FoxDen/core

Fork 0

Update https://github.com/astral-sh/setup-uv action to v8 #99

Merged

Doridian merged 2 commits from renovate/https-github.com-astral-sh-setup-uv-8.x into main

2026-06-18 14:54:19 -07:00

MaidFox commented

2026-06-18 14:47:43 -07:00

Member

This PR contains the following updates:

Package	Type	Update	Change
https://github.com/astral-sh/setup-uv	action	major	`v7` → `v8.2.0`

⚠️ Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

astral-sh/setup-uv (https://github.com/astral-sh/setup-uv)

`v8.2.0`: 🌈 New inputs `quiet` and `download-from-astral-mirror`

Compare Source

Changes

This release brings two new inputs and a few bug fixes.

New inputs

Lets talk about the new inputs first.

quiet

Pretty simple. It turns of all info loggings. Useful if you use this in a composite action and are not interested in all the details.
In the upcoming releases we will add log groups to fully implement support for "less noise"

[!NOTE]
Warnings and errors are always logged.

download-from-astral-mirror

In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting download-from-astral-mirror: false allows you to do that.

Bugfixes

When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.

We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down.

🐛 Bug fixes

fix: report unexpected cache save failures @eifinger (#896)
fix: report unexpected setup failures @eifinger (#895)
fix: add timeout to fetch to prevent silent hangs @eifinger-bot (#883)
Limit GitHub tokens to github.com download URLs @zsol (#878)
increase libuv-workaround timeout to 100ms @eifinger (#880)

🚀 Enhancements

Add quiet input to suppress info-level log output @eifinger (#898)
feat: add download-from-astral-mirror input @eifinger (#897)

🧰 Maintenance

docs: update dependabot rollup biome guidance @eifinger (#902)
chore: update known checksums for 0.11.18 @github-actions[bot] (#899)
chore: update known checksums for 0.11.17 @github-actions[bot] (#892)
chore: update known checksums for 0.11.16 @github-actions[bot] (#889)
chore: update known checksums for 0.11.15 @github-actions[bot] (#885)
chore: update known checksums for 0.11.14 @github-actions[bot] (#879)
chore: update known checksums for 0.11.13 @github-actions[bot] (#877)
chore: update known checksums for 0.11.12 @github-actions[bot] (#876)
chore: update known checksums for 0.11.11 @github-actions[bot] (#873)
chore: update known checksums for 0.11.9/0.11.10 @github-actions[bot] (#871)
chore: update known checksums for 0.11.8 @github-actions[bot] (#867)
Bump setup-uv references to v8.1.0 SHA in docs @eifinger (#862)
Add update-docs.yml workflow @eifinger (#861)

⬆️ Dependency updates

chore(deps): roll up dependabot updates @eifinger (#903)
chore(deps): roll up dependabot updates @eifinger (#901)
chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 @dependabot[bot] (#900)
chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 @dependabot[bot] (#842)
chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 @dependabot[bot] (#893)
chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 @dependabot[bot] (#891)
chore(deps): bump release-drafter/release-drafter from 7.2.0 to 7.3.0 @dependabot[bot] (#884)
chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5 @dependabot[bot] (#888)
chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 @dependabot[bot] (#881)
chore(deps): bump github/codeql-action from 4.32.2 to 4.35.3 @dependabot[bot] (#875)
chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 @dependabot[bot] (#866)
chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 @dependabot[bot] (#864)
chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 @dependabot[bot] (#863)

`v8.1.0`: 🌈 New input `no-project`

Compare Source

Changes

This add the a new boolean input no-project.
It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

Add input no-project in combination with activate-environment @eifinger (#856)

🧰 Maintenance

fix: grant contents:write to validate-release job @eifinger (#860)
Add a release-gate step to the release workflow @zanieb (#859)
Draft commitish releases @eifinger (#858)
Add action-types.yml to instructions @eifinger (#857)
chore: update known checksums for 0.11.7 @github-actions[bot] (#853)
Refactor version resolving @eifinger (#852)
chore: update known checksums for 0.11.6 @github-actions[bot] (#850)
chore: update known checksums for 0.11.5 @github-actions[bot] (#845)
chore: update known checksums for 0.11.4 @github-actions[bot] (#843)
Add a release workflow @zanieb (#839)
chore: update known checksums for 0.11.3 @github-actions[bot] (#836)

