Bump the actions group across 1 directory with 3 updates

[dependabot]

Bumps the actions group with 3 updates in the / directory: actions/setup-python, github/codeql-action and astral-sh/setup-uv.

Updates actions/setup-python from 4 to 5

Release notes

Sourced from actions/setup-python's releases.

v5.0.0

What's Changed

In scope of this release, we update node version runtime from node16 to node20 (actions/setup-python#772). Besides, we update dependencies to the latest versions.

Full Changelog: actions/setup-python@v4.8.0...v5.0.0

v4.9.1

What's Changed

• Add workflow file for publishing releases to immutable action package by @​aparnajyothi-y in actions/setup-python#1084

Full Changelog: actions/setup-python@v4...v4.9.1

v4.9.0

What's Changed

• Upgrade actions/cache to 4.0.3 by @​priya-kinthali in actions/setup-python#1073 In scope of this release we updated actions/cache package to ensure continued support and compatibility, as older versions of the package are now deprecated. For more information please refer to the toolkit/cache.

Full Changelog: actions/setup-python@v4.8.0...v4.9.0

v4.8.0

What's Changed

In scope of this release we added support for GraalPy (actions/setup-python#694). You can use this snippet to set up GraalPy:

steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v4 
  with:
    python-version: 'graalpy-22.3' 
- run: python my_script.py

Besides, the release contains such changes as:

• Trim python version when reading from file by @​FerranPares in actions/setup-python#628
• Use non-deprecated versions in examples by @​jeffwidman in actions/setup-python#724
• Change deprecation comment to past tense by @​jeffwidman in actions/setup-python#723
• Bump @​babel/traverse from 7.9.0 to 7.23.2 by @​dependabot in actions/setup-python#743
• advanced-usage.md: Encourage the use actions/checkout@v4 by @​cclauss in actions/setup-python#729
• Examples now use checkout@v4 by @​simonw in actions/setup-python#738
• Update actions/checkout to v4 by @​dmitry-shibanov in actions/setup-python#761

New Contributors

• @​FerranPares made their first contribution in actions/setup-python#628
• @​timfel made their first contribution in actions/setup-python#694
• @​jeffwidman made their first contribution in actions/setup-python#724

Full Changelog: actions/setup-python@v4...v4.8.0

... (truncated)

Commits

• a26af69 Bump ts-jest from 29.1.2 to 29.3.2 (#1081)
• 30eafe9 Bump prettier from 2.8.8 to 3.5.3 (#1046)
• 5d95bc1 Bump semver and @​types/semver (#1091)
• 6ed2c67 Fix for Candidate Not Iterable Error (#1082)
• e348410 Remove Ubuntu 20.04 from workflows due to deprecation from 2025-04-15 (#1065)
• 8d9ed9a Add e2e Testing for free threaded and Bump @​action/cache from 4.0.0 to 4.0.3 ...
• 19e4675 Add support for .tool-versions file in setup-python (#1043)
• 6fd11e1 Bump @​actions/glob from 0.4.0 to 0.5.0 (#1015)
• 9e62be8 Support free threaded Python versions like '3.13t' (#973)
• 6ca8e85 Bump @​vercel/ncc from 0.38.1 to 0.38.3 (#1016)
• Additional commits viewable in compare view

Updates github/codeql-action from 3.28.16 to 3.28.17

Release notes

Sourced from github/codeql-action's releases.

v3.28.17

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

See the full CHANGELOG.md for more information.

Changelog

Sourced from github/codeql-action's changelog.

CodeQL Action Changelog

See the releases page for the relevant changes to the CodeQL CLI and language packs.

[UNRELEASED]

No user facing changes.

3.28.17 - 02 May 2025

• Update default CodeQL bundle version to 2.21.2. #2872

3.28.16 - 23 Apr 2025

• Update default CodeQL bundle version to 2.21.1. #2863

3.28.15 - 07 Apr 2025

• Fix bug where the action would fail if it tried to produce a debug artifact with more than 65535 files. #2842

3.28.14 - 07 Apr 2025

• Update default CodeQL bundle version to 2.21.0. #2838

3.28.13 - 24 Mar 2025

No user facing changes.

