truncated)

Commits

• f9a0f98 Merge pull request #3068 from github/mergeback/v3.30.0-to-main-2d92b76c
• 9fde809 Merge pull request #3066 from github/henrymercer/update-dependencies
• 8eac8cc Rebuild
• 31c155d Update changelog and version after v3.30.0
• 2d92b76 Merge pull request #3067 from github/update-v3.30.0-92eada825
• 390daaf Update changelog for v3.30.0
• 92eada8 Merge pull request #3033 from github/mbg/ci/rollback-release
• 872a6a4 Add pull-requests: write permission
• 0983948 Update del
• 943116b Use url.pathToFileURL instead of file-url
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

(benchmark 17411202374 / attempt 1)
Base results / Our results / Change

Model	Size	Dump Time	Load Time
sklearn rf 20M	23.4 MiB / 3.0 MiB / 7.67 x	0.01 s / 0.03 s / 2.17 x	0.02 s / 0.03 s / 1.44 x
sklearn rf 20M lzma	6.5 MiB / 2.0 MiB / 3.21 x	10.10 s / 0.86 s / 0.08 x	0.42 s / 0.15 s / 0.36 x
sklearn rf 200M	238.8 MiB / 30.8 MiB / 7.75 x	0.14 s / 0.22 s / 1.61 x	0.22 s / 0.37 s / 1.69 x
sklearn rf 200M lzma	48.8 MiB / 14.8 MiB / 3.29 x	75.19 s / 15.03 s / 0.20 x	3.26 s / 1.18 s / 0.36 x
sklearn rf 1G	1302.2 MiB / 168.0 MiB / 7.75 x	0.84 s / 1.14 s / 1.36 x	1.28 s / 1.93 s / 1.50 x
sklearn rf 1G lzma	262.4 MiB / 99.1 MiB / 2.65 x	414.24 s / 88.78 s / 0.21 x	16.77 s / 6.95 s / 0.41 x
sklearn gb 2M	2.5 MiB / 1.1 MiB / 2.16 x	0.02 s / 0.23 s / 9.37 x	0.03 s / 0.21 s / 7.54 x
sklearn gb 2M lzma	0.6 MiB / 0.2 MiB / 3.76 x	0.78 s / 0.38 s / 0.49 x	0.07 s / 0.23 s / 3.33 x
lgbm gbdt 2M	2.6 MiB / 1.0 MiB / 2.78 x	0.05 s / 0.18 s / 3.97 x	0.01 s / 0.11 s / 13.75 x
lgbm gbdt 2M lzma	0.9 MiB / 0.5 MiB / 1.90 x	0.93 s / 0.38 s / 0.40 x	0.06 s / 0.12 s / 2.07 x
lgbm gbdt 5M	5.3 MiB / 1.9 MiB / 2.81 x	0.09 s / 0.35 s / 3.79 x	0.02 s / 0.18 s / 10.51 x
lgbm gbdt 5M lzma	1.7 MiB / 0.8 MiB / 1.96 x	2.29 s / 0.76 s / 0.33 x	0.11 s / 0.23 s / 2.11 x
lgbm gbdt 20M	22.7 MiB / 7.6 MiB / 3.00 x	0.38 s / 1.47 s / 3.90 x	0.07 s / 0.73 s / 10.02 x
lgbm gbdt 20M lzma	6.3 MiB / 3.0 MiB / 2.09 x	13.37 s / 3.54 s / 0.26 x	0.41 s / 0.88 s / 2.16 x
lgbm gbdt 100M	101.1 MiB / 33.0 MiB / 3.06 x	1.85 s / 6.72 s / 3.63 x	0.35 s / 50.75 s / 145.51 x
lgbm gbdt 100M lzma	25.6 MiB / 10.6 MiB / 2.41 x	59.35 s / 18.56 s / 0.31 x	1.66 s / 3.85 s / 2.31 x
lgbm rf 10M	10.9 MiB / 3.2 MiB / 3.46 x	0.17 s / 0.42 s / 2.45 x	0.03 s / 0.27 s / 10.00 x
lgbm rf 10M lzma	0.7 MiB / 0.4 MiB / 1.86 x	1.25 s / 0.60 s / 0.48 x	0.08 s / 0.30 s / 3.62 x

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.