chore(deps-dev): bump the gha group across 1 directory with 4 updates

[dependabot]

Bumps the gha group with 4 updates in the /packages/opentelemetry-instrumentation-replicate directory: replicate, pytest-sugar, ruff and vcrpy.

Updates replicate from 0.26.1 to 1.0.7

Release notes

Sourced from replicate's releases.

1.0.7

What's Changed

If you run replicate-python within a cog model running cog 0.14.11 or later, it is now possible to pass a REPLICATE_API_TOKEN via the context as part of a prediction request.

The Replicate() constructor will now use this context when available. This grants cog models the ability to use the Replicate client libraries, scoped to a user on a per request basis.

Full Changelog: replicate/replicate-python@1.0.6...1.0.7

1.0.6

Full Changelog: replicate/replicate-python@1.0.4...1.0.6

There was no 1.0.5 release, the release system failed and we chose not to re-use the identifier.

1.0.4

What's Changed

• Fix two bugs in the base64 file_encoding_strategy by @​aron in replicate/replicate-python#398
  • replicate.run() now correctly converts the file provided into a valid base64 encoded data URL.
  • replicate.async_run() now respects the file_encoding_strategy flag.

Full Changelog: replicate/replicate-python@1.0.3...1.0.4

1.0.3

What's Changed

• Fix a bug where replicate.run would swallow tokens (or files) at the start of a prediction's output. Thanks to @​aron in replicate/replicate-python#383

Full Changelog: replicate/replicate-python@1.0.2...1.0.3

1.0.2

What's Changed

• Configure read timeout based on wait parameter by @​aron in replicate/replicate-python#373

Full Changelog: replicate/replicate-python@1.0.1...1.0.2

1.0.1

What's Changed

• 1.0.1 candidate by @​zeke in replicate/replicate-python#368

Full Changelog: replicate/replicate-python@1.0.0...1.0.1

1.0.0

[!WARNING] Breaking changes

This 1.0.0 latest release of replicate contains breaking changes. The replicate.run() method will now return FileObjects rather than URL strings by default for models that output files.

The FileObject implements an iterable object similar to httpx.Response to make it easier to work with files and ensures that Replicate can deliver file data to the client in the most efficient manner possible.

... (truncated)

Commits

• 42ba2f7 Release 1.0.7
• 36c95a8 format and lint
• 48acf51 Update replicate/client.py
• 68551cf Linting
• 302f5da Make scope lookup case insensitive
• 52c373c Document alternative authentication
• ab9982f Support getting REPLICATE_API_TOKEN from cog context
• 9f8d753 bump to 1.0.6
• f5d53cd bump patch to 1.0.5
• 804fd1d fix(package): include py.typed marker file
• Additional commits viewable in compare view

Updates pytest-sugar from 1.0.0 to 1.1.1

Release notes

Sourced from pytest-sugar's releases.

pytest-sugar 1.1.1

Adjust signature of SugarTerminalReporter to avoid conflicts with other pytest plugins (#297 by @​TolstochenkoDaniil)

pytest-sugar 1.1.0

Add Playwright trace file detection and display support for failed tests (#296 by @​kiebak3r)

This enhancement automatically detects and displays Playwright trace.zip files with viewing commands when tests fail, making debugging easier for Playwright users.

New command-line options:

• --sugar-trace-dir: Configure the directory name for Playwright trace files (default: test-results)
• --sugar-no-trace: Disable Playwright trace file detection and display

Changelog

Sourced from pytest-sugar's changelog.

1.1.1 - 2025-08-23 ^^^^^^^^^^^^^^^^^^

Adjust signature of SugarTerminalReporter to avoid conflicts with other pytest plugins

Contributed by Daniil via [PR #297](Teemu/pytest-sugar#297)

1.1.0 - 2025-08-16 ^^^^^^^^^^^^^^^^^^

Add Playwright trace file detection and display support for failed tests. This enhancement automatically detects and displays Playwright trace.zip files with viewing commands when tests fail, making debugging easier for Playwright users.