3.28.12 - 19 Mar 2025

• Dependency caching should now cache more dependencies for Java build-mode: none extractions. This should speed up workflows and avoid inconsistent alerts in some cases.
• Update default CodeQL bundle version to 2.20.7. #2810

3.28.11 - 07 Mar 2025

• Update default CodeQL bundle version to 2.20.6. #2793

3.28.10 - 21 Feb 2025

• Update default CodeQL bundle version to 2.20.5. #2772
• Address an issue where the CodeQL Bundle would occasionally fail to decompress on macOS. #2768

3.28.9 - 07 Feb 2025

• Update default CodeQL bundle version to 2.20.4. #2753

3.28.8 - 29 Jan 2025

• Enable support for Kotlin 2.1.10 when running with CodeQL CLI v2.20.3. #2744

... (truncated)

Commits

• 60168ef Merge pull request #2886 from github/update-v3.28.17-97a2bfd2a
• 0d5a311 Update changelog for v3.28.17
• 97a2bfd Merge pull request #2872 from github/update-bundle/codeql-bundle-v2.21.2
• 9aba20e Merge branch 'main' into update-bundle/codeql-bundle-v2.21.2
• 81a9508 Merge pull request #2876 from github/henrymercer/fix-diff-informed-multiple-a...
• 1569f4c Disable diff-informed queries in code scanning config tests
• 62fbeb6 Merge branch 'main' into henrymercer/fix-diff-informed-multiple-analyze
• f122d1d Address test failures from computing temporary directory too early
• 083772a Do not fail diff informed analyses when analyze is run twice in the same job
• 5db14d0 Merge branch 'main' into update-bundle/codeql-bundle-v2.21.2
• Additional commits viewable in compare view

Updates astral-sh/setup-uv from 5.4.2 to 6.0.1

Release notes

Sourced from astral-sh/setup-uv's releases.

v6.0.1 🌈 Fix default cache dependency glob

Changes

The new default in v6 used illegal patterns and therefore didn't match requirements files. This is now fixed.

🐛 Bug fixes

• Fix default cache dependency glob @​eifinger (#388)

🧰 Maintenance

• chore: update known checksums for 0.6.17 @github-actions[bot] (#384)

⬆️ Dependency updates

• Bump dependencies @​eifinger (#389)

v6.0.0 🌈 activate-environment and working-directory

Changes

This version contains some breaking changes which have been gathering up for a while. Lets dive into them:

• Activate environment
• Working Directory
• Default cache-dependency-glob
• Use default cache dir on self hosted runners

Activate environment

In previous versions using the input python-version automatically activated a venv at the repository root. This led to some unwanted side-effects, was sometimes unexpected and not flexible enough.

The venv activation is now explicitly controlled with the new input activate-environment (false by default):

- name: Install the latest version of uv and activate the environment
  uses: astral-sh/setup-uv@v6
  with:
    activate-environment: true
- run: uv pip install pip

The venv gets created by the uv venv command so the python version is controlled by the python-version input or the files pyproject.toml, uv.toml, .python-version in the working-directory.

Working Directory

The new input working-directory controls where we look for pyproject.toml, uv.toml and .python-version files which are used to determine the version of uv and python to install.

It can also be used to control where the venv gets created.

... (truncated)

Commits

• 6b9c606 Bump dependencies (#389)
• ef6bcdf Fix default cache dependency glob (#388)
• 9a31171 chore: update known checksums for 0.6.17 (#384)
• c7f87aa bump to v6 in README (#382)
• aadfaf0 Change default cache-dependency-glob (#352)
• a0f9da6 No default UV_CACHE_DIR on selfhosted runners (#380)
• ec4c691 new inputs activate-environment and working-directory (#381)
• aa12905 chore: update known checksums for 0.6.16 (#378)
• fcaddda chore: update known checksums for 0.6.15 (#377)
• fb3a0a9 log info on venv activation (#375)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions