chore(deps)(deps): bump the github-actions group across 1 directory with 3 updates

[dependabot]

Bumps the github-actions group with 3 updates in the / directory: astral-sh/setup-uv, aquasecurity/trivy-action and softprops/action-gh-release.

Updates astral-sh/setup-uv from 7.3.0 to 7.6.0

Release notes

Sourced from astral-sh/setup-uv's releases.

v7.6.0 🌈 Fetch uv from Astral's mirror by default

Changes

We now default to download uv from releases.astral.sh. This means by default we don't hit the GitHub API at all and shouldn't see any rate limits and timeouts any more.

🚀 Enhancements

• Fetch uv from Astral's mirror by default @​zsol (#809)

🧰 Maintenance

• Switch to ESM for source and test, use CommonJS for dist @​eifinger (#806)
• chore: update known checksums for 0.10.10 @github-actions[bot] (#804)

⬆️ Dependency updates

• chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 @dependabot[bot] (#808)
• Bump deps @​eifinger (#805)

v7.5.0 🌈 Use astral-sh/versions as version provider

No more rate-limits

This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.

Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.

The manifest-file input was an earlier attempt to improve this. It allows providing an url to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest. However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.

This release solves the problem by sourcing version data from Astral’s versions repository via the raw content endpoint:

https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson

By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.

---

[!TIP] The next section is only interesting for users of the manifest-file input

The manifest-file input lets you override that source with your own URL, for example to test custom uv builds or alternate download locations.

The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:

{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}

... (truncated)

Commits

• 37802ad Fetch uv from Astral's mirror by default (#809)
• 9f00d18 chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)
• fd8f376 Switch to ESM for source and test, use CommonJS for dist (#806)
• f9070de Bump deps (#805)
• cadb67b chore: update known checksums for 0.10.10 (#804)
• e06108d Use astral-sh/versions as primary version provider (#802)
• 0f6ec07 docs: replace copilot instructions with AGENTS.md (#794)
• 821e5c9 docs: add cross-client dependabot rollup skill (#793)
• 6ee6290 chore(deps): bump versions (#792)
• 9f332a1 Add riscv64 architecture support to platform detection (#791)
• Additional commits viewable in compare view

Updates aquasecurity/trivy-action from 0.34.1 to 0.35.0

Release notes

Sourced from aquasecurity/trivy-action's releases.

v0.35.0

What's Changed

• chore(deps): Update trivy to v0.69.3 by @​aqua-bot in aquasecurity/trivy-action#519

Full Changelog: aquasecurity/trivy-action@0.34.2...0.35.0

v0.34.2

What's Changed

• feat: add YAML support for trivyignores by @​nikpivkin in aquasecurity/trivy-action#508
• chore: bump default Trivy version to v0.69.2 by @​nick-the-nuke in aquasecurity/trivy-action#513
• chore: bump Trivy version to v0.69.2 in test workflow and README by @​DmitriyLewen in aquasecurity/trivy-action#515

New Contributors

• @​nick-the-nuke made their first contribution in aquasecurity/trivy-action#513

Full Changelog: aquasecurity/trivy-action@0.34.1...0.34.2

Commits

• 57a97c7 chore(deps): Update trivy to v0.69.3 (#519)
• 97e0b38 chore: bump Trivy version to v0.69.2 in test workflow and README (#515)
• 4c61e63 chore: bump default Trivy version to v0.69.2 (#513)
• 1bd0625 Merge pull request #508 from nikpivkin/feat/pass-yaml-ignore-file
• bce3086 remove unused init-cache target
• 5a9fbb1 supress progress bar when download db
• 1615450 update trivyignores input description
• df85774 add comment about fd3
• 56c8dae remove unused variable
• 6476b93 feat: support for YAML ignore file
• See full diff in compare view

Updates softprops/action-gh-release from 2.5.0 to 2.6.1

Release notes

Sourced from softprops/action-gh-release's releases.

v2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in softprops/action-gh-release#765

v2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in softprops/action-gh-release#372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in softprops/action-gh-release#760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in softprops/action-gh-release#759
• docs: clarify working_directory input by @​chenrui333 in softprops/action-gh-release#761
• ci: verify dist bundle freshness by @​chenrui333 in softprops/action-gh-release#762
• fix: clarify immutable prerelease uploads by @​chenrui333 in softprops/action-gh-release#763

v2.5.3

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2. It fixes [#639](https://github.com/softprops/action-gh-release/issues/639), [#571](https://github.com/softprops/action-gh-release/issues/571), [#280](https://github.com/softprops/action-gh-release/issues/280), [#614](https://github.com/softprops/action-gh-release/issues/614), [#311](https://github.com/softprops/action-gh-release/issues/311), [#403](https://github.com/softprops/action-gh-release/issues/403), and [#368](https://github.com/softprops/action-gh-release/issues/368). It also adds documentation clarifications for [#541](https://github.com/softprops/action-gh-release/issues/541), [#645](https://github.com/softprops/action-gh-release/issues/645), [#542](https://github.com/softprops/action-gh-release/issues/542), [#393](https://github.com/softprops/action-gh-release/issues/393), and [#411](https://github.com/softprops/action-gh-release/issues/411), where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

... (truncated)

Changelog

Sourced from softprops/action-gh-release's changelog.

2.6.1

2.6.1 is a patch release focused on restoring linked discussion thread creation when discussion_category_name is set. It fixes [#764](https://github.com/softprops/action-gh-release/issues/764), where the draft-first publish flow stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

• fix: preserve discussion category on publish by @​chenrui333 in softprops/action-gh-release#765

2.6.0

2.6.0 is a minor release centered on previous_tag support for generate_release_notes, which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range. It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync, a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉

• feat: support previous_tag for generate_release_notes by @​pocesar in softprops/action-gh-release#372

Bug fixes 🐛

• fix: recover concurrent asset metadata 404s by @​chenrui333 in softprops/action-gh-release#760

Other Changes 🔄

• docs: clarify reused draft release behavior by @​chenrui333 in softprops/action-gh-release#759
• docs: clarify working_directory input by @​chenrui333 in softprops/action-gh-release#761
• ci: verify dist bundle freshness by @​chenrui333 in softprops/action-gh-release#762
• fix: clarify immutable prerelease uploads by @​chenrui333 in softprops/action-gh-release#763

2.5.3

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2. It fixes [#639](https://github.com/softprops/action-gh-release/issues/639), [#571](https://github.com/softprops/action-gh-release/issues/571), [#280](https://github.com/softprops/action-gh-release/issues/280), [#614](https://github.com/softprops/action-gh-release/issues/614), [#311](https://github.com/softprops/action-gh-release/issues/311), [#403](https://github.com/softprops/action-gh-release/issues/403), and [#368](https://github.com/softprops/action-gh-release/issues/368). It also adds documentation clarifications for [#541](https://github.com/softprops/action-gh-release/issues/541), [#645](https://github.com/softprops/action-gh-release/issues/645), [#542](https://github.com/softprops/action-gh-release/issues/542), [#393](https://github.com/softprops/action-gh-release/issues/393), and [#411](https://github.com/softprops/action-gh-release/issues/411), where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

... (truncated)

Commits

• 153bb8e release 2.6.1
• 569deb8 fix: preserve discussion category when publishing releases (#765)
• 26e8ad2 release 2.6.0
• b959f31 fix: clarify immutable prerelease uploads (#763)
• 8a8510e ci: verify dist bundle freshness (#762)
• 438c15d docs: clarify working_directory input (#761)
• 6ca3b5d fix: recover concurrent asset metadata 404s (#760)
• 11f9176 chore: add RELEASE.md
• 1f3f350 feat: add AGENTS.md
• 37819cb docs: clarify reused draft release behavior (#759)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.