chore(deps): update astral-sh/setup-uv action to v8#168
Open
anaconda-renovate[bot] wants to merge 1 commit into
Open
chore(deps): update astral-sh/setup-uv action to v8#168anaconda-renovate[bot] wants to merge 1 commit into
anaconda-renovate[bot] wants to merge 1 commit into
Conversation
anaconda-renovate
Bot
force-pushed
the
renovate/astral-sh-setup-uv-8.x
branch
from
1ecf8e2 to
3e5a622
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
v7.3.1→v8.2.0renovate update details
¹ only available for some managers
Release Notes
astral-sh/setup-uv (astral-sh/setup-uv)
v8.2.0: 🌈 New inputsquietanddownload-from-astral-mirrorCompare Source
Changes
This release brings two new inputs and a few bug fixes.
New inputs
Lets talk about the new inputs first.
quiet
Pretty simple. It turns of all
infologgings. Useful if you use this in a composite action and are not interested in all the details.In the upcoming releases we will add log groups to fully implement support for "less noise"
download-from-astral-mirror
In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting
download-from-astral-mirror: falseallows you to do that.Bugfixes
When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.
We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down.
🐛 Bug fixes
🚀 Enhancements
download-from-astral-mirrorinput @eifinger (#897)🧰 Maintenance
⬆️ Dependency updates
v8.1.0: 🌈 New inputno-projectCompare Source
Changes
This add the a new boolean input
no-project.It only makes sense to use in combination with
activate-environment: trueand will append--no projectto theuv venvcall. This is for example useful if you have a pyproject.toml file with parts unparseable by uv🚀 Enhancements
🧰 Maintenance
📚 Documentation
⬆️ Dependency updates
v8.0.0: 🌈 Immutable releases and secure tagsCompare Source
This is the first immutable release of
setup-uv🥳All future releases are also immutable, if you want to know more about what this means checkout the docs.
This release also has two breaking changes
New format for
manifest-fileThe previously deprecated way of defining a custom version manifest to control which
uvversions are available and where to download them from got removed. The functionality is still there but you have to use the new format.No more major and minor tags
To increase security even more we will stop publishing minor tags. You won't be able to use
@v8or@v8.0any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.🚨 Breaking changes
🧰 Maintenance
v7.6.0: 🌈 Fetch uv from Astral's mirror by defaultCompare Source
Changes
We now default to download uv from
releases.astral.sh.This means by default we don't hit the GitHub API at all and shouldn't see any rate limits and timeouts any more.
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
v7.5.0: 🌈 Useastral-sh/versionsas version providerCompare Source
No more rate-limits
This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.
Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.
The
manifest-fileinput was an earlier attempt to improve this. It allows providing an url to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest.However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.
This release solves the problem by sourcing version data from Astral’s versions repository via the raw content endpoint:
https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson
By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.
The
manifest-fileinput lets you override that source with your own URL, for example to test custom uv builds or alternate download locations.The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:
{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]} {"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}Changes
🚀 Enhancements
📚 Documentation
v7.4.0: 🌈 Add riscv64 architecture support to platform detectionCompare Source
Changes
Thank you @luhenry for adding support for riscv64 arch
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates
Configuration
📅 Schedule: (in timezone UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate.