Compare commits

..

7 Commits

Author SHA1 Message Date
dependabot[bot]
9225f843d7 chore(deps): bump release-drafter/release-drafter from 7.3.1 to 7.4.0 (#924)
Bumps
[release-drafter/release-drafter](https://github.com/release-drafter/release-drafter)
from 7.3.1 to 7.4.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/release-drafter/release-drafter/releases">release-drafter/release-drafter's
releases</a>.</em></p>
<blockquote>
<h2>v7.4.0</h2>
<h1>What's Changed</h1>
<h2>New</h2>
<ul>
<li>feat: unify category config around change classification (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1558">#1558</a>)
<a href="https://github.com/cchanche"><code>@​cchanche</code></a></li>
</ul>
<h2>Maintenance</h2>
<ul>
<li>chore: update generated GraphQL types (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1629">#1629</a>)
@<a
href="https://github.com/apps/github-actions">github-actions[bot]</a></li>
</ul>
<h2>Documentation</h2>
<ul>
<li>docs: document github enterprise server support (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1627">#1627</a>)
<a href="https://github.com/cchanche"><code>@​cchanche</code></a></li>
</ul>
<h2>Dependency Updates</h2>
<ul>
<li>build(deps-dev): bump vite from 8.0.13 to 8.0.16 (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1634">#1634</a>)
@<a href="https://github.com/apps/dependabot">dependabot[bot]</a></li>
<li>build(deps-dev): bump js-yaml from 4.1.1 to 4.2.0 (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1633">#1633</a>)
@<a href="https://github.com/apps/dependabot">dependabot[bot]</a></li>
<li>build(deps-dev): bump shell-quote from 1.8.3 to 1.8.4 (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1632">#1632</a>)
@<a href="https://github.com/apps/dependabot">dependabot[bot]</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/release-drafter/release-drafter/compare/v7.3.1...v7.4.0">https://github.com/release-drafter/release-drafter/compare/v7.3.1...v7.4.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="ed4bc48ec9"><code>ed4bc48</code></a>
chore: release v7.4.0</li>
<li><a
href="0cc23b4878"><code>0cc23b4</code></a>
chore: update generated GraphQL types (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1629">#1629</a>)</li>
<li><a
href="091a8c8308"><code>091a8c8</code></a>
build(deps-dev): bump vite from 8.0.13 to 8.0.16 (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1634">#1634</a>)</li>
<li><a
href="5e296d69e2"><code>5e296d6</code></a>
build(deps-dev): bump js-yaml from 4.1.1 to 4.2.0 (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1633">#1633</a>)</li>
<li><a
href="86a47c9c8e"><code>86a47c9</code></a>
build(deps-dev): bump shell-quote from 1.8.3 to 1.8.4 (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1632">#1632</a>)</li>
<li><a
href="bf75d71215"><code>bf75d71</code></a>
docs: document github enterprise server support (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1627">#1627</a>)</li>
<li><a
href="cff71867e2"><code>cff7186</code></a>
feat: unify category config around change classification (<a
href="https://redirect.github.com/release-drafter/release-drafter/issues/1558">#1558</a>)</li>
<li>See full diff in <a
href="693d20e7c1...ed4bc48ec9">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=release-drafter/release-drafter&package-manager=github_actions&previous-version=7.3.1&new-version=7.4.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-02 17:53:48 +02:00
dependabot[bot]
fc16fa3bbf chore(deps): bump actions/checkout from 6.0.2 to 7.0.0 (#926)
Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.2
to 7.0.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v7.0.0</h2>
<h2>What's Changed</h2>
<ul>
<li>block checking out fork pr for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
<li>getting ready for checkout v7 release by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2464">actions/checkout#2464</a></li>
<li>update error wording by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2467">actions/checkout#2467</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6.0.3...v7.0.0">https://github.com/actions/checkout/compare/v6.0.3...v7.0.0</a></p>
<h2>v6.0.3</h2>
<h2>What's Changed</h2>
<ul>
<li>Update changelog by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2357">actions/checkout#2357</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>Update changelog for v6.0.3 by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2446">actions/checkout#2446</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/yaananth"><code>@​yaananth</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v6...v6.0.3">https://github.com/actions/checkout/compare/v6...v6.0.3</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v7.0.0</h2>
<ul>
<li>Block checking out fork PR for pull_request_target and workflow_run
by <a href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2454">actions/checkout#2454</a></li>
<li>Bump actions/publish-immutable-action from 0.0.3 to 0.0.4 in the
minor-actions-dependencies group across 1 directory by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2458">actions/checkout#2458</a></li>
<li>Bump flatted from 3.3.1 to 3.4.2 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2460">actions/checkout#2460</a></li>
<li>Bump js-yaml from 4.1.0 to 4.2.0 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2461">actions/checkout#2461</a></li>
<li>Bump <code>@​actions/core</code> and
<code>@​actions/tool-cache</code> and Remove uuid by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2459">actions/checkout#2459</a></li>
<li>upgrade module to esm and update dependencies by <a
href="https://github.com/aiqiaoy"><code>@​aiqiaoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2463">actions/checkout#2463</a></li>
<li>Bump the minor-npm-dependencies group across 1 directory with 3
updates by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a>[bot]
in <a
href="https://redirect.github.com/actions/checkout/pull/2462">actions/checkout#2462</a></li>
</ul>
<h2>v6.0.3</h2>
<ul>
<li>Fix checkout init for SHA-256 repositories by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2439">actions/checkout#2439</a></li>
<li>fix: expand merge commit SHA regex and add SHA-256 test cases by <a
href="https://github.com/yaananth"><code>@​yaananth</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2414">actions/checkout#2414</a></li>
</ul>
<h2>v6.0.2</h2>
<ul>
<li>Fix tag handling: preserve annotations and explicit fetch-tags by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2356">actions/checkout#2356</a></li>
</ul>
<h2>v6.0.1</h2>
<ul>
<li>Add worktree support for persist-credentials includeIf by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2327">actions/checkout#2327</a></li>
</ul>
<h2>v6.0.0</h2>
<ul>
<li>Persist creds to a separate file by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2286">actions/checkout#2286</a></li>
<li>Update README to include Node.js 24 support details and requirements
by <a href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2248">actions/checkout#2248</a></li>
</ul>
<h2>v5.0.1</h2>
<ul>
<li>Port v6 cleanup to v5 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2301">actions/checkout#2301</a></li>
</ul>
<h2>v5.0.0</h2>
<ul>
<li>Update actions checkout to use node 24 by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2226">actions/checkout#2226</a></li>
</ul>
<h2>v4.3.1</h2>
<ul>
<li>Port v6 cleanup to v4 by <a
href="https://github.com/ericsciple"><code>@​ericsciple</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2305">actions/checkout#2305</a></li>
</ul>
<h2>v4.3.0</h2>
<ul>
<li>docs: update README.md by <a
href="https://github.com/motss"><code>@​motss</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1971">actions/checkout#1971</a></li>
<li>Add internal repos for checking out multiple repositories by <a
href="https://github.com/mouismail"><code>@​mouismail</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1977">actions/checkout#1977</a></li>
<li>Documentation update - add recommended permissions to Readme by <a
href="https://github.com/benwells"><code>@​benwells</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2043">actions/checkout#2043</a></li>
<li>Adjust positioning of user email note and permissions heading by <a
href="https://github.com/joshmgross"><code>@​joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2044">actions/checkout#2044</a></li>
<li>Update README.md by <a
href="https://github.com/nebuk89"><code>@​nebuk89</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2194">actions/checkout#2194</a></li>
<li>Update CODEOWNERS for actions by <a
href="https://github.com/TingluoHuang"><code>@​TingluoHuang</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/2224">actions/checkout#2224</a></li>
<li>Update package dependencies by <a
href="https://github.com/salmanmkc"><code>@​salmanmkc</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/2236">actions/checkout#2236</a></li>
</ul>
<h2>v4.2.2</h2>
<ul>
<li><code>url-helper.ts</code> now leverages well-known environment
variables by <a href="https://github.com/jww3"><code>@​jww3</code></a>
in <a
href="https://redirect.github.com/actions/checkout/pull/1941">actions/checkout#1941</a></li>
<li>Expand unit test coverage for <code>isGhes</code> by <a
href="https://github.com/jww3"><code>@​jww3</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1946">actions/checkout#1946</a></li>
</ul>
<h2>v4.2.1</h2>
<ul>
<li>Check out other refs/* by commit if provided, fall back to ref by <a
href="https://github.com/orhantoy"><code>@​orhantoy</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1924">actions/checkout#1924</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="9c091bb21b"><code>9c091bb</code></a>
update error wording (<a
href="https://redirect.github.com/actions/checkout/issues/2467">#2467</a>)</li>
<li><a
href="1044a6dea9"><code>1044a6d</code></a>
getting ready for checkout v7 release (<a
href="https://redirect.github.com/actions/checkout/issues/2464">#2464</a>)</li>
<li><a
href="f0282184c7"><code>f028218</code></a>
Bump the minor-npm-dependencies group across 1 directory with 3 updates
(<a
href="https://redirect.github.com/actions/checkout/issues/2462">#2462</a>)</li>
<li><a
href="d914b262ff"><code>d914b26</code></a>
upgrade module to esm and update dependencies (<a
href="https://redirect.github.com/actions/checkout/issues/2463">#2463</a>)</li>
<li><a
href="537c7ef99c"><code>537c7ef</code></a>
Bump <code>@​actions/core</code> and <code>@​actions/tool-cache</code>
and Remove uuid (<a
href="https://redirect.github.com/actions/checkout/issues/2459">#2459</a>)</li>
<li><a
href="130a169078"><code>130a169</code></a>
Bump js-yaml from 4.1.0 to 4.2.0 (<a
href="https://redirect.github.com/actions/checkout/issues/2461">#2461</a>)</li>
<li><a
href="7d09575332"><code>7d09575</code></a>
Bump flatted from 3.3.1 to 3.4.2 (<a
href="https://redirect.github.com/actions/checkout/issues/2460">#2460</a>)</li>
<li><a
href="0f9f3aa320"><code>0f9f3aa</code></a>
Bump actions/publish-immutable-action (<a
href="https://redirect.github.com/actions/checkout/issues/2458">#2458</a>)</li>
<li><a
href="f9e715a95f"><code>f9e715a</code></a>
block checking out fork pr for pull_request_target and workflow_run (<a
href="https://redirect.github.com/actions/checkout/issues/2454">#2454</a>)</li>
<li><a
href="df4cb1c069"><code>df4cb1c</code></a>
Update changelog for v6.0.3 (<a
href="https://redirect.github.com/actions/checkout/issues/2446">#2446</a>)</li>
<li>Additional commits viewable in <a
href="de0fac2e45...9c091bb21b">compare
view</a></li>
</ul>
</details>
<br />

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-07-02 17:53:07 +02:00
Kevin Stillhammer
a1a7345c8e ci: call docs update workflow from release (#933)
- replace the docs update tag-push trigger with manual and reusable
workflow entrypoints
- call the docs update reusable workflow after publishing a release
- keep manual docs updates available by selecting the latest semver tag

Refs: pi-session 019f2352-565c-7f60-b96b-f2546fb1690f
2026-07-02 17:48:02 +02:00
Kevin Turcios
a5e9cbfd5f docs: update version references to v8.2.0 (#932)
## Summary
- update README and docs `uses: astral-sh/setup-uv@...` examples to the
v8.2.0 commit SHA
- replace stale `v8.1.0` comments with `v8.2.0`

Fixes #931

## Validation
- npm ci --ignore-scripts
- npm run all
2026-07-02 16:55:59 +02:00
github-actions[bot]
c5680ec91f chore: update known checksums for 0.11.26 (#930)
chore: update known checksums for 0.11.26

Co-authored-by: eifinger <eifinger@users.noreply.github.com>
2026-07-01 07:53:57 +02:00
Zsolt Dollenstein
c86fe4ef1f Add a threat model for setup-uv (#923)
This adds a threat model for `setup-uv` so security scanners can use it
as a baseline in terms of what's in-, and out of scope.

The TM covers credential recipients, executable and cache boundaries,
and release authority. It treats checkout-selected interpreters, paths,
virtual environments, symlinks, and helpers as delegated project
authority unless they override an explicit workflow choice or cross an
independent cache, runner, remote, or publication boundary.
2026-06-27 21:01:45 +02:00
github-actions[bot]
224c887d48 chore: update known checksums for 0.11.25 (#929)
chore: update known checksums for 0.11.25

Co-authored-by: eifinger <eifinger@users.noreply.github.com>
2026-06-27 09:33:56 +02:00
16 changed files with 352 additions and 93 deletions

View File

@@ -41,13 +41,13 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
with:
languages: ${{ matrix.language }}
source-root: src

View File

@@ -19,7 +19,7 @@ jobs:
pull-requests: read
steps:
- name: 🚀 Run Release Drafter
uses: release-drafter/release-drafter@693d20e7c1ce1a81d3a41962f85914253b518449 # v7.3.1
uses: release-drafter/release-drafter@ed4bc48ec97379be2258e7b7ac2624a3e26ab809 # v7.4.0
with:
commitish: ${{ github.sha }}
env:

View File

@@ -111,3 +111,14 @@ jobs:
echo "Publishing draft release $TAG"
gh release edit "$TAG" --draft=false
update-docs:
name: Update docs
needs:
- release
uses: ./.github/workflows/update-docs.yml
permissions:
contents: write
pull-requests: write
with:
tag: v${{ inputs.version }}

