
Commit e153e3e

build(deps): bump astral-sh/setup-uv from 7.6.0 to 8.0.0 (#218)
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.6.0 to 8.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/astral-sh/setup-uv/releases">astral-sh/setup-uv's releases</a>.</em></p> <blockquote> <h2>v8.0.0 🌈 Immutable releases and secure tags</h2> <h1>This is the first immutable release of <code>setup-uv</code> 🥳</h1> <p>All future releases are also immutable, if you want to know more about what this means checkout <a href="https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases">the docs</a>.</p> <p>This release also has two breaking changes</p> <h2>New format for <code>manifest-file</code></h2> <p>The previously deprecated way of defining a custom version manifest to control which <code>uv</code> versions are available and where to download them from got removed. The functionality is still there but you have to use the <a href="https://github.com/astral-sh/setup-uv/blob/main/docs/customization.md#format">new format</a>.</p> <h2>No more major and minor tags</h2> <p>To increase <strong>security</strong> even more we will <strong>stop publishing minor tags</strong>. You won't be able to use <code>@v8</code> or <code>@v8.0</code> any longer. 
We do this because pinning to major releases opens up users to supply chain attacks like what happened to <a href="https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/">tj-actions</a>.</p> <blockquote> <p>[!TIP] Use the immutable tag as a version <code>astral-sh/setup-uv@v8.0.0</code> Or even better the githash <code>astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57</code></p> </blockquote> <h2>🚨 Breaking changes</h2> <ul> <li>Remove update-major-minor-tags workflow <a href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/826">#826</a>)</li> <li>Remove deprecrated custom manifest <a href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/813">#813</a>)</li> </ul> <h2>🧰 Maintenance</h2> <ul> <li>Shortcircuit latest version from manifest <a href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/828">#828</a>)</li> <li>Simplify inputs.ts <a href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/827">#827</a>)</li> <li>Bump release-drafter to v7.1.1 <a href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/825">#825</a>)</li> <li>Refactor inputs <a href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/823">#823</a>)</li> <li>Replace inline compile args with tsconfig <a href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/824">#824</a>)</li> <li>chore: update known checksums for 0.11.2 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/821">#821</a>)</li> 
<li>chore: update known checksums for 0.11.1 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/817">#817</a>)</li> <li>chore: update known checksums for 0.11.0 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/815">#815</a>)</li> <li>Fix latest-version workflow check <a href="https://github.com/eifinger"><code>@​eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/812">#812</a>)</li> <li>chore: update known checksums for 0.10.11/0.10.12 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/811">#811</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/astral-sh/setup-uv/commit/cec208311dfd045dd5311c1add060b2062131d57"><code>cec2083</code></a> Shortcircuit latest version from manifest (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/828">#828</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/4dd8ab45206a76f8c1dfe399fa88df10a7264f27"><code>4dd8ab4</code></a> Simplify inputs.ts (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/827">#827</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/7fdbe7cf0c8ef50cfd0878eed7b5180abc6b53c7"><code>7fdbe7c</code></a> Remove update-major-minor-tags workflow (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/826">#826</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/485abd05e5c74a247f0a309e333d2433ab9a353a"><code>485abd0</code></a> Bump release-drafter to v7.1.1 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/825">#825</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/f82eb19c06057c455674b2602e0139fd906f1428"><code>f82eb19</code></a> Refactor inputs (<a 
href="https://redirect.github.com/astral-sh/setup-uv/issues/823">#823</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/868d1f74d9d862d7b40219546bfe35299c6dd452"><code>868d1f7</code></a> Replace inline compile args with tsconfig (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/824">#824</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/447e6d02b15d65b3247cce2d6019f11957285d11"><code>447e6d0</code></a> chore: update known checksums for 0.11.2 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/821">#821</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/5c62c5926145985eec91f09e2e0a75f40daed929"><code>5c62c59</code></a> chore: update known checksums for 0.11.1 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/817">#817</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/e1a7373adb857afd2a70b971e8ebdacc64ed27d0"><code>e1a7373</code></a> chore: update known checksums for 0.11.0 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/815">#815</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/89709315bb3bd4bf0f4b1db4b710e99009087ab5"><code>8970931</code></a> Remove deprecrated custom manifest (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/813">#813</a>)</li> <li>Additional commits viewable in <a href="https://github.com/astral-sh/setup-uv/compare/37802adc94f370d6bfd71619e3f0bf239e1f3b78...cec208311dfd045dd5311c1add060b2062131d57">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=astral-sh/setup-uv&package-manager=github_actions&previous-version=7.6.0&new-version=8.0.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. 
You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent 15adb6f commit e153e3e
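
The release notes quoted in the commit message recommend referencing the action by its immutable full tag or, better, by commit hash, and the workflows in this commit use a hash with a version comment. As an added example (not part of this commit or of setup-uv), the following script classifies every `uses:` reference in a workflow and flags SHA pins whose trailing comment is not an exact version; `example-org/example-action` and the sample workflow text are constructed.

```python
import re

# A step's `uses:` line: owner/repo[/path]@ref, optionally followed by "# comment".
# Local (./path) and docker:// references carry no @ref and are skipped.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/[\w./-]+)@([^\s'\"#]+)['\"]?\s*(?:#\s*(.*))?$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")            # full commit hash
FULL_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")    # exact release, e.g. v8.0.0
FLOATING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")  # major or minor tag, e.g. v8, v8.0


def classify_ref(ref):
    """Return how tightly a `uses:` ref is pinned."""
    if SHA_RE.match(ref):
        return "sha"
    if FULL_TAG_RE.match(ref):
        return "full-tag"
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"
    return "branch-or-other"


def audit_workflow(text):
    """List every remote action reference with its pin kind."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group(1), m.group(2), (m.group(3) or "").strip()
        kind = classify_ref(ref)
        # A SHA pin annotated only with "# v7" hides which release the hash maps to.
        vague = kind == "sha" and not FULL_TAG_RE.match(comment)
        findings.append({"line": lineno, "action": action, "kind": kind,
                         "vague_comment": vague})
    return findings


# Constructed sample: the two pins from this commit plus hypothetical looser refs.
SAMPLE = """\
steps:
  - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
  - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
  - uses: astral-sh/setup-uv@v8.0.0
  - uses: example-org/example-action@v3
  - uses: example-org/example-action@main
"""

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE):
        print(finding)
```
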

2 files changed: +2 -2 lines changed


.github/workflows/check.yaml

Lines changed: 1 addition & 1 deletion
@@ -33,7 +33,7 @@ jobs:
3333
fetch-depth: 0
3434
persist-credentials: false
3535
- name: Install the latest version of uv
36-
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
36+
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
3737
with:
3838
enable-cache: false
3939
cache-dependency-glob: "pyproject.toml"
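
Review bot: the `uses:` change on line 36 crosses a major version (the old pin was commented `# v7`, the new one `# v8.0.0`), and the release notes quoted in the commit message list two breaking changes, so the `with:` block should be checked against them before merging. The context lines show only `enable-cache` and `cache-dependency-glob`; if no `manifest-file` input is set further down, the manifest format change does not apply, and the removal of the `@v8` and `@v8.0` tags does not affect a SHA pin. The new SHA is the githash the release notes give for v8.0.0, and the exact-version comment is an improvement over `# v7`; keep that comment style on future bumps.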

.github/workflows/release.yaml

Lines changed: 1 addition & 1 deletion
@@ -15,7 +15,7 @@ jobs:
1515
fetch-depth: 0
1616
persist-credentials: false
1717
- name: Install the latest version of uv
18-
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
18+
uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
1919
with:
2020
enable-cache: false
2121
cache-dependency-glob: "pyproject.toml"
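
Review bot: the step at line 17 is named "Install the latest version of uv" and the visible `with:` block sets no `version` input, so although the action is pinned to a commit on line 18, the uv binary installed in the release workflow may still float. If no `version` is set below this hunk, consider pinning uv there as well through setup-uv's `version` input, so that a release build is reproducible and a new uv release cannot change it without review; renaming the step would then keep it accurate.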
