ci(deps): bump the actions-minor group across 1 directory with 3 updates

[dependabot]

Bumps the actions-minor group with 3 updates in the / directory: zizmorcore/zizmor-action, rossjrw/pr-preview-action and pypa/gh-action-pypi-publish.

Updates zizmorcore/zizmor-action from 0.3.0 to 0.4.1

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.4.1

This version fixes an error in the 0.4.0 release that prevented non-relative use of the action.

What's Changed

• Fix version file path by @​woodruffw in zizmorcore/zizmor-action#83

Full Changelog: zizmorcore/zizmor-action@v0.4.0...v0.4.1

v0.4.0

This new version of zizmor-action brings two major changes:

• The new fail-on-no-inputs option can be used to control whether zizmor-action fails if no inputs were collected by zizmor. The default remains true, reflecting the pre-existing behavior.

• The action's use of the official zizmor Docker images is now fully hash-checked internally, preventing accidental or malicious modification to the images. This also means that subsequent releases of zizmor will induce a release of this action, rather than the action always picking up the latest version by default.

What's Changed

• docs: extended permissions required for internal repos by @​AntoineSebert in zizmorcore/zizmor-action#61
• docs: clarify description of "token" to indicate it is only used for online audits by @​rmuir in zizmorcore/zizmor-action#63
• Hash-check zizmor Docker images by @​woodruffw in zizmorcore/zizmor-action#68
• Add fail-on-no-inputs option by @​woodruffw in zizmorcore/zizmor-action#67

New Contributors

• @​AntoineSebert made their first contribution in zizmorcore/zizmor-action#61
• @​rmuir made their first contribution in zizmorcore/zizmor-action#63

Full Changelog: zizmorcore/zizmor-action@v0.3.0...v0.4.0

Commits

• 1356984 Fix version file path (#83)
• 72469cf Bump pins in README (#80)
• 3aa7e2f Add fail-on-no-inputs tests (#79)
• 92fc377 Sync zizmor versions (#78)
• 5aff8ef Add fail-on-no-inputs option (#67)
• 4d497b9 Sync zizmor versions (#75)
• 5fa0711 Fix sync-zizmor-versions (#69)
• c823f2c Hash-check zizmor Docker images (#68)
• 706c51b chore(deps): bump github/codeql-action in the github-actions group (#66)
• cb3d8e8 chore(deps): bump actions/checkout in the github-actions group (#65)
• Additional commits viewable in compare view

Updates rossjrw/pr-preview-action from 1.6.3 to 1.8.0

Release notes

Sourced from rossjrw/pr-preview-action's releases.

v1.8.0

Features

• Add option to add QR code to comment by @​lredoban in rossjrw/pr-preview-action#98
  • New input parameter qr-code, default false, that toggles the behaviour and can also be used to set the QR code provider
  • qr.rossjrw.com (https://github.com/rossjrw/qrcode-worker) created as the default QR code provider

Bugfixes

• Adjusted the timeouts for the wait-for-pages-deployment option - re-increased time for Pages build to start from 90s to 180s

v1.7.3

Bugfixes

• Enable GitHub API requests to work with GHES by @​Googlom in rossjrw/pr-preview-action#126

v1.7.2

Bugfixes

• Adjusted the timeouts for the wait-for-pages-deployment option
  • Wait for Pages build to start: 180s -> 90s
  • Wait for Pages build to complete: 180s -> 1800s

v1.7.1

Bugfixes

• Increased the timeouts for the wait-for-pages-deployment option, suggested by @​eliodinino
  • Wait for Pages build to start: 60s -> 180s
  • Wait for Pages build to complete: 60s -> 180s

v1.7.0

Features

• Support passing through overrides for the commit author by @​FasterSpeeding in rossjrw/pr-preview-action#32
  • Adds two new input parameters: git-config-name and git-config-email
• Add customisable commit messages for deploy and destroy actions by @​bengeois in rossjrw/pr-preview-action#120
  • Adds two new input parameters: deploy-commit-message and remove-commit-message
• Add option to wait for deploy to finish by @​rossjrw in rossjrw/pr-preview-action#121, reported by @​vincerubinetti in #25
  • Adds a new input parameter: wait-for-pages-deployment, boolean, default false (may be true in a future version)

Internal changes

• Add automated integration testing by @​rossjrw in rossjrw/pr-preview-action#122

Commits

• 5fd5f8e Reincrease page build start timeout
• b4a20f5 Update preview image
• 74401f0 Use QR code internally
• 8d0e59d Merge pull request #98 from lredoban/qr-code
• 66ce60d Tweak intro to mention important setup stuff
• bd0daee Finalise QR code format
• c739ba4 Merge pull request #126 from Googlom/patch-1
• cd90b2d Move comment tests to unit
• 4ccf5d2 Update API URL to use GITHUB_API_URL variable
• 384a0af use GITHUB_API_URL
• Additional commits viewable in compare view

Updates pypa/gh-action-pypi-publish from 1.12.2 to 1.13.0

Release notes

Sourced from pypa/gh-action-pypi-publish's releases.

v1.13.0

[!important] 🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰. We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #347: it's been rather stable for a year already 🎉 He also added more diagnostic output which includes printing out the GitHub Environment claim via #371 and warning about the unsupported reusable workflows configurations #306, when using Trusted Publishing.

[!tip] The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #166. At PyCon US 2025 Sprints, @​facutuesca💰, @​miketheman💰, @​woodruffw💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident. The result of that discussion is posted @ pypi/warehouse#11096. Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @​konstin💰 sent #378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@​webknjaz💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#332). Some related bumps were contributed by @​woodruffw💰 (#359) and @​kurtmckee💰 sent a contributor-facing PR, bumping the linting configuration via #335.

💪 New Contributors

• @​kurtmckee made their first contribution in #335
• @​konstin made their first contribution in #378

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

v1.12.4

... (truncated)

Commits

• ed0c539 📦📌 Bump the pinned dependency tree
• 77db1b7 Merge branch PR #306, GHSA-vxmw-7h4f-hqxh fix and PR #378 into unstable/v1
• 280b3a1 Alias typing as t in imports
• e380240 Use object in place of typing.Any in annotations
• e50bff6 Deduplicate claim ref lookup
• decbc9a Hint people to subscribe to #166 for notifications
• 8208ad3 Ask not to report bugs with reusable workflow
• ff0fef5 🧪 Scope WPS202 suppression to specific files
• 1293b8c Use yamllint disable line length lint
• ed01280 Linter (different rule)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, github-actions. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[github-actions]

PR Preview Action v1.8.0
🚀 View preview at https://JacobCoffee.github.io/litestar-scribble/pr-preview/pr-6/
Built to branch gh-pages at 2026-01-19 16:33 UTC. Preview will be ready when the GitHub Pages deployment is complete.