View File

@@ -21,7 +21,7 @@ jobs:
permissions:
security-events: write # for zizmor
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Actionlint
@@ -51,7 +51,7 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest, macos-14, windows-latest]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install latest version
@@ -76,7 +76,7 @@ jobs:
test-uv-no-modify-path:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install with UV_NO_MODIFY_PATH set
@@ -125,7 +125,7 @@ jobs:
expected-version: "0.1.0"
resolution-strategy: "lowest"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install version ${{ matrix.input.version-input }} with strategy ${{ matrix.input.resolution-strategy || 'highest' }}
@@ -154,7 +154,7 @@ jobs:
matrix:
version-input: ["latest", ">=0.8"]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install version ${{ matrix.version-input }}
@@ -194,7 +194,7 @@ jobs:
- working-directory: "__tests__/fixtures/uv-toml-project"
expected-version: "0.5.15"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install version from ${{ matrix.input.working-directory }}
@@ -220,7 +220,7 @@ jobs:
- version-file: "__tests__/fixtures/.tool-versions"
expected-version: "0.5.15"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install version from ${{ matrix.input.version-file }}
@@ -237,7 +237,7 @@ jobs:
test-malformed-pyproject-file-fallback:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install using malformed pyproject.toml
@@ -257,7 +257,7 @@ jobs:
- os: macos-latest
checksum: "a70cbfbf3bb5c08b2f84963b4f12c94e08fbb2468ba418a3bfe1066fbe9e7218"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Checksum matches expected
@@ -271,7 +271,7 @@ jobs:
test-with-explicit-token:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install default version
@@ -284,7 +284,7 @@ jobs:
test-uvx:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install default version
@@ -297,7 +297,7 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest, macos-14, windows-latest]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install default version
@@ -311,7 +311,7 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install latest version
@@ -343,7 +343,7 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install latest version
@@ -382,7 +382,7 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install latest version
@@ -433,7 +433,7 @@ jobs:
test-activate-environment-no-project:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Create incompatible pyproject.toml
@@ -477,7 +477,7 @@ jobs:
runs-on: ubuntu-latest
container: debian:unstable
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install latest version
@@ -491,7 +491,7 @@ jobs:
runs-on: ubuntu-latest
container: alpine
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install latest version
@@ -530,7 +530,7 @@ jobs:
- os: windows-2025
expected-os: "windows-2025"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup uv
@@ -556,7 +556,7 @@ jobs:
enable-cache: ["true", "false", "auto"]
os: ["ubuntu-latest", "windows-latest"]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup with cache
@@ -575,7 +575,7 @@ jobs:
os: ["ubuntu-latest", "windows-latest"]
needs: test-setup-cache
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Restore with cache
@@ -609,7 +609,7 @@ jobs:
test-setup-cache-requirements-txt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup with cache
@@ -625,7 +625,7 @@ jobs:
runs-on: ubuntu-latest
needs: test-setup-cache-requirements-txt
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Restore with cache
@@ -649,7 +649,7 @@ jobs:
test-setup-cache-dependency-glob:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup with cache
@@ -666,7 +666,7 @@ jobs:
runs-on: ubuntu-latest
needs: test-setup-cache-dependency-glob
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Change pyproject.toml
@@ -694,7 +694,7 @@ jobs:
test-setup-cache-save-cache-false:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup with cache
@@ -710,7 +710,7 @@ jobs:
runs-on: ubuntu-latest
needs: test-setup-cache-save-cache-false
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Restore with cache
@@ -730,7 +730,7 @@ jobs:
test-setup-cache-restore-cache-false:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup with cache
@@ -745,7 +745,7 @@ jobs:
runs-on: ubuntu-latest
needs: test-setup-cache-restore-cache-false
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Restore with cache
@@ -773,7 +773,7 @@ jobs:
expected-cache-dir: "D:\\a\\_temp\\setup-uv-cache"
runs-on: ${{ matrix.inputs.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup with cache
@@ -791,7 +791,7 @@ jobs:
test-cache-local-cache-disabled:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup without cache
@@ -810,7 +810,7 @@ jobs:
test-cache-local-cache-disabled-but-explicit-path:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup without cache
@@ -830,7 +830,7 @@ jobs:
test-no-python-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Fake pyproject.toml at root
@@ -845,7 +845,7 @@ jobs:
test-custom-manifest-file:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install from custom manifest file
@@ -864,7 +864,7 @@ jobs:
test-download-from-astral-mirror-false:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install with download-from-astral-mirror disabled
@@ -878,7 +878,7 @@ jobs:
test-absolute-path:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Create requirements.txt
@@ -898,7 +898,7 @@ jobs:
test-relative-path:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: mkdir
@@ -922,7 +922,7 @@ jobs:
test-cache-prune-force:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup uv
@@ -939,7 +939,7 @@ jobs:
test-cache-dir-from-file:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Verify uv cache dir is not populated
@@ -966,7 +966,7 @@ jobs:
env:
UV_PYTHON_INSTALL_DIR: /tmp/missing-uv-python
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Setup uv with cache and python cache enabled
@@ -987,7 +987,7 @@ jobs:
test-cache-python-installs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Verify Python install dir is not populated
@@ -1014,7 +1014,7 @@ jobs:
runs-on: ubuntu-latest
needs: test-cache-python-installs
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Verify Python install dir does not exist
@@ -1056,7 +1056,7 @@ jobs:
expected-python-dir: "D:\\a\\_temp\\uv-python-dir"
runs-on: ${{ matrix.inputs.os }}
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install latest version
@@ -1075,7 +1075,7 @@ jobs:
test-act:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Install act
@@ -1090,7 +1090,7 @@ jobs:
validate-typings:
runs-on: "ubuntu-latest"
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Validate typings

View File

@@ -1,28 +1,46 @@
name: "Update docs"
on:
push:
tags:
- "v*.*.*"
workflow_call:
inputs:
tag:
description: "Release tag to update docs for (e.g., v8.2.0)"
required: true
type: string
workflow_dispatch:
permissions: {}
jobs:
update-docs:
continue-on-error: ${{ github.event_name == 'workflow_call' }}
runs-on: ubuntu-24.04-arm
permissions:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
fetch-depth: 0
persist-credentials: true
- name: Get tag info
id: tag-info
run: |
TAG_NAME="${GITHUB_REF#refs/tags/}"
if [ -n "$INPUT_TAG" ]; then
TAG_NAME="$INPUT_TAG"
else
TAG_NAME=$(git tag --list 'v[0-9]*.[0-9]*.[0-9]*' --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1)
fi
if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error::Tag must match vMAJOR.MINOR.PATCH (e.g., v8.2.0)"
exit 1
fi
COMMIT_SHA=$(git rev-list -n 1 "$TAG_NAME")
echo "tag=$TAG_NAME" >> "$GITHUB_OUTPUT"
echo "sha=$COMMIT_SHA" >> "$GITHUB_OUTPUT"
env:
INPUT_TAG: ${{ inputs.tag }}
- name: Update references in docs
run: |
OLD_REF=$(grep -oh 'astral-sh/setup-uv@[a-f0-9]\{40\} # v[0-9][^ ]*' README.md docs/*.md | head -1)

View File

@@ -15,7 +15,7 @@ jobs:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: true
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0

View File

@@ -26,7 +26,7 @@ Set up your GitHub Actions workflow with a specific version of [uv](https://docs
```yaml
- name: Install the latest version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
```
If you do not specify a version, this action will look for a [required-version](https://docs.astral.sh/uv/reference/settings/#required-version)
@@ -42,7 +42,7 @@ Have a look under [Advanced Configuration](#advanced-configuration) for detailed
```yaml
- name: Install uv with all available options
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
# The version of uv to install (default: searches for version in config files, then latest)
version: ""
@@ -148,7 +148,7 @@ This will override any python version specifications in `pyproject.toml` and `.p
```yaml
- name: Install the latest version of uv and set the python version to 3.13t
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: 3.13t
- run: uv pip install --python=3.13t pip
@@ -166,7 +166,7 @@ jobs:
steps:
- uses: actions/checkout@v5
- name: Install the latest version of uv and set the python version
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: ${{ matrix.python-version }}
- name: Test with python ${{ matrix.python-version }}
@@ -183,7 +183,7 @@ It also controls where [the venv gets created](#activate-environment), unless `v
```yaml
- name: Install uv based on the config files in the working-directory
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
working-directory: my/subproject/dir
```
@@ -225,7 +225,7 @@ For example:
- name: Checkout the repository
uses: actions/checkout@main
- name: Install the latest version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
- name: Test
@@ -237,7 +237,7 @@ To install a specific version of Python, use
```yaml
- name: Install the latest version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
- name: Install Python 3.12
@@ -256,7 +256,7 @@ output:
uses: actions/checkout@main
- name: Install the default version of uv
id: setup-uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- name: Print the installed version
run: echo "Installed uv version is ${{ steps.setup-uv.outputs.uv-version }}"
```

5
SECURITY.md Normal file
View File

@@ -0,0 +1,5 @@
# Security policy
Report suspected vulnerabilities according to [Astral's security policy](https://github.com/astral-sh/.github/blob/main/SECURITY.md).
For this repository's security boundaries and reporting criteria, see the [setup-uv threat model](docs/threat-model.md).

