deps: Update gha

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Type	Update	Change
codecov/codecov-action	action	patch	v5.5.0 -> v5.5.1
pypa/gh-action-pypi-publish	action	minor	v1.12.4 -> v1.13.0

---

Release Notes

codecov/codecov-action (codecov/codecov-action)

v5.5.1

Compare Source

What's Changed

• fix: overwrite pr number on fork by @​thomasrockhu-codecov in #​1871
• build(deps): bump actions/checkout from 4.2.2 to 5.0.0 by @​app/dependabot in #​1868
• build(deps): bump github/codeql-action from 3.29.9 to 3.29.11 by @​app/dependabot in #​1867
• fix: update to use local app/ dir by @​thomasrockhu-codecov in #​1872
• docs: fix typo in README by @​datalater in #​1866
• Document a codecov-cli version reference example by @​webknjaz in #​1774
• build(deps): bump github/codeql-action from 3.28.18 to 3.29.9 by @​app/dependabot in #​1861
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​app/dependabot in #​1833

Full Changelog: https://github.com/codecov/codecov-action/compare/v5.5.0..v5.5.1

pypa/gh-action-pypi-publish (pypa/gh-action-pypi-publish)

v1.13.0

Compare Source

Take the 2025 Python Packaging Survey if you still haven't!

[!important]
🚨 This release includes fixes for GHSA-vxmw-7h4f-hqxh discovered by @​woodruffw💰.
We've also integrated Zizmor to catch similar issues in the future and you should too.

✨ New Stuff

@​woodruffw💰 updated the README to no longer mention the attestations feature being experimental in #​347: it's been rather stable for a year already 🎉
He also added more diagnostic output which includes printing out the GitHub Environment claim via #​371 and warning about the unsupported reusable workflows configurations #​306, when using Trusted Publishing.

[!tip]
The official support for reusable workflows is currently blocked on changes to PyPI. To get updates about progress on the action side, you may want to subscribe to #​166.
At PyCon US 2025 Sprints, @​facutuesca💰, @​miketheman💰, @​woodruffw💰 and I💰 spent several hours IRL brainstorming how to fix this and migrate projects that happen to rely on an obscure corner case with reusable workflows that temporarily allows them to function by accident.
The result of that discussion is posted @​ pypi/warehouse#11096 (comment).
Note that this is a volunteer-led effort and there is no ETA. If you need this soon, make your employer sponsor the PSF and maybe they'll be able to hire somebody for this work on Warehouse.

In addition to that, @​konstin💰 sent #​378 to pin actions/setup-python to a SHA hash. This makes pypi-publish compatible with new GitHub policies that allow organizations to mandate hash-pinning actions used in workflows.

🛠️ Internal Dependencies

@​webknjaz💰 made a bunch of updates to the action runtime which includes bumping it to Python 3.13 in #​331 and updating the dependency tree across the board. pip-with-requires-python is no longer being installed (#​332). Some related bumps were contributed by @​woodruffw💰 (#​359) and @​kurtmckee💰 sent a contributor-facing PR, bumping the linting configuration via #​335.

💪 New Contributors

• @​kurtmckee made their first contribution in #​335
• @​konstin made their first contribution in #​378

🪞 Full Diff: pypa/gh-action-pypi-publish@v1.12.4...v1.13.0

🧔‍♂️ Release Manager: @​webknjaz 🇺🇦

💬 Discuss on Bluesky 🦋, on Mastodon 🐘 and on GitHub.

---

Configuration

📅 Schedule: Branch creation - On day 15 of the month ( * * 15 * * ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.