From 7e5b59524958a6fbcec790869b4995e5c317f010 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 24 Apr 2026 11:24:30 +0300
Subject: [PATCH 1/3] Hash pin GitHub Actions

---
 .github/workflows/auto-tag.yml          | 2 +-
 .github/workflows/check-for-updates.yml | 4 ++--
 .github/workflows/publish.yml           | 8 ++++----
 .github/workflows/tests.yml             | 8 ++++----
 4 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/auto-tag.yml b/.github/workflows/auto-tag.yml
index 475583e..ebfbc88 100644
--- a/.github/workflows/auto-tag.yml
+++ b/.github/workflows/auto-tag.yml
@@ -14,7 +14,7 @@ jobs:
       contents: write
     steps:
       - name: Check out repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Get current version
         id: version
diff --git a/.github/workflows/check-for-updates.yml b/.github/workflows/check-for-updates.yml
index 119d1d0..b1aabe0 100644
--- a/.github/workflows/check-for-updates.yml
+++ b/.github/workflows/check-for-updates.yml
@@ -36,12 +36,12 @@ jobs:
     if: needs.check-pr-exists.outputs.pr_exists == 'false'  # Run only if no PR exists
     steps:
       - name: Check out repository (shallow)
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1  # Shallow clone to save time
 
       - name: Set up Python 3.12
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.12'
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3181eae..b1c855b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -24,9 +24,9 @@ jobs:
     permissions:
       id-token: write
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: '3.x'
     - name: Install dependencies
@@ -44,12 +44,12 @@ jobs:
         tox -e build
     - name: Publish package (TestPyPI)
       if: github.event_name == 'push'
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
       with:
         repository-url: https://test.pypi.org/legacy/
         verbose: true
     - name: Publish package
       if: github.event_name == 'release'
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@cef221092ed1bacb1cc03d23a2d87d1d172e277b # v1.14.0
       with:
         verbose: true
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index af8e595..29afba6 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -27,10 +27,10 @@ jobs:
     container:
       image: ${{ matrix.use-container && format('python:{0}', matrix.python-version) || '' }}
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - if: ${{ !matrix.use-container }}
       name: Set up Python ${{ matrix.python-version }} on ${{ matrix.os }} (non-containers)
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
       with:
         python-version: ${{ matrix.python-version }}
         allow-prereleases: true
@@ -51,9 +51,9 @@ jobs:
       TOXENV: ${{ matrix.toxenv }}
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: ${{ matrix.toxenv }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.x"
       - name: Install tox

From e3b22091aee75327395795921d760e63ffe0108f Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com>
Date: Fri, 24 Apr 2026 11:25:42 +0300
Subject: [PATCH 2/3] Add 14-day cooldown to Dependabot

---
 .github/dependabot.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 06d4463..c0074c0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,4 +7,9 @@ updates:
     groups:
       actions:
         patterns:
-          - "*"
\ No newline at end of file
+          - "*"
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14

From 1ed894339a0c37a85f8ba2a7c4d7696934d332dd Mon Sep 17 00:00:00 2001
From: Stan Ulbrych <stan@python.org>
Date: Fri, 24 Apr 2026 16:17:30 +0100
Subject: [PATCH 3/3] Update tzdata to version '2026b' (#135)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

# Version 2026.2
Upstream version 2026b released 2026-04-23T06:06:43+00:00

## Briefly:

British Columbia moved to permanent -07 on 2026-03-09. Some more overflow bugs
have been fixed in zic.

