From ba1d33c8e8801596eb47e521a750ab838bc8f3fc Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 02:02:26 +0000 Subject: [PATCH 1/3] chore(deps): bump the actions group across 1 directory with 5 updates Bumps the actions group with 5 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `1` | `6` | | [actions/cache](https://github.com/actions/cache) | `4` | `5` | | [actions/upload-artifact](https://github.com/actions/upload-artifact) | `5` | `6` | | [actions/download-artifact](https://github.com/actions/download-artifact) | `6` | `7` | | [scientific-python/upload-nightly-action](https://github.com/scientific-python/upload-nightly-action) | `0.6.2` | `0.6.3` | Updates `actions/checkout` from 1 to 6 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v1...v6) Updates `actions/cache` from 4 to 5 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](https://github.com/actions/cache/compare/v4...v5) Updates `actions/upload-artifact` from 5 to 6 - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/v5...v6) Updates `actions/download-artifact` from 6 to 7 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](https://github.com/actions/download-artifact/compare/v6...v7) Updates `scientific-python/upload-nightly-action` from 0.6.2 to 0.6.3 - [Release notes](https://github.com/scientific-python/upload-nightly-action/releases) - [Commits](https://github.com/scientific-python/upload-nightly-action/compare/b36e8c0c10dbcfd2e05bf95f17ef8c14fd708dbf...5748273c71e2d8d3a61f3a11a16421c8954f9ecf) --- updated-dependencies: - dependency-name: actions/checkout 
dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/cache dependency-version: '5' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/download-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: scientific-python/upload-nightly-action dependency-version: 0.6.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions ... Signed-off-by: dependabot[bot] --- .github/workflows/ci.yml | 4 ++-- .github/workflows/nightlies.yml | 6 +++--- .github/workflows/pip.yml | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c5a200e32e..bc3679908e 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -296,7 +296,7 @@ jobs: - name: Valgrind cache if: matrix.valgrind - uses: actions/cache@v4 + uses: actions/cache@v5 id: cache-valgrind with: path: valgrind @@ -778,7 +778,7 @@ jobs: timeout-minutes: 90 steps: - - uses: actions/checkout@v1 # v1 is required to run inside docker + - uses: actions/checkout@v6 # v1 is required to run inside docker - name: Install requirements run: | diff --git a/.github/workflows/nightlies.yml b/.github/workflows/nightlies.yml index ad4a351521..9b4f933e4e 100644 --- a/.github/workflows/nightlies.yml +++ b/.github/workflows/nightlies.yml @@ -33,7 +33,7 @@ jobs: nox -s build nox -s build_global - - uses: actions/upload-artifact@v5 + - uses: actions/upload-artifact@v6 with: name: Packages path: dist/* 
@@ -44,7 +44,7 @@ jobs: needs: [build_wheel] runs-on: ubuntu-latest steps: - - uses: actions/download-artifact@v6 + - uses: actions/download-artifact@v7 with: name: Packages path: dist @@ -53,7 +53,7 @@ jobs: run: ls -lha dist/*.whl - name: Upload wheel to Anaconda Cloud as nightly - uses: scientific-python/upload-nightly-action@b36e8c0c10dbcfd2e05bf95f17ef8c14fd708dbf # 0.6.2 + uses: scientific-python/upload-nightly-action@5748273c71e2d8d3a61f3a11a16421c8954f9ecf # 0.6.3 with: artifacts_path: dist anaconda_nightly_upload_token: ${{ secrets.ANACONDA_ORG_UPLOAD_TOKEN }} diff --git a/.github/workflows/pip.yml b/.github/workflows/pip.yml index 8df91a00fa..b7555a5a71 100644 --- a/.github/workflows/pip.yml +++ b/.github/workflows/pip.yml @@ -72,13 +72,13 @@ jobs: run: twine check dist/* - name: Save standard package - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: standard path: dist/pybind11-* - name: Save global package - uses: actions/upload-artifact@v5 + uses: actions/upload-artifact@v6 with: name: global path: dist/*global-* @@ -100,7 +100,7 @@ jobs: steps: # Downloads all to directories matching the artifact names - - uses: actions/download-artifact@v6 + - uses: actions/download-artifact@v7 - name: Generate artifact attestation for sdist and wheel uses: actions/attest-build-provenance@v3 From b974df8c72900991738bbac4a970b7714ed354dd Mon Sep 17 00:00:00 2001 From: "Ralf W. Grosse-Kunstleve" Date: Sun, 21 Dec 2025 18:59:35 -0800 Subject: [PATCH 2/3] Reset install-classic actions/checkout to @v1 --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bc3679908e..0d2d91613c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -778,7 +778,7 @@ jobs: timeout-minutes: 90 steps: - - uses: actions/checkout@v6 # v1 is required to run inside docker + - uses: actions/checkout@v1 # v1 is required to run inside docker - name: Install requirements run: | From 62ac4f8adea21afc8bb091681951bbeded437263 Mon Sep 17 00:00:00 2001 From: "Ralf W. Grosse-Kunstleve" Date: Sun, 21 Dec 2025 19:08:35 -0800 Subject: [PATCH 3/3] Pin actions/checkout@v1 to SHA, switch dependabot to monthly Pin the i386/debian container checkout to SHA to prevent dependabot from updating it (v1 is required for that container). Remove the non-working ignore block and change schedule from weekly to monthly. --- .github/dependabot.yml | 6 +----- .github/workflows/ci.yml | 3 ++- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 22c34bd74d..8b13673c14 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,12 +4,8 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "weekly" + interval: "monthly" groups: actions: patterns: - "*" - ignore: - - dependency-name: actions/checkout - versions: - - "<5" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 0d2d91613c..86eea68059 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -778,7 +778,8 @@ jobs: timeout-minutes: 90 steps: - - uses: actions/checkout@v1 # v1 is required to run inside docker + # v1 required for i386/debian container; pinned to SHA to prevent dependabot updates + - uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9 # v1 - name: Install requirements run: |
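Review bot: With the `ignore` block removed and the single `actions` group still matching `"*"`, each monthly run in .github/dependabot.yml will bundle every action bump, major ones included, into one pull request. The first patch of this series shows the cost: five updates arrived together, four of them semver-major, and the checkout bump had to be reverted by hand. Consider adding `update-types: ["minor", "patch"]` to the group so that major bumps arrive as separate pull requests and can be reviewed on their own. The `updates:` entry starts above the hunk, so other settings may already apply.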
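Review bot: The new comment in .github/workflows/ci.yml says the SHA pin prevents Dependabot updates, but the first patch of this series shows Dependabot rewriting a SHA pin (`scientific-python/upload-nightly-action` in nightlies.yml, 0.6.2 to 0.6.3), so the pin alone may not keep this step on v1. What the SHA does provide is an immutable reference, and the comment should say that instead, for example `# v1 required for i386/debian container; SHA-pinned as an immutable ref, do not bump`. It is worth confirming on the next Dependabot run that this step is left alone. As far as I know, Dependabot alerts are not raised for SHA-pinned actions, so this step would need a manual check when a checkout advisory is published. The job definition starts above the hunk.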