From 0e608b2075573f18594ac79cf5f2f77f7ad77fc0 Mon Sep 17 00:00:00 2001
From: Rana Aurangzaib
Date: Mon, 30 Mar 2026 18:49:58 +0300
Subject: [PATCH] Bump astral-sh/setup-uv from v7.4.0 to v8.0.0

v8.0.0 drops mutable major/minor version tags for supply chain security (same class of attack as tj-actions). Pin to immutable commit SHA cec208311dfd045dd5311c1add060b2062131d57.
---
 .github/workflows/ci.yaml   | 2 +-
 .github/workflows/pypi.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index f3a73c4..5b02ff9 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -13,7 +13,7 @@ jobs:
         python-version: ["3.11", "3.12", "3.13"]
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
       - run: uv python install ${{ matrix.python-version }}
       - run: uv sync --extra cli
       - run: uv run ruff check .
diff --git a/.github/workflows/pypi.yaml b/.github/workflows/pypi.yaml
index bb2de7d..c42c18e 100644
--- a/.github/workflows/pypi.yaml
+++ b/.github/workflows/pypi.yaml
@@ -