build(deps): bump the dependencies group across 1 directory with 10 updates

[dependabot]

Updates the requirements on cryptography, sigstore, pykcs11, boto3, botocore, build, coverage, mypy, ruff and zizmor to permit the latest version.
Updates cryptography from 44.0.3 to 45.0.5

Changelog

Sourced from cryptography's changelog.

45.0.5 - 2025-07-02

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.1.
.. _v45-0-4:
45.0.4 - 2025-06-09

• Fixed decrypting PKCS#8 files encrypted with SHA1-RC4. (This is not considered secure, and is supported only for backwards compatibility.)

.. _v45-0-3:

45.0.3 - 2025-05-25

* Fixed decrypting PKCS#8 files encrypted with long salts (this impacts keys
  encrypted by Bouncy Castle).
* Fixed decrypting PKCS#8 files encrypted with DES-CBC-MD5. While wildly
  insecure, this remains prevalent.
.. _v45-0-2:
45.0.2 - 2025-05-17

• Fixed using mypy with cryptography on older versions of Python.

.. _v45-0-1:

45.0.1 - 2025-05-17

* Updated Windows, macOS, and Linux wheels to be compiled with OpenSSL 3.5.0.
.. _v45-0-0:
45.0.0 - 2025-05-17 (YANKED)

• Support for Python 3.7 is deprecated and will be removed in the next cryptography release.
• Updated the minimum supported Rust version (MSRV) to 1.74.0, from 1.65.0.
• Added support for serialization of PKCS#12 Java truststores in :func:~cryptography.hazmat.primitives.serialization.pkcs12.serialize_java_truststore
• Added :meth:~cryptography.hazmat.primitives.kdf.argon2.Argon2id.derive_phc_encoded and :meth:~cryptography.hazmat.primitives.kdf.argon2.Argon2id.verify_phc_encoded methods to support password hashing in the PHC string format

... (truncated)

Commits

• 3e53a23 Bump for 45.0.5 release (#13135)
• 678c0c5 prepare for 45.0.4 release (#13058)
• 5038495 backports for 45.0.3 release (#12979)
• f81c075 Backport mypy fixes for release (#12930)
• 8ea28e0 bump for 45.0.1 (#12922)
• 6784097 bump for 45 release (#12886)
• 2d9c1c9 bump MSRV to 1.74 (#12919)
• 6c18874 Bump BoringSSL, OpenSSL, AWS-LC in CI (#12918)
• 43fd312 add test vectors for upcoming explicit curve loading (#12913)
• 6bfa0a3 chore(deps): bump asn1 from 0.21.2 to 0.21.3 (#12914)
• Additional commits viewable in compare view

Updates sigstore from 3.6.2 to 3.6.4

Release notes

Sourced from sigstore's releases.

v3.6.4

Fixed

• Bumped the rfc3161-client dependency to >=1.0.3 to fix a security vulnerability (#1451)

v3.6.3

A small bug fix release.

Fixed

• Verify: Avoid hard failure if trusted root contains unsupported keytypes (as verification may succeed without that key). #1425

Changelog

Sourced from sigstore's changelog.

[3.6.4]

Fixed

• Bumped the rfc3161-client dependency to >=1.0.3 to fix a security vulnerability (#1451)

[3.6.3]

Fixed

• Verify: Avoid hard failure if trusted root contains unsupported keytypes (as verification may succeed without that key). #1425

Commits

• dd952eb chore: prep release v3.6.4 (#1452)
• 1586361 chore(deps): bump rfc3161-client to >= 1.0.3 (#1450) (#1451)
• 0f88940 Backport 1424, prepare 3.6.3 release (#1425)
• See full diff in compare view

Updates pykcs11 from 1.5.17 to 1.5.18

Release notes

Sourced from pykcs11's releases.

