chore: Bump the actions group with 3 updates (#583)

Bumps the actions group with 3 updates:
[astral-sh/setup-uv](https://github.com/astral-sh/setup-uv),
[hynek/build-and-inspect-python-package](https://github.com/hynek/build-and-inspect-python-package)
and
[actions/download-artifact](https://github.com/actions/download-artifact).

Updates `astral-sh/setup-uv` from 6.8.0 to 7.1.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/astral-sh/setup-uv/releases">astral-sh/setup-uv's
releases</a>.</em></p>
<blockquote>
<h2>v7.1.2 🌈 Speed up extraction on Windows</h2>
<h2>Changes</h2>
<p><a href="https://github.com/lazka"><code>@​lazka</code></a> fixed a
bug that caused extracting uv to take up to 30s. Thank you!</p>
<h2>🐛 Bug fixes</h2>
<ul>
<li>Use tar for extracting the uv zip file on Windows too <a
href="https://github.com/lazka"><code>@​lazka</code></a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/660">#660</a>)</li>
</ul>
<h2>🧰 Maintenance</h2>
<ul>
<li>chore: update known checksums for 0.9.5 @<a
href="https://github.com/apps/github-actions">github-actions[bot]</a>
(<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/663">#663</a>)</li>
</ul>
<h2>⬆️ Dependency updates</h2>
<ul>
<li>Bump dependencies <a
href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/664">#664</a>)</li>
<li>Bump github/codeql-action from 4.30.8 to 4.30.9 @<a
href="https://github.com/apps/dependabot">dependabot[bot]</a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/652">#652</a>)</li>
</ul>
<h2>v7.1.1 🌈 Fix empty workdir detection and lowest resolution
strategy</h2>
<h2>Changes</h2>
<p>This release fixes a bug where the <code>working-directory</code>
input was not used to detect an empty work dir. It also fixes the
<code>lowest</code> resolution strategy resolving to latest when only a
lower bound was specified.</p>
<p>Special thanks to <a
href="https://github.com/tpgillam"><code>@​tpgillam</code></a> for the
first contribution!</p>
<h2>🐛 Bug fixes</h2>
<ul>
<li>Fix &quot;lowest&quot; resolution strategy with lower-bound only <a
href="https://github.com/tpgillam"><code>@​tpgillam</code></a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/649">#649</a>)</li>
<li>Use working-directory to detect empty workdir <a
href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/645">#645</a>)</li>
</ul>
<h2>🧰 Maintenance</h2>
<ul>
<li>chore: update known checksums for 0.9.4 @<a
href="https://github.com/apps/github-actions">github-actions[bot]</a>
(<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/651">#651</a>)</li>
<li>chore: update known checksums for 0.9.3 @<a
href="https://github.com/apps/github-actions">github-actions[bot]</a>
(<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/644">#644</a>)</li>
</ul>
<h2>📚 Documentation</h2>
<ul>
<li>Change version in docs to v7 <a
href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/647">#647</a>)</li>
</ul>
<h2>⬆️ Dependency updates</h2>
<ul>
<li>Bump github/codeql-action from 4.30.7 to 4.30.8 @<a
href="https://github.com/apps/dependabot">dependabot[bot]</a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/639">#639</a>)</li>
<li>Bump actions/setup-node from 5.0.0 to 6.0.0 @<a
href="https://github.com/apps/dependabot">dependabot[bot]</a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/641">#641</a>)</li>
<li>Bump eifinger/actionlint-action from 1.9.1 to 1.9.2 @<a
href="https://github.com/apps/dependabot">dependabot[bot]</a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/634">#634</a>)</li>
<li>Update lockfile with latest npm <a
href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/636">#636</a>)</li>
</ul>
<h2>v7.1.0 🌈 Support all the use cases</h2>
<h2>Changes</h2>
<p><strong>Support all the use cases!!!</strong></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41"><code>8585678</code></a>
Bump dependencies (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/664">#664</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/22d500a65c34c827ebc95094040adcee254e92fa"><code>22d500a</code></a>
Bump github/codeql-action from 4.30.8 to 4.30.9 (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/652">#652</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/14d557131df7147286f7ce93a5b6b0189f8e1bc3"><code>14d5571</code></a>
chore: update known checksums for 0.9.5 (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/663">#663</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/29cd2350cd44d155ed44d0eba0e1b63d07fb3b69"><code>29cd235</code></a>
Use tar for extracting the uv zip file on Windows too (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/660">#660</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/2ddd2b9cb38ad8efd50337e8ab201519a34c9f24"><code>2ddd2b9</code></a>
chore: update known checksums for 0.9.4 (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/651">#651</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/b7bf78939d77607a9ccb489e4ec4651ba1092d5c"><code>b7bf789</code></a>
Fix &quot;lowest&quot; resolution strategy with lower-bound only (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/649">#649</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/cb6c0a53d9c61608defba05145184489d20183b2"><code>cb6c0a5</code></a>
Change version in docs to v7 (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/647">#647</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/dffc6292f2060d80116faf1baee66598a67f042c"><code>dffc629</code></a>
Use working-directory to detect empty workdir (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/645">#645</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/6e346e1653b720be5aaa194026b82bdef65869c7"><code>6e346e1</code></a>
chore: update known checksums for 0.9.3 (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/644">#644</a>)</li>
<li><a
href="https://github.com/astral-sh/setup-uv/commit/3ccd0fd498ef6303a98d4125859aae05eedf6294"><code>3ccd0fd</code></a>
Bump github/codeql-action from 4.30.7 to 4.30.8 (<a
href="https://redirect.github.com/astral-sh/setup-uv/issues/639">#639</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/astral-sh/setup-uv/compare/d0cc045d04ccac9d8b7881df0226f9e82c39688e...85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41">compare
view</a></li>
</ul>
</details>
<br />