36
dist/setup/index.cjs generated vendored
View File

@@ -91741,6 +91741,42 @@ var fs10 = __toESM(require("node:fs"), 1);
// src/download/checksum/known-checksums.ts
var KNOWN_CHECKSUMS = {
"aarch64-apple-darwin-0.11.26": "8f7fbf1708399b921857bce71e1d60f0d3ccf52a30caebc1c1a2f175dce13ab6",
"aarch64-pc-windows-msvc-0.11.26": "98246149741f558e25e45ecf2b0b20f34de0634269f2bf0dcb4012d4b6ba289a",
"aarch64-unknown-linux-gnu-0.11.26": "befa1a59c91e96eb601b0fd9a97c03dd666f17baba644b2b4db9c59a767e387e",
"aarch64-unknown-linux-musl-0.11.26": "47418cfdb34b1ca42e503da72631ac8c475602e2411ac6c39aa84c2373fe6324",
"arm-unknown-linux-musleabihf-0.11.26": "400ebbca4062f7960cbdb2359cd28741dc9a1fab2656abb9ee05fb525e3f1e12",
"armv7-unknown-linux-gnueabihf-0.11.26": "e1a6e135f68c237f969f2acb5277ef2691dec582e99d9f6c237c21583bd26f7b",
"armv7-unknown-linux-musleabihf-0.11.26": "3b4453d821588f7fafe622a099db4b7f55a668bec79db73411414ffc24b8c45d",
"i686-pc-windows-msvc-0.11.26": "6e19e7ef0ccacfeea7edeb0a7be951d31148b49f5170c1770c58db312fe443f8",
"i686-unknown-linux-gnu-0.11.26": "65cc2d8719febecd1bc2fd3ea437c72317ac54de96e54de0a73344e150982478",
"i686-unknown-linux-musl-0.11.26": "ef5d5c982dfd4d6b5aa107c33b882b978ccccf1487500ae2adbc1d3665ea7e04",
"powerpc64le-unknown-linux-gnu-0.11.26": "095f7cfd814495719244897f96f1c35f10369bcd9237276c63cfed824353f505",
"riscv64gc-unknown-linux-gnu-0.11.26": "253d728a2660006e4aadee627f5d9f3ca2a874559b5fc716a5023965e58092bf",
"riscv64gc-unknown-linux-musl-0.11.26": "4ef67e6bb961583eb4ee7ce61b3c98bcede9e51b771b4b4967719d0fb6aa3cbd",
"s390x-unknown-linux-gnu-0.11.26": "34f514ed6ecbf33a3d90346c8bf3074954dd0c76340f5765b88577daa05d307b",
"x86_64-apple-darwin-0.11.26": "922b460202707dd5f4ccacbadbe7f6a546cc46e82a99bf50ca99a7977a78eddd",
"x86_64-pc-windows-msvc-0.11.26": "4e1278ede866be6c0bf32d2f466cc6de7a9fb399ecf20c9ce2d186e52424be47",
"x86_64-unknown-linux-gnu-0.11.26": "6426a73c3837e6e2483ee344cbc00f36394d179afcba6183cb77437e67db4af0",
"x86_64-unknown-linux-musl-0.11.26": "62bf1a53501adf4083224b69b33737450ac516935f5a5e483e9dfaf2665084de",
"aarch64-apple-darwin-0.11.25": "5fc334bb25d19806262efd1f6e7d380155c7e817d89bf426df4ba7ae873c9471",
"aarch64-pc-windows-msvc-0.11.25": "40d65c29c4d97db6a0993df665d3727700bb799b3618992ce9a4dc533c6d1a31",
"aarch64-unknown-linux-gnu-0.11.25": "e0e9d73f74e06a7dcd53910d5962146ab48f0af9c92cc8df33a37baa0121014d",
"aarch64-unknown-linux-musl-0.11.25": "3d9c9a95f1868ff20ac880712f3a337d710ea4b65f135184b7a35635d1acbf84",
"arm-unknown-linux-musleabihf-0.11.25": "50ef6368eebaa9f31d8e8685a91689666c7bae86a1bd9a72b7a505f752084ef9",
"armv7-unknown-linux-gnueabihf-0.11.25": "eb60b2931d2461022e1675a7f6c08078b1e47150edb2f7728fe117563a5ebc99",
"armv7-unknown-linux-musleabihf-0.11.25": "50f6f10ca38e4628998c17de24c2780f429d9b354db98b1832c130b7394e8ec4",
"i686-pc-windows-msvc-0.11.25": "91a87e8a7ea2d5e9451b9bd8b1e9fa490542311ac43e80a9115abbd231c417fb",
"i686-unknown-linux-gnu-0.11.25": "1b0f2ceee8dbe718eb1e14d7eccf67534d2f72698f4f85e70cf8a5055412b5d3",
"i686-unknown-linux-musl-0.11.25": "e650be31af3fd31f5e2236a47daab0899070a66a732026d140461f1614fbe786",
"powerpc64le-unknown-linux-gnu-0.11.25": "fbf67c8beccc718b9de478d7e74d605fe9c2e259c4398f95c9df7680da710af1",
"riscv64gc-unknown-linux-gnu-0.11.25": "29e74713e89242c6bf0971b28e904836298a04fb7e0d83262c7bd5aff695ae33",
"riscv64gc-unknown-linux-musl-0.11.25": "90c5a720dd9ddf32de8511c79fc83bc69e38795a94b5b49fcb2d010f96b1374d",
"s390x-unknown-linux-gnu-0.11.25": "3d508ed6e66898ce80aa668cb7d6ec4ddb4d30440fcfbd409365d3d0e4afa75c",
"x86_64-apple-darwin-0.11.25": "65ff85b33212f75d34d7c0f0724aba9a742c74f62559f67dc0d6c543dc2fc52f",
"x86_64-pc-windows-msvc-0.11.25": "15bfd1423b7eaa7aae949922d4712ebaac2bb44a81af64ab59bbe007090cb0d0",
"x86_64-unknown-linux-gnu-0.11.25": "1db18b5e76fa645a7f3865773139bdec8e2d46adbdbb35e7410b34fa8015ccd2",
"x86_64-unknown-linux-musl-0.11.25": "7195cfcc1785d0c559d4682ad9109f26664b8db4d828d42d66078ef454061891",
"aarch64-apple-darwin-0.11.24": "7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf",
"aarch64-pc-windows-msvc-0.11.24": "51bcf8051dcc2075fba9136ece0f229205a6ef813e68e5709c6eeb18802afed5",
"aarch64-unknown-linux-gnu-0.11.24": "e22c66d36a0098b17cff80a8647e0b8c58202af899d4e9eb820fc7ad126435a1",