1.5.18 - August 2025, Ludovic Rousseau

• add CKM_EXTRACT_KEY_FROM_KEY mechanism
• add CKM_EDDSA and CK_EDDSA_PARAMS support
• C_Initialize(): allow OS locking
• PyKCS11.load() & .unload(): make the methods tread-safe
• bugfix: store CKM_CONCATENATE_BASE_AND_KEY parameter in mechanism context
• IsNum(): CKA_HW_FEATURE_TYPE is also a numeric value
• improve support for multi-part encryption/decryption
• fix some Python typing issues
• Fix issue with vendor defined (CKM_VENDOR_DEFINED) mechanisms
• fix/ignore all pylint warnings
• use pytest for running tests
• minor improvements

What's Changed

• Bump actions/upload-artifact from 3 to 4 by @​dependabot[bot] in LudovicRousseau/PyKCS11#125
• add CKM_EXTRACT_KEY_FROM_KEY mechanism by @​fuzzykat in LudovicRousseau/PyKCS11#128
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in LudovicRousseau/PyKCS11#132
• improve support for multi-part encryption/decryption by @​fuzzykat in LudovicRousseau/PyKCS11#135
• use ckbytelist as return type by @​andreastedile in LudovicRousseau/PyKCS11#136
• use CK_OBJECT_HANDLE as parameter type by @​andreastedile in LudovicRousseau/PyKCS11#137
• use CK_OBJECT_HANDLE as return type by @​andreastedile in LudovicRousseau/PyKCS11#138
• [pre-commit.ci] pre-commit autoupdate by @​pre-commit-ci[bot] in LudovicRousseau/PyKCS11#139
• add CKM_EDDSA and CK_EDDSA_PARAMS support by @​fuzzykat in LudovicRousseau/PyKCS11#141

New Contributors

• @​dependabot[bot] made their first contribution in LudovicRousseau/PyKCS11#125
• @​pre-commit-ci[bot] made their first contribution in LudovicRousseau/PyKCS11#132
• @​andreastedile made their first contribution in LudovicRousseau/PyKCS11#136

Full Changelog: LudovicRousseau/PyKCS11@1.5.17...1.5.18

Changelog

Sourced from pykcs11's changelog.

1.5.18 - August 2025, Ludovic Rousseau

• add CKM_EXTRACT_KEY_FROM_KEY mechanism
• add CKM_EDDSA and CK_EDDSA_PARAMS support
• C_Initialize(): allow OS locking
• PyKCS11.load() & .unload(): make the methods tread-safe
• bugfix: store CKM_CONCATENATE_BASE_AND_KEY parameter in mechanism context
• IsNum(): CKA_HW_FEATURE_TYPE is also a numeric value
• improve support for multi-part encryption/decryption
• fix some Python typing issues
• Fix issue with vendor defined (CKM_VENDOR_DEFINED) mechanisms
• fix/ignore all pylint warnings
• use pytest for running tests
• minor improvements

Commits

• 1f34853 Release 1.5.18
• abea61f fix load(): move os.getenv() outside of the _lock scope
• be5f5e3 fix: use self.assertRaises() in test_sign_integer
• 2177a59 add CKM_EDDSA and CK_EDDSA_PARAMS support
• 2094a49 IsNum(): CKA_HW_FEATURE_TYPE is also a numeric value
• 383425e Add information in PyKCS11Error(-2)
• 1a1bab3 dev-requirements.txt: add pytest
• 62e8b7e Makefile: use pytest to run tests
• 8eec8e3 Add run_pytest.py
• f7a9628 PyKCS11.unload(): make the method thread safe
• Additional commits viewable in compare view

Updates boto3 to 1.40.2

Commits

• ad48a21 Merge branch 'release-1.40.2'
• 0a92fe4 Bumping version to 1.40.2
• b1d3cd4 Add changelog entries from botocore
• 72d9a28 Merge branch 'release-1.40.1'
• 1c32a22 Merge branch 'release-1.40.1' into develop
• a3ffa61 Bumping version to 1.40.1
• c643766 Add changelog entries from botocore
• e2fb47b Merge branch 'release-1.40.0'
• e19cb9f Merge branch 'release-1.40.0' into develop
• 9e895ba Bumping version to 1.40.0
• Additional commits viewable in compare view

Updates botocore to 1.40.2

Commits

• 98c9921 Merge branch 'release-1.40.2'
• 89d9a61 Bumping version to 1.40.2
• 30b9a22 Update endpoints model
• 7a26dd8 Update to latest models
• 30c103c Merge pull request #3494 from andyferris/patch-1
• 37d82c4 Merge pull request #3527 from akx/bad-logging-calls
• ac5a0db Merge pull request #3533 from nateprewitt/datetime_consolidation
• bbed2c0 Add timezones to test dates
• 7ebb8b8 Consolidate datetime invocations to one place
• b0015b7 Resolve Python 3.12 .utcnow() DeprecationWarning (#3239)
• Additional commits viewable in compare view

Updates build from 1.2.2.post1 to 1.3.0

Release notes

Sourced from build's releases.