📚 Documentation

Update ignore-nothing-to-cache documentation @eifinger (#833)
Pin setup-uv docs to v8 @eifinger (#829)

⬆️ Dependency updates

chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @dependabot[bot] (#855)

`v8.0.0`: 🌈 Immutable releases and secure tags

Compare Source

This is the first immutable release of `setup-uv` 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for `manifest-file`

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP]
Use the immutable tag as a version astral-sh/setup-uv@v8.0.0
Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

Remove update-major-minor-tags workflow @eifinger (#826)
Remove deprecrated custom manifest @eifinger (#813)

🧰 Maintenance

Shortcircuit latest version from manifest @eifinger (#828)
Simplify inputs.ts @eifinger (#827)
Bump release-drafter to v7.1.1 @eifinger (#825)
Refactor inputs @eifinger (#823)
Replace inline compile args with tsconfig @eifinger (#824)
chore: update known checksums for 0.11.2 @github-actions[bot] (#821)
chore: update known checksums for 0.11.1 @github-actions[bot] (#817)
chore: update known checksums for 0.11.0 @github-actions[bot] (#815)
Fix latest-version workflow check @eifinger (#812)
chore: update known checksums for 0.10.11/0.10.12 @github-actions[bot] (#811)

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [https://github.com/astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | action | major | `v7` → `v8.2.0` | --- > ⚠️ **Warning** > > Some dependencies could not be looked up. Check the warning logs for more information. --- ### Release Notes <details> <summary>astral-sh/setup-uv (https://github.com/astral-sh/setup-uv)</summary> ### [`v8.2.0`](https://github.com/astral-sh/setup-uv/releases/tag/v8.2.0): 🌈 New inputs `quiet` and `download-from-astral-mirror` [Compare Source](https://github.com/astral-sh/setup-uv/compare/v8.1.0...v8.2.0) #### Changes This release brings two new inputs and a few bug fixes. ##### New inputs Lets talk about the new inputs first. ##### quiet Pretty simple. It turns of all `info` loggings. Useful if you use this in a composite action and are not interested in all the details. In the upcoming releases we will add log groups to fully implement support for "less noise" > \[!NOTE]\ > Warnings and errors are always logged. ##### download-from-astral-mirror In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting `download-from-astral-mirror: false` allows you to do that. ##### Bugfixes When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token. All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults. We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down. #### 🐛 Bug fixes - fix: report unexpected cache save failures [@eifinger](https://github.com/eifinger) ([#896](https://github.com/astral-sh/setup-uv/issues/896)) - fix: report unexpected setup failures [@eifinger](https://github.com/eifinger) ([#895](https://github.com/astral-sh/setup-uv/issues/895)) - fix: add timeout to fetch to prevent silent hangs [@eifinger-bot](https://github.com/eifinger-bot) ([#883](https://github.com/astral-sh/setup-uv/issues/883)) - Limit GitHub tokens to github.com download URLs [@zsol](https://github.com/zsol) ([#878](https://github.com/astral-sh/setup-uv/issues/878)) - increase libuv-workaround timeout to 100ms [@eifinger](https://github.com/eifinger) ([#880](https://github.com/astral-sh/setup-uv/issues/880)) #### 🚀 Enhancements - Add quiet input to suppress info-level log output [@eifinger](https://github.com/eifinger) ([#898](https://github.com/astral-sh/setup-uv/issues/898)) - feat: add `download-from-astral-mirror` input [@eifinger](https://github.com/eifinger) ([#897](https://github.com/astral-sh/setup-uv/issues/897)) #### 🧰 Maintenance - docs: update dependabot rollup biome guidance [@eifinger](https://github.com/eifinger) ([#902](https://github.com/astral-sh/setup-uv/issues/902)) - chore: update known checksums for 0.11.18 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#899](https://github.com/astral-sh/setup-uv/issues/899)) - chore: update known checksums for 0.11.17 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#892](https://github.com/astral-sh/setup-uv/issues/892)) - chore: update known checksums for 0.11.16 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#889](https://github.com/astral-sh/setup-uv/issues/889)) - chore: update known checksums for 0.11.15 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#885](https://github.com/astral-sh/setup-uv/issues/885)) - chore: update known checksums for 0.11.14 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#879](https://github.com/astral-sh/setup-uv/issues/879)) - chore: update known checksums for 0.11.13 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#877](https://github.com/astral-sh/setup-uv/issues/877)) - chore: update known checksums for 0.11.12 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#876](https://github.com/astral-sh/setup-uv/issues/876)) - chore: update known checksums for 0.11.11 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#873](https://github.com/astral-sh/setup-uv/issues/873)) - chore: update known checksums for 0.11.9/0.11.10 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#871](https://github.com/astral-sh/setup-uv/issues/871)) - chore: update known checksums for 0.11.8 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#867](https://github.com/astral-sh/setup-uv/issues/867)) - Bump setup-uv references to v8.1.0 SHA in docs [@eifinger](https://github.com/eifinger) ([#862](https://github.com/astral-sh/setup-uv/issues/862)) - Add update-docs.yml workflow [@eifinger](https://github.com/eifinger) ([#861](https://github.com/astral-sh/setup-uv/issues/861)) #### ⬆️ Dependency updates - chore(deps): roll up dependabot updates [@eifinger](https://github.com/eifinger) ([#903](https://github.com/astral-sh/setup-uv/issues/903)) - chore(deps): roll up dependabot updates [@eifinger](https://github.com/eifinger) ([#901](https://github.com/astral-sh/setup-uv/issues/901)) - chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#900](https://github.com/astral-sh/setup-uv/issues/900)) - chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#842](https://github.com/astral-sh/setup-uv/issues/842)) - chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#893](https://github.com/astral-sh/setup-uv/issues/893)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#891](https://github.com/astral-sh/setup-uv/issues/891)) - chore(deps): bump release-drafter/release-drafter from 7.2.0 to 7.3.0 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#884](https://github.com/astral-sh/setup-uv/issues/884)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#888](https://github.com/astral-sh/setup-uv/issues/888)) - chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#881](https://github.com/astral-sh/setup-uv/issues/881)) - chore(deps): bump github/codeql-action from 4.32.2 to 4.35.3 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#875](https://github.com/astral-sh/setup-uv/issues/875)) - chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#866](https://github.com/astral-sh/setup-uv/issues/866)) - chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#864](https://github.com/astral-sh/setup-uv/issues/864)) - chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#863](https://github.com/astral-sh/setup-uv/issues/863)) ### [`v8.1.0`](https://github.com/astral-sh/setup-uv/releases/tag/v8.1.0): 🌈 New input `no-project` [Compare Source](https://github.com/astral-sh/setup-uv/compare/v8.0.0...v8.1.0) #### Changes This add the a new boolean input `no-project`. It only makes sense to use in combination with `activate-environment: true` and will append `--no project` to the `uv venv` call. This is for example useful [if you have a pyproject.toml file with parts unparseable by uv](https://github.com/astral-sh/setup-uv/issues/854) #### 🚀 Enhancements - Add input no-project in combination with activate-environment [@eifinger](https://github.com/eifinger) ([#856](https://github.com/astral-sh/setup-uv/issues/856)) #### 🧰 Maintenance - fix: grant contents:write to validate-release job [@eifinger](https://github.com/eifinger) ([#860](https://github.com/astral-sh/setup-uv/issues/860)) - Add a release-gate step to the release workflow [@zanieb](https://github.com/zanieb) ([#859](https://github.com/astral-sh/setup-uv/issues/859)) - Draft commitish releases [@eifinger](https://github.com/eifinger) ([#858](https://github.com/astral-sh/setup-uv/issues/858)) - Add action-types.yml to instructions [@eifinger](https://github.com/eifinger) ([#857](https://github.com/astral-sh/setup-uv/issues/857)) - chore: update known checksums for 0.11.7 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#853](https://github.com/astral-sh/setup-uv/issues/853)) - Refactor version resolving [@eifinger](https://github.com/eifinger) ([#852](https://github.com/astral-sh/setup-uv/issues/852)) - chore: update known