View File

@@ -45701,6 +45701,42 @@ var semver = __toESM(require_semver(), 1);
// src/download/checksum/known-checksums.ts
var KNOWN_CHECKSUMS = {
"aarch64-apple-darwin-0.11.26": "8f7fbf1708399b921857bce71e1d60f0d3ccf52a30caebc1c1a2f175dce13ab6",
"aarch64-pc-windows-msvc-0.11.26": "98246149741f558e25e45ecf2b0b20f34de0634269f2bf0dcb4012d4b6ba289a",
"aarch64-unknown-linux-gnu-0.11.26": "befa1a59c91e96eb601b0fd9a97c03dd666f17baba644b2b4db9c59a767e387e",
"aarch64-unknown-linux-musl-0.11.26": "47418cfdb34b1ca42e503da72631ac8c475602e2411ac6c39aa84c2373fe6324",
"arm-unknown-linux-musleabihf-0.11.26": "400ebbca4062f7960cbdb2359cd28741dc9a1fab2656abb9ee05fb525e3f1e12",
"armv7-unknown-linux-gnueabihf-0.11.26": "e1a6e135f68c237f969f2acb5277ef2691dec582e99d9f6c237c21583bd26f7b",
"armv7-unknown-linux-musleabihf-0.11.26": "3b4453d821588f7fafe622a099db4b7f55a668bec79db73411414ffc24b8c45d",
"i686-pc-windows-msvc-0.11.26": "6e19e7ef0ccacfeea7edeb0a7be951d31148b49f5170c1770c58db312fe443f8",
"i686-unknown-linux-gnu-0.11.26": "65cc2d8719febecd1bc2fd3ea437c72317ac54de96e54de0a73344e150982478",
"i686-unknown-linux-musl-0.11.26": "ef5d5c982dfd4d6b5aa107c33b882b978ccccf1487500ae2adbc1d3665ea7e04",
"powerpc64le-unknown-linux-gnu-0.11.26": "095f7cfd814495719244897f96f1c35f10369bcd9237276c63cfed824353f505",
"riscv64gc-unknown-linux-gnu-0.11.26": "253d728a2660006e4aadee627f5d9f3ca2a874559b5fc716a5023965e58092bf",
"riscv64gc-unknown-linux-musl-0.11.26": "4ef67e6bb961583eb4ee7ce61b3c98bcede9e51b771b4b4967719d0fb6aa3cbd",
"s390x-unknown-linux-gnu-0.11.26": "34f514ed6ecbf33a3d90346c8bf3074954dd0c76340f5765b88577daa05d307b",
"x86_64-apple-darwin-0.11.26": "922b460202707dd5f4ccacbadbe7f6a546cc46e82a99bf50ca99a7977a78eddd",
"x86_64-pc-windows-msvc-0.11.26": "4e1278ede866be6c0bf32d2f466cc6de7a9fb399ecf20c9ce2d186e52424be47",
"x86_64-unknown-linux-gnu-0.11.26": "6426a73c3837e6e2483ee344cbc00f36394d179afcba6183cb77437e67db4af0",
"x86_64-unknown-linux-musl-0.11.26": "62bf1a53501adf4083224b69b33737450ac516935f5a5e483e9dfaf2665084de",
"aarch64-apple-darwin-0.11.25": "5fc334bb25d19806262efd1f6e7d380155c7e817d89bf426df4ba7ae873c9471",
"aarch64-pc-windows-msvc-0.11.25": "40d65c29c4d97db6a0993df665d3727700bb799b3618992ce9a4dc533c6d1a31",
"aarch64-unknown-linux-gnu-0.11.25": "e0e9d73f74e06a7dcd53910d5962146ab48f0af9c92cc8df33a37baa0121014d",
"aarch64-unknown-linux-musl-0.11.25": "3d9c9a95f1868ff20ac880712f3a337d710ea4b65f135184b7a35635d1acbf84",
"arm-unknown-linux-musleabihf-0.11.25": "50ef6368eebaa9f31d8e8685a91689666c7bae86a1bd9a72b7a505f752084ef9",
"armv7-unknown-linux-gnueabihf-0.11.25": "eb60b2931d2461022e1675a7f6c08078b1e47150edb2f7728fe117563a5ebc99",
"armv7-unknown-linux-musleabihf-0.11.25": "50f6f10ca38e4628998c17de24c2780f429d9b354db98b1832c130b7394e8ec4",
"i686-pc-windows-msvc-0.11.25": "91a87e8a7ea2d5e9451b9bd8b1e9fa490542311ac43e80a9115abbd231c417fb",
"i686-unknown-linux-gnu-0.11.25": "1b0f2ceee8dbe718eb1e14d7eccf67534d2f72698f4f85e70cf8a5055412b5d3",
"i686-unknown-linux-musl-0.11.25": "e650be31af3fd31f5e2236a47daab0899070a66a732026d140461f1614fbe786",
"powerpc64le-unknown-linux-gnu-0.11.25": "fbf67c8beccc718b9de478d7e74d605fe9c2e259c4398f95c9df7680da710af1",
"riscv64gc-unknown-linux-gnu-0.11.25": "29e74713e89242c6bf0971b28e904836298a04fb7e0d83262c7bd5aff695ae33",
"riscv64gc-unknown-linux-musl-0.11.25": "90c5a720dd9ddf32de8511c79fc83bc69e38795a94b5b49fcb2d010f96b1374d",
"s390x-unknown-linux-gnu-0.11.25": "3d508ed6e66898ce80aa668cb7d6ec4ddb4d30440fcfbd409365d3d0e4afa75c",
"x86_64-apple-darwin-0.11.25": "65ff85b33212f75d34d7c0f0724aba9a742c74f62559f67dc0d6c543dc2fc52f",
"x86_64-pc-windows-msvc-0.11.25": "15bfd1423b7eaa7aae949922d4712ebaac2bb44a81af64ab59bbe007090cb0d0",
"x86_64-unknown-linux-gnu-0.11.25": "1db18b5e76fa645a7f3865773139bdec8e2d46adbdbb35e7410b34fa8015ccd2",
"x86_64-unknown-linux-musl-0.11.25": "7195cfcc1785d0c559d4682ad9109f26664b8db4d828d42d66078ef454061891",
"aarch64-apple-darwin-0.11.24": "7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf",
"aarch64-pc-windows-msvc-0.11.24": "51bcf8051dcc2075fba9136ece0f229205a6ef813e68e5709c6eeb18802afed5",
"aarch64-unknown-linux-gnu-0.11.24": "e22c66d36a0098b17cff80a8647e0b8c58202af899d4e9eb820fc7ad126435a1",

View File

@@ -6,7 +6,7 @@ This document covers advanced options for configuring which version of uv to ins
```yaml
- name: Install the latest version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version: "latest"
```
@@ -15,7 +15,7 @@ This document covers advanced options for configuring which version of uv to ins
```yaml
- name: Install a specific version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version: "0.4.4"
```
@@ -28,21 +28,21 @@ to install the latest version that satisfies the range.
```yaml
- name: Install a semver range of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version: ">=0.4.0"
```
```yaml
- name: Pinning a minor version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version: "0.4.x"
```
```yaml
- name: Install a pep440-specifier-satisfying version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version: ">=0.4.25,<0.5"
```
@@ -54,7 +54,7 @@ You can change this behavior using the `resolution-strategy` input:
```yaml
- name: Install the lowest compatible version of uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version: ">=0.4.0"
resolution-strategy: "lowest"
@@ -76,7 +76,7 @@ uv defined as a dependency in `pyproject.toml` or `requirements.txt`.
```yaml
- name: Install uv based on the version defined in pyproject.toml
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version-file: "pyproject.toml"
```
@@ -87,7 +87,7 @@ silently picking up a newer uv until the lockfile is updated.
```yaml
- name: Install uv based on the version locked in uv.lock
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version-file: "uv.lock"
```

View File

@@ -23,7 +23,7 @@ The computed cache key is available as the `cache-key` output:
```yaml
- name: Setup uv
id: setup-uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
- name: Print cache key
@@ -50,7 +50,7 @@ You can optionally define a custom cache key suffix.
```yaml
- name: Enable caching and define a custom cache key suffix
id: setup-uv
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
cache-suffix: "optional-suffix"
@@ -89,7 +89,7 @@ changes. If you use relative paths, they are relative to the working directory.
```yaml
- name: Define a cache dependency glob
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
cache-dependency-glob: "**/pyproject.toml"
@@ -97,7 +97,7 @@ changes. If you use relative paths, they are relative to the working directory.
```yaml
- name: Define a list of cache dependency globs
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
cache-dependency-glob: |
@@ -107,7 +107,7 @@ changes. If you use relative paths, they are relative to the working directory.
```yaml
- name: Define an absolute cache dependency glob
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
cache-dependency-glob: "/tmp/my-folder/requirements*.txt"
@@ -115,7 +115,7 @@ changes. If you use relative paths, they are relative to the working directory.
```yaml
- name: Never invalidate the cache
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
cache-dependency-glob: ""
@@ -128,7 +128,7 @@ By default, the cache will be restored.
```yaml
- name: Don't restore an existing cache
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
restore-cache: false
@@ -142,7 +142,7 @@ By default, the cache will be saved.
```yaml
- name: Don't save the cache after the run
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
save-cache: false
@@ -168,7 +168,7 @@ It defaults to `setup-uv-cache` in the `TMP` dir, `D:\a\_temp\setup-uv-cache` on
```yaml
- name: Define a custom uv cache path
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
cache-local-path: "/path/to/cache"
```
@@ -187,7 +187,7 @@ input.
```yaml
- name: Don't prune the cache before saving it
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
prune-cache: false
@@ -205,7 +205,7 @@ To force managed Python installs, set `UV_PYTHON_PREFERENCE=only-managed`.
```yaml
- name: Cache Python installs
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
cache-python: true
@@ -223,7 +223,7 @@ If you want to ignore this, set the `ignore-nothing-to-cache` input to `true`.
```yaml
- name: Ignore nothing to cache
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
enable-cache: true
ignore-nothing-to-cache: true

View File

@@ -10,7 +10,7 @@ are automatically verified by this action. The sha256 hashes can be found on the
```yaml
- name: Install a specific version and validate the checksum
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
version: "0.3.1"
checksum: "e11b01402ab645392c7ad6044db63d37e4fd1e745e015306993b07695ea5f9f8"
@@ -39,7 +39,7 @@ The `archive_format` field is currently ignored.
```yaml
- name: Use a custom manifest file
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
manifest-file: "https://example.com/my-custom-manifest.ndjson"
```
@@ -58,7 +58,7 @@ You can disable this by setting the `add-problem-matchers` input to `false`.
```yaml
- name: Install the latest version of uv without problem matchers
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
add-problem-matchers: false
```

View File

@@ -9,7 +9,7 @@ This allows directly using it in later steps:
```yaml
- name: Install the latest version of uv and activate the environment
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
activate-environment: true
- run: uv pip install pip
@@ -20,7 +20,7 @@ By default, the venv is created at `.venv` inside the `working-directory`.
You can customize the venv location with `venv-path`, for example to place it in the runner temp directory:
```yaml
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
activate-environment: true
venv-path: ${{ runner.temp }}/custom-venv
@@ -51,7 +51,7 @@ are not sufficient, you can provide a custom GitHub token with the necessary per
```yaml
- name: Install the latest version of uv with a custom GitHub token
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
github-token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
```
@@ -69,7 +69,7 @@ input:
```yaml
- name: Install the latest version of uv with a custom tool dir
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
tool-dir: "/path/to/tool/dir"
```
@@ -88,7 +88,7 @@ If you want to change this behaviour (especially on self-hosted runners) you can
```yaml
- name: Install the latest version of uv with a custom tool bin dir
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
tool-bin-dir: "/path/to/tool-bin/dir"
```
@@ -105,7 +105,7 @@ This action supports expanding the `~` character to the user's home directory fo
```yaml
- name: Expand the tilde character
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
cache-local-path: "~/path/to/cache"
tool-dir: "~/path/to/tool/dir"
@@ -122,7 +122,7 @@ If you want to ignore this, set the `ignore-empty-workdir` input to `true`.
```yaml
- name: Ignore empty workdir
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
ignore-empty-workdir: true
```
@@ -145,7 +145,7 @@ This action sets several environment variables that influence uv's behavior and
```yaml
- name: Example using environment variables
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
with:
python-version: "3.12"
tool-dir: "/custom/tool/dir"

81
docs/threat-model.md Normal file
View File

@@ -0,0 +1,81 @@
# setup-uv Repository Threat Model
## Overview
`setup-uv` is a GitHub Action that installs or reuses `uv`, modifies `PATH` and the environment for later steps, may execute a discovered Python interpreter, may create or clear a virtual environment, and may restore or save caches. It may use `github-token` to authenticate GitHub downloads; it requires no OIDC credential or additional workflow secret.
The consumer runtime is the selected ref's committed action metadata, bundles, and runner-interpreted companion files; source alone is not evidence of shipped behavior. Privileged automation that generates, updates, or publishes those artifacts is also in scope.
The assets are job credentials; integrity of installed executables, interpreter, environment, checkout, runner, artifacts, and caches; isolation between jobs sharing caches or persistent runners; integrity of published action refs; and workflow compute/storage availability.
Material failures are unauthorized executable selection, credential disclosure, premature execution of lower-authority content, filesystem escape or destructive path use, cross-authority cache/runner persistence, and unauthorized publication.
## Threat Model, Trust Boundaries, and Assumptions
### Authority and trust boundaries
| Actor or input | Trust decision |
|---|---|
| Maintainers, repository/configuration administrators, and GitHub infrastructure | Trusted roots for source, bundles, workflows, refs, rulesets, environments, runner protocol, hosted isolation, and cache service. A lower-authority path into these roots is in scope; their compromise alone is not a repository bug. |
| Consumer workflow authors and runner operators | Control the action ref, trigger, runner, permissions, secrets, proxy, environment, inputs, paths, globs, and custom sources. These are trusted choices unless derived from lower-authority event data. Selecting a custom manifest delegates metadata and executable authority; selecting a path authorizes normal operations on it and intended referents. |
| Selected checkout, project authors, and pull-request contributors | The consumer delegates project/version files, interpreter discovery state, virtual environments, symlinks, cache inputs, and code execution within `setup-uv`'s process environment. Checkout-controlled behavior is trusted unless it overrides an explicit workflow choice or crosses an independent cache, runner, remote, or publication boundary. |
| Remote metadata and artifacts | Default official endpoints, TLS roots, and an operator proxy are trusted mutable authorities. A custom manifest authorizes its URLs and hashes; a hash supplied by that same authority detects corruption, not malice. |
| Cache and runner-state producers/consumers | Same-principal state is trusted by default. Integrity attacks require a lower-authority producer and higher-authority consumer. Confidentiality can flow the opposite way because lower-authority refs may read eligible higher-authority caches. Shared self-hosted state creates a boundary only when principals and authority differ. |
| GitHub-managed automation | Dependency, coding-agent, and review workflows may exist outside the committed tree. Treat them as external principals and obtain their effective trigger, actor, token, environment, ref, and write/secret authority from live evidence. |
### Assumptions
- Running the selected `uv` and checkout-selected Python interpreters is intended. Project execution is out of scope unless it bypasses an explicit workflow choice or crosses an independent cache, runner, remote, or publication boundary.
- Mutable official manifests, ranges, `latest`, and unprotected refs are not attacker control. A protected ref or independent checksum matters only if the selected bundle actually enforces it.
- Same-user changes to paths, environment, proxies, or tool/cache state are not separate attacks. Demonstrate a cross-principal or lower-to-higher boundary.
- Content merged through a trust path that can also merge executable code is not a lower-authority source; require a narrower writer or post-review mutation path.
- Running `setup-uv` on an untrusted checkout with higher authority is a consumer trust decision; checkout-selected code may inherit the action environment.
- Authorized paths include expected symlink/junction referents. Absolute paths and paths outside the workspace are supported; an escape requires independent control crossing an unauthorized boundary.
- Hosted runners are assumed ephemeral and isolated. Persistence or hostile co-tenancy on self-hosted runners must be demonstrated.
- Branch/tag rules, environments, token defaults, cache visibility, fork policy, dynamic workflows, and runner allocation are external state. Re-query required approvals/checks, bypass actors, tag movement, deployment reviewers/principals, release targets, and effective permissions for each attack path.
- Web-application classes such as sessions, CSRF, XSS, SQL injection, and tenant isolation are not applicable.
### Security invariants
1. **Published runtime:** review `action.yml`, committed `dist/*.cjs`, and runner-interpreted shipped files; source-only fixes do not protect consumers.
2. **Executable identity:** precedence is workflow version, version file, project configuration, then `latest`. Manifest authority, platform, variant, URL, checksum, mirror fallback, extraction, and cache placement must bind the intended artifact. A tool-cache hit bypasses download validation and depends on cache provenance.
3. **Credential recipients:** tokens and URL credentials may reach only workflow-authorized origins, redirects, paths, and logs. Metadata authority does not imply token-recipient authority.
4. **Executable boundaries:** checkout-selected interpreters are authorized by default. Explicit workflow selections must win, and independent cache, runner, or remote state must not substitute executables or gain additional authority.
5. **Paths and action channels:** path/environment changes, virtual-environment clearing, outputs, state, and problem matchers must affect only authorized targets and keep untrusted values as data.
6. **Cache boundaries:** keys, scope, restore paths, and executable content must prevent lower-to-higher poisoning; cache contents and post-action path re-resolution must prevent higher-to-lower disclosure, destructive pruning, or persistence.
7. **Workflow and release authority:** unreviewed code or mutable tooling must not acquire write, secret, OIDC, artifact, deployment, tag, or publication authority. Only the intended reviewed bundles and commit may be released.
8. **Availability:** independently controlled manifests, archives, globs, traversal, and caches must stay within the accepted one-job resource-failure model.
### Finding gate
Before reporting, identify the attacker and victim principals; exact controlled input; scanned action and checkout refs; runtime reachability in committed bundles; effective token, secrets/OIDC, environment gates, cache scope, and runner persistence; applicable defaults and opt-ins; validation performed or skipped; declared trust roots; baseline versus incremental capability; and concrete impact. Reproduce platform-specific behavior and distinguish the scanned ref from other versions.
A report must demonstrate independent attacker control, a violated guarantee, committed-runtime reachability, incremental capability, and practical impact; otherwise it is not a security finding and should not be reported as one.
## Attack Surface, Mitigations, and Attacker Stories
| Surface | Security-relevant behavior and controls | Reportable attacker story |
|---|---|---|
| Published action and build/release supply chain | Consumers execute committed bundles and embedded dependencies. Verify source/bundle alignment, lockfile integrity, dependency-install policy, reproducible/generated-diff checks, immutable action pins, branch enforcement, and publication target checks. | A lower-authority contributor or dependency changes shipped code, or release automation publishes a different commit, by bypassing an effective review, branch, or release control. |
| Version, manifest, proxy, and network selection | Project files may select an official version by documented precedence. Custom manifests may select URLs, hashes, variants, and platforms and may reach arbitrary network locations. Parsing should reject malformed, ambiguous, unsupported, or incorrectly typed records; verify HTTPS, time/size bounds, proxy behavior, and selected-ref defaults. | Lower-authority event/project data violates a promised fixed version, escapes the selected manifest, probes runner-only services, causes material resource use, selects attacker bytes, or redirects later credentials. Operator selection of a custom authority is not itself a finding. |
| Artifact URL, token, checksum, extraction, and tool cache | Mirror fallback must preserve identity and checksum policy. Origin gating should restrict tokens; redirect handling should strip authorization across unauthorized hosts and reject downgrade. Verify checksum precedence and reject missing/empty hashes when policy requires validation. Independent hashes must precede extraction. Native helpers come from `PATH`; tool-cache hits skip network/hash validation. | An attacker receives a usable token outside delegated authority, bypasses an independent pin, exploits archive/link traversal, substitutes the cached executable, or poisons shared tool state later executed with higher authority. Same-authority manifest hashes and same-user cache changes do not establish the boundary. |
| Interpreter, PATH, virtual environment, and action channels | Checkout-selected interpreters, virtual environments, paths, symlinks, and helpers are delegated project authority. Explicit workflow choices must bind; the action also changes later-step paths/environment, emits state/outputs, invokes native helpers, and consumes cache/runner state. | Independent cache, runner, or remote content substitutes an executable; an explicit workflow choice is bypassed; or action channels cross an authority boundary. Same-checkout interpreter, path, and helper effects are not findings. |
| GitHub uv/Python caches and post action | Cache keys should partition platform, interpreter, dependency, and policy state and restore without unsafe fallback. Determine cache defaults, visibility, and the exact hit/miss path from the selected ref and GitHub policy; an exact hit may suppress post save/prune. Post processing re-reads inputs/config/environment and may save re-resolved uv or Python paths. | A lower producer supplies executable content to a higher consumer; a higher producer exposes private data to a lower cache reader; or a later successful step retargets a cache miss toward sensitive files, destructive pruning, or cross-job persistence. Existing equal-authority code with the same secrets often gains no new confidentiality. |
| CI, updater, dynamic automation, and release workflows | PR workflows intentionally execute contributor code. Verify effective permissions, fork behavior, credential persistence, mutable tooling, security-upload authority, and whether checks are required. Updaters convert remote data into source under write authority. Distinguish ruleset-required deployment from human review present only in a workflow DAG. | Unreviewed code gains write/secret/OIDC/artifact authority; remote metadata becomes executable generated source; a dynamic workflow has unexpected authority; or an actor satisfies a deployment/tag rule without the intended review and publishes a malicious ref. |
| Availability and logging | Manifests, version enumeration, archives, globs, hashing, caches, and remote strings can consume resources or influence logs. Verify size/count/expansion bounds, timeouts, retries, top-level error handling, and that parsing never executes data. | Independently controlled input causes reliable material workflow cost, disk/memory exhaustion, or meaningful log/output manipulation. A bounded one-job failure or operator-selected broad input is usually Low or correctness. |
| Lower-priority classes | Shell injection is constrained where child execution uses argv, but workflow shell blocks still require quoting review. Prototype pollution requires a dangerous merge/sink. Secret-shaped strings require proof of a genuine usable secret. Documentation drift, range surprises, malformed trusted config, and test-only code normally lack a security boundary. | Report only when a concrete lower-authority value reaches an execution, credential, persistent-state, publication, or material-availability sink. |
