build(deps): bump the actions group across 1 directory with 2 updates

[dependabot]

Bumps the actions group with 2 updates in the / directory: pypa/cibuildwheel and actions/download-artifact.

Updates pypa/cibuildwheel from 3.0 to 3.1

Release notes

Sourced from pypa/cibuildwheel's releases.

v3.1.0

• 🌟 CPython 3.14 wheels are now built by default - without the "cpython-prerelease" enable set. It's time to build and upload these wheels to PyPI! This release includes CPython 3.14.0rc1, which is guaranteed to be ABI compatible with the final release. (#2507) Free-threading is no longer experimental in 3.14, so you have to skip it explicitly with 'cp31?t-*' if you don't support it yet. (#2503)
• 🌟 Adds the ability to build wheels for Android! Set the platform option to android on Linux or macOS to try it out! (#2349)
• 🌟 Adds Pyodide 0.28, which builds 3.13 wheels (#2487)
• ✨ Support for 32-bit manylinux_2_28 (now a consistent default) and manylinux_2_34 added (#2500)
• 🛠 Improved summary, will also use markdown summary output on GHA (#2469)
• 🛠 The riscv64 images now have a working default (as they are now part of pypy/manylinux), but are still experimental (and behind an enable) since you can't push them to PyPI yet (#2506)
• 🛠 Fixed a typo in the 3.9 MUSL riscv64 identifier (cp39-musllinux_ricv64 -> cp39-musllinux_riscv64) (#2490)
• 🛠 Mistyping --only now shows the correct possibilities, and even suggests near matches on Python 3.14+ (#2499)
• 🛠 Only support one output from the repair step on linux like other platforms; auditwheel fixed this over four years ago! (#2478)
• 🛠 We now use pattern matching extensively (#2434)
• 📚 We now have platform maintainers for our special platforms and interpreters! (#2481)

v3.0.1

• 🛠 Updates CPython 3.14 prerelease to 3.14.0b3 (#2471)
• ✨ Adds a CPython 3.14 prerelease iOS build (only when prerelease builds are enabled) (#2475)

Changelog

Sourced from pypa/cibuildwheel's changelog.

v2.23.1

15 March 2025

• ⚠️ Added warnings when the shorthand values manylinux1, manylinux2010, manylinux_2_24, and musllinux_1_1 are used to specify the images in linux builds. The shorthand to these (unmaintainted) images will be removed in v3.0. If you want to keep using these images, explicitly opt-in using the full image URL, which can be found in this file. (#2312)
• 🛠 Dependency updates, including a manylinux update which fixes an issue with rustup. (#2315)

Commits

• 352e013 Bump version: v3.1.3
• c463e56 tests: another iOS flaky spot (#2539)
• 8c5c738 docs(project): add Falcon to working examples (#2538)
• feeb399 tests: add flaky test handling (#2527)
• 60b9cc9 fix: never call pip directly (#2537)
• e2c7102 chore: remove some GraalPy Windows workarounds. (#2501)
• 9e4e50b Bump version: v3.1.2
• 8ef9414 [pre-commit.ci] pre-commit autoupdate (#2532)
• 1953c04 Adding @​mhsmith as platform maintainer for Android (#2516)
• 46a6d27 Bump iOS support package versions. (#2530)
• Additional commits viewable in compare view

Updates actions/download-artifact from 4 to 5

Release notes

Sourced from actions/download-artifact's releases.

v5.0.0

What's Changed

• Update README.md by @​nebuk89 in actions/download-artifact#407
• BREAKING fix: inconsistent path behavior for single artifact downloads by ID by @​GrantBirki in actions/download-artifact#416

v5.0.0

🚨 Breaking Change

This release fixes an inconsistency in path behavior for single artifact downloads by ID. If you're downloading single artifacts by ID, the output path may change.

What Changed

Previously, single artifact downloads behaved differently depending on how you specified the artifact:

• By name: name: my-artifact → extracted to path/ (direct)
• By ID: artifact-ids: 12345 → extracted to path/my-artifact/ (nested)

Now both methods are consistent:

• By name: name: my-artifact → extracted to path/ (unchanged)
• By ID: artifact-ids: 12345 → extracted to path/ (fixed - now direct)

Migration Guide

✅ No Action Needed If:

• You download artifacts by name
• You download multiple artifacts by ID
• You already use merge-multiple: true as a workaround

⚠️ Action Required If:

You download single artifacts by ID and your workflows expect the nested directory structure.

Before v5 (nested structure):

- uses: actions/download-artifact@v4
  with:
    artifact-ids: 12345
    path: dist
# Files were in: dist/my-artifact/

Where my-artifact is the name of the artifact you previously uploaded

To maintain old behavior (if needed):

</tr></table> 

... (truncated)

Commits

• 634f93c Merge pull request #416 from actions/single-artifact-id-download-path
• b19ff43 refactor: resolve download path correctly in artifact download tests (mainly ...
• e262cbe bundle dist
• bff23f9 update docs
• fff8c14 fix download path logic when downloading a single artifact by id
• 448e3f8 Merge pull request #407 from actions/nebuk89-patch-1
• 47225c4 Update README.md
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.