New command-line options:

• --sugar-trace-dir: Configure the directory name for Playwright trace files (default: test-results)
• --sugar-no-trace: Disable Playwright trace file detection and display

Contributed by kie via [PR #296](Teemu/pytest-sugar#296)

Commits

• 8133503 Release pytest-sugar 1.1.1
• 6798042 Fix conflict with other Pytest plugins (#297)
• 43bbdd0 Release pytest-sugar 1.1.0
• 855d661 Feature - Playwright Support for Trace Zip Mapping (#296)
• 2a5862a Merge pull request #293 from cgoldberg/add-py313
• ca26d98 Add support for Python 3.13
• 69989eb Clarify license as BSD 3-Clause License
• 3c86a5c Merge pull request #289 from deronnax/remove-packaging-dep
• c123be0 remove 'packaging' package
• efafd9c Merge pull request #282 from penguinpee/main
• Additional commits viewable in compare view

Updates ruff from 0.14.11 to 0.14.12

Changelog

Sourced from ruff's changelog.

0.14.12

Released on 2026-01-15.

Preview features

• [flake8-blind-except] Allow more logging methods (BLE001) (#22057)
• [ruff] Respect lint.pydocstyle.property-decorators in RUF066 (#22515)

Bug fixes

• Fix configuration path in --show-settings (#22478)
• Respect fmt: skip for multiple statements on the same logical line (#22119)

Rule changes

• [pydocstyle] Update Rust crate imperative to v1.0.7 (D401) (#22519)
• [isort] Insert imports in alphabetical order (I002) (#22493)

Documentation

• Add llms.txt support for documentation (#22463)
• Use prek in documentation and CI (#22505)
• [flake8-pytest-style] Add check parameter example to PT017 docs (#22546)
• [ruff] Make example error out-of-the-box (RUF103) (#22558)
• [ruff] document RUF100 trailing comment fix behavior (#22479)

Other changes

• wasm: Require explicit logging initialization (#22587)

Contributors

• @​terror
• @​harupy
• @​Jkhall81
• @​dhruvmanila
• @​lubaskinc0de
• @​zanieb
• @​MeGaGiGaGon
• @​charliermarsh
• @​renovate
• @​dylwil3
• @​MichaReiser
• @​11happy

Commits

• See full diff in compare view

Updates vcrpy from 6.0.2 to 7.0.0

Release notes

Sourced from vcrpy's releases.

v7.0.0

What's Changed

- Drop support for python 3.8 (major version bump) - thanks @jairhenrique
- Various linting and test fixes - thanks @jairhenrique
- Bugfix for urllib2>=2.3.0 - missing version_string ([#888](https://github.com/kevin1024/vcrpy/issues/888))
- Bugfix for asyncio.run - thanks @alekeik1

New Contributors

• @​exslim made their first contribution in kevin1024/vcrpy#889
• @​alekseik1 made their first contribution in kevin1024/vcrpy#886

Changelog

Sourced from vcrpy's changelog.

Changelog

For a full list of triaged issues, bugs and PRs and what release they are targeted for please see the following link.

ROADMAP MILESTONES <https://github.com/kevin1024/vcrpy/milestones>_

All help in providing PRs to close out bug issues is appreciated. Even if that is providing a repo that fully replicates issues. We have very generous contributors that have added these to bug issues which meant another contributor picked up the bug and closed it out.

• 8.1.1

  • Fix sync requests in async contexts for HTTPX (#965) - thanks @​seowalex
  • CI: bump peter-evans/create-pull-request from 7 to 8 (#969)

• 8.1.0

  • Enable brotli decompression if available (via brotli, brotlipy or brotlicffi) (#620) - thanks @​immerrr
  • Fix aiohttp allowing both data and json arguments when one is None (#624) - thanks @​leorochael
  • Fix usage of io-like interface with VCR.py (#906) - thanks @​tito and @​kevdevg
  • Migrate to declarative Python package config (#767) - thanks @​deronnax
  • Various linting fixes - thanks @​jairhenrique
  • CI: bump actions/checkout from 5 to 6 (#955)

