chore(deps): Bump astral-sh/setup-uv from 7.3.1 to 8.0.0#2314
Merged
Conversation
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.3.1 to 8.0.0. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@5a095e7...cec2083) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
dannycjones
approved these changes
Apr 5, 2026
CTTY
approved these changes
Apr 15, 2026
toutane
pushed a commit
to DataDog/iceberg-rust
that referenced
this pull request
Apr 30, 2026
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.3.1 to 8.0.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/astral-sh/setup-uv/releases">astral-sh/setup-uv's releases</a>.</em></p> <blockquote> <h2>v8.0.0 🌈 Immutable releases and secure tags</h2> <h1>This is the first immutable release of <code>setup-uv</code> 🥳</h1> <p>All future releases are also immutable, if you want to know more about what this means checkout <a href="https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases">the docs</a>.</p> <p>This release also has two breaking changes</p> <h2>New format for <code>manifest-file</code></h2> <p>The previously deprecated way of defining a custom version manifest to control which <code>uv</code> versions are available and where to download them from got removed. The functionality is still there but you have to use the <a href="https://github.com/astral-sh/setup-uv/blob/main/docs/customization.md#format">new format</a>.</p> <h2>No more major and minor tags</h2> <p>To increase <strong>security</strong> even more we will <strong>stop publishing minor tags</strong>. You won't be able to use <code>@v8</code> or <code>@v8.0</code> any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to <a href="https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/">tj-actions</a>.</p> <blockquote> <p>[!TIP] Use the immutable tag as a version <code>astral-sh/setup-uv@v8.0.0</code> Or even better the githash <code>astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57</code></p> </blockquote> <h2>🚨 Breaking changes</h2> <ul> <li>Remove update-major-minor-tags workflow <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/826">#826</a>)</li> <li>Remove deprecrated custom manifest <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/813">#813</a>)</li> </ul> <h2>🧰 Maintenance</h2> <ul> <li>Shortcircuit latest version from manifest <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/828">#828</a>)</li> <li>Simplify inputs.ts <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/827">#827</a>)</li> <li>Bump release-drafter to v7.1.1 <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/825">#825</a>)</li> <li>Refactor inputs <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/823">#823</a>)</li> <li>Replace inline compile args with tsconfig <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/824">#824</a>)</li> <li>chore: update known checksums for 0.11.2 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/821">#821</a>)</li> <li>chore: update known checksums for 0.11.1 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/817">#817</a>)</li> <li>chore: update known checksums for 0.11.0 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/815">#815</a>)</li> <li>Fix latest-version workflow check <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/812">#812</a>)</li> <li>chore: update known checksums for 0.10.11/0.10.12 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/811">#811</a>)</li> </ul> <h2>v7.6.0 🌈 Fetch uv from Astral's mirror by default</h2> <h2>Changes</h2> <p>We now default to download uv from <code>releases.astral.sh</code>. This means by default we don't hit the GitHub API at all and shouldn't see any rate limits and timeouts any more.</p> <h2>🚀 Enhancements</h2> <ul> <li>Fetch uv from Astral's mirror by default <a href="https://github.com/zsol"><code>@zsol</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/809">#809</a>)</li> </ul> <h2>🧰 Maintenance</h2> <ul> <li>Switch to ESM for source and test, use CommonJS for dist <a href="https://github.com/eifinger"><code>@eifinger</code></a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/806">#806</a>)</li> <li>chore: update known checksums for 0.10.10 @<a href="https://github.com/apps/github-actions">github-actions[bot]</a> (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/804">#804</a>)</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/astral-sh/setup-uv/commit/cec208311dfd045dd5311c1add060b2062131d57"><code>cec2083</code></a> Shortcircuit latest version from manifest (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/828">#828</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/4dd8ab45206a76f8c1dfe399fa88df10a7264f27"><code>4dd8ab4</code></a> Simplify inputs.ts (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/827">#827</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/7fdbe7cf0c8ef50cfd0878eed7b5180abc6b53c7"><code>7fdbe7c</code></a> Remove update-major-minor-tags workflow (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/826">#826</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/485abd05e5c74a247f0a309e333d2433ab9a353a"><code>485abd0</code></a> Bump release-drafter to v7.1.1 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/825">#825</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/f82eb19c06057c455674b2602e0139fd906f1428"><code>f82eb19</code></a> Refactor inputs (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/823">#823</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/868d1f74d9d862d7b40219546bfe35299c6dd452"><code>868d1f7</code></a> Replace inline compile args with tsconfig (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/824">#824</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/447e6d02b15d65b3247cce2d6019f11957285d11"><code>447e6d0</code></a> chore: update known checksums for 0.11.2 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/821">#821</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/5c62c5926145985eec91f09e2e0a75f40daed929"><code>5c62c59</code></a> chore: update known checksums for 0.11.1 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/817">#817</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/e1a7373adb857afd2a70b971e8ebdacc64ed27d0"><code>e1a7373</code></a> chore: update known checksums for 0.11.0 (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/815">#815</a>)</li> <li><a href="https://github.com/astral-sh/setup-uv/commit/89709315bb3bd4bf0f4b1db4b710e99009087ab5"><code>8970931</code></a> Remove deprecrated custom manifest (<a href="https://redirect.github.com/astral-sh/setup-uv/issues/813">#813</a>)</li> <li>Additional commits viewable in <a href="https://github.com/astral-sh/setup-uv/compare/5a095e7a2014a4212f075830d4f7277575a9d098...cec208311dfd045dd5311c1add060b2062131d57">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Shawn Chang <yxchang@amazon.com> (cherry picked from commit d118aa8)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps astral-sh/setup-uv from 7.3.1 to 8.0.0.
Release notes
Sourced from astral-sh/setup-uv's releases.
... (truncated)
Commits
cec2083Shortcircuit latest version from manifest (#828)4dd8ab4Simplify inputs.ts (#827)7fdbe7cRemove update-major-minor-tags workflow (#826)485abd0Bump release-drafter to v7.1.1 (#825)f82eb19Refactor inputs (#823)868d1f7Replace inline compile args with tsconfig (#824)447e6d0chore: update known checksums for 0.11.2 (#821)5c62c59chore: update known checksums for 0.11.1 (#817)e1a7373chore: update known checksums for 0.11.0 (#815)8970931Remove deprecrated custom manifest (#813)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)