Updates `hynek/build-and-inspect-python-package` from 2.13.0 to 2.14.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/hynek/build-and-inspect-python-package/releases">hynek/build-and-inspect-python-package's
releases</a>.</em></p>
<blockquote>
<h2>v2.14.0</h2>
<h3>Changed</h3>
<ul>
<li>
<p>Update tools such that they work on Python 3.14 (which is now
<code>3.x</code> on GitHub Actions). <a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/pull/182">#182</a></p>
</li>
<li>
<p>The action now ignores <code>UV_PYTHON</code> coming from the
outside. <a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/pull/184">#184</a></p>
</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/hynek/build-and-inspect-python-package/blob/main/CHANGELOG.md">hynek/build-and-inspect-python-package's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<p>All notable changes to this project will be documented in this
file.</p>
<p>The format is based on <a
href="https://keepachangelog.com/en/1.0.0/">Keep a Changelog</a>, and
this project adheres to <a
href="https://semver.org/spec/v2.0.0.html">Semantic Versioning</a>.</p>
<h2><a
href="https://github.com/hynek/build-and-inspect-python-package/compare/v2.13.0...v2.14.0">2.14.0</a></h2>
<h3>Changed</h3>
<ul>
<li>
<p>Update tools such that they work on Python 3.14 (which is now
<code>3.x</code> on GitHub Actions).
<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/pull/182">#182</a></p>
</li>
<li>
<p>The action now ignores <code>UV_PYTHON</code> coming from the
outside.
<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/pull/184">#184</a></p>
</li>
</ul>
<h2><a
href="https://github.com/hynek/build-and-inspect-python-package/compare/v2.12.0...v2.13.0">2.13.0</a></h2>
<h3>Added</h3>
<ul>
<li>
<p>New output: <code>package_name</code> is the name of the built
package as stored in metadata.
<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/pull/162">#162</a></p>
</li>
<li>
<p>The package name is now part of the action summary which is helpful
when you build more than one package from a repository.
<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/pull/169">#169</a></p>
</li>
</ul>
<h3>Changed</h3>
<ul>
<li>All GitHub actions are now pinned to exact hashes for better
reproducibility and mild security improvements[^st].</li>
</ul>
<p>[^st]: Chosen prefix SHA-1 hash collision attacks <a
href="https://eprint.iacr.org/2020/014.pdf">exist</a>. Against serious
attackers, this is but security theater.</p>
<h2><a
href="https://github.com/hynek/build-and-inspect-python-package/compare/v2.11.0...v2.12.0">2.12.0</a></h2>
<h3>Changed</h3>
<ul>
<li>This release only updates the tools we use.
It's important for being able to handle packaging metadata 2.4, as
published by recent versions of Hatchling, though.
<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/pull/161">#161</a></li>
</ul>
<h2><a
href="https://github.com/hynek/build-and-inspect-python-package/compare/v2.10.0...v2.11.0">2.11.0</a></h2>
<h3>Added</h3>
<ul>
<li>New output: <code>package_version</code> is the version of the
package that was built.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/efb823f52190ad02594531168b7a2d5790e66516"><code>efb823f</code></a>
v2.14.0</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/fea7251891c89f576dff78c33c9864b7445d1995"><code>fea7251</code></a>
Update changelog</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/f79f62d9fdbd437429dbfbce4f1ccc3ab2e0ea47"><code>f79f62d</code></a>
