chore(deps): Update github-actions

[cloudquery-ci]

This PR contains the following updates:

Package	Type	Update	Change	Pending
actions/create-github-app-token (changelog)	action	digest	f8d387b → 1b10c78
astral-sh/uv	uses-with	patch	0.11.2 → 0.11.7	0.11.8
googleapis/release-please-action (changelog)	action	digest	16a9c90 → 5c625bf
pypa/gh-action-pypi-publish	action	digest	ed0c539 → cef2210

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

astral-sh/uv (astral-sh/uv)

v0.11.7

Compare Source

Released on 2026-04-15.

Python

• Upgrade CPython build to 2026041 including an OpenSSL security upgrade (#​19004)

Enhancements

• Elevate configuration errors to required-version mismatches (#​18977)
• Further improve TLS certificate validation messages (#​18933)
• Improve --exclude-newer hints (#​18952)

Preview features

• Fix --script handling in uv audit (#​18970)
• Fix traversal of extras in uv audit (#​18970)

Bug fixes

• De-quote workspace metadata in linehaul data (#​18966)
• Avoid installing tool workspace member dependencies as editable (#​18891)
• Emit JSON report for uv sync --check failures (#​18976)
• Filter and warn on invalid TLS certificates (#​18951)
• Fix equality comparisons for version specifiers with ~= operators (#​18960)
• Fix stale Python upgrade preview feature check in project environment construction (#​18961)
• Improve Windows path normalization (#​18945)

v0.11.6

Compare Source

Released on 2026-04-09.

This release resolves a low severity security advisory in which wheels with malformed RECORD entries could delete arbitrary files on uninstall. See GHSA-pjjw-68hj-v9mw for details.

Bug fixes

• Do not remove files outside the venv on uninstall (#​18942)
• Validate and heal wheel RECORD during installation (#​18943)
• Avoid uv cache clean errors due to Win32 path normalization (#​18856)

v0.11.5

Compare Source

Released on 2026-04-08.

Python

• Add CPython 3.13.13, 3.14.4, and 3.15.0a8 (#​18908)

Enhancements

• Fix build_system.requires error message (#​18911)
• Remove trailing path separators in path normalization (#​18915)
• Improve error messages for unsupported or invalid TLS certificates (#​18924)

Preview features

• Add exclude-newer to [[tool.uv.index]] (#​18839)
• uv audit: add context/warnings for ignored vulnerabilities (#​18905)

Bug fixes

• Normalize persisted fork markers before lock equality checks (#​18612)
• Clear junction properly when uninstalling Python versions on Windows (#​18815)
• Report error cleanly instead of panicking on TLS certificate error (#​18904)

Documentation

• Remove the legacy PIP_COMPATIBILITY.md redirect file (#​18928)
• Fix uv init example-bare --bare examples (#​18822, #​18925)

v0.11.4

Compare Source

Released on 2026-04-07.

Enhancements

• Add support for --upgrade-group (#​18266)
• Merge repeated archive URL hashes by version ID (#​18841)
• Require all direct URL hash algorithms to match (#​18842)

Bug fixes

• Avoid panics in environment finding via cycle detection (#​18828)
• Enforce direct URL hashes for pyproject.toml dependencies (#​18786)
• Error on --locked and --frozen when script lockfile is missing (#​18832)
• Fix uv export extra resolution for workspace member and conflicting extras (#​18888)
• Include conflicts defined in virtual workspace root (#​18886)
• Recompute relative exclude-newer values during uv tree --outdated (#​18899)
• Respect --exclude-newer in uv tool list --outdated (#​18861)
• Sort by comparator to break specifier ties (#​18850)
• Store relative timestamps in tool receipts (#​18901)
• Track newly-activated extras when determining conflicts (#​18852)
• Patch Cargo.lock in uv-build source distributions (#​18831)

Documentation

• Clarify that --exclude-newer compares artifact upload times (#​18830)

v0.11.3

Compare Source

Released on 2026-04-01.

Enhancements

• Add progress bar for hashing phase in uv publish (#​18752)
• Add support for ROCm 7.2 (#​18730)
• Emit abi3t tags for every abi3 version (#​18777)
• Expand uv workspace metadata with dependency information from the lock (#​18356)
• Implement support for PEP 803 (#​18767)
• Pretty-print platform in built wheel errors (#​18738)
• Publish installers to /installers/uv/latest on the mirror (#​18725)
• Show free-threaded Python in built-wheel errors (#​18740)

Preview features

• Add --ignore and --ignore-until-fixed to uv audit (#​18737)

Bug fixes

• Bump simple API cache (#​18797)
• Don't drop blake2b hashes (#​18794)
• Handle broken range request implementations (#​18780)
• Remove powerpc64-unknown-linux-gnu from release build targets (#​18800)
• Respect dependency metadata overrides in uv pip check (#​18742)
• Support debug CPython ABI tags in environment compatibility (#​18739)

Documentation

• Document false opt-out for exclude-newer-package (#​18768, #​18803)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.