
Bump the gh-actions group across 1 directory with 2 updates #1603

Open
dependabot[bot] wants to merge 1 commit into staging from dependabot/github_actions/staging/gh-actions-9ec2bcdee7

Conversation

@dependabot dependabot bot (Contributor) commented on behalf of github Feb 6, 2026

Bumps the gh-actions group with 2 updates in the / directory: pypa/gh-action-pypi-publish and devops-actions/action-get-tag.

Updates pypa/gh-action-pypi-publish from 1.9.0 to 1.13.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.13.0

[!important] 🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @woodruffw. We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@woodruffw updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip] The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #166. At PyCon US 2025 Sprints, @facutuesca, @miketheman, @woodruffw and I spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident. The result of that discussion is posted @ pypi/warehouse#11096. Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @konstin sent #378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@webknjaz made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#332). Some related bumps were contributed by @woodruffw (#359) and @kurtmckee sent a contributor-facing PR, bumping the linting configuration via #335.

💪 New Contributors

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.


v1.12.4

... (truncated)

Commits

Updates devops-actions/action-get-tag from 1.0.3 to 1.0.4

Release notes

Sourced from devops-actions/action-get-tag's releases.

Release v1.0.4

What's Changed

All dependencies up to date!

Other Changes

Dependency updates (GitHub Actions)

Dependency updates (Other)

Full Changelog: devops-actions/action-get-tag@v1.0.3...v1.0.4

Commits
  • 7121a0d build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#106)
  • c5ee410 Merge pull request #108 from devops-actions/dependabot/github_actions/github/...
  • e4492b4 Merge pull request #107 from devops-actions/dependabot/npm_and_yarn/actions/c...
  • 3334175 Merge pull request #105 from devops-actions/dependabot/github_actions/jesseho...
  • 551fe97 build(deps): bump github/codeql-action from 4.31.6 to 4.32.0
  • ebc59f1 build(deps): bump @actions/core from 2.0.1 to 3.0.0
  • 2c354d9 build(deps): bump jessehouwing/actions-semver-checker
  • eb33e0a Merge pull request #102 from devops-actions/dependabot/npm_and_yarn/actions/c...
  • 7205823 Merge pull request #101 from devops-actions/dependabot/github_actions/actions...
  • 09ba2f1 build(deps): bump @actions/core from 1.11.1 to 2.0.1
  • Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the gh-actions group with 2 updates in the / directory: [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) and [devops-actions/action-get-tag](https://github.com/devops-actions/action-get-tag).


Updates `pypa/gh-action-pypi-publish` from 1.9.0 to 1.13.0
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](pypa/gh-action-pypi-publish@v1.9.0...v1.13.0)

Updates `devops-actions/action-get-tag` from 1.0.3 to 1.0.4
- [Release notes](https://github.com/devops-actions/action-get-tag/releases)
- [Commits](devops-actions/action-get-tag@v1.0.3...v1.0.4)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-version: 1.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: gh-actions
- dependency-name: devops-actions/action-get-tag
  dependency-version: 1.0.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: gh-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
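Worked example, added here and not code from this repository, from Dependabot, or from pypa/gh-action-pypi-publish: the v1.13.0 notes above mention pinning actions to a commit SHA so that workflows satisfy organization policies mandating hash-pinned actions. The script below audits a workflow for `uses:` steps that reference a mutable tag or branch and rewrites them to full commit SHAs, keeping the human-readable tag as a trailing comment (the form Dependabot keeps bumping afterwards). The sample workflow excerpt, the placeholder SHAs in `RESOLVED`, and the `some-org/helper-action` name are all constructed for the example; in practice the map would be filled from `git ls-remote --tags` or the GitHub API. The publish job in the sample also shows the two Trusted Publishing prerequisites the release notes refer to: the `id-token: write` permission and a named GitHub Environment.

```python
import re

# Constructed workflow excerpt for this example (not the project's real
# CI_CD_actions.yml). It mixes one tag-pinned step, one branch-pinned step,
# one step already pinned to a full commit SHA, and a Trusted Publishing job
# with the id-token permission and a named GitHub Environment.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ["v*"]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # v5
        with:
          python-version: "3.13"
      - uses: some-org/helper-action@main
  publish:
    needs: build
    runs-on: ubuntu-latest
    environment: pypi
    permissions:
      id-token: write
    steps:
      - name: Publish to PyPI
        uses: pypa/gh-action-pypi-publish@v1.13.0
"""

# Constructed tag -> commit map standing in for `git ls-remote --tags` or the
# GitHub API. The SHAs are placeholders, NOT the real commits of these actions.
RESOLVED = {
    "actions/checkout@v4": "a" * 40,
    "pypa/gh-action-pypi-publish@v1.13.0": "b" * 40,
}

# `uses:` either directly after the list dash or on its own line under `- name:`.
# Local (./path) references carry no "@ref" and therefore never match.
USES_RE = re.compile(
    r"^(?P<indent>\s*(?:-\s*)?uses:\s*)(?P<repo>[^@\s]+)@(?P<ref>\S+)(?P<rest>.*)$"
)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def _mutable_ref(m):
    """True when the matched step points at a tag/branch rather than a full SHA.
    docker:// images use @sha256: digests, a different pinning scheme, so skip them."""
    return not m["repo"].startswith("docker://") and not FULL_SHA_RE.match(m["ref"])


def audit_unpinned(workflow_text):
    """Return [(line_no, 'owner/repo@ref')] for every step not pinned to a full SHA."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and _mutable_ref(m):
            findings.append((n, f"{m['repo']}@{m['ref']}"))
    return findings


def pin_to_sha(workflow_text, resolved):
    """Rewrite mutable refs to their resolved commit SHA, keeping the original
    ref as a trailing comment. Returns (new_text, refs_left_unpinned)."""
    out, unresolved = [], []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and _mutable_ref(m):
            key = f"{m['repo']}@{m['ref']}"
            sha = resolved.get(key)
            if sha is None:
                unresolved.append(key)  # no resolution: leave the line as-is and report it
            else:
                line = f"{m['indent']}{m['repo']}@{sha}  # {m['ref']}"
        out.append(line)
    return "\n".join(out) + "\n", unresolved


if __name__ == "__main__":
    for n, ref in audit_unpinned(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref} is not pinned to a full commit SHA")
    pinned, left = pin_to_sha(SAMPLE_WORKFLOW, RESOLVED)
    print(pinned)
    print("still unpinned:", left)
```

Running the script reports three mutable references (checkout, the helper action, and pypi-publish), rewrites the two it can resolve, and leaves `some-org/helper-action@main` flagged for manual follow-up; the already-pinned setup-python line is untouched. Re-running the audit on the rewritten text is the check that a policy mandating hash pinning would pass once the last reference is resolved.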
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Feb 6, 2026
@dependabot dependabot bot requested review from a team as code owners February 6, 2026 19:05
@sonarqubecloud sonarqubecloud bot commented Feb 6, 2026

@greptile-apps greptile-apps bot commented Feb 6, 2026

Greptile Overview

Greptile Summary

This PR updates two GitHub Actions dependencies in the workflow files:

  • pypa/gh-action-pypi-publish from v1.9.0 to v1.13.0 in .github/workflows/CI_CD_actions.yml
  • devops-actions/action-get-tag from v1.0.3 to v1.0.4 in .github/workflows/release-validation.yml

Key Updates

pypa/gh-action-pypi-publish v1.13.0 includes:

  • Security fix for GHSA-vxmw-7h4f-hqxh
  • Python 3.13 runtime support
  • Enhanced diagnostic output for Trusted Publishing
  • Warnings for unsupported reusable workflow configurations
  • Hash-pinned actions/setup-python for org policy compatibility

devops-actions/action-get-tag v1.0.4 includes:

  • Dependency updates (bumped @actions/core from 1.x to 3.0.0)
  • Updated GitHub Actions dependencies

Both updates are routine dependency bumps that improve security and maintainability.

Confidence Score: 5/5

  • Safe to merge - routine dependency updates with security improvements
  • These are automated dependency updates from Dependabot that upgrade two GitHub Actions to their latest versions. The pypa/gh-action-pypi-publish update includes an important security fix (GHSA-vxmw-7h4f-hqxh) and improved diagnostics. The devops-actions/action-get-tag update brings routine dependency updates. Both actions maintain backward compatibility with existing usage patterns.
  • No files require special attention

Important Files Changed

Filename Overview
.github/workflows/CI_CD_actions.yml Updated pypa/gh-action-pypi-publish from v1.9.0 to v1.13.0, includes security fix for GHSA-vxmw-7h4f-hqxh
.github/workflows/release-validation.yml Updated devops-actions/action-get-tag from v1.0.3 to v1.0.4 with dependency updates

Sequence Diagram

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub
    participant DB as Dependabot
    participant CI as CI/CD Workflow
    participant PyPI as PyPI Registry
    
    Dev->>GH: Push tag (v**)
    GH->>CI: Trigger CI_CD_actions.yml
    CI->>CI: Run pre-commit checks
    CI->>CI: Run tests (multiple OS/Python versions)
    CI->>CI: Build documentation
    CI->>CI: Build package with hatch
    CI->>PyPI: Publish package (pypa/gh-action-pypi-publish@v1.13.0)
    Note over CI,PyPI: Updated from v1.9.0 to v1.13.0<br/>Includes security fix GHSA-vxmw-7h4f-hqxh
    
    GH->>CI: Trigger release-validation.yml
    CI->>CI: Get tag name (devops-actions/action-get-tag@v1.0.4)
    Note over CI: Updated from v1.0.3 to v1.0.4<br/>Includes @actions/core 3.0.0
    CI->>GH: Create release in pyglotaran-examples repo
    CI->>GH: Create release in pyglotaran-validation repo

@greptile-apps greptile-apps bot left a comment

2 files reviewed, no comments