checksums for 0.11.6 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#850](https://github.com/astral-sh/setup-uv/issues/850)) - chore: update known checksums for 0.11.5 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#845](https://github.com/astral-sh/setup-uv/issues/845)) - chore: update known checksums for 0.11.4 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#843](https://github.com/astral-sh/setup-uv/issues/843)) - Add a release workflow [@zanieb](https://github.com/zanieb) ([#839](https://github.com/astral-sh/setup-uv/issues/839)) - chore: update known checksums for 0.11.3 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#836](https://github.com/astral-sh/setup-uv/issues/836)) #### 📚 Documentation - Update ignore-nothing-to-cache documentation [@eifinger](https://github.com/eifinger) ([#833](https://github.com/astral-sh/setup-uv/issues/833)) - Pin setup-uv docs to v8 [@eifinger](https://github.com/eifinger) ([#829](https://github.com/astral-sh/setup-uv/issues/829)) #### ⬆️ Dependency updates - chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @[dependabot\[bot\]](https://github.com/apps/dependabot) ([#855](https://github.com/astral-sh/setup-uv/issues/855)) ### [`v8.0.0`](https://github.com/astral-sh/setup-uv/releases/tag/v8.0.0): 🌈 Immutable releases and secure tags [Compare Source](https://github.com/astral-sh/setup-uv/compare/v7.6.0...v8.0.0) ### This is the first immutable release of `setup-uv` 🥳 All future releases are also immutable, if you want to know more about what this means checkout [the docs](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases). This release also has two breaking changes #### New format for `manifest-file` The previously deprecated way of defining a custom version manifest to control which `uv` versions are available and where to download them from got removed. The functionality is still there but you have to use the [new format](https://github.com/astral-sh/setup-uv/blob/main/docs/customization.md#format). #### No more major and minor tags To increase **security** even more we will **stop publishing minor tags**. You won't be able to use `@v8` or `@v8.0` any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to [tj-actions](https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/). > \[!TIP] > Use the immutable tag as a version `astral-sh/setup-uv@v8.0.0` > Or even better the githash `astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57` #### 🚨 Breaking changes - Remove update-major-minor-tags workflow [@eifinger](https://github.com/eifinger) ([#826](https://github.com/astral-sh/setup-uv/issues/826)) - Remove deprecrated custom manifest [@eifinger](https://github.com/eifinger) ([#813](https://github.com/astral-sh/setup-uv/issues/813)) #### 🧰 Maintenance - Shortcircuit latest version from manifest [@eifinger](https://github.com/eifinger) ([#828](https://github.com/astral-sh/setup-uv/issues/828)) - Simplify inputs.ts [@eifinger](https://github.com/eifinger) ([#827](https://github.com/astral-sh/setup-uv/issues/827)) - Bump release-drafter to v7.1.1 [@eifinger](https://github.com/eifinger) ([#825](https://github.com/astral-sh/setup-uv/issues/825)) - Refactor inputs [@eifinger](https://github.com/eifinger) ([#823](https://github.com/astral-sh/setup-uv/issues/823)) - Replace inline compile args with tsconfig [@eifinger](https://github.com/eifinger) ([#824](https://github.com/astral-sh/setup-uv/issues/824)) - chore: update known checksums for 0.11.2 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#821](https://github.com/astral-sh/setup-uv/issues/821)) - chore: update known checksums for 0.11.1 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#817](https://github.com/astral-sh/setup-uv/issues/817)) - chore: update known checksums for 0.11.0 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#815](https://github.com/astral-sh/setup-uv/issues/815)) - Fix latest-version workflow check [@eifinger](https://github.com/eifinger) ([#812](https://github.com/astral-sh/setup-uv/issues/812)) - chore: update known checksums for 0.10.11/0.10.12 @[github-actions\[bot\]](https://github.com/apps/github-actions) ([#811](https://github.com/astral-sh/setup-uv/issues/811)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

MaidFox added 1 commit

2026-06-18 14:47:43 -07:00

Update https://github.com/astral-sh/setup-uv action to v8

/ lint (pull_request) Successful in 4m0s

Details

4a497fe56c

Doridian added 1 commit

2026-06-18 14:54:16 -07:00