## Changes to future timestamps

British Columbia’s 2026-03-08 spring forward was its last foreseeable clock
change, as it moved to permanent -07 thereafter. (Thanks to Arthur David Olson.)
Although the change to permanent -07 legally took place on 2026-03-09,
temporarily model the change to occur on 2026-11-01 at 02:00 instead.  This
works around a limitation in CLDR v48.2 (2026-03-17).  This temporary hack is
planned to be removed after CLDR is fixed.
---
 NEWS.md                               |  19 +++++++++++++++++++
 VERSION                               |   2 +-
 src/tzdata/__init__.py                |   4 ++--
 src/tzdata/zoneinfo/America/Vancouver | Bin 1330 -> 1673 bytes
 src/tzdata/zoneinfo/Asia/Ho_Chi_Minh  | Bin 236 -> 232 bytes
 src/tzdata/zoneinfo/Asia/Saigon       | Bin 236 -> 232 bytes
 src/tzdata/zoneinfo/Canada/Pacific    | Bin 1330 -> 1673 bytes
 src/tzdata/zoneinfo/tzdata.zi         |   6 ++++--
 src/tzdata/zoneinfo/zone.tab          |   2 +-
 src/tzdata/zoneinfo/zone1970.tab      |   2 +-
 src/tzdata/zoneinfo/zonenow.tab       |   3 +++
 11 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/NEWS.md b/NEWS.md
index 89cab0e..eb1bf60 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -1,3 +1,22 @@
+# Version 2026.2
+Upstream version 2026b released 2026-04-23T06:06:43+00:00
+
+## Briefly:
+
+British Columbia moved to permanent -07 on 2026-03-09. Some more overflow bugs
+have been fixed in zic.
+
+## Changes to future timestamps
+
+British Columbia’s 2026-03-08 spring forward was its last foreseeable clock
+change, as it moved to permanent -07 thereafter. (Thanks to Arthur David Olson.)
+Although the change to permanent -07 legally took place on 2026-03-09,
+temporarily model the change to occur on 2026-11-01 at 02:00 instead.  This
+works around a limitation in CLDR v48.2 (2026-03-17).  This temporary hack is
+planned to be removed after CLDR is fixed.
+
+---
+
 # Version 2026.1
 Upstream version 2026a released 2026-03-02T06:59:49+00:00
 
diff --git a/VERSION b/VERSION
index 8468728..551197f 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2026.1
\ No newline at end of file
+2026.2
\ No newline at end of file
diff --git a/src/tzdata/__init__.py b/src/tzdata/__init__.py
index 497592c..95e9153 100644
--- a/src/tzdata/__init__.py
+++ b/src/tzdata/__init__.py
@@ -1,6 +1,6 @@
 # IANA versions like 2020a are not valid PEP 440 identifiers; the recommended
 # way to translate the version is to use YYYY.n where `n` is a 0-based index.
-__version__ = "2026.1"
+__version__ = "2026.2"
 
 # This exposes the original IANA version number.
-IANA_VERSION = "2026a"
+IANA_VERSION = "2026b"
diff --git a/src/tzdata/zoneinfo/America/Vancouver b/src/tzdata/zoneinfo/America/Vancouver
index c998491112ea5e4430b8266498cf7f23e1266bc5..1ab2eaf95ac2132a73277675ff76a85e42d9a34a 100644
GIT binary patch
delta 391
zcmdnQ)yX>{jB^D80|OfnOKgniV5tW(7~FNc1i<v=tqLI8lQ##<_uM=k%=dch2j+Xv
z*}MQG?{h6{0*LmlnYsW(`)%_9^ZjGW!Tf+}dSHH_O(d8fR3-rC2g_K4`5~d7!2FOu
zvh`qrFw-kwfv~4m3JgFHA@@-LOdpj2^CSOV2J@qq`~&l&?`;M1V_F`7`LX+^gZXhO
zhrs;!d6i&(g73Wr3_y_BK6L_!PSQQF07NIJmxK8!y!MO00;%qiV1d-PEnt4Sx;2=e
zel`uv&t#Vc^E20afcaU^{!d_HWMXEST)<K>xq(HCk#+J57CDvw|L0C%5b^O1VF+*m
V;$R>S2jYMb245hX3rLuA0RUW0S@{3}

delta 73
zcmeC=-NZE^jI)t}fq@l>MK;EBuuPuM+Bn&rO-{$hH-sU;1&D)zI2?!rLKwJ!91EbJ
Uj<2zvk)DB$uc4uyp`HO30D%G!!T<mO