1.3.0

• Add --config-json (PR #916, fixes issue #900)
• Drop Python 3.8 (PR #891)
• Test on Python 3.14, colorful help on 3.14+ (PR #895)
• Fix ModuleNotFoundError when pip is not installed (PR #898)
• Disable use of pip install --python for debundled pip (PR #861)
• Don't pass no-wheel to virtualenv if it would warn (PR #892)
• Optimize our tests to run faster (PR #871, #872, #738)
• Allow running our tests without virtualenv (PR #911)
• Fix issues in our tests (PR #824, #918, #870, #915, #862, #863, #899, #896, #854)
• Use SPDX identifiers for our license metadata (PR #914)
• Use dependency-groups for our development (PR #880)
• Mention conda and update uv mention in README/docs (PR #842, #816, #917)

Changelog

Sourced from build's changelog.

1.3.0 (2025-08-01)

• Add --config-json (PR :pr:916, fixes issue :issue:900)
• Drop Python 3.8 (PR :pr:891)
• Test on Python 3.14, colorful help on 3.14+ (PR :pr:895)
• Fix ModuleNotFoundError when pip is not installed (PR :pr:898)
• Disable use of pip install --python for debundled pip (PR :pr:861)
• Don't pass no-wheel to virtualenv if it would warn (PR :pr:892)
• Optimize our tests to run faster (PR :pr:871, :pr:872, :pr:738)
• Allow running our tests without virtualenv (PR :pr:911)
• Fix issues in our tests (PR :pr:824, :pr:918, :pr:870, :pr:915, :pr:862, :pr:863, :pr:899, :pr:896, :pr:854)
• Use SPDX identifiers for our license metadata (PR :pr:914)
• Use dependency-groups for our development (PR :pr:880)
• Mention conda and update uv mention in README/docs (PR :pr:842, :pr:816, :pr:917)

1.2.2 (2024-09-06)

• Add editable to builder.get_requries_for_build's static types (PR :pr:764, fixes issue :issue:763)
• Include artifact attestations in our release (PR :pr:782)
• Fix typing compatibility with typed pyproject-hooks (PR :pr:788)
• Mark more tests with network (PR :pr:808)
• Add more intersphinx links to docs (PR :pr:804)
• Make uv optional for tests (PR :pr:807 and :pr:813)

1.2.1 (2024-03-28)

• Avoid error when terminal width is undetectable on Python < 3.11 (PR :pr:761)

... (truncated)

Commits

• 60e8752 chore: bump to 1.3.0 (#919)
• 807cfba feat: add --config-json (#916)
• bf54ad0 tests: fix issues with ignore
• 53852df docs: uv example
• b983371 tests: optional virtualenv
• 6cd157a Adopt PEP 639 "license" field (#914)
• bdaea36 tests: fixes for errors in CI
• 14d6508 pre-commit: bump repositories
• 59ac60e pre-commit: bump repositories
• 48ebd63 pre-commit: bump repositories
• Additional commits viewable in compare view

Updates coverage from 7.8.2 to 7.10.2

Changelog

Sourced from coverage's changelog.

Version 7.10.2 — 2025-08-03

• Fix: some code with NOP bytecodes could report missing branches that are actually executed. This is now fixed, closing issue 1999_. Python 3.9 still shows the problem.

.. _issue 1999: nedbat/coveragepy#1999

.. _changes_7-10-1:

Version 7.10.1 — 2025-07-27

• Fix: the exclusion for if TYPE_CHECKING: was wrong: it marked the branch as partial, but it should have been a line exclusion so the entire clause would be excluded. Improves issue 831_.

• Fix: changed where .pth files are written for patch = subprocess, closing issue 2006_.

.. _issue 2006: nedbat/coveragepy#2006

.. _changes_7-10-0:

Version 7.10.0 — 2025-07-24

• A new configuration option: ":ref:config_run_patch" specifies named patches to work around some limitations in coverage measurement. These patches are available:

  • patch = _exit lets coverage save its data even when :func:os._exit() <python:os._exit> is used to abruptly end the process. This closes long-standing issue 310_ as well as its duplicates: issue 312, issue 1673, issue 1845, and issue 1941.

  • patch = subprocess measures coverage in Python subprocesses created with :mod:subprocess, :func:os.system, or one of the :func:execv <python:os.execl> or :func:spawnv <python:os.spawnl> family of functions. Closes old issue 367_ and duplicate issue 378_.

  • patch = execv adjusts the :func:execv <python:os.execl> family of functions to save coverage data before ending the current program and starting the next. Not available on Windows. Closes issue 43_ after 15 years!

• The HTML report now dimly colors subsequent lines in multi-line statements.

... (truncated)

Commits

• a867852 docs: sample HTML for 7.10.2
• e7bfabe docs: prep for 7.10.2
• 5dbd736 test: this test often borks metacov, retry it
• b7430fa debug: more convenient run_trace.py
• e2039d0 refactor: less redundancy in branch_trails
• c177731 fix: see through nop bytecodes to get the right arcs. #1999
• 7a83ab0 test: don't try to make pth files when invoked from pth #2011
• 6d8b091 refactor: remove a commented-out line
• fc507ad test: add a case for an extension-less Python file parse error
• 05a6e8d test: no need for skip, we already skip windows
• Additional commits viewable in compare view

Updates mypy from 1.16.0 to 1.17.1

Changelog

Sourced from mypy's changelog.

Mypy 1.17.1

• Retain None as constraints bottom if no bottoms were provided (Stanislav Terliakov, PR 19485)
• Fix "ignored exception in hasattr" in dmypy (Stanislav Terliakov, PR 19428)
• Prevent a crash when InitVar is redefined with a method in a subclass (Stanislav Terliakov, PR 19453)

Acknowledgements

Thanks to all mypy contributors who contributed to this release:

• Alexey Makridenko
• Brian Schubert
• Chad Dombrova
• Chainfire
• Charlie Denton
• Charulata
• Christoph Tyralla
• CoolCat467
• Donal Burns
• Guy Wilson
• Ivan Levkivskyi
• johnthagen
• Jukka Lehtosalo
• Łukasz Kwieciński
• Marc Mueller
• Michael J. Sullivan
• Mikhail Golubev
• Sebastian Rittau
• Shantanu
• Stanislav Terliakov
• wyattscarpenter

I’d also like to thank my employer, Dropbox, for supporting mypy development.

Mypy 1.16

We’ve just uploaded mypy 1.16 to the Python Package Index (PyPI). Mypy is a static type checker for Python. This release includes new features and bug fixes. You can install it as follows:

python3 -m pip install -U mypy

You can read the full documentation for this release on Read the Docs.

Different Property Getter and Setter Types

Mypy now supports using different types for a property getter and setter:

class A:
    _value: int
</tr></table> 

... (truncated)

Commits

• acb2983 Bump version to 1.17.1
• 933c913 Retain None as constraints bottom if no bottoms were provided (#19485)
• 5f4428f Fix "ignored exception in hasattr" in dmypy (#19428)
• 88fdeaa Prevent a crash when InitVar is redefined with a method in a subclass (#19453)
• e44d14f Bump version to 1.17.1+dev
• 0260991 Update version string
• 3901aa2 Updates to 1.17 changelog (#19436)
• 7d13396 Initial changelog for 1.17 release (#19427)
• a182dec Combine the revealed types of multiple iteration steps in a more robust manne...
• ab4fd57 Improve the handling of "iteration dependent" errors and notes in finally cla...
• Additional commits viewable in compare view

Updates ruff from 0.11.13 to 0.12.7

Release notes

Sourced from ruff's releases.

0.12.7

Release Notes

This is a follow-up release to 0.12.6. Because of an issue in the package metadata, 0.12.6 failed to publish fully to PyPI and has been yanked. Similarly, there is no GitHub release or Git tag for 0.12.6. The contents of the 0.12.7 release are identical to 0.12.6, except for the updated metadata.

0.12.6 Release Notes

Preview features

• [flake8-commas] Add support for trailing comma checks in type parameter lists (COM812, COM819) (#19390)
• [pylint] Implement auto-fix for missing-maxsplit-arg (PLC0207) (#19387)
• [ruff] Offer fixes for RUF039 in more cases (#19065)

Bug fixes

• Support .pyi files in ruff analyze graph (#19611)
• [flake8-pyi] Preserve inline comment in ellipsis removal (PYI013) (#19399)
• [perflint] Ignore rule if target is global or nonlocal (PERF401) (#19539)
• [pyupgrade] Fix UP030 to avoid modifying double curly braces in format strings (#19378)
• [refurb] Ignore decorated functions for FURB118 (#19339)
• [refurb] Mark int and bool cases for Decimal.from_float as safe fixes (FURB164) (#19468)
• [ruff] Fix RUF033 for named default expressions (#19115)

Rule changes

• [flake8-blind-except] Change BLE001 to permit logging.critical(..., exc_info=True) (#19520)

Performance

• Add support for specifying minimum dots in detected string imports (#19538)

Contributors

• @​AlexWaygood
• @​BurntSushi
• @​CodeMan62
• @​DimitriPapadopoulos
• @​IDrokin117
• @​Luunynliny
• @​MichaReiser
• @​UnboundVariable
• @​carljm
• @​charliermarsh
• @​clockback
• @​danparizher
• @​dcreager
• @​dhruvmanila
• @​dylwil3
• @​github-actions
• @​junhsonjb
• @​mtshiba

... (truncated)

Changelog

Sourced from ruff's changelog.

0.12.7

This is a follow-up release to 0.12.6. Because of an issue in the package metadata, 0.12.6 failed to publish fully to PyPI and has been yanked. Similarly, there is no GitHub release or Git tag for 0.12.6. The contents of the 0.12.7 release are identical to 0.12.6, except for the updated metadata.

0.12.6

Preview features

• [flake8-commas] Add support for trailing comma checks in type parameter lists (COM812, COM819) (#19390)
• [pylint] Implement auto-fix for missing-maxsplit-arg (PLC0207) (#19387)
• [ruff] Offer fixes for RUF039 in more cases (#19065)

Bug fixes

• Support .pyi files in ruff analyze graph (#19611)
• [flake8-pyi] Preserve inline comment in ellipsis removal (PYI013) (#19399)
• [perflint] Ignore rule if target is global or nonlocal (PERF401) (#19539)
• [pyupgrade] Fix UP030 to avoid modifying double curly braces in format strings (#19378)
• [refurb] Ignore decorated functions for FURB118 (#19339)
• [refurb] Mark int and bool cases for Decimal.from_float as safe fixes (FURB164) (#19468)
• [ruff] Fix RUF033 for named default expressions (#19115)

Rule changes

• [flake8-blind-except] Change BLE001 to permit logging.critical(..., exc_info=True) (#19520)

Performance

• Add support for specifying minimum dots in detected string imports (#19538)

0.12.5

Preview features

• [flake8-use-pathlib] Add autofix for PTH101, PTH104, PTH105, PTH121 (#19404)
• [ruff] Support byte strings (RUF055) (#18926)

Bug fixes

• Fix unreachable panic in parser (#19183)
• [flake8-pyi] Skip fix if all Union members are None (PYI016) (#19416)
• [perflint] Parenthesize generator expressions (PERF401) (#19325)
• [pylint] Handle empty comments after line continuation (PLR2044) (#19405)

Rule changes

• [pep8-naming] Fix N802 false positives for CGIHTTPRequestHandler and SimpleHTTPRequestHandler (#19432)

0.12.4

... (truncated)

Commits

• c5ac998 Bump 0.12.7 (#19627)
• 04a8f64 Revert license and license-files changes in pyproject.toml (#19624)
• 6e00adf Bump 0.12.6 (#19622)
• 864196b Add Checker::context method, deduplicate Unicode checks (#19609)
• ae26fa0 [flake8-pyi] Preserve inline comment in ellipsis removal (PYI013) (#19399)
• 88a6799 [ty] Add flow diagram for import resolution
• 941be52 [ty] Add comments to some core resolver functions
• 13624ce [ty] Add missing ticks and use consistent quoting
• edb2f8e [ty] Reflow some long lines
• 5e6ad84 [ty] Unexport helper function
• Additional commits viewable in compare view

Updates zizmor from 1.9.0 to 1.11.0

Release notes

Sourced from zizmor's releases.

v1.11.0

New Features 🌈🔗

• zizmor now has experimental support for IDE/editor integrations via zizmor --lsp; see the IDE integration documentation for more information (#984)

Enhancements 🌱🔗

• The bot-conditions audit now supports auto-fixes for many findings (#921)
• The bot-conditions audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛🔗

• Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

v1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈🔗

• New audit: anonymous-definition detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

  Many thanks to @​andrewpollack for implementing this audit!

• Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

  • artipacked: zizmor will attempt to add persist-credentials: false to actions/checkout steps that do not already have it.