Unset UV_PYTHON (<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/issues/184">#184</a>)</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/5207127548554b686b6b3afe1444832b0f80d552"><code>5207127</code></a>
Group dependabot</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/2667f72f12e7caeb0185e5884fca8547fac9421e"><code>2667f72</code></a>
Update actions (<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/issues/183">#183</a>)</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/4d00193c1043014e925cd765cf6607b0c79bda8b"><code>4d00193</code></a>
Automated dependency upgrades (<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/issues/182">#182</a>)</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/946ff2ada8cc48728b28e224a508c4408eec9a05"><code>946ff2a</code></a>
Automated dependency upgrades (<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/issues/177">#177</a>)</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/bc052a7dd5b686cb5223739e993ce8bd5c95846b"><code>bc052a7</code></a>
[pre-commit.ci] pre-commit autoupdate (<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/issues/178">#178</a>)</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/a2e9b6048f871794d8c35ce9262a0b1f9d52f2d6"><code>a2e9b60</code></a>
Automated dependency upgrades (<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/issues/176">#176</a>)</li>
<li><a
href="https://github.com/hynek/build-and-inspect-python-package/commit/8dba70723d1f691f92b275a25b05e238b565b72f"><code>8dba707</code></a>
Automated dependency upgrades (<a
href="https://redirect.github.com/hynek/build-and-inspect-python-package/issues/172">#172</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/hynek/build-and-inspect-python-package/compare/c52c3a4710070b50470d903818a7b25115dcd076...efb823f52190ad02594531168b7a2d5790e66516">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/download-artifact` from 5.0.0 to 6.0.0
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/download-artifact/releases">actions/download-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v6.0.0</h2>
<h2>What's Changed</h2>
<p><strong>BREAKING CHANGE:</strong> this update supports Node
<code>v24.x</code>. This is not a breaking change per-se but we're
treating it as such.</p>
<ul>
<li>Update README for download-artifact v5 changes by <a
href="https://github.com/yacaovsnc"><code>@​yacaovsnc</code></a> in <a
href="https://redirect.github.com/actions/download-artifact/pull/417">actions/download-artifact#417</a></li>
<li>Update README with artifact extraction details by <a
href="https://github.com/yacaovsnc"><code>@​yacaovsnc</code></a> in <a
href="https://redirect.github.com/actions/download-artifact/pull/424">actions/download-artifact#424</a></li>
<li>Readme: spell out the first use of GHES by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/download-artifact/pull/431">actions/download-artifact#431</a></li>
<li>Bump <code>@actions/artifact</code> to <code>v4.0.0</code></li>
<li>Prepare <code>v6.0.0</code> by <a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a> in
<a
href="https://redirect.github.com/actions/download-artifact/pull/438">actions/download-artifact#438</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/danwkennedy"><code>@​danwkennedy</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/download-artifact/pull/431">actions/download-artifact#431</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/download-artifact/compare/v5...v6.0.0">https://github.com/actions/download-artifact/compare/v5...v6.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/download-artifact/commit/018cc2cf5baa6db3ef3c5f8a56943fffe632ef53"><code>018cc2c</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/download-artifact/issues/438">#438</a>
