chore(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 in the github-actions group #1696
LGTM, straightforward Dependabot minor version bump of astral-sh/setup-uv with SHA pinning.
Extended reasoning...
Overview
This PR is a Dependabot minor version bump of the astral-sh/setup-uv GitHub Action from v8.1.0 to v8.2.0 across 5 occurrences in two workflow files (.github/workflows/ci.yml and .github/workflows/release.yml). The SHA pin is updated alongside the version comment, which is the correct pattern for SHA-pinned actions.
Security risks
None of concern. The v8.2.0 release notes show only minor enhancements (quiet and download-from-astral-mirror inputs) and security/reliability bug fixes — notably the v8.2.0 release stops sending GitHub tokens to the astral.sh mirror and limits GitHub tokens to github.com URLs, which is a defense-in-depth improvement. The action is pinned by full commit SHA, which is the recommended supply-chain hardening practice.
Level of scrutiny
Low. This is a mechanical Dependabot update to CI tooling only — no production/library code is touched. The action's configuration (version: "0.11.2", python-version, enable-cache) is unchanged, so CI behavior should be identical.
Other factors
No bugs were reported by the bug hunting system. No prior reviews exist on this PR. The change follows the same pattern used for other Dependabot bumps in this repo's recent history.
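The review above rests on the SHA-pin-plus-version-comment pattern that Dependabot keeps in sync. As an added example (not code from this PR, the repository, or the astral-sh/setup-uv project), here is a small Python check that flags `uses:` lines in a workflow that are not pinned to a full commit SHA or that lack the trailing version comment; the sample workflow and its 40-hex SHA are constructed placeholders, not the real setup-uv commit.

```python
import re

# Matches a `uses:` step line and captures the action ref plus any trailing comment (no PyYAML needed).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)\s*(?:#\s*(.*))?$")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT_RE = re.compile(r"^v?\d+(\.\d+){1,2}$")

def check_uses_line(line):
    """Return None for non-`uses:` lines, else (ref, issue); issue is None when the
    action is pinned by a full commit SHA and carries a version comment."""
    m = USES_RE.match(line)
    if not m:
        return None
    ref, comment = m.group(1), (m.group(2) or "").strip()
    if ref.startswith("./") or ref.startswith("docker://"):
        return ref, None  # local and docker refs are outside SHA-pinning scope
    if "@" not in ref:
        return ref, "no ref at all: action is unpinned"
    _, version = ref.rsplit("@", 1)
    if not FULL_SHA_RE.match(version):
        return ref, "mutable ref (tag or branch), not a full commit SHA"
    if not VERSION_COMMENT_RE.match(comment):
        return ref, "SHA pin has no version comment, so bumps are hard to review"
    return ref, None

def audit_workflow(text):
    """Return (line_number, ref, issue) for every `uses:` line that fails the check."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        result = check_uses_line(line)
        if result and result[1]:
            findings.append((n, result[0], result[1]))
    return findings

# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real setup-uv commit.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567  # v8.2.0
        with:
          version: "0.11.2"
      - uses: astral-sh/setup-uv@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local
"""

if __name__ == "__main__":
    for n, ref, issue in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {n}: {ref}: {issue}")
```

Run against real workflow files, the two findings it raises on the sample (a tag-pinned action and a SHA pin with no version comment) are exactly the cases a reviewer of a Dependabot bump wants to see absent.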
Bumps the github-actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv).

Updates `astral-sh/setup-uv` from 8.1.0 to 8.2.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@0880764...fac544c)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Commits
- fac544c chore(deps): roll up dependabot updates (#903)
- 7390f77 docs: update dependabot rollup biome guidance (#902)
- 363c64a chore(deps): roll up dependabot updates (#901)
- c4fcbaf chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 (#900)
- 8e642c5 chore: update known checksums for 0.11.18 (#899)
- a92cb43 Add quiet input to suppress info-level log output (#898)
- e07f2ac chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 (#842)
- bc4034e chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 (#893)
- df42d4f chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 (#891)
- b9c8c4c feat: add `download-from-astral-mirror` input (#897)

You can trigger a rebase of this PR by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions