build(deps): bump the actions group with 6 updates

[dependabot]

Bumps the actions group with 6 updates:

Package	From	To
actions/cache	5	5.0.4
hustcer/setup-nu	3.22	3.23
actions/upload-pages-artifact	4	5
cross-platform-actions/action	0.32.0	1.0.0
PyO3/maturin-action	1.50.1	1.51.0
pypa/gh-action-pypi-publish	1.13.0	1.14.0

Updates actions/cache from 5 to 5.0.4

Release notes

Sourced from actions/cache's releases.

v5.0.4

What's Changed

• Add release instructions and update maintainer docs by @​Link- in actions/cache#1696
• Potential fix for code scanning alert no. 52: Workflow does not contain permissions by @​Link- in actions/cache#1697
• Fix workflow permissions and cleanup workflow names / formatting by @​Link- in actions/cache#1699
• docs: Update examples to use the latest version by @​XZTDean in actions/cache#1690
• Fix proxy integration tests by @​Link- in actions/cache#1701
• Fix cache key in examples.md for bun.lock by @​RyPeck in actions/cache#1722
• Update dependencies & patch security vulnerabilities by @​Link- in actions/cache#1738

New Contributors

• @​XZTDean made their first contribution in actions/cache#1690
• @​RyPeck made their first contribution in actions/cache#1722

Full Changelog: actions/cache@v5...v5.0.4

v5.0.3

What's Changed

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

Full Changelog: actions/cache@v5...v5.0.3

v.5.0.2

v5.0.2

What's Changed

When creating cache entries, 429s returned from the cache service will not be retried.

v5.0.1

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1.

If you are using self-hosted runners, ensure they are updated before upgrading.

---

v5.0.1

What's Changed

• fix: update @​actions/cache for Node.js 24 punycode deprecation by @​salmanmkc in actions/cache#1685
• prepare release v5.0.1 by @​salmanmkc in actions/cache#1686

v5.0.0

What's Changed

... (truncated)

Changelog

Sourced from actions/cache's changelog.

5.0.4

• Bump minimatch to v3.1.5 (fixes ReDoS via globstar patterns)
• Bump undici to v6.24.1 (WebSocket decompression bomb protection, header validation fixes)
• Bump fast-xml-parser to v5.5.6

5.0.3

• Bump @actions/cache to v5.0.5 (Resolves: https://github.com/actions/cache/security/dependabot/33)
• Bump @actions/core to v2.0.3

5.0.2

• Bump @actions/cache to v5.0.3 #1692

5.0.1

• Update @azure/storage-blob to ^12.29.1 via @actions/cache@5.0.1 #1685

5.0.0

[!IMPORTANT] actions/cache@v5 runs on the Node.js 24 runtime and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

4.3.0

• Bump @actions/cache to v4.1.0

4.2.4

• Bump @actions/cache to v4.0.5

4.2.3

• Bump @actions/cache to v4.0.3 (obfuscates SAS token in debug logs for cache entries)

4.2.2

• Bump @actions/cache to v4.0.2

4.2.1

• Bump @actions/cache to v4.0.1

4.2.0

TLDR; The cache backend service has been rewritten from the ground up for improved performance and reliability. actions/cache now integrates with the new cache service (v2) APIs.

The new service will gradually roll out as of February 1st, 2025. The legacy service will also be sunset on the same date. Changes in these release are fully backward compatible.

... (truncated)

Commits

• cdf6c1f Merge pull request #1695 from actions/Link-/prepare-5.0.3
• a1bee22 Add review for the @​actions/http-client license
• 4695763 Add licensed output
• dc73bb9 Upgrade dependencies and address security warnings
• See full diff in compare view

Updates hustcer/setup-nu from 3.22 to 3.23

Release notes

Sourced from hustcer/setup-nu's releases.

v3.23

[3.23] - 2026-03-19

Features

• Add nu/build.nu for assets building (#206)

Deps

• Upgrade globby,@​biomejs/biome & lefthook
• Upgrade lefthook,cspell,@​biomejs/biome,undici & @actions/*
• Upgrade undici to 7.19.0
• Upgrade @​actions/core,@​actions/tool-cache,undici,lefthook & semver (#205)
• Upgrade undici,@​biomejs/biome,@​types/node & lefthook
• Upgrade globby, @​biomejs/biome & cspell (#212)
• Upgrade @​biomejs/biome,lefthook & undici

Changelog

Sourced from hustcer/setup-nu's changelog.

Changelog

All notable changes to this project will be documented in this file.

[3.23] - 2026-03-19

Features

• Add nu/build.nu for assets building (#206)

Deps

• Upgrade globby,@​biomejs/biome & lefthook
• Upgrade lefthook,cspell,@​biomejs/biome,undici & @actions/*
• Upgrade undici to 7.19.0
• Upgrade @​actions/core,@​actions/tool-cache,undici,lefthook & semver (#205)
• Upgrade undici,@​biomejs/biome,@​types/node & lefthook
• Upgrade globby, @​biomejs/biome & cspell (#212)
• Upgrade @​biomejs/biome,lefthook & undici

[3.22] - 2025-12-13

Bug Fixes

• Added input validation for plugin registration to prevent injection vulnerabilities (#195)

Features

• Add strict input validation and robust plugin registration; improve target selection and caching (#190)
• Support proxies (#194)

Miscellaneous Tasks

• Update .lefthook/pre-push/sync.nu
• Update README.md
• Bump actions/checkout from 5 to 6 (#191)
• Drop 0.88.1 check
• Update README
• Update lefthook.yml
• Upgrade runner os from macos-13 to macos-15
• Update dist & format code

Deps

• Upgrade @​octokit/rest,lefthook,@​types/node, and @​biomejs/biome
• Upgrade pnpm to v10
• Upgrade @​biomejs/biome,cspell & lefthook
• Upgrade globby, @​biomejs/biome & cspell
• Upgrade @​biomejs/biome,lefthook & cspell (#193)
• Upgrade @​actions/core & lefthook

... (truncated)

Commits

• 92c296b fix: Try to fix nu release script
• 80e1ad3 update CHANGELOG.md for v3.23
• 95a863f Bump to v3.23
• 00b77ac deps: Upgrade @​biomejs/biome,lefthook & undici
• 51f0fb9 Add Nu 0.111.0 to workflows
• b66b096 chore: Test install nushell-pro SKILL
• b025b69 deps: Upgrade globby, @​biomejs/biome & cspell (#212)
• 8f2e5e5 deps: Upgrade undici,@​biomejs/biome,@​types/node & lefthook
• 928c8f8 feat: Add nu/build.nu for assets building (#206)
• 26a0b4c deps: Upgrade @​actions/core,@​actions/tool-cache,undici,lefthook & semver (#205)
• Additional commits viewable in compare view

Updates actions/upload-pages-artifact from 4 to 5

Release notes

Sourced from actions/upload-pages-artifact's releases.

v5.0.0

Changelog

• Update upload-artifact action to version 7 @​Tom-van-Woudenberg (#139)
• feat: add include-hidden-files input @​jonchurch (#137)

See details of all code changes since previous release.

Commits

• fc324d3 Merge pull request #139 from Tom-van-Woudenberg/patch-1
• fe9d4b7 Merge branch 'main' into patch-1
• 0ca1617 Merge pull request #137 from jonchurch/include-hidden-files
• 57f0e84 Update action.yml
• 4a90348 v7 --> hash
• 56f665a Update upload-artifact action to version 7
• f7615f5 Add include-hidden-files input
• See full diff in compare view

Updates cross-platform-actions/action from 0.32.0 to 1.0.0

Release notes

Sourced from cross-platform-actions/action's releases.

Cross Platform Action 1.0.0

Fixed

• Fix #108: Fix file ownership on Haiku after rsync, resolving git safe.directory errors

Changed

• Breaking: Update the requirement of Node for running this action from version 20 to 24.

Removed

• Breaking: Remove support for running on macOS runners. Only Linux runners (e.g. ubuntu-latest) are now supported. This was deprecated in v0.25.0.
• Breaking: Remove the Xhyve hypervisor and the hypervisor input parameter. QEMU is now the only supported hypervisor. These were deprecated in v0.25.0.

Changelog

Sourced from cross-platform-actions/action's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[Unreleased]

Added

• Add support for DragonFly BSD (#19)
• Add support for MidnightBSD (#102)

[1.0.0] - 2026-04-12

Fixed

• Fix #108: Fix file ownership on Haiku after rsync, resolving git safe.directory errors

Changed

• Breaking: Update the requirement of Node for running this action from version 20 to 24.

Removed

• Breaking: Remove support for running on macOS runners. Only Linux runners (e.g. ubuntu-latest) are now supported. This was deprecated in v0.25.0.
• Breaking: Remove the Xhyve hypervisor and the hypervisor input parameter. QEMU is now the only supported hypervisor. These were deprecated in v0.25.0.

[0.32.0] - 2025-12-21

Added

• Add support for OmniOS

[0.31.0] - 2025-12-15

Added

• Add support for FreeBSD 15.0 (#114)

Fixed

• Fix empty hostname (#113)

[0.30.0] - 2025-11-04

Added

• Document how to report a security vulnerability
• Add support for OpenBSD 7.8 (#112)

Security

• Fix potential code injection in the GitHub release workflow (#GHSA-928q-63gf-mc2x)

[0.29.0] - 2025-07-22

Added

• Add support for FreeBSD 14.3 (#106, freebsd-builder#9)

... (truncated)

Commits

• 2331563 Release 1.0.0
• 1631483 Assert that the release script is running on master
• 47af1ea Add release script
• ca9a0a1 Add a check that the committed dist files match the source code
• d5b5b85 Merge pull request #128 from cross-platform-actions/dependabot/npm_and_yarn/t...
• 3d0f9f6 Fix error in the release CI workflow
• a7e29cd Remove the hypervisor action parameter
• cd600e1 Remove support for macOS
• db3b320 Merge pull request #134 from mr-raj12/fix/108-haiku-file-ownership
• 5292216 Add e2e test for Haiku file ownership after rsync
• Additional commits viewable in compare view

Updates PyO3/maturin-action from 1.50.1 to 1.51.0

Release notes

Sourced from PyO3/maturin-action's releases.

v1.51.0

What's Changed

• Initial Android build support by @​messense in PyO3/maturin-action#426
• Support native riscv64 builds on manylinux 2_39 by @​weiji14 in PyO3/maturin-action#429

New Contributors

• @​weiji14 made their first contribution in PyO3/maturin-action#429

Full Changelog: PyO3/maturin-action@v1.50.1...v1.51.0

Commits

• e83996d Bump version to 1.51.0
• 36eb3d0 Update versions-manifest.json (#435)
• bd90123 Update versions-manifest.json (#434)
• ef46725 Bump brace-expansion (#433)
• 72c5fe1 Bump actions/setup-node from 6.2.0 to 6.3.0 (#432)
• 9450741 Bump docker/setup-qemu-action from 3.7.0 to 4.0.0 (#430)
• d8dc7d4 Bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#431)
• 0bca1d2 Bump picomatch from 4.0.3 to 4.0.4 (#428)
• 3f475a4 Support native riscv64 builds on manylinux 2_39 (#429)
• 5f46978 Bump flatted from 3.3.3 to 3.4.2 (#427)
• Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.13.0 to 1.14.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.14.0

✨ What's Changed

The main change in this release is that verbose and print-hash inputs are now on by default. This was contributed by @​whitequark💰 in #397.

📝 Docs

@​woodruffw💰 updated the mentions of PEP 740 to stop implying that it might be experimental (it hasn't been for quite a while!) in #388 and @​him2him2💰 brushed up some grammar in the README and SECURITY docs via #395.

🛠️ Internal Updates

@​woodruffw💰 bumped sigstore and pypi-attestations in the lock file (#391) and @​webknjaz💰 added infra for using type annotations in the project (#381).

💪 New Contributors

• @​him2him2 made their first contribution in #395
• @​whitequark made their first contribution in #397

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.13.0...v1.14.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

🙏 Special Thanks to @​facutuesca💰 and @​woodruffw💰 for helping maintain this project when I can't!

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

Commits

• cef2210 Merge pull request #397 from whitequark/patch-1
• b4595e2 Enable verbose and print-hash by default.
• e2bab26 Merge pull request #395 from him2him2/docs/fix-typos-and-grammar
• 7495c38 docs: fix typos and grammar in README and SECURITY
• 03f86fe Merge pull request #388 from woodruffw-forks/ww/rm-experimental
• 4c78f1c Merge branch 'unstable/v1' into ww/rm-experimental
• b5a6e8b deps: bump sigstore and pypi-attestations
• a48a03e remove another experimental mention
• 8087a88 action: remove a lingering mention of PEP 740 being experimental
• 3317ede 🧪 Integrate actionlint via pre-commit framework
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.60%. Comparing base (a2c2ab7) to head (5a72545).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #305   +/-   ##
=======================================
  Coverage   92.60%   92.60%           
=======================================
  Files          26       26           
  Lines        4339     4339           
=======================================
  Hits         4018     4018           
  Misses        321      321           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.