  • template-injection: zizmor will attempt to rewrite run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate env: block to set FOO_BAR to the expression's evaluation.

  Read more about the new auto-fix mode in the documentation.

  Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱🔗

• The artipacked audit now produces findings on composite action definitions, rather than just workflow definitions (#896)
• The use-trusted-publishing audit now produces findings on composite action definitions, rather than just workflow definitions (#899)
• The bot-conditions audit now detects more spoofable actor checks, including checks against well-known user IDs for bot accounts (#905)
• The template-injection and other audits now produce more precise findings when analyzing env context accesses for static-ness (#911)
• The template-injection audit now produces more precise findings when analyzing inputs context accesses (#919)
• zizmor now produces more descriptive error messages when it fails to parse a workflow or action definition (#956)
• The bot-conditions audit now returns precise spans for flagged actor checks, instead of flagging the entire if: value (#949)
• The template-injection audit now returns precise spans for flagged contexts and expressions, instead of flagging the entire script block (#958)
• The obfuscation audit now returns precise spans for flagged expressions (#969)
• The obfuscation audit now detects computed indices (e.g. inputs.foo[inputs.bar]) as a potentially obfuscatory pattern (#969)

Bug Fixes 🐛🔗

• The template-injection audit no longer crashes when attempting to evaluate the static-ness of an environment context within a composite action uses: step (#887)
• The bot-conditions audit now correctly analyzes index-style contexts, e.g. github['actor'] (#905)
• Fixed a bug where zizmor would fail to parse expressions that contained >= or <= (#916)
• Fixed a bug where zizmor would fail to parse expressions containing contexts with interstitial whitespace (#958)

Changelog

Sourced from zizmor's changelog.

1.11.0

New Features 🌈

• zizmor now has experimental support for IDE/editor integrations via zizmor --lsp; see the IDE integration documentation for more information (#984)

Enhancements 🌱

• The [bot-conditions] audit now supports auto-fixes for many findings (#921)
• The [bot-conditions] audit now produces findings on triggers other than pull_request_target (#921)

Bug Fixes 🐛

• Fixed a bug where zizmor would crash when attempting to extract subfeatures from features containing non-ASCII codepoints (#989)

1.10.0

This is a huge new release, with multiple new features, enhancements, and bugfixes!

New Features 🌈

• New audit: [anonymous-definition] detects unnamed workflows and actions. Definitions without a name: field appear anonymously in the GitHub Actions UI, making them harder to distinguish (#937)

  Many thanks to @​andrewpollack for implementing this audit!

• Auto-fix mode: zizmor now experimentally supports --fix=[MODE], which enables the brand new auto-fix mode. This mode can automatically fix a subset of zizmor's findings. For this experimental release, auto-fixes are available for findings from the following audits:

  • [artipacked]: zizmor will attempt to add #!yaml persist-credentials: false to actions/checkout steps that do not already have it.

  • [template-injection]: zizmor will attempt to rewrite #!yaml run: blocks containing ${{ foo.bar }} to use ${FOO_BAR} instead, and will add an appropriate #!yaml env: block to set FOO_BAR to the expression's evaluation.

  Read more about the new auto-fix mode in the documentation.

  Many thanks to @​mostafa for implementing this feature!

Enhancements 🌱

... (truncated)

Commits

• 1cc8f93 chore: release 1.11.0 (#993)
• 44a27e2 feat: LSP skeleton code from #607 (#984)
• 5495af9 chore(deps): bump the github-actions group with 3 updates (#990)
• 86c4489 chore(deps): bump the cargo group with 3 updates (#991)
• ac6f6e2 bugfix: repro, #988 (#989)
• b98dcb1 chore: remove descriptions from fixes (#985)
• 42862eb Add Fix for bot-conditions audit rule (#921)
• b7500d1 refactor: move audit registration into AuditRegistry (#983)
• e90af3a chore(deps): bump http-cache-reqwest to 0.16.0 (#982)
• ab905e1 chore(deps): bump http-cache-reqwest to 0.15.2 (#980)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[jku]

sigstore is now compatible with newer cryptography but something is failing in a weird way on MacOS: #1015

This failure is not specific to this PR it's happening on main as well

[jku]

I'm disabling the hsm tests on mac since I have no way of working on them -- I think it's just a test failure on the specific mac release but not sure.

This is ready for review