• 8.0.0

  • BREAKING: Drop support for Python 3.9 (major version bump) - thanks @​jairhenrique
  • BREAKING: Drop support for urllib3 < 2 - fixes CVE warnings from urllib3 1.x (#926, #880) - thanks @​jairhenrique
  • New feature: drop_unused_requests option to remove unused interactions from cassettes (#763) - thanks @​danielnsilva
  • Rewrite httpx support to patch httpcore instead of httpx (#943) - thanks @​seowalex
    • Fixes httpx.ResponseNotRead exceptions (#832, #834)
    • Fixes KeyError: 'follow_redirects' (#945)
    • Adds support for custom httpx transports
  • Fix HTTPS proxy handling - proxy address no longer ends up in cassette URIs (#809, #914) - thanks @​alga
  • Fix iscoroutinefunction deprecation warning on Python 3.14 - thanks @​kloczek
  • Only log message if response is appended - thanks @​talfus-laddus
  • Optimize urllib.parse calls - thanks @​Martin-Brunthaler
  • Fix CI for Ubuntu 24.04 - thanks @​hartwork
  • Various CI improvements: migrate to uv, update GitHub Actions - thanks @​jairhenrique
  • Various linting and test improvements - thanks @​jairhenrique and @​hartwork

• 7.0.0

  • Drop support for python 3.8 (major version bump) - thanks @​jairhenrique
  • Various linting and test fixes - thanks @​jairhenrique
  • Bugfix for urllib2>=2.3.0 - missing version_string (#888)
  • Bugfix for asyncio.run - thanks @​alekeik1

• 6.0.2

  • Ensure body is consumed only once (#846) - thanks @​sathieu
  • Permit urllib3 2.x for non-PyPy Python >=3.10
  • Fix typos in test commands - thanks @​chuckwondo
  • Several test and workflow improvements - thanks @​hartwork and @​graingert

• 6.0.1

  • Bugfix with to Tornado cassette generator (thanks @​graingert)

• 6.0.0

... (truncated)

Commits

• 3278619 Release v7.0.0
• 3fb62e0 fix: correctly handle asyncio.run when loop exists
• 8197865 build(deps): update sphinx requirement from <8 to <9
• be651bd pre-commit: Autoupdate
• a6698ed Fix aiohttp tests
• 48d0a2e Fixed missing version_string attribute when used with urllib3>=2.3.0
• 5b858b1 Fix lint
• c8d99a9 Fix ruff configuration
• ce27c63 Merge pull request #736 from kevin1024/drop-python38
• ab8944d Drop python 3.8 support
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

---

Important

Bump replicate, pytest-sugar, ruff, and vcrpy dependencies in /packages/opentelemetry-instrumentation-replicate directory.

• Dependency Updates:
  • Update replicate from 0.26.1 to 1.0.7 in pyproject.toml and uv.lock.
  • Update pytest-sugar from 1.0.0 to 1.1.1 in pyproject.toml and uv.lock.
  • Update ruff from 0.14.11 to 0.14.12 in pyproject.toml and uv.lock.
  • Update vcrpy from 6.0.2 to 7.0.0 in pyproject.toml and uv.lock.

^{This description was created by for 73024e7. You can customize this summary. It will automatically update as commits are pushed.}

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ellipsis-dev]

Important

Looks good to me! 👍

Reviewed everything up to 73024e7 in 3 minutes and 49 seconds. Click for details.

• Reviewed 1968 lines of code in 2 files
• Skipped 0 files when reviewing.
• Skipped posting 7 draft comments. View those below.
• Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

1. packages/opentelemetry-instrumentation-replicate/pyproject.toml:20

• Draft comment:
  Bump 'pytest-sugar' from 1.0.0 to 1.1.1. Verify that the updated terminal reporter signature (per 1.1.1 release) does not break our instrumentation or test framework.
• Reason this comment was not posted:
  Comment was not on a location in the diff, so it can't be submitted as a review comment.

