


dependabot[bot]
7570463c3f chore(deps): bump github/codeql-action/autobuild from 4.36.0 to 4.36.2
Bumps [github/codeql-action/autobuild](https://github.com/github/codeql-action) from 4.36.0 to 4.36.2.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](7211b7c807...8aad20d150)

---
updated-dependencies:
- dependency-name: github/codeql-action/autobuild
  dependency-version: 4.36.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-06-26 10:54:07 +00:00
16 changed files with 93 additions and 352 deletions


@@ -41,7 +41,7 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
@@ -59,7 +59,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below) # If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild - name: Autobuild
uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0 uses: github/codeql-action/autobuild@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
# Command-line programs to run using the OS shell. # Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl # 📚 https://git.io/JvXDl


@@ -19,7 +19,7 @@ jobs:
pull-requests: read pull-requests: read
steps: steps:
- name: 🚀 Run Release Drafter - name: 🚀 Run Release Drafter
uses: release-drafter/release-drafter@ed4bc48ec97379be2258e7b7ac2624a3e26ab809 # v7.4.0 uses: release-drafter/release-drafter@693d20e7c1ce1a81d3a41962f85914253b518449 # v7.3.1
with: with:
commitish: ${{ github.sha }} commitish: ${{ github.sha }}
env: env:


@@ -111,14 +111,3 @@ jobs:
echo "Publishing draft release $TAG" echo "Publishing draft release $TAG"
gh release edit "$TAG" --draft=false gh release edit "$TAG" --draft=false
update-docs:
name: Update docs
needs:
- release
uses: ./.github/workflows/update-docs.yml
permissions:
contents: write
pull-requests: write
with:
tag: v${{ inputs.version }}


@@ -21,7 +21,7 @@ jobs:
permissions: permissions:
security-events: write # for zizmor security-events: write # for zizmor
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Actionlint - name: Actionlint
@@ -51,7 +51,7 @@ jobs:
matrix: matrix:
os: [ubuntu-latest, macos-latest, macos-14, windows-latest] os: [ubuntu-latest, macos-latest, macos-14, windows-latest]
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install latest version - name: Install latest version
@@ -76,7 +76,7 @@ jobs:
test-uv-no-modify-path: test-uv-no-modify-path:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install with UV_NO_MODIFY_PATH set - name: Install with UV_NO_MODIFY_PATH set
@@ -125,7 +125,7 @@ jobs:
expected-version: "0.1.0" expected-version: "0.1.0"
resolution-strategy: "lowest" resolution-strategy: "lowest"
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install version ${{ matrix.input.version-input }} with strategy ${{ matrix.input.resolution-strategy || 'highest' }} - name: Install version ${{ matrix.input.version-input }} with strategy ${{ matrix.input.resolution-strategy || 'highest' }}
@@ -154,7 +154,7 @@ jobs:
matrix: matrix:
version-input: ["latest", ">=0.8"] version-input: ["latest", ">=0.8"]
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install version ${{ matrix.version-input }} - name: Install version ${{ matrix.version-input }}
@@ -194,7 +194,7 @@ jobs:
- working-directory: "__tests__/fixtures/uv-toml-project" - working-directory: "__tests__/fixtures/uv-toml-project"
expected-version: "0.5.15" expected-version: "0.5.15"
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install version from ${{ matrix.input.working-directory }} - name: Install version from ${{ matrix.input.working-directory }}
@@ -220,7 +220,7 @@ jobs:
- version-file: "__tests__/fixtures/.tool-versions" - version-file: "__tests__/fixtures/.tool-versions"
expected-version: "0.5.15" expected-version: "0.5.15"
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install version from ${{ matrix.input.version-file }} - name: Install version from ${{ matrix.input.version-file }}
@@ -237,7 +237,7 @@ jobs:
test-malformed-pyproject-file-fallback: test-malformed-pyproject-file-fallback:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install using malformed pyproject.toml - name: Install using malformed pyproject.toml
@@ -257,7 +257,7 @@ jobs:
- os: macos-latest - os: macos-latest
checksum: "a70cbfbf3bb5c08b2f84963b4f12c94e08fbb2468ba418a3bfe1066fbe9e7218" checksum: "a70cbfbf3bb5c08b2f84963b4f12c94e08fbb2468ba418a3bfe1066fbe9e7218"
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Checksum matches expected - name: Checksum matches expected
@@ -271,7 +271,7 @@ jobs:
test-with-explicit-token: test-with-explicit-token:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install default version - name: Install default version
@@ -284,7 +284,7 @@ jobs:
test-uvx: test-uvx:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install default version - name: Install default version
@@ -297,7 +297,7 @@ jobs:
matrix: matrix:
os: [ubuntu-latest, macos-latest, macos-14, windows-latest] os: [ubuntu-latest, macos-latest, macos-14, windows-latest]
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install default version - name: Install default version
@@ -311,7 +311,7 @@ jobs:
matrix: matrix:
os: [ubuntu-latest, macos-latest, windows-latest] os: [ubuntu-latest, macos-latest, windows-latest]
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install latest version - name: Install latest version
@@ -343,7 +343,7 @@ jobs:
matrix: matrix:
os: [ubuntu-latest, macos-latest, windows-latest] os: [ubuntu-latest, macos-latest, windows-latest]
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install latest version - name: Install latest version
@@ -382,7 +382,7 @@ jobs:
matrix: matrix:
os: [ubuntu-latest, macos-latest, windows-latest] os: [ubuntu-latest, macos-latest, windows-latest]
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install latest version - name: Install latest version
@@ -433,7 +433,7 @@ jobs:
test-activate-environment-no-project: test-activate-environment-no-project:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Create incompatible pyproject.toml - name: Create incompatible pyproject.toml
@@ -477,7 +477,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: debian:unstable container: debian:unstable
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install latest version - name: Install latest version
@@ -491,7 +491,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
container: alpine container: alpine
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install latest version - name: Install latest version
@@ -530,7 +530,7 @@ jobs:
- os: windows-2025 - os: windows-2025
expected-os: "windows-2025" expected-os: "windows-2025"
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup uv - name: Setup uv
@@ -556,7 +556,7 @@ jobs:
enable-cache: ["true", "false", "auto"] enable-cache: ["true", "false", "auto"]
os: ["ubuntu-latest", "windows-latest"] os: ["ubuntu-latest", "windows-latest"]
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup with cache - name: Setup with cache
@@ -575,7 +575,7 @@ jobs:
os: ["ubuntu-latest", "windows-latest"] os: ["ubuntu-latest", "windows-latest"]
needs: test-setup-cache needs: test-setup-cache
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Restore with cache - name: Restore with cache
@@ -609,7 +609,7 @@ jobs:
test-setup-cache-requirements-txt: test-setup-cache-requirements-txt:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup with cache - name: Setup with cache
@@ -625,7 +625,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: test-setup-cache-requirements-txt needs: test-setup-cache-requirements-txt
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Restore with cache - name: Restore with cache
@@ -649,7 +649,7 @@ jobs:
test-setup-cache-dependency-glob: test-setup-cache-dependency-glob:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup with cache - name: Setup with cache
@@ -666,7 +666,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: test-setup-cache-dependency-glob needs: test-setup-cache-dependency-glob
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Change pyproject.toml - name: Change pyproject.toml
@@ -694,7 +694,7 @@ jobs:
test-setup-cache-save-cache-false: test-setup-cache-save-cache-false:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup with cache - name: Setup with cache
@@ -710,7 +710,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: test-setup-cache-save-cache-false needs: test-setup-cache-save-cache-false
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Restore with cache - name: Restore with cache
@@ -730,7 +730,7 @@ jobs:
test-setup-cache-restore-cache-false: test-setup-cache-restore-cache-false:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup with cache - name: Setup with cache
@@ -745,7 +745,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: test-setup-cache-restore-cache-false needs: test-setup-cache-restore-cache-false
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Restore with cache - name: Restore with cache
@@ -773,7 +773,7 @@ jobs:
expected-cache-dir: "D:\\a\\_temp\\setup-uv-cache" expected-cache-dir: "D:\\a\\_temp\\setup-uv-cache"
runs-on: ${{ matrix.inputs.os }} runs-on: ${{ matrix.inputs.os }}
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup with cache - name: Setup with cache
@@ -791,7 +791,7 @@ jobs:
test-cache-local-cache-disabled: test-cache-local-cache-disabled:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup without cache - name: Setup without cache
@@ -810,7 +810,7 @@ jobs:
test-cache-local-cache-disabled-but-explicit-path: test-cache-local-cache-disabled-but-explicit-path:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup without cache - name: Setup without cache
@@ -830,7 +830,7 @@ jobs:
test-no-python-version: test-no-python-version:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Fake pyproject.toml at root - name: Fake pyproject.toml at root
@@ -845,7 +845,7 @@ jobs:
test-custom-manifest-file: test-custom-manifest-file:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install from custom manifest file - name: Install from custom manifest file
@@ -864,7 +864,7 @@ jobs:
test-download-from-astral-mirror-false: test-download-from-astral-mirror-false:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install with download-from-astral-mirror disabled - name: Install with download-from-astral-mirror disabled
@@ -878,7 +878,7 @@ jobs:
test-absolute-path: test-absolute-path:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Create requirements.txt - name: Create requirements.txt
@@ -898,7 +898,7 @@ jobs:
test-relative-path: test-relative-path:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: mkdir - name: mkdir
@@ -922,7 +922,7 @@ jobs:
test-cache-prune-force: test-cache-prune-force:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup uv - name: Setup uv
@@ -939,7 +939,7 @@ jobs:
test-cache-dir-from-file: test-cache-dir-from-file:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Verify uv cache dir is not populated - name: Verify uv cache dir is not populated
@@ -966,7 +966,7 @@ jobs:
env: env:
UV_PYTHON_INSTALL_DIR: /tmp/missing-uv-python UV_PYTHON_INSTALL_DIR: /tmp/missing-uv-python
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Setup uv with cache and python cache enabled - name: Setup uv with cache and python cache enabled
@@ -987,7 +987,7 @@ jobs:
test-cache-python-installs: test-cache-python-installs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Verify Python install dir is not populated - name: Verify Python install dir is not populated
@@ -1014,7 +1014,7 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: test-cache-python-installs needs: test-cache-python-installs
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Verify Python install dir does not exist - name: Verify Python install dir does not exist
@@ -1056,7 +1056,7 @@ jobs:
expected-python-dir: "D:\\a\\_temp\\uv-python-dir" expected-python-dir: "D:\\a\\_temp\\uv-python-dir"
runs-on: ${{ matrix.inputs.os }} runs-on: ${{ matrix.inputs.os }}
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install latest version - name: Install latest version
@@ -1075,7 +1075,7 @@ jobs:
test-act: test-act:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Install act - name: Install act
@@ -1090,7 +1090,7 @@ jobs:
validate-typings: validate-typings:
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: false persist-credentials: false
- name: Validate typings - name: Validate typings


@@ -1,46 +1,28 @@
name: "Update docs" name: "Update docs"
on: on:
workflow_call: push:
inputs: tags:
tag: - "v*.*.*"
description: "Release tag to update docs for (e.g., v8.2.0)"
required: true
type: string
workflow_dispatch:
permissions: {} permissions: {}
jobs: jobs:
update-docs: update-docs:
continue-on-error: ${{ github.event_name == 'workflow_call' }}
runs-on: ubuntu-24.04-arm runs-on: ubuntu-24.04-arm
permissions: permissions:
contents: write contents: write
pull-requests: write pull-requests: write
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
fetch-depth: 0
persist-credentials: true persist-credentials: true
- name: Get tag info - name: Get tag info
id: tag-info id: tag-info
run: | run: |
if [ -n "$INPUT_TAG" ]; then TAG_NAME="${GITHUB_REF#refs/tags/}"
TAG_NAME="$INPUT_TAG"
else
TAG_NAME=$(git tag --list 'v[0-9]*.[0-9]*.[0-9]*' --sort=-v:refname | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+$' | head -1)
fi
if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error::Tag must match vMAJOR.MINOR.PATCH (e.g., v8.2.0)"
exit 1
fi
COMMIT_SHA=$(git rev-list -n 1 "$TAG_NAME") COMMIT_SHA=$(git rev-list -n 1 "$TAG_NAME")
echo "tag=$TAG_NAME" >> "$GITHUB_OUTPUT" echo "tag=$TAG_NAME" >> "$GITHUB_OUTPUT"
echo "sha=$COMMIT_SHA" >> "$GITHUB_OUTPUT" echo "sha=$COMMIT_SHA" >> "$GITHUB_OUTPUT"
env:
INPUT_TAG: ${{ inputs.tag }}
- name: Update references in docs - name: Update references in docs
run: | run: |
OLD_REF=$(grep -oh 'astral-sh/setup-uv@[a-f0-9]\{40\} # v[0-9][^ ]*' README.md docs/*.md | head -1) OLD_REF=$(grep -oh 'astral-sh/setup-uv@[a-f0-9]\{40\} # v[0-9][^ ]*' README.md docs/*.md | head -1)
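Review bot: `TAG_NAME="${GITHUB_REF#refs/tags/}"` in the new `Get tag info` step is used without validation, whereas the block it replaces rejected anything not matching `^v[0-9]+\.[0-9]+\.[0-9]+$`; the `v*.*.*` trigger filter does not restore that check, because `*` also matches tags carrying extra suffixes (a hypothetical `v8.2.0-rc1`, for example). Such a tag would reach the `Update references in docs` step, which runs with `contents: write`, `pull-requests: write` and a persisted checkout token, and would be written into README/docs as if it were a release. Keep the guard directly after the assignment: `if [[ ! "$TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then echo "::error::Tag must match vMAJOR.MINOR.PATCH (e.g., v8.2.0)"; exit 1; fi`. The hunk also drops `fetch-depth: 0`; `git rev-list -n 1 "$TAG_NAME"` presumably still resolves because actions/checkout fetches the pushed tag ref, but that is worth confirming on a shallow clone. The `Update references in docs` step continues past the end of the hunk.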


@@ -15,7 +15,7 @@ jobs:
contents: write contents: write
pull-requests: write pull-requests: write
steps: steps:
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with: with:
persist-credentials: true persist-credentials: true
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0


@@ -26,7 +26,7 @@ Set up your GitHub Actions workflow with a specific version of [uv](https://docs
```yaml ```yaml
- name: Install the latest version of uv - name: Install the latest version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
``` ```
If you do not specify a version, this action will look for a [required-version](https://docs.astral.sh/uv/reference/settings/#required-version) If you do not specify a version, this action will look for a [required-version](https://docs.astral.sh/uv/reference/settings/#required-version)
@@ -42,7 +42,7 @@ Have a look under [Advanced Configuration](#advanced-configuration) for detailed
```yaml ```yaml
- name: Install uv with all available options - name: Install uv with all available options
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
# The version of uv to install (default: searches for version in config files, then latest) # The version of uv to install (default: searches for version in config files, then latest)
version: "" version: ""
@@ -148,7 +148,7 @@ This will override any python version specifications in `pyproject.toml` and `.p
```yaml ```yaml
- name: Install the latest version of uv and set the python version to 3.13t - name: Install the latest version of uv and set the python version to 3.13t
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
python-version: 3.13t python-version: 3.13t
- run: uv pip install --python=3.13t pip - run: uv pip install --python=3.13t pip
@@ -166,7 +166,7 @@ jobs:
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v5
- name: Install the latest version of uv and set the python version - name: Install the latest version of uv and set the python version
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
python-version: ${{ matrix.python-version }} python-version: ${{ matrix.python-version }}
- name: Test with python ${{ matrix.python-version }} - name: Test with python ${{ matrix.python-version }}
@@ -183,7 +183,7 @@ It also controls where [the venv gets created](#activate-environment), unless `v
```yaml ```yaml
- name: Install uv based on the config files in the working-directory - name: Install uv based on the config files in the working-directory
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
working-directory: my/subproject/dir working-directory: my/subproject/dir
``` ```
@@ -225,7 +225,7 @@ For example:
- name: Checkout the repository - name: Checkout the repository
uses: actions/checkout@main uses: actions/checkout@main
- name: Install the latest version of uv - name: Install the latest version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
- name: Test - name: Test
@@ -237,7 +237,7 @@ To install a specific version of Python, use
```yaml ```yaml
- name: Install the latest version of uv - name: Install the latest version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
- name: Install Python 3.12 - name: Install Python 3.12
@@ -256,7 +256,7 @@ output:
uses: actions/checkout@main uses: actions/checkout@main
- name: Install the default version of uv - name: Install the default version of uv
id: setup-uv id: setup-uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- name: Print the installed version - name: Print the installed version
run: echo "Installed uv version is ${{ steps.setup-uv.outputs.uv-version }}" run: echo "Installed uv version is ${{ steps.setup-uv.outputs.uv-version }}"
``` ```


@@ -1,5 +0,0 @@
# Security policy
Report suspected vulnerabilities according to [Astral's security policy](https://github.com/astral-sh/.github/blob/main/SECURITY.md).
For this repository's security boundaries and reporting criteria, see the [setup-uv threat model](docs/threat-model.md).

dist/setup/index.cjs generated vendored

@@ -91741,42 +91741,6 @@ var fs10 = __toESM(require("node:fs"), 1);
// src/download/checksum/known-checksums.ts // src/download/checksum/known-checksums.ts
var KNOWN_CHECKSUMS = { var KNOWN_CHECKSUMS = {
"aarch64-apple-darwin-0.11.26": "8f7fbf1708399b921857bce71e1d60f0d3ccf52a30caebc1c1a2f175dce13ab6",
"aarch64-pc-windows-msvc-0.11.26": "98246149741f558e25e45ecf2b0b20f34de0634269f2bf0dcb4012d4b6ba289a",
"aarch64-unknown-linux-gnu-0.11.26": "befa1a59c91e96eb601b0fd9a97c03dd666f17baba644b2b4db9c59a767e387e",
"aarch64-unknown-linux-musl-0.11.26": "47418cfdb34b1ca42e503da72631ac8c475602e2411ac6c39aa84c2373fe6324",
"arm-unknown-linux-musleabihf-0.11.26": "400ebbca4062f7960cbdb2359cd28741dc9a1fab2656abb9ee05fb525e3f1e12",
"armv7-unknown-linux-gnueabihf-0.11.26": "e1a6e135f68c237f969f2acb5277ef2691dec582e99d9f6c237c21583bd26f7b",
"armv7-unknown-linux-musleabihf-0.11.26": "3b4453d821588f7fafe622a099db4b7f55a668bec79db73411414ffc24b8c45d",
"i686-pc-windows-msvc-0.11.26": "6e19e7ef0ccacfeea7edeb0a7be951d31148b49f5170c1770c58db312fe443f8",
"i686-unknown-linux-gnu-0.11.26": "65cc2d8719febecd1bc2fd3ea437c72317ac54de96e54de0a73344e150982478",
"i686-unknown-linux-musl-0.11.26": "ef5d5c982dfd4d6b5aa107c33b882b978ccccf1487500ae2adbc1d3665ea7e04",
"powerpc64le-unknown-linux-gnu-0.11.26": "095f7cfd814495719244897f96f1c35f10369bcd9237276c63cfed824353f505",
"riscv64gc-unknown-linux-gnu-0.11.26": "253d728a2660006e4aadee627f5d9f3ca2a874559b5fc716a5023965e58092bf",
"riscv64gc-unknown-linux-musl-0.11.26": "4ef67e6bb961583eb4ee7ce61b3c98bcede9e51b771b4b4967719d0fb6aa3cbd",
"s390x-unknown-linux-gnu-0.11.26": "34f514ed6ecbf33a3d90346c8bf3074954dd0c76340f5765b88577daa05d307b",
"x86_64-apple-darwin-0.11.26": "922b460202707dd5f4ccacbadbe7f6a546cc46e82a99bf50ca99a7977a78eddd",
"x86_64-pc-windows-msvc-0.11.26": "4e1278ede866be6c0bf32d2f466cc6de7a9fb399ecf20c9ce2d186e52424be47",
"x86_64-unknown-linux-gnu-0.11.26": "6426a73c3837e6e2483ee344cbc00f36394d179afcba6183cb77437e67db4af0",
"x86_64-unknown-linux-musl-0.11.26": "62bf1a53501adf4083224b69b33737450ac516935f5a5e483e9dfaf2665084de",
"aarch64-apple-darwin-0.11.25": "5fc334bb25d19806262efd1f6e7d380155c7e817d89bf426df4ba7ae873c9471",
"aarch64-pc-windows-msvc-0.11.25": "40d65c29c4d97db6a0993df665d3727700bb799b3618992ce9a4dc533c6d1a31",
"aarch64-unknown-linux-gnu-0.11.25": "e0e9d73f74e06a7dcd53910d5962146ab48f0af9c92cc8df33a37baa0121014d",
"aarch64-unknown-linux-musl-0.11.25": "3d9c9a95f1868ff20ac880712f3a337d710ea4b65f135184b7a35635d1acbf84",
"arm-unknown-linux-musleabihf-0.11.25": "50ef6368eebaa9f31d8e8685a91689666c7bae86a1bd9a72b7a505f752084ef9",
"armv7-unknown-linux-gnueabihf-0.11.25": "eb60b2931d2461022e1675a7f6c08078b1e47150edb2f7728fe117563a5ebc99",
"armv7-unknown-linux-musleabihf-0.11.25": "50f6f10ca38e4628998c17de24c2780f429d9b354db98b1832c130b7394e8ec4",
"i686-pc-windows-msvc-0.11.25": "91a87e8a7ea2d5e9451b9bd8b1e9fa490542311ac43e80a9115abbd231c417fb",
"i686-unknown-linux-gnu-0.11.25": "1b0f2ceee8dbe718eb1e14d7eccf67534d2f72698f4f85e70cf8a5055412b5d3",
"i686-unknown-linux-musl-0.11.25": "e650be31af3fd31f5e2236a47daab0899070a66a732026d140461f1614fbe786",
"powerpc64le-unknown-linux-gnu-0.11.25": "fbf67c8beccc718b9de478d7e74d605fe9c2e259c4398f95c9df7680da710af1",
"riscv64gc-unknown-linux-gnu-0.11.25": "29e74713e89242c6bf0971b28e904836298a04fb7e0d83262c7bd5aff695ae33",
"riscv64gc-unknown-linux-musl-0.11.25": "90c5a720dd9ddf32de8511c79fc83bc69e38795a94b5b49fcb2d010f96b1374d",
"s390x-unknown-linux-gnu-0.11.25": "3d508ed6e66898ce80aa668cb7d6ec4ddb4d30440fcfbd409365d3d0e4afa75c",
"x86_64-apple-darwin-0.11.25": "65ff85b33212f75d34d7c0f0724aba9a742c74f62559f67dc0d6c543dc2fc52f",
"x86_64-pc-windows-msvc-0.11.25": "15bfd1423b7eaa7aae949922d4712ebaac2bb44a81af64ab59bbe007090cb0d0",
"x86_64-unknown-linux-gnu-0.11.25": "1db18b5e76fa645a7f3865773139bdec8e2d46adbdbb35e7410b34fa8015ccd2",
"x86_64-unknown-linux-musl-0.11.25": "7195cfcc1785d0c559d4682ad9109f26664b8db4d828d42d66078ef454061891",
"aarch64-apple-darwin-0.11.24": "7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf", "aarch64-apple-darwin-0.11.24": "7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf",
"aarch64-pc-windows-msvc-0.11.24": "51bcf8051dcc2075fba9136ece0f229205a6ef813e68e5709c6eeb18802afed5", "aarch64-pc-windows-msvc-0.11.24": "51bcf8051dcc2075fba9136ece0f229205a6ef813e68e5709c6eeb18802afed5",
"aarch64-unknown-linux-gnu-0.11.24": "e22c66d36a0098b17cff80a8647e0b8c58202af899d4e9eb820fc7ad126435a1", "aarch64-unknown-linux-gnu-0.11.24": "e22c66d36a0098b17cff80a8647e0b8c58202af899d4e9eb820fc7ad126435a1",


@@ -45701,42 +45701,6 @@ var semver = __toESM(require_semver(), 1);
// src/download/checksum/known-checksums.ts // src/download/checksum/known-checksums.ts
var KNOWN_CHECKSUMS = { var KNOWN_CHECKSUMS = {
"aarch64-apple-darwin-0.11.26": "8f7fbf1708399b921857bce71e1d60f0d3ccf52a30caebc1c1a2f175dce13ab6",
"aarch64-pc-windows-msvc-0.11.26": "98246149741f558e25e45ecf2b0b20f34de0634269f2bf0dcb4012d4b6ba289a",
"aarch64-unknown-linux-gnu-0.11.26": "befa1a59c91e96eb601b0fd9a97c03dd666f17baba644b2b4db9c59a767e387e",
"aarch64-unknown-linux-musl-0.11.26": "47418cfdb34b1ca42e503da72631ac8c475602e2411ac6c39aa84c2373fe6324",
"arm-unknown-linux-musleabihf-0.11.26": "400ebbca4062f7960cbdb2359cd28741dc9a1fab2656abb9ee05fb525e3f1e12",
"armv7-unknown-linux-gnueabihf-0.11.26": "e1a6e135f68c237f969f2acb5277ef2691dec582e99d9f6c237c21583bd26f7b",
"armv7-unknown-linux-musleabihf-0.11.26": "3b4453d821588f7fafe622a099db4b7f55a668bec79db73411414ffc24b8c45d",
"i686-pc-windows-msvc-0.11.26": "6e19e7ef0ccacfeea7edeb0a7be951d31148b49f5170c1770c58db312fe443f8",
"i686-unknown-linux-gnu-0.11.26": "65cc2d8719febecd1bc2fd3ea437c72317ac54de96e54de0a73344e150982478",
"i686-unknown-linux-musl-0.11.26": "ef5d5c982dfd4d6b5aa107c33b882b978ccccf1487500ae2adbc1d3665ea7e04",
"powerpc64le-unknown-linux-gnu-0.11.26": "095f7cfd814495719244897f96f1c35f10369bcd9237276c63cfed824353f505",
"riscv64gc-unknown-linux-gnu-0.11.26": "253d728a2660006e4aadee627f5d9f3ca2a874559b5fc716a5023965e58092bf",
"riscv64gc-unknown-linux-musl-0.11.26": "4ef67e6bb961583eb4ee7ce61b3c98bcede9e51b771b4b4967719d0fb6aa3cbd",
"s390x-unknown-linux-gnu-0.11.26": "34f514ed6ecbf33a3d90346c8bf3074954dd0c76340f5765b88577daa05d307b",
"x86_64-apple-darwin-0.11.26": "922b460202707dd5f4ccacbadbe7f6a546cc46e82a99bf50ca99a7977a78eddd",
"x86_64-pc-windows-msvc-0.11.26": "4e1278ede866be6c0bf32d2f466cc6de7a9fb399ecf20c9ce2d186e52424be47",
"x86_64-unknown-linux-gnu-0.11.26": "6426a73c3837e6e2483ee344cbc00f36394d179afcba6183cb77437e67db4af0",
"x86_64-unknown-linux-musl-0.11.26": "62bf1a53501adf4083224b69b33737450ac516935f5a5e483e9dfaf2665084de",
"aarch64-apple-darwin-0.11.25": "5fc334bb25d19806262efd1f6e7d380155c7e817d89bf426df4ba7ae873c9471",
"aarch64-pc-windows-msvc-0.11.25": "40d65c29c4d97db6a0993df665d3727700bb799b3618992ce9a4dc533c6d1a31",
"aarch64-unknown-linux-gnu-0.11.25": "e0e9d73f74e06a7dcd53910d5962146ab48f0af9c92cc8df33a37baa0121014d",
"aarch64-unknown-linux-musl-0.11.25": "3d9c9a95f1868ff20ac880712f3a337d710ea4b65f135184b7a35635d1acbf84",
"arm-unknown-linux-musleabihf-0.11.25": "50ef6368eebaa9f31d8e8685a91689666c7bae86a1bd9a72b7a505f752084ef9",
"armv7-unknown-linux-gnueabihf-0.11.25": "eb60b2931d2461022e1675a7f6c08078b1e47150edb2f7728fe117563a5ebc99",
"armv7-unknown-linux-musleabihf-0.11.25": "50f6f10ca38e4628998c17de24c2780f429d9b354db98b1832c130b7394e8ec4",
"i686-pc-windows-msvc-0.11.25": "91a87e8a7ea2d5e9451b9bd8b1e9fa490542311ac43e80a9115abbd231c417fb",
"i686-unknown-linux-gnu-0.11.25": "1b0f2ceee8dbe718eb1e14d7eccf67534d2f72698f4f85e70cf8a5055412b5d3",
"i686-unknown-linux-musl-0.11.25": "e650be31af3fd31f5e2236a47daab0899070a66a732026d140461f1614fbe786",
"powerpc64le-unknown-linux-gnu-0.11.25": "fbf67c8beccc718b9de478d7e74d605fe9c2e259c4398f95c9df7680da710af1",
"riscv64gc-unknown-linux-gnu-0.11.25": "29e74713e89242c6bf0971b28e904836298a04fb7e0d83262c7bd5aff695ae33",
"riscv64gc-unknown-linux-musl-0.11.25": "90c5a720dd9ddf32de8511c79fc83bc69e38795a94b5b49fcb2d010f96b1374d",
"s390x-unknown-linux-gnu-0.11.25": "3d508ed6e66898ce80aa668cb7d6ec4ddb4d30440fcfbd409365d3d0e4afa75c",
"x86_64-apple-darwin-0.11.25": "65ff85b33212f75d34d7c0f0724aba9a742c74f62559f67dc0d6c543dc2fc52f",
"x86_64-pc-windows-msvc-0.11.25": "15bfd1423b7eaa7aae949922d4712ebaac2bb44a81af64ab59bbe007090cb0d0",
"x86_64-unknown-linux-gnu-0.11.25": "1db18b5e76fa645a7f3865773139bdec8e2d46adbdbb35e7410b34fa8015ccd2",
"x86_64-unknown-linux-musl-0.11.25": "7195cfcc1785d0c559d4682ad9109f26664b8db4d828d42d66078ef454061891",
"aarch64-apple-darwin-0.11.24": "7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf", "aarch64-apple-darwin-0.11.24": "7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf",
"aarch64-pc-windows-msvc-0.11.24": "51bcf8051dcc2075fba9136ece0f229205a6ef813e68e5709c6eeb18802afed5", "aarch64-pc-windows-msvc-0.11.24": "51bcf8051dcc2075fba9136ece0f229205a6ef813e68e5709c6eeb18802afed5",
"aarch64-unknown-linux-gnu-0.11.24": "e22c66d36a0098b17cff80a8647e0b8c58202af899d4e9eb820fc7ad126435a1", "aarch64-unknown-linux-gnu-0.11.24": "e22c66d36a0098b17cff80a8647e0b8c58202af899d4e9eb820fc7ad126435a1",


@@ -6,7 +6,7 @@ This document covers advanced options for configuring which version of uv to ins
```yaml ```yaml
- name: Install the latest version of uv - name: Install the latest version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version: "latest" version: "latest"
``` ```
@@ -15,7 +15,7 @@ This document covers advanced options for configuring which version of uv to ins
```yaml ```yaml
- name: Install a specific version of uv - name: Install a specific version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version: "0.4.4" version: "0.4.4"
``` ```
@@ -28,21 +28,21 @@ to install the latest version that satisfies the range.
```yaml ```yaml
- name: Install a semver range of uv - name: Install a semver range of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version: ">=0.4.0" version: ">=0.4.0"
``` ```
```yaml ```yaml
- name: Pinning a minor version of uv - name: Pinning a minor version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version: "0.4.x" version: "0.4.x"
``` ```
```yaml ```yaml
- name: Install a pep440-specifier-satisfying version of uv - name: Install a pep440-specifier-satisfying version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version: ">=0.4.25,<0.5" version: ">=0.4.25,<0.5"
``` ```
@@ -54,7 +54,7 @@ You can change this behavior using the `resolution-strategy` input:
```yaml ```yaml
- name: Install the lowest compatible version of uv - name: Install the lowest compatible version of uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version: ">=0.4.0" version: ">=0.4.0"
resolution-strategy: "lowest" resolution-strategy: "lowest"
@@ -76,7 +76,7 @@ uv defined as a dependency in `pyproject.toml` or `requirements.txt`.
```yaml ```yaml
- name: Install uv based on the version defined in pyproject.toml - name: Install uv based on the version defined in pyproject.toml
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version-file: "pyproject.toml" version-file: "pyproject.toml"
``` ```
@@ -87,7 +87,7 @@ silently picking up a newer uv until the lockfile is updated.
```yaml ```yaml
- name: Install uv based on the version locked in uv.lock - name: Install uv based on the version locked in uv.lock
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version-file: "uv.lock" version-file: "uv.lock"
``` ```


@@ -23,7 +23,7 @@ The computed cache key is available as the `cache-key` output:
```yaml ```yaml
- name: Setup uv - name: Setup uv
id: setup-uv id: setup-uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
- name: Print cache key - name: Print cache key
@@ -50,7 +50,7 @@ You can optionally define a custom cache key suffix.
```yaml ```yaml
- name: Enable caching and define a custom cache key suffix - name: Enable caching and define a custom cache key suffix
id: setup-uv id: setup-uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
cache-suffix: "optional-suffix" cache-suffix: "optional-suffix"
@@ -89,7 +89,7 @@ changes. If you use relative paths, they are relative to the working directory.
```yaml ```yaml
- name: Define a cache dependency glob - name: Define a cache dependency glob
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
cache-dependency-glob: "**/pyproject.toml" cache-dependency-glob: "**/pyproject.toml"
@@ -97,7 +97,7 @@ changes. If you use relative paths, they are relative to the working directory.
```yaml ```yaml
- name: Define a list of cache dependency globs - name: Define a list of cache dependency globs
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
cache-dependency-glob: | cache-dependency-glob: |
@@ -107,7 +107,7 @@ changes. If you use relative paths, they are relative to the working directory.
```yaml ```yaml
- name: Define an absolute cache dependency glob - name: Define an absolute cache dependency glob
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
cache-dependency-glob: "/tmp/my-folder/requirements*.txt" cache-dependency-glob: "/tmp/my-folder/requirements*.txt"
@@ -115,7 +115,7 @@ changes. If you use relative paths, they are relative to the working directory.
```yaml ```yaml
- name: Never invalidate the cache - name: Never invalidate the cache
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
cache-dependency-glob: "" cache-dependency-glob: ""
@@ -128,7 +128,7 @@ By default, the cache will be restored.
```yaml ```yaml
- name: Don't restore an existing cache - name: Don't restore an existing cache
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
restore-cache: false restore-cache: false
@@ -142,7 +142,7 @@ By default, the cache will be saved.
```yaml ```yaml
- name: Don't save the cache after the run - name: Don't save the cache after the run
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
save-cache: false save-cache: false
@@ -168,7 +168,7 @@ It defaults to `setup-uv-cache` in the `TMP` dir, `D:\a\_temp\setup-uv-cache` on
```yaml ```yaml
- name: Define a custom uv cache path - name: Define a custom uv cache path
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
cache-local-path: "/path/to/cache" cache-local-path: "/path/to/cache"
``` ```
@@ -187,7 +187,7 @@ input.
```yaml ```yaml
- name: Don't prune the cache before saving it - name: Don't prune the cache before saving it
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
prune-cache: false prune-cache: false
@@ -205,7 +205,7 @@ To force managed Python installs, set `UV_PYTHON_PREFERENCE=only-managed`.
```yaml ```yaml
- name: Cache Python installs - name: Cache Python installs
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
cache-python: true cache-python: true
@@ -223,7 +223,7 @@ If you want to ignore this, set the `ignore-nothing-to-cache` input to `true`.
```yaml ```yaml
- name: Ignore nothing to cache - name: Ignore nothing to cache
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
enable-cache: true enable-cache: true
ignore-nothing-to-cache: true ignore-nothing-to-cache: true


@@ -10,7 +10,7 @@ are automatically verified by this action. The sha256 hashes can be found on the
```yaml ```yaml
- name: Install a specific version and validate the checksum - name: Install a specific version and validate the checksum
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
version: "0.3.1" version: "0.3.1"
checksum: "e11b01402ab645392c7ad6044db63d37e4fd1e745e015306993b07695ea5f9f8" checksum: "e11b01402ab645392c7ad6044db63d37e4fd1e745e015306993b07695ea5f9f8"
@@ -39,7 +39,7 @@ The `archive_format` field is currently ignored.
```yaml ```yaml
- name: Use a custom manifest file - name: Use a custom manifest file
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
manifest-file: "https://example.com/my-custom-manifest.ndjson" manifest-file: "https://example.com/my-custom-manifest.ndjson"
``` ```
@@ -58,7 +58,7 @@ You can disable this by setting the `add-problem-matchers` input to `false`.
```yaml ```yaml
- name: Install the latest version of uv without problem matchers - name: Install the latest version of uv without problem matchers
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
add-problem-matchers: false add-problem-matchers: false
``` ```


@@ -9,7 +9,7 @@ This allows directly using it in later steps:
```yaml ```yaml
- name: Install the latest version of uv and activate the environment - name: Install the latest version of uv and activate the environment
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
activate-environment: true activate-environment: true
- run: uv pip install pip - run: uv pip install pip
@@ -20,7 +20,7 @@ By default, the venv is created at `.venv` inside the `working-directory`.
You can customize the venv location with `venv-path`, for example to place it in the runner temp directory: You can customize the venv location with `venv-path`, for example to place it in the runner temp directory:
```yaml ```yaml
- uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
activate-environment: true activate-environment: true
venv-path: ${{ runner.temp }}/custom-venv venv-path: ${{ runner.temp }}/custom-venv
@@ -51,7 +51,7 @@ are not sufficient, you can provide a custom GitHub token with the necessary per
```yaml ```yaml
- name: Install the latest version of uv with a custom GitHub token - name: Install the latest version of uv with a custom GitHub token
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
github-token: ${{ secrets.CUSTOM_GITHUB_TOKEN }} github-token: ${{ secrets.CUSTOM_GITHUB_TOKEN }}
``` ```
@@ -69,7 +69,7 @@ input:
```yaml ```yaml
- name: Install the latest version of uv with a custom tool dir - name: Install the latest version of uv with a custom tool dir
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
tool-dir: "/path/to/tool/dir" tool-dir: "/path/to/tool/dir"
``` ```
@@ -88,7 +88,7 @@ If you want to change this behaviour (especially on self-hosted runners) you can
```yaml ```yaml
- name: Install the latest version of uv with a custom tool bin dir - name: Install the latest version of uv with a custom tool bin dir
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
tool-bin-dir: "/path/to/tool-bin/dir" tool-bin-dir: "/path/to/tool-bin/dir"
``` ```
@@ -105,7 +105,7 @@ This action supports expanding the `~` character to the user's home directory fo
```yaml ```yaml
- name: Expand the tilde character - name: Expand the tilde character
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
cache-local-path: "~/path/to/cache" cache-local-path: "~/path/to/cache"
tool-dir: "~/path/to/tool/dir" tool-dir: "~/path/to/tool/dir"
@@ -122,7 +122,7 @@ If you want to ignore this, set the `ignore-empty-workdir` input to `true`.
```yaml ```yaml
- name: Ignore empty workdir - name: Ignore empty workdir
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
ignore-empty-workdir: true ignore-empty-workdir: true
``` ```
@@ -145,7 +145,7 @@ This action sets several environment variables that influence uv's behavior and
```yaml ```yaml
- name: Example using environment variables - name: Example using environment variables
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with: with:
python-version: "3.12" python-version: "3.12"
tool-dir: "/custom/tool/dir" tool-dir: "/custom/tool/dir"


@@ -1,81 +0,0 @@
# setup-uv Repository Threat Model
## Overview
`setup-uv` is a GitHub Action that installs or reuses `uv`, modifies `PATH` and the environment for later steps, may execute a discovered Python interpreter, may create or clear a virtual environment, and may restore or save caches. It may use `github-token` to authenticate GitHub downloads; it requires no OIDC credential or additional workflow secret.
The consumer runtime is the selected ref's committed action metadata, bundles, and runner-interpreted companion files; source alone is not evidence of shipped behavior. Privileged automation that generates, updates, or publishes those artifacts is also in scope.
The assets are job credentials; integrity of installed executables, interpreter, environment, checkout, runner, artifacts, and caches; isolation between jobs sharing caches or persistent runners; integrity of published action refs; and workflow compute/storage availability.
Material failures are unauthorized executable selection, credential disclosure, premature execution of lower-authority content, filesystem escape or destructive path use, cross-authority cache/runner persistence, and unauthorized publication.
## Threat Model, Trust Boundaries, and Assumptions
### Authority and trust boundaries
| Actor or input | Trust decision |
|---|---|
| Maintainers, repository/configuration administrators, and GitHub infrastructure | Trusted roots for source, bundles, workflows, refs, rulesets, environments, runner protocol, hosted isolation, and cache service. A lower-authority path into these roots is in scope; their compromise alone is not a repository bug. |
| Consumer workflow authors and runner operators | Control the action ref, trigger, runner, permissions, secrets, proxy, environment, inputs, paths, globs, and custom sources. These are trusted choices unless derived from lower-authority event data. Selecting a custom manifest delegates metadata and executable authority; selecting a path authorizes normal operations on it and intended referents. |
| Selected checkout, project authors, and pull-request contributors | The consumer delegates project/version files, interpreter discovery state, virtual environments, symlinks, cache inputs, and code execution within `setup-uv`'s process environment. Checkout-controlled behavior is trusted unless it overrides an explicit workflow choice or crosses an independent cache, runner, remote, or publication boundary. |
| Remote metadata and artifacts | Default official endpoints, TLS roots, and an operator proxy are trusted mutable authorities. A custom manifest authorizes its URLs and hashes; a hash supplied by that same authority detects corruption, not malice. |
| Cache and runner-state producers/consumers | Same-principal state is trusted by default. Integrity attacks require a lower-authority producer and higher-authority consumer. Confidentiality can flow the opposite way because lower-authority refs may read eligible higher-authority caches. Shared self-hosted state creates a boundary only when principals and authority differ. |
| GitHub-managed automation | Dependency, coding-agent, and review workflows may exist outside the committed tree. Treat them as external principals and obtain their effective trigger, actor, token, environment, ref, and write/secret authority from live evidence. |
### Assumptions
- Running the selected `uv` and checkout-selected Python interpreters is intended. Project execution is out of scope unless it bypasses an explicit workflow choice or crosses an independent cache, runner, remote, or publication boundary.
- Mutable official manifests, ranges, `latest`, and unprotected refs are not attacker control. A protected ref or independent checksum matters only if the selected bundle actually enforces it.
- Same-user changes to paths, environment, proxies, or tool/cache state are not separate attacks. Demonstrate a cross-principal or lower-to-higher boundary.
- Content merged through a trust path that can also merge executable code is not a lower-authority source; require a narrower writer or post-review mutation path.
- Running `setup-uv` on an untrusted checkout with higher authority is a consumer trust decision; checkout-selected code may inherit the action environment.
- Authorized paths include expected symlink/junction referents. Absolute paths and paths outside the workspace are supported; an escape requires independent control crossing an unauthorized boundary.
- Hosted runners are assumed ephemeral and isolated. Persistence or hostile co-tenancy on self-hosted runners must be demonstrated.
- Branch/tag rules, environments, token defaults, cache visibility, fork policy, dynamic workflows, and runner allocation are external state. Re-query required approvals/checks, bypass actors, tag movement, deployment reviewers/principals, release targets, and effective permissions for each attack path.
- Web-application classes such as sessions, CSRF, XSS, SQL injection, and tenant isolation are not applicable.
### Security invariants
1. **Published runtime:** review `action.yml`, committed `dist/*.cjs`, and runner-interpreted shipped files; source-only fixes do not protect consumers.
2. **Executable identity:** precedence is workflow version, version file, project configuration, then `latest`. Manifest authority, platform, variant, URL, checksum, mirror fallback, extraction, and cache placement must bind the intended artifact. A tool-cache hit bypasses download validation and depends on cache provenance.
3. **Credential recipients:** tokens and URL credentials may reach only workflow-authorized origins, redirects, paths, and logs. Metadata authority does not imply token-recipient authority.
4. **Executable boundaries:** checkout-selected interpreters are authorized by default. Explicit workflow selections must win, and independent cache, runner, or remote state must not substitute executables or gain additional authority.
5. **Paths and action channels:** path/environment changes, virtual-environment clearing, outputs, state, and problem matchers must affect only authorized targets and keep untrusted values as data.
6. **Cache boundaries:** keys, scope, restore paths, and executable content must prevent lower-to-higher poisoning; cache contents and post-action path re-resolution must prevent higher-to-lower disclosure, destructive pruning, or persistence.
7. **Workflow and release authority:** unreviewed code or mutable tooling must not acquire write, secret, OIDC, artifact, deployment, tag, or publication authority. Only the intended reviewed bundles and commit may be released.
8. **Availability:** independently controlled manifests, archives, globs, traversal, and caches must stay within the accepted one-job resource-failure model.
### Finding gate
Before reporting, identify the attacker and victim principals; exact controlled input; scanned action and checkout refs; runtime reachability in committed bundles; effective token, secrets/OIDC, environment gates, cache scope, and runner persistence; applicable defaults and opt-ins; validation performed or skipped; declared trust roots; baseline versus incremental capability; and concrete impact. Reproduce platform-specific behavior and distinguish the scanned ref from other versions.
A report must demonstrate independent attacker control, a violated guarantee, committed-runtime reachability, incremental capability, and practical impact; otherwise it is not a security finding and should not be reported as one.
## Attack Surface, Mitigations, and Attacker Stories
| Surface | Security-relevant behavior and controls | Reportable attacker story |
|---|---|---|
| Published action and build/release supply chain | Consumers execute committed bundles and embedded dependencies. Verify source/bundle alignment, lockfile integrity, dependency-install policy, reproducible/generated-diff checks, immutable action pins, branch enforcement, and publication target checks. | A lower-authority contributor or dependency changes shipped code, or release automation publishes a different commit, by bypassing an effective review, branch, or release control. |
| Version, manifest, proxy, and network selection | Project files may select an official version by documented precedence. Custom manifests may select URLs, hashes, variants, and platforms and may reach arbitrary network locations. Parsing should reject malformed, ambiguous, unsupported, or incorrectly typed records; verify HTTPS, time/size bounds, proxy behavior, and selected-ref defaults. | Lower-authority event/project data violates a promised fixed version, escapes the selected manifest, probes runner-only services, causes material resource use, selects attacker bytes, or redirects later credentials. Operator selection of a custom authority is not itself a finding. |
| Artifact URL, token, checksum, extraction, and tool cache | Mirror fallback must preserve identity and checksum policy. Origin gating should restrict tokens; redirect handling should strip authorization across unauthorized hosts and reject downgrade. Verify checksum precedence and reject missing/empty hashes when policy requires validation. Independent hashes must precede extraction. Native helpers come from `PATH`; tool-cache hits skip network/hash validation. | An attacker receives a usable token outside delegated authority, bypasses an independent pin, exploits archive/link traversal, substitutes the cached executable, or poisons shared tool state later executed with higher authority. Same-authority manifest hashes and same-user cache changes do not establish the boundary. |
| Interpreter, PATH, virtual environment, and action channels | Checkout-selected interpreters, virtual environments, paths, symlinks, and helpers are delegated project authority. Explicit workflow choices must bind; the action also changes later-step paths/environment, emits state/outputs, invokes native helpers, and consumes cache/runner state. | Independent cache, runner, or remote content substitutes an executable; an explicit workflow choice is bypassed; or action channels cross an authority boundary. Same-checkout interpreter, path, and helper effects are not findings. |
| GitHub uv/Python caches and post action | Cache keys should partition platform, interpreter, dependency, and policy state and restore without unsafe fallback. Determine cache defaults, visibility, and the exact hit/miss path from the selected ref and GitHub policy; an exact hit may suppress post save/prune. Post processing re-reads inputs/config/environment and may save re-resolved uv or Python paths. | A lower producer supplies executable content to a higher consumer; a higher producer exposes private data to a lower cache reader; or a later successful step retargets a cache miss toward sensitive files, destructive pruning, or cross-job persistence. Existing equal-authority code with the same secrets often gains no new confidentiality. |
| CI, updater, dynamic automation, and release workflows | PR workflows intentionally execute contributor code. Verify effective permissions, fork behavior, credential persistence, mutable tooling, security-upload authority, and whether checks are required. Updaters convert remote data into source under write authority. Distinguish ruleset-required deployment from human review present only in a workflow DAG. | Unreviewed code gains write/secret/OIDC/artifact authority; remote metadata becomes executable generated source; a dynamic workflow has unexpected authority; or an actor satisfies a deployment/tag rule without the intended review and publishes a malicious ref. |
| Availability and logging | Manifests, version enumeration, archives, globs, hashing, caches, and remote strings can consume resources or influence logs. Verify size/count/expansion bounds, timeouts, retries, top-level error handling, and that parsing never executes data. | Independently controlled input causes reliable material workflow cost, disk/memory exhaustion, or meaningful log/output manipulation. A bounded one-job failure or operator-selected broad input is usually Low or correctness. |
| Lower-priority classes | Shell injection is constrained where child execution uses argv, but workflow shell blocks still require quoting review. Prototype pollution requires a dangerous merge/sink. Secret-shaped strings require proof of a genuine usable secret. Documentation drift, range surprises, malformed trusted config, and test-only code normally lack a security boundary. | Report only when a concrete lower-authority value reaches an execution, credential, persistent-state, publication, or material-availability sink. |
## Severity Calibration (Critical, High, Medium, Low)
Severity follows the complete attack graph and incremental capability, not the presence of words such as token, checksum, cache, manifest, archive, Python, PATH, release, or OIDC.
| Severity | Threshold | Representative examples |
|---|---|---|
| **Critical** | A low-prerequisite remote/lower-authority attacker compromises default distribution or installation across many consumers, publishes trusted malicious action artifacts, or gains broad credentials/runner control under safe defaults without first compromising a declared trust root. | Bypass an effective hash/origin control to distribute an automatically executed malicious binary at scale; reach publication authority to ship malicious bundles or move trusted refs without required approval; exploit default-accepted archive content for host overwrite or cross-job execution across hosted runners. |
| **High** | A demonstrated lower-authority input crosses an execution, confidentiality, integrity, or persistence boundary in a privileged job and gains substantial capability. | Independent shared-state interpreter substitution in a write/OIDC release job; shared cache poisoning later executed with secrets; high-value cache disclosure to an untrusted ref; usable write-token disclosure; independent-pin bypass; archive/cache escape into sensitive state. |
| **Medium** | A real but constrained crossing causes limited credential/filesystem impact, reliable remote denial of service, scoped persistence, or premature execution in a realistic uncommon configuration. | Limited executable substitution from independent cache/runner state in a read-only job; same-repository cache confusion or disclosure; reliable hosted-runner exhaustion; disclosure of a usable read-only private token; output manipulation without publication or high-value credentials. |
| **Low** | A genuine weak boundary causes narrow disclosure, log/annotation spoofing, defense-in-depth weakness, exotic cache aliasing without a privileged consumer, or limited waste. | Confusing logs with no execution effect; bounded job failure; limited overwrite of nonexecuted cache data; disclosure of a path/URL without private data or follow-on capability. |
Trust-root compromise may have Critical impact but is not a repository Critical without a lower-authority path into that root or an independent control that should have survived. High requires exact trigger, refs, effective authority, sink, and committed runtime; it cannot rely only on a trusted operator choosing malicious inputs, same-user state changes, or code already intentionally executed with equal authority. A separate privileged consumer, broad secret, persistent trusted state, publication path, or cross-repository boundary can raise Medium to High.
Normally non-reportable without additional evidence: expected mutability of ranges, `latest`, official/custom sources, or unprotected refs; documented project version selection; checkout-selected interpreters, paths, virtual environments, symlinks, and helpers; deliberate operator selection of manifests, proxies, checksums, or paths; same-principal cache/path changes; requested `uv` or dependency execution; trusted-runner `PATH` lookup; test/developer-only code without a shipped or privileged-workflow path; behavior fixed in the scanned ref; and correctness/compatibility/documentation issues without incremental confidentiality, integrity, persistence, or availability impact.


@@ -1,77 +1,5 @@
// AUTOGENERATED_DO_NOT_EDIT // AUTOGENERATED_DO_NOT_EDIT
export const KNOWN_CHECKSUMS: { [key: string]: string } = { export const KNOWN_CHECKSUMS: { [key: string]: string } = {
"aarch64-apple-darwin-0.11.26":
"8f7fbf1708399b921857bce71e1d60f0d3ccf52a30caebc1c1a2f175dce13ab6",
"aarch64-pc-windows-msvc-0.11.26":
"98246149741f558e25e45ecf2b0b20f34de0634269f2bf0dcb4012d4b6ba289a",
"aarch64-unknown-linux-gnu-0.11.26":
"befa1a59c91e96eb601b0fd9a97c03dd666f17baba644b2b4db9c59a767e387e",
"aarch64-unknown-linux-musl-0.11.26":
"47418cfdb34b1ca42e503da72631ac8c475602e2411ac6c39aa84c2373fe6324",
"arm-unknown-linux-musleabihf-0.11.26":
"400ebbca4062f7960cbdb2359cd28741dc9a1fab2656abb9ee05fb525e3f1e12",
"armv7-unknown-linux-gnueabihf-0.11.26":
"e1a6e135f68c237f969f2acb5277ef2691dec582e99d9f6c237c21583bd26f7b",
"armv7-unknown-linux-musleabihf-0.11.26":
"3b4453d821588f7fafe622a099db4b7f55a668bec79db73411414ffc24b8c45d",
"i686-pc-windows-msvc-0.11.26":
"6e19e7ef0ccacfeea7edeb0a7be951d31148b49f5170c1770c58db312fe443f8",
"i686-unknown-linux-gnu-0.11.26":
"65cc2d8719febecd1bc2fd3ea437c72317ac54de96e54de0a73344e150982478",
"i686-unknown-linux-musl-0.11.26":
"ef5d5c982dfd4d6b5aa107c33b882b978ccccf1487500ae2adbc1d3665ea7e04",
"powerpc64le-unknown-linux-gnu-0.11.26":
"095f7cfd814495719244897f96f1c35f10369bcd9237276c63cfed824353f505",
"riscv64gc-unknown-linux-gnu-0.11.26":
"253d728a2660006e4aadee627f5d9f3ca2a874559b5fc716a5023965e58092bf",
"riscv64gc-unknown-linux-musl-0.11.26":
"4ef67e6bb961583eb4ee7ce61b3c98bcede9e51b771b4b4967719d0fb6aa3cbd",
"s390x-unknown-linux-gnu-0.11.26":
"34f514ed6ecbf33a3d90346c8bf3074954dd0c76340f5765b88577daa05d307b",
"x86_64-apple-darwin-0.11.26":
"922b460202707dd5f4ccacbadbe7f6a546cc46e82a99bf50ca99a7977a78eddd",
"x86_64-pc-windows-msvc-0.11.26":
"4e1278ede866be6c0bf32d2f466cc6de7a9fb399ecf20c9ce2d186e52424be47",
"x86_64-unknown-linux-gnu-0.11.26":
"6426a73c3837e6e2483ee344cbc00f36394d179afcba6183cb77437e67db4af0",
"x86_64-unknown-linux-musl-0.11.26":
"62bf1a53501adf4083224b69b33737450ac516935f5a5e483e9dfaf2665084de",
"aarch64-apple-darwin-0.11.25":
"5fc334bb25d19806262efd1f6e7d380155c7e817d89bf426df4ba7ae873c9471",
"aarch64-pc-windows-msvc-0.11.25":
"40d65c29c4d97db6a0993df665d3727700bb799b3618992ce9a4dc533c6d1a31",
"aarch64-unknown-linux-gnu-0.11.25":
"e0e9d73f74e06a7dcd53910d5962146ab48f0af9c92cc8df33a37baa0121014d",
"aarch64-unknown-linux-musl-0.11.25":
"3d9c9a95f1868ff20ac880712f3a337d710ea4b65f135184b7a35635d1acbf84",
"arm-unknown-linux-musleabihf-0.11.25":
"50ef6368eebaa9f31d8e8685a91689666c7bae86a1bd9a72b7a505f752084ef9",
"armv7-unknown-linux-gnueabihf-0.11.25":
"eb60b2931d2461022e1675a7f6c08078b1e47150edb2f7728fe117563a5ebc99",
"armv7-unknown-linux-musleabihf-0.11.25":
"50f6f10ca38e4628998c17de24c2780f429d9b354db98b1832c130b7394e8ec4",
"i686-pc-windows-msvc-0.11.25":
"91a87e8a7ea2d5e9451b9bd8b1e9fa490542311ac43e80a9115abbd231c417fb",
"i686-unknown-linux-gnu-0.11.25":
"1b0f2ceee8dbe718eb1e14d7eccf67534d2f72698f4f85e70cf8a5055412b5d3",
"i686-unknown-linux-musl-0.11.25":
"e650be31af3fd31f5e2236a47daab0899070a66a732026d140461f1614fbe786",
"powerpc64le-unknown-linux-gnu-0.11.25":
"fbf67c8beccc718b9de478d7e74d605fe9c2e259c4398f95c9df7680da710af1",
"riscv64gc-unknown-linux-gnu-0.11.25":
"29e74713e89242c6bf0971b28e904836298a04fb7e0d83262c7bd5aff695ae33",
"riscv64gc-unknown-linux-musl-0.11.25":
"90c5a720dd9ddf32de8511c79fc83bc69e38795a94b5b49fcb2d010f96b1374d",
"s390x-unknown-linux-gnu-0.11.25":
"3d508ed6e66898ce80aa668cb7d6ec4ddb4d30440fcfbd409365d3d0e4afa75c",
"x86_64-apple-darwin-0.11.25":
"65ff85b33212f75d34d7c0f0724aba9a742c74f62559f67dc0d6c543dc2fc52f",
"x86_64-pc-windows-msvc-0.11.25":
"15bfd1423b7eaa7aae949922d4712ebaac2bb44a81af64ab59bbe007090cb0d0",
"x86_64-unknown-linux-gnu-0.11.25":
"1db18b5e76fa645a7f3865773139bdec8e2d46adbdbb35e7410b34fa8015ccd2",
"x86_64-unknown-linux-musl-0.11.25":
"7195cfcc1785d0c559d4682ad9109f26664b8db4d828d42d66078ef454061891",
"aarch64-apple-darwin-0.11.24": "aarch64-apple-darwin-0.11.24":
"7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf", "7578c6087c5cd76981732b1f5d126248101faebdf81016ba780a65ce03653cdf",
"aarch64-pc-windows-msvc-0.11.24": "aarch64-pc-windows-msvc-0.11.24":