from actions/danwkennedy/prepare-6.0.0</li>
<li><a
href="https://github.com/actions/download-artifact/commit/815651c680ffe1c95719d0ed08aba1a2f9d5c177"><code>815651c</code></a>
Revert &quot;Remove <code>github.dep.yml</code>&quot;</li>
<li><a
href="https://github.com/actions/download-artifact/commit/bb3a066a8babc8ed7b3e4218896c548fe34e7115"><code>bb3a066</code></a>
Remove <code>github.dep.yml</code></li>
<li><a
href="https://github.com/actions/download-artifact/commit/fa1ce46bbd11b8387539af12741055a76dfdf804"><code>fa1ce46</code></a>
Prepare <code>v6.0.0</code></li>
<li><a
href="https://github.com/actions/download-artifact/commit/4a24838f3d5601fd639834081e118c2995d51e1c"><code>4a24838</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/download-artifact/issues/431">#431</a>
from danwkennedy/patch-1</li>
<li><a
href="https://github.com/actions/download-artifact/commit/5e3251c4ff5a32e4cf8dd4adaee0e692365237ae"><code>5e3251c</code></a>
Readme: spell out the first use of GHES</li>
<li><a
href="https://github.com/actions/download-artifact/commit/abefc31eafcfbdf6c5336127c1346fdae79ff41c"><code>abefc31</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/download-artifact/issues/424">#424</a>
from actions/yacaovsnc/update_readme</li>
<li><a
href="https://github.com/actions/download-artifact/commit/ac43a6070aa7db8a41e756e7a2846221edca7027"><code>ac43a60</code></a>
Update README with artifact extraction details</li>
<li><a
href="https://github.com/actions/download-artifact/commit/de96f4613b77ec03b5cf633e7c350c32bd3c5660"><code>de96f46</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/download-artifact/issues/417">#417</a>
from actions/yacaovsnc/update_readme</li>
<li><a
href="https://github.com/actions/download-artifact/commit/7993cb44e9052f2f08f9b828ae5ef3ecca7d2ac7"><code>7993cb4</code></a>
Remove migration guide for artifact download changes</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/download-artifact/compare/634f93cb2916e3fdff6788551b99b062d0335ce0...018cc2cf5baa6db3ef3c5f8a56943fffe632ef53">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: dependabot[bot]

.github/workflows/ci_workflow.yml

@@ -83,7 +83,7 @@ jobs:
       with:
         python-version: '${{ matrix.python-version }}'
     - name: Set up uv
-      uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
       with:
         version: ">=0.7"
     - name: Install tools
@@ -126,7 +126,7 @@ jobs:
       with:
         python-version: 3.x
     - name: Set up uv
-      uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+      uses: astral-sh/setup-uv@85856786d1ce8acfbcc2f13a5f3fbd6b938f9f41 # v7.1.2
       with:
         version: ">=0.7"
     - name: Install Meltano

.github/workflows/release_workflow.yml

@@ -15,7 +15,7 @@ jobs:
       with:
         fetch-depth: 0
         ref: ${{ github.ref }}
-    - uses: hynek/build-and-inspect-python-package@c52c3a4710070b50470d903818a7b25115dcd076 # v2.13.0
+    - uses: hynek/build-and-inspect-python-package@efb823f52190ad02594531168b7a2d5790e66516 # v2.14.0
       id: baipp
 
   publish:
@@ -31,7 +31,7 @@ jobs:
       id-token: write
 
     steps:
-    - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+    - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: Packages
         path: dist