2. packages/opentelemetry-instrumentation-replicate/pyproject.toml:27

• Draft comment:
  Update the 'replicate' dependency constraint from '<0.27.0' to '<1.1.0'. Ensure that the breaking API changes in replicate v1.0.7 (e.g. return type in run()) are handled in our instrumentation.
• Reason this comment was not posted:
  Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50% The comment is about a dependency version change that was made in the diff. However, the comment doesn't identify a specific problem in the code - it's asking the author to "ensure" that breaking changes are handled. This is exactly the type of comment the rules say to avoid: "Do NOT ask the PR author to confirm their intention, to explain, to double-check things, to ensure the behavior is intended". The comment is speculative - it assumes there might be breaking changes that need handling, but doesn't point to actual code that needs to be fixed. If there were actual breaking changes that needed to be addressed, the comment should point to specific code that needs to change, not just ask the author to verify. Maybe the comment is valid because major version bumps (0.x to 1.x) often do contain breaking changes, and this could be important to verify. Perhaps the tool has specific knowledge about breaking changes in replicate v1.0.7 that would affect the instrumentation code. Even if there are known breaking changes in replicate v1.0.7, the comment should point to specific code in this PR that needs to be changed, not just ask the author to "ensure" things are handled. Without pointing to actual code that needs fixing, this is just a verification request which violates the rules. If the instrumentation code actually needs changes, those should be identified specifically. This comment should be deleted because it asks the PR author to "ensure" something is handled rather than pointing to specific code that needs to be changed. It's a verification/confirmation request which violates the rules for review comments.

3. packages/opentelemetry-instrumentation-replicate/pyproject.toml:28

• Draft comment:
  Increase the upper bound for 'vcrpy' from <7 to <8. Confirm that vcrpy 7.0.0 (with its breaking changes and dropped Python 3.8 support) is compatible with our environment.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is asking the author to confirm compatibility with a new version of a dependency, which is not allowed according to the rules. It does not provide a specific suggestion or point out a specific issue with the code.

4. packages/opentelemetry-instrumentation-replicate/uv.lock:1

• Draft comment:
  Lock file revision increased from 1 to 3. Ensure these auto-generated updates (hashes, upload times) are correct and solely reflect the dependency updates.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is asking the PR author to ensure that the auto-generated updates in the lock file are correct. This falls under the category of asking the author to double-check things, which is against the rules. The comment does not provide a specific suggestion or point out a specific issue.

5. packages/opentelemetry-instrumentation-replicate/uv.lock:870

• Draft comment:
  Updated 'replicate' package from 0.26.1 to 1.0.7. Double-check that our instrumentation adapts to replicate's breaking API changes (e.g. run() now returns FileObjects).
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% The comment is asking the PR author to double-check the adaptation to breaking API changes, which violates the rule against asking the author to double-check things. It does not provide a specific suggestion or ask for a specific test to be written.

6. packages/opentelemetry-instrumentation-replicate/uv.lock:995

• Draft comment:
  Bump 'ruff' from 0.14.11 to 0.14.12. Review its changelog for any linting rule modifications that might require code adjustments.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is related to a dependency change, specifically a version bump for the ruff library. The comment suggests reviewing the changelog for any linting rule modifications. According to the rules, comments on pure dependency changes or library versions should be ignored. Therefore, this comment should be removed.

7. packages/opentelemetry-instrumentation-replicate/uv.lock:1020

• Draft comment:
  Upgraded 'vcrpy' from 6.0.2 to 7.0.0. Verify that changes (including dropped support or API changes) do not negatively impact our VCR-based tests.
• Reason this comment was not posted:
  Comment did not seem useful. Confidence is useful = 0% <= threshold 50% This comment is asking the PR author to verify that the upgrade of a dependency does not negatively impact the tests. This falls under the rule of not asking the author to ensure the behavior is intended or to double-check things. Therefore, this comment should be removed.

Workflow ID: wflow_wfg4jnLA4e18hKAI

^{You can customize by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.}