Bump astral-sh/setup-uv from v7.4.0 to v8.0.0 #19

Merged
vpetersson merged 1 commit into sbomify:master from aurangzaib048:chore/setup-uv-v8
Mar 31, 2026

@aurangzaib048
Collaborator

Summary

  • Bump astral-sh/setup-uv from v7.4.0 to v8.0.0 across all workflows (ci.yaml, pypi.yaml)
  • v8.0.0 drops mutable major/minor version tags (@v8, @v8.0) for supply chain security
  • Pinned to immutable commit SHA cec208311dfd045dd5311c1add060b2062131d57

Context

https://github.com/astral-sh/setup-uv/releases/tag/v8.0.0 — this addresses the same class of supply chain attack that affected tj-actions.

v8.0.0 drops mutable major/minor version tags for supply chain
security (same class of attack as tj-actions). Pin to immutable
commit SHA cec208311dfd045dd5311c1add060b2062131d57.
Copilot AI review requested due to automatic review settings March 30, 2026 15:50
Copilot AI left a comment

Pull request overview

Updates the GitHub Actions workflows to use astral-sh/setup-uv v8.0.0 pinned to an immutable commit SHA, aligning with the action’s newer supply-chain hardening guidance.

Changes:

  • Bump astral-sh/setup-uv from v7.4.0 to v8.0.0 in CI and PyPI workflows.
  • Pin astral-sh/setup-uv to commit cec208311dfd045dd5311c1add060b2062131d57 (immutable) instead of mutable version tags.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File | Description
.github/workflows/ci.yaml | Updates setup-uv action reference to the v8.0.0 pinned commit for CI runs.
.github/workflows/pypi.yaml | Updates setup-uv action reference to the v8.0.0 pinned commit for TestPyPI/PyPI publish workflows.

@vpetersson merged commit 5f3fe50 into sbomify:master Mar 31, 2026
9 checks passed