chore(deps): update github actions #70
base: main
📝 Walkthrough
Multiple GitHub Actions workflow files had their external action pins updated to newer commit SHAs (notably actions/checkout, jupyterlab/maintainer-tools/.github/actions/base-setup, actions/setup-node, qlty-action/install, and jupyter-server/jupyter_releaser). Changes are limited to replacing commit hashes across build, CI, and release workflows; no workflow inputs, control flow, tests, or exported/public interfaces were modified.
Pre-merge checks: ✅ Passed checks (3 passed)
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #70 +/- ##
=======================================
Coverage 69.56% 69.56%
=======================================
Files 13 13
Lines 253 253
Branches 28 28
=======================================
Hits 176 176
Misses 73 73
Partials 4 4
☔ View full report in Codecov by Sentry.
7ac98cb to a1f63c6
a1f63c6 to 9ead0be
9ead0be to a349898
a349898 to 44933d6
Actionable comments posted: 1
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (6)
- .github/workflows/build.yml (3 hunks)
- .github/workflows/check-release.yml (2 hunks)
- .github/workflows/ci.yml (6 hunks)
- .github/workflows/prep-release.yml (1 hunks)
- .github/workflows/publish-release.yml (2 hunks)
- .github/workflows/update-integration-tests.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: check_release
- GitHub Check: build
🔇 Additional comments (10)
.github/workflows/prep-release.yml (1)
32-32: Action SHA update verified for consistency.
The base-setup action is correctly updated with proper version tag alignment. This aligns with updates across other workflows.
.github/workflows/build.yml (3)
19-19: Checkout action SHA correctly updated with version alignment.
SHA 93cb6ef maps to v5, matching the inline version comment.
22-22: Base-setup action SHA consistent across all references.
Both instances use SHA 7a3e704 with v1 tag maintained.
Also applies to: 96-96
187-187: Check-links action shares same SHA as base-setup.
Both reference 7a3e704, suggesting they're from the same release commit. Verify this is intentional behavior by the maintainer-tools project.
.github/workflows/publish-release.yml (2)
29-29: Checkout and base-setup actions maintain version consistency.
SHAs align with previously reviewed updates across other workflows.
Also applies to: 39-39
41-41: Verify create-github-app-token SHA is valid for v2.
SHA 7e473ef for v2 should be cross-checked against GitHub's official action repository to confirm it corresponds to an expected v2 release.
.github/workflows/update-integration-tests.yml (1)
32-32: All action SHAs correctly updated with maintained version tags.
Consistent with updates across other workflows: checkout v5, base-setup and update-snapshots both v1 with shared SHA 7a3e704.
Also applies to: 72-72, 83-83
.github/workflows/check-release.yml (1)
20-20: Action SHAs align with coordinated updates across the repository.
Checkout v5 and base-setup v1 follow the established pattern from other workflows.
Also applies to: 31-31
.github/workflows/ci.yml (2)
26-26: Checkout actions consistently updated across all jobs.
All 6 instances of actions/checkout correctly point to SHA 93cb6ef with v5 tag.
Also applies to: 45-45, 69-69, 93-93, 116-116, 131-131
48-48: Base-setup actions consistently pinned across all jobs.
All instances use SHA 7a3e704 with v1 tag—consistent with other workflow files.
Also applies to: 72-72, 96-96, 118-118, 134-134
| - name: Install qlty | ||
| uses: qltysh/qlty-action/install@92420f3093ba65970fed22ce5f162ecb8a5c1700 | ||
| uses: qltysh/qlty-action/install@c1d9ae56aba737dfb3c83921007a2610f1dad51c |
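Review bot: the added uses: qltysh/qlty-action/install@c1d9ae56... line has no trailing version comment, and neither does the line it replaces, so nothing in the file says which release either 40-character SHA is meant to be. Add the release tag as a comment in the same form as the # v5 on the actions/checkout pin, and confirm the SHA against that tag before merging.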
🧩 Analysis chain
Script executed:
#!/bin/bash
# Read the CI workflow file to see the full context
cat -n .github/workflows/ci.yml | head -50
Repository: deepnote/jupyterlab-deepnote
<shell_result>
Repository: deepnote/jupyterlab-deepnote
Exit code: 0
stdout:
1 name: CI
2
3 on:
4 push:
5 branches:
6 - main
7 pull_request:
8
9 concurrency:
10 group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
11 cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
12
13 permissions:
14 contents: read
15 pull-requests: read
16 packages: read
17
18 jobs:
19 qlty:
20 name: Qlty Check
21 runs-on: ubuntu-latest
22 timeout-minutes: 3
23
24 steps:
25 - name: Checkout code
26 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
27 with:
28 fetch-depth: 0
29
30 - name: Install qlty
31 uses: qltysh/qlty-action/install@c1d9ae56aba737dfb3c83921007a2610f1dad51c
32
33 - name: Run qlty check
34 run: qlty check
35
36 - name: Run qlty code smells analysis
37 run: qlty smells
38
39 lint-and-format:
40 name: Lint & Format
41 runs-on: ubuntu-latest
42 timeout-minutes: 15
43 steps:
44 - name: Checkout
45 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
46
47 - name: Base Setup
48 uses: jupyterlab/maintainer-tools/.github/actions/base-setup@7a3e70473eff6cce4988f449decedc61d1304379 # v1
49
50 - name: Install dependencies
</shell_result>
qltysh/qlty-action GitHub repository commit c1d9ae56aba737dfb3c83921007a2610f1dad51c
<web_search_result>
I couldn't find any public GitHub commit with hash c1d9ae56aba737dfb3c83921007a2610f1dad51c in the qltysh/qlty-action repository. The repository’s public page (commit history and tags) shows recent activity but that specific commit hash does not appear. [1]
If you want, I can (a) open the repository’s full commit history and look again, (b) check whether that commit exists on another branch or a fork, or (c) fetch the raw commit URL you gave and show the page contents — which one do you prefer? [1]
Sources:
[1] qltysh/qlty-action (GitHub repository).
</web_search_result>
qltysh/qlty-action install action GitHub
<web_search_result>
You can install the Qlty CLI in a GitHub Actions workflow using the reusable install action at qltysh/qlty-action/install. Example (use the latest tag, e.g. v2):
- uses: qltysh/qlty-action/install@v2
A minimal workflow example:
- uses: actions/checkout@v3
- uses: qltysh/qlty-action/install@v2
- run: qlty --version # verify installation
(Then run qlty commands like qlty check, qlty fmt, or upload coverage with qltysh/qlty-action/coverage.)
Sources: qlty-action README (actions list and install action). [1] Qlty CI docs (GitHub Actions integration / coverage example). [2]
Sources:
[1] https://github.com/qltysh/qlty-action — README / Actions list.
[2] https://docs.qlty.sh/coverage/ci — CI integration (GitHub Actions example).
</web_search_result>
Based on my verification, I have found that:
- Missing version comment is confirmed: Other actions in the same file (lines 26, 45, 48) all have version comments (e.g., # v5, # v1), while line 31 lacks one.
- SHA verification issue is real: The SHA c1d9ae56aba737dfb3c83921007a2610f1dad51c does not appear in the public qltysh/qlty-action repository's commit history.
- Best practice violation: Official documentation for qltysh/qlty-action recommends using semantic version tags (e.g., @v2) rather than commit SHAs.
The original review comment is valid and identifies genuine issues. Here is the rewritten comment:
Add version tag comment and verify action reference.
Line 31 lacks a version comment unlike other actions in this workflow (see lines 26, 45, 48 with # v5, # v1, etc.). Additionally, the referenced SHA c1d9ae56aba737dfb3c83921007a2610f1dad51c does not appear in the public qltysh/qlty-action repository. Consider using a semantic version tag (e.g., @v2) with a corresponding comment for consistency and maintainability.
🤖 Prompt for AI Agents
.github/workflows/ci.yml around line 31: the action reference uses a raw SHA
without the version comment used elsewhere and the SHA does not match the public
repo; replace the SHA with the appropriate semantic version tag (e.g., @v2) and
add a trailing inline comment like "# v2" to match the other entries, and verify
the chosen tag exists in the qltysh/qlty-action repository before committing.
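An offline check for the pin convention this PR's workflows follow (full 40-character SHA plus a trailing version comment), added here as an example; it is not code from the repository or from the review tool. The function name, finding labels and the last two sample steps are assumptions made for illustration, and the check does not confirm that a SHA exists upstream.

```python
import re

# Constructed sample: the first three `uses:` lines are copied from the ci.yml
# excerpt on this page; the last two steps are constructed for illustration.
SAMPLE_WORKFLOW = """\
steps:
  - name: Checkout code
    uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
  - name: Install qlty
    uses: qltysh/qlty-action/install@c1d9ae56aba737dfb3c83921007a2610f1dad51c
  - name: Base Setup
    uses: jupyterlab/maintainer-tools/.github/actions/base-setup@7a3e70473eff6cce4988f449decedc61d1304379 # v1
  - name: Floating tag
    uses: qltysh/qlty-action/install@v2
  - name: Local action
    uses: ./.github/actions/local
"""

# A `uses:` key (optionally the first key of a list item), the action
# reference, and an optional trailing YAML comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*(?P<ref>[^\s#]+)\s*(?:#(?P<comment>.*))?$")
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")


def audit_pins(workflow_text):
    """Return (line_number, action, finding) for each external action pin
    that is not a full commit SHA annotated with a version comment."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        # Local actions and container images are not pinned by git revision.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        action, sep, rev = ref.partition("@")
        comment = (m.group("comment") or "").strip()
        if not sep:
            findings.append((lineno, action, "no-ref"))
        elif not FULL_SHA_RE.fullmatch(rev):
            # Tags and branches can be moved after review.
            findings.append((lineno, action, "mutable-ref"))
        elif not comment:
            # Immutable, but a reader cannot tell which release it is.
            findings.append((lineno, action, "sha-without-version-comment"))
    return findings


if __name__ == "__main__":
    for finding in audit_pins(SAMPLE_WORKFLOW):
        print(finding)
```

Whether a flagged SHA actually belongs to the upstream repository still needs an online lookup, such as the gh api commit query used elsewhere in this review.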
9a68fdb to 5ab7043
Actionable comments posted: 1
♻️ Duplicate comments (1)
.github/workflows/ci.yml (1)
31-31: qlty-action reference lacks version comment and requires SHA verification.
Line 31 omits the version comment pattern used consistently elsewhere (lines 26, 45, 69, 93, 116, 131 all include # v5 or # v1). Additionally, the SHA c1d9ae5... was previously flagged as not appearing in the public qltysh/qlty-action repository.
Verify the qlty-action SHA validity and add an appropriate version comment (e.g., # v2) to match the pattern.
#!/bin/bash
# Verify qlty-action SHA exists and is accessible
gh api repos/qltysh/qlty-action/commits/c1d9ae56aba737dfb3c83921007a2610f1dad51c --jq '.sha' 2>/dev/null || echo "SHA not found in public repo"
# Check latest tags/releases to identify correct version
gh api repos/qltysh/qlty-action/releases --jq '.[0:5] | .[] | "\(.tag_name): \(.target_commitish)"'
📜 Review details
📒 Files selected for processing (6)
- .github/workflows/build.yml (3 hunks)
- .github/workflows/check-release.yml (1 hunks)
- .github/workflows/ci.yml (6 hunks)
- .github/workflows/prep-release.yml (1 hunks)
- .github/workflows/publish-release.yml (2 hunks)
- .github/workflows/update-integration-tests.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: build
- GitHub Check: check_release
🔇 Additional comments (10)
.github/workflows/prep-release.yml (1)
32-32: Action SHA updates are consistent and properly annotated.
Both external action references have been updated with version comments intact. Changes align with the PR objectives.
Also applies to: 36-36
.github/workflows/ci.yml (2)
26-26: Checkout action updates are consistent and properly annotated.
All six instances of actions/checkout have been updated to SHA 93cb6efe... with the # v5 version comment preserved.
Also applies to: 45-45, 69-69, 93-93, 116-116, 131-131
48-48: Base-setup action updates are consistent and properly annotated.
All five instances of jupyterlab/maintainer-tools base-setup have been updated to SHA d734fad... with the # v1 version comment preserved.
Also applies to: 72-72, 96-96, 118-118, 134-134
.github/workflows/update-integration-tests.yml (1)
32-32: Action SHA updates are consistent and properly annotated.
All three external actions (checkout, base-setup, update-snapshots) have been updated with version comments intact. Both maintainer-tools actions correctly reference the same SHA.
Also applies to: 72-72, 83-83
.github/workflows/build.yml (3)
19-19: Checkout and base-setup updates are consistent.
Both actions updated with version comments preserved.
Also applies to: 22-22
185-187: Check-links job action updates are consistent.
All three actions (checkout, base-setup, check-links) properly updated with version comments.
96-96: No compatibility concerns with actions/setup-python v6.
The v6 upgrade is compatible with this workflow. The only breaking change is the Node.js runtime upgrade (20→24), which requires runner v2.327.1+ but does not affect Python installation, caching, or downstream steps. Python 3.9 installation works without issues, and the workflow's standard invocation pattern remains fully supported.
.github/workflows/check-release.yml (2)
20-20: Checkout, base-setup, and check-release updates are consistent.
All actions properly updated with version comments. Consistent with other workflow files.
Also applies to: 31-31, 34-34
23-23: Review always-auth removal in actions/setup-node v6.
v6 has breaking changes:
- The always-auth input was removed (npm deprecated it). Remove any with: always-auth: true/false from the workflow.
- Automatic dependency caching is now npm-only; if using other package managers or explicit cache configuration, verify it's still set up correctly.
- Registry authentication via NODE_AUTH_TOKEN and registry-url/scope inputs remains compatible—no changes needed there.
Node 22.x installation and basic NPM operations work without issues on v6.
.github/workflows/publish-release.yml (1)
29-29: Action updates are consistent and properly annotated.
Checkout, base-setup, create-github-app-token, and releaser actions all properly updated with version comments. Changes align with PR objectives.
Also applies to: 39-39, 41-41, 49-49, 60-60
| - name: Setup Node.js | ||
| uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 | ||
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 |
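Review bot: both the removed and the added actions/setup-node line end in the same # v6 comment, so the comment does not show which v6 release the new SHA 395ad32... corresponds to. Record the exact release tag in the trailing comment so the pin can be checked against upstream by reading the file.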
🧩 Analysis chain
🌐 Web query:
actions/setup-node v6 breaking changes compared to v5
💡 Result:
Summary of breaking changes from actions/setup-node v5 → v6:
- Automatic caching behavior changed:
  - v5: enabled automatic package-manager detection and caching by default when no explicit cache input provided. [1][2]
  - v6: automatic caching is limited to npm only (caching for yarn/pnpm is disabled by default and must be configured explicitly). You can control this with the package-manager-cache input. [1][3]
- Removal of deprecated input:
  - v6 removes the always-auth input (it was deprecated). Remove any uses of always-auth to avoid warnings/errors. [3]
Sources:
- Release notes (v5, v6) — actions/setup-node releases. [1][2]
- README / documentation (caching details and removed inputs). [3]
References:
[1] actions/setup-node release v5.0.0.
[2] actions/setup-node release v6.0.0.
[3] actions/setup-node README / documentation on caching and inputs.
🏁 Script executed:
cat -n .github/workflows/publish-release.yml
Repository: deepnote/jupyterlab-deepnote
Length of output: 3182
Remove always-auth: true — no longer supported in actions/setup-node v6.
Line 37 uses the deprecated always-auth input, which was removed in v6. This will cause the setup-node step to fail or emit errors. Remove line 37. The registry-url and scope inputs (lines 35–36) work correctly in v6, and Node 22.x is fully supported.
🤖 Prompt for AI Agents
In .github/workflows/publish-release.yml around lines 32–37, the
actions/setup-node step is using the removed always-auth input (line 37); remove
the always-auth: true line so the workflow uses setup-node v6 correctly while
keeping registry-url and scope inputs on lines 35–36 unchanged; ensure no other
references to always-auth remain in the file and commit the updated workflow.
5ab7043 to 3731938
Actionable comments posted: 1
♻️ Duplicate comments (2)
.github/workflows/ci.yml (1)
31-31: Unresolved from prior review: Add version tag comment and verify action reference.
Line 31 lacks a version comment unlike other actions in this workflow, and the referenced SHA does not appear in the qltysh/qlty-action public repository. Consider switching to a semantic version tag (e.g., @v2) with a version comment for consistency and maintainability.
.github/workflows/publish-release.yml (1)
32-37: Unresolved from prior review: Remove always-auth: true — deprecated in actions/setup-node v6.
Line 37 uses the deprecated always-auth input, removed in v6. This will cause workflow failures. Remove the line; registry-url and scope inputs function correctly in v6.
📜 Review details
📒 Files selected for processing (6)
- .github/workflows/build.yml (3 hunks)
- .github/workflows/check-release.yml (1 hunks)
- .github/workflows/ci.yml (6 hunks)
- .github/workflows/prep-release.yml (1 hunks)
- .github/workflows/publish-release.yml (2 hunks)
- .github/workflows/update-integration-tests.yml (3 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: check_release
- GitHub Check: build
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | ||
| with: | ||
| cache: 'npm' | ||
| node-version: ${{ env.NODE_VERSION }} | ||
| registry-url: 'https://npm.pkg.github.com' | ||
| scope: '@deepnote' | ||
| always-auth: true |
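Review bot: always-auth: true is still passed on the last line of this step while the uses line is pinned at # v6; the review on this PR reports that input as removed in setup-node v6 and flags it in both publish-release.yml (lines 32-37) and check-release.yml (lines 23-29). Remove it from both files in the same commit rather than fixing one workflow at a time.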
Remove always-auth: true — deprecated in actions/setup-node v6.
Line 29 uses the always-auth input, which was removed in v6. This will cause workflow failures. Remove the line; the cache, node-version, registry-url, and scope inputs function correctly in v6.
Apply this diff to remove the deprecated input:
- name: Setup Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
with:
cache: 'npm'
node-version: ${{ env.NODE_VERSION }}
registry-url: 'https://npm.pkg.github.com'
scope: '@deepnote'
- always-auth: true
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | |
| with: | |
| cache: 'npm' | |
| node-version: ${{ env.NODE_VERSION }} | |
| registry-url: 'https://npm.pkg.github.com' | |
| scope: '@deepnote' | |
| always-auth: true | |
| uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 | |
| with: | |
| cache: 'npm' | |
| node-version: ${{ env.NODE_VERSION }} | |
| registry-url: 'https://npm.pkg.github.com' | |
| scope: '@deepnote' |
🤖 Prompt for AI Agents
.github/workflows/check-release.yml around lines 23 to 29: the workflow uses
actions/setup-node v6 but includes the deprecated input always-auth: true which
will cause failures; remove the line containing always-auth: true so the step
only passes cache, node-version, registry-url and scope inputs supported by v6.
This PR contains the following updates:
- 08c6903 -> 93cb6ef
- 6701853 -> 29824e6
- 2028fbc -> 395ad32
- e797f83 -> 83679a8
- 6accaa3 -> 8a519e3
- d72f5cb -> d734fad
- 92420f3 -> c1d9ae5
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.