diff --git a/src/tzdata/zoneinfo/Asia/Ho_Chi_Minh b/src/tzdata/zoneinfo/Asia/Ho_Chi_Minh
index 86e21b0f524426287fb3b21a82369283c4040c0e..294796a7a33125f7ae35624ac8db6a9bb75819d0 100644
GIT binary patch
delta 63
zcmaFE_=0gl9HZdG_%LHe28QHs3_y@nz`)ADP|(1@$-q!Ifq^%`$2WvQ+rS)%Er8gP
Nfy)NSv(q)_0s!K^4G#bS

delta 44
zcmaFC_=a&p9HZ#O_%K-p28QHs3@i)`Nd*j?3=9Pg47>~sbrTo_eSAY0CZ3Z500sgI
A_y7O^

diff --git a/src/tzdata/zoneinfo/Asia/Saigon b/src/tzdata/zoneinfo/Asia/Saigon
index 86e21b0f524426287fb3b21a82369283c4040c0e..294796a7a33125f7ae35624ac8db6a9bb75819d0 100644
GIT binary patch
delta 63
zcmaFE_=0gl9HZdG_%LHe28QHs3_y@nz`)ADP|(1@$-q!Ifq^%`$2WvQ+rS)%Er8gP
Nfy)NSv(q)_0s!K^4G#bS

delta 44
zcmaFC_=a&p9HZ#O_%K-p28QHs3@i)`Nd*j?3=9Pg47>~sbrTo_eSAY0CZ3Z500sgI
A_y7O^

diff --git a/src/tzdata/zoneinfo/Canada/Pacific b/src/tzdata/zoneinfo/Canada/Pacific
index c998491112ea5e4430b8266498cf7f23e1266bc5..1ab2eaf95ac2132a73277675ff76a85e42d9a34a 100644
GIT binary patch
delta 391
zcmdnQ)yX>{jB^D80|OfnOKgniV5tW(7~FNc1i<v=tqLI8lQ##<_uM=k%=dch2j+Xv
z*}MQG?{h6{0*LmlnYsW(`)%_9^ZjGW!Tf+}dSHH_O(d8fR3-rC2g_K4`5~d7!2FOu
zvh`qrFw-kwfv~4m3JgFHA@@-LOdpj2^CSOV2J@qq`~&l&?`;M1V_F`7`LX+^gZXhO
zhrs;!d6i&(g73Wr3_y_BK6L_!PSQQF07NIJmxK8!y!MO00;%qiV1d-PEnt4Sx;2=e
zel`uv&t#Vc^E20afcaU^{!d_HWMXEST)<K>xq(HCk#+J57CDvw|L0C%5b^O1VF+*m
V;$R>S2jYMb245hX3rLuA0RUW0S@{3}

delta 73
zcmeC=-NZE^jI)t}fq@l>MK;EBuuPuM+Bn&rO-{$hH-sU;1&D)zI2?!rLKwJ!91EbJ
Uj<2zvk)DB$uc4uyp`HO30D%G!!T<mO

diff --git a/src/tzdata/zoneinfo/tzdata.zi b/src/tzdata/zoneinfo/tzdata.zi
index 88f7d34..40a46ea 100644
--- a/src/tzdata/zoneinfo/tzdata.zi
+++ b/src/tzdata/zoneinfo/tzdata.zi
@@ -1,4 +1,4 @@
-# version 2026a
+# version 2026b-dirty
 # redo posix_only
 # This zic input file is in the public domain.
 R d 1916 o - Jun 14 23s 1 S
@@ -2966,7 +2966,9 @@ Z America/Toronto -5:17:32 - LMT 1895
 -5 C E%sT
 Z America/Vancouver -8:12:28 - LMT 1884
 -8 Va P%sT 1987
--8 C P%sT
+-8 C P%sT 2026 Mar 9
+-8 1 PDT 2026 N 1 2
+-7 - MST
 Z America/Whitehorse -9:0:12 - LMT 1900 Au 20
 -9 Y Y%sT 1965
 -9 Yu Y%sT 1966 F 27
diff --git a/src/tzdata/zoneinfo/zone.tab b/src/tzdata/zoneinfo/zone.tab
index 2626b05..2ae8a8c 100644
--- a/src/tzdata/zoneinfo/zone.tab
+++ b/src/tzdata/zoneinfo/zone.tab
@@ -124,12 +124,12 @@ CA	+5017-10750	America/Swift_Current	CST - SK (midwest)
 CA	+5333-11328	America/Edmonton	Mountain - AB, BC(E), NT(E), SK(W)
 CA	+690650-1050310	America/Cambridge_Bay	Mountain - NU (west)
 CA	+682059-1334300	America/Inuvik	Mountain - NT (west)
+CA	+4916-12307	America/Vancouver	MST - BC (most areas)
 CA	+4906-11631	America/Creston	MST - BC (Creston)
 CA	+5546-12014	America/Dawson_Creek	MST - BC (Dawson Cr, Ft St John)
 CA	+5848-12242	America/Fort_Nelson	MST - BC (Ft Nelson)
 CA	+6043-13503	America/Whitehorse	MST - Yukon (east)
 CA	+6404-13925	America/Dawson	MST - Yukon (west)
-CA	+4916-12307	America/Vancouver	Pacific - BC (most areas)
 CC	-1210+09655	Indian/Cocos
 CD	-0418+01518	Africa/Kinshasa	Dem. Rep. of Congo (west)
 CD	-1140+02728	Africa/Lubumbashi	Dem. Rep. of Congo (east)
diff --git a/src/tzdata/zoneinfo/zone1970.tab b/src/tzdata/zoneinfo/zone1970.tab
index cd43e3d..a9b47bc 100644
--- a/src/tzdata/zoneinfo/zone1970.tab
+++ b/src/tzdata/zoneinfo/zone1970.tab
@@ -115,11 +115,11 @@ CA	+5017-10750	America/Swift_Current	CST - SK (midwest)
 CA	+5333-11328	America/Edmonton	Mountain - AB, BC(E), NT(E), SK(W)
 CA	+690650-1050310	America/Cambridge_Bay	Mountain - NU (west)
 CA	+682059-1334300	America/Inuvik	Mountain - NT (west)
+CA	+4916-12307	America/Vancouver	MST - BC (most areas)
 CA	+5546-12014	America/Dawson_Creek	MST - BC (Dawson Cr, Ft St John)
 CA	+5848-12242	America/Fort_Nelson	MST - BC (Ft Nelson)
 CA	+6043-13503	America/Whitehorse	MST - Yukon (east)
 CA	+6404-13925	America/Dawson	MST - Yukon (west)
-CA	+4916-12307	America/Vancouver	Pacific - BC (most areas)
 CH,DE,LI	+4723+00832	Europe/Zurich	Büsingen
 CI,BF,GH,GM,GN,IS,ML,MR,SH,SL,SN,TG	+0519-00402	Africa/Abidjan
 CK	-2114-15946	Pacific/Rarotonga
diff --git a/src/tzdata/zoneinfo/zonenow.tab b/src/tzdata/zoneinfo/zonenow.tab
index aa3a64f..54e4485 100644
--- a/src/tzdata/zoneinfo/zonenow.tab
+++ b/src/tzdata/zoneinfo/zonenow.tab
@@ -58,6 +58,9 @@ XX	-2504-13005	Pacific/Pitcairn	Pitcairn
 # -08/-07 - PST/PDT (North America DST)
 XX	+340308-1181434	America/Los_Angeles	Pacific (PST/PDT) - US & Canada; Mexico near US border
 #
+# -08/-07 - PST/PDT (North America DST) until 2026-11-01 02:00; then MST
+XX	+4916-12307	America/Vancouver	MST - BC (most areas)
+#
 # -07 - MST
 XX	+332654-1120424	America/Phoenix	Mountain Standard (MST) - Arizona; western Mexico; Yukon
 #