## Severity Calibration (Critical, High, Medium, Low)
Severity follows the complete attack graph and incremental capability, not the presence of words such as token, checksum, cache, manifest, archive, Python, PATH, release, or OIDC.
| Severity | Threshold | Representative examples |
|---|---|---|
| **Critical** | A low-prerequisite remote/lower-authority attacker compromises default distribution or installation across many consumers, publishes trusted malicious action artifacts, or gains broad credentials/runner control under safe defaults without first compromising a declared trust root. | Bypass an effective hash/origin control to distribute an automatically executed malicious binary at scale; reach publication authority to ship malicious bundles or move trusted refs without required approval; exploit default-accepted archive content for host overwrite or cross-job execution across hosted runners. |
| **High** | A demonstrated lower-authority input crosses an execution, confidentiality, integrity, or persistence boundary in a privileged job and gains substantial capability. | Independent shared-state interpreter substitution in a write/OIDC release job; shared cache poisoning later executed with secrets; high-value cache disclosure to an untrusted ref; usable write-token disclosure; independent-pin bypass; archive/cache escape into sensitive state. |
| **Medium** | A real but constrained crossing causes limited credential/filesystem impact, reliable remote denial of service, scoped persistence, or premature execution in a realistic uncommon configuration. | Limited executable substitution from independent cache/runner state in a read-only job; same-repository cache confusion or disclosure; reliable hosted-runner exhaustion; disclosure of a usable read-only private token; output manipulation without publication or high-value credentials. |
| **Low** | A genuine weak boundary causes narrow disclosure, log/annotation spoofing, defense-in-depth weakness, exotic cache aliasing without a privileged consumer, or limited waste. | Confusing logs with no execution effect; bounded job failure; limited overwrite of nonexecuted cache data; disclosure of a path/URL without private data or follow-on capability. |
Trust-root compromise may have Critical impact but is not a repository Critical without a lower-authority path into that root or an independent control that should have survived. High requires exact trigger, refs, effective authority, sink, and committed runtime; it cannot rely only on a trusted operator choosing malicious inputs, same-user state changes, or code already intentionally executed with equal authority. A separate privileged consumer, broad secret, persistent trusted state, publication path, or cross-repository boundary can raise Medium to High.
Normally non-reportable without additional evidence: expected mutability of ranges, `latest`, official/custom sources, or unprotected refs; documented project version selection; checkout-selected interpreters, paths, virtual environments, symlinks, and helpers; deliberate operator selection of manifests, proxies, checksums, or paths; same-principal cache/path changes; requested `uv` or dependency execution; trusted-runner `PATH` lookup; test/developer-only code without a shipped or privileged-workflow path; behavior fixed in the scanned ref; and correctness/compatibility/documentation issues without incremental confidentiality, integrity, persistence, or availability impact.

View File

@@ -1,5 +1,77 @@
// AUTOGENERATED_DO_NOT_EDIT
export const KNOWN_CHECKSUMS: { [key: string]: string } = {
"aarch64-apple-darwin-0.11.26":
"8f7fbf1708399b921857bce71e1d60f0d3ccf52a30caebc1c1a2f175dce13ab6",
"aarch64-pc-windows-msvc-0.11.26":
"98246149741f558e25e45ecf2b0b20f34de0634269f2bf0dcb4012d4b6ba289a",
"aarch64-unknown-linux-gnu-0.11.26":
"befa1a59c91e96eb601b0fd9a97c03dd666f17baba644b2b4db9c59a767e387e",
"aarch64-unknown-linux-musl-0.11.26":
"47418cfdb34b1ca42e503da72631ac8c475602e2411ac6c39aa84c2373fe6324",
"arm-unknown-linux-musleabihf-0.11.26":
"400ebbca4062f7960cbdb2359cd28741dc9a1fab2656abb9ee05fb525e3f1e12",
"armv7-unknown-linux-gnueabihf-0.11.26":
"e1a6e135f68c237f969f2acb5277ef2691dec582e99d9f6c237c21583bd26f7b",
"armv7-unknown-linux-musleabihf-0.11.26":
"3b4453d821588f7fafe622a099db4b7f55a668bec79db73411414ffc24b8c45d",
"i686-pc-windows-msvc-0.11.26":
"6e19e7ef0ccacfeea7edeb0a7be951d31148b49f5170c1770c58db312fe443f8",
"i686-unknown-linux-gnu-0.11.26":
"65cc2d8719febecd1bc2fd3ea437c72317ac54de96e54de0a73344e150982478",
"i686-unknown-linux-musl-0.11.26":
"ef5d5c982dfd4d6b5aa107c33b882b978ccccf1487500ae2adbc1d3665ea7e04",
"powerpc64le-unknown-linux-gnu-0.11.26":
"095f7cfd814495719244897f96f1c35f10369bcd9237276c63cfed824353f505",
"riscv64gc-unknown-linux-gnu-0.11.26":
"253d728a2660006e4aadee627f5d9f3ca2a874559b5fc716a5023965e58092bf",
"riscv64gc-unknown-linux-musl-0.11.26":
"4ef67e6bb961583eb4ee7ce61b3c98bcede9e51b771b4b4967719d0fb6aa3cbd",
"s390x-unknown-linux-gnu-0.11.26":
"34f514ed6ecbf33a3d90346c8bf3074954dd0c76340f5765b88577daa05d307b",
"x86_64-apple-darwin-0.11.26":
"922b460202707dd5f4ccacbadbe7f6a546cc46e82a99bf50ca99a7977a78eddd",
"x86_64-pc-windows-msvc-0.11.26":
"4e1278ede866be6c0bf32d2f466cc6de7a9fb399ecf20c9ce2d186e52424be47",
"x86_64-unknown-linux-gnu-0.11.26":
"6426a73c3837e6e2483ee344cbc00f36394d179afcba6183cb77437e67db4af0",
"x86_64-unknown-linux-musl-0.11.26":
"62bf1a53501adf4083224b69b33737450ac516935f5a5e483e9dfaf2665084de",
"aarch64-apple-darwin-0.11.25":
"5fc334bb25d19806262efd1f6e7d380155c7e817d89bf426df4ba7ae873c9471",
"aarch64-pc-windows-msvc-0.11.25":
"40d65c29c4d97db6a0993df665d3727700bb799b3618992ce9a4dc533c6d1a31",
"aarch64-unknown-linux-gnu-0.11.25":
"e0e9d73f74e06a7dcd53910d5962146ab48f0af9c92cc8df33a37baa0121014d",
"aarch64-unknown-linux-musl-0.11.25":
"3d9c9a95f1868ff20ac880712f3a337d710ea4b65f135184b7a35635d1acbf84",
"arm-unknown-linux-musleabihf-0.11.25":
"50ef6368eebaa9f31d8e8685a91689666c7bae86a1bd9a72b7a505f752084ef9",
"armv7-unknown-linux-gnueabihf-0.11.25":
"eb60b2931d2461022e1675a7f6c08078b1e47150edb2f7728fe117563a5ebc99",
"armv7-unknown-linux-musleabihf-0.11.25":
"50f6f10ca38e4628998c17de24c2780f429d9b354db98b1832c130b7394e8ec4",
"i686-pc-windows-msvc-0.11.25":
"91a87e8a7ea2d5e9451b9bd8b1e9fa490542311ac43e80a9115abbd231c417fb",
"i686-unknown-linux-gnu-0.11.25":
"1b0f2ceee8dbe718eb1e14d7eccf67534d2f72698f4f85e70cf8a5055412b5d3",
"i686-unknown-linux-musl-0.11.25":
"e650be31af3fd31f5e2236a47daab0899070a66a732026d140461f1614fbe786",
"powerpc64le-unknown-linux-gnu-0.11.25":
"fbf67c8beccc718b9de478d7e74d605fe9c2e259c4398f95c9df7680da710af1",
"riscv64gc-unknown-linux-gnu-0.11.25":
"29e74713e89242c6bf0971b28e904836298a04fb7e0d83262c7bd5aff695ae33",
"riscv64gc-unknown-linux-musl-0.11.25":
"90c5a720dd9ddf32de8511c79fc83bc69e38795a94b5b49fcb2d010f96b1374d",
"s390x-unknown-linux-gnu-0.11.25":
"3d508ed6e66898ce80aa668cb7d6ec4ddb4d30440fcfbd409365d3d0e4afa75c",
"x86_64-apple-darwin-0.11.25":
"65ff85b33212f75d34d7c0f0724aba9a742c74f62559f67dc0d6c543dc2fc52f",
"x86_64-pc-windows-msvc-0.11.25":
"15bfd1423b7eaa7aae949922d4712ebaac2bb44a81af64ab59bbe007090cb0d0",
"x86_64-unknown-linux-gnu-0.11.25":
"1db18b5e76fa645a7f3865773139bdec8e2d46adbdbb35e7410b34fa8015ccd2",
"x86_64-unknown-linux-musl-0.11.25":
"7195cfcc1785d0c559d4682ad9109f26664b8db4d828d42d66078ef454061891",
"aarch64-apple-darwin-0.11.24":
"7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf",
"aarch64-pc-windows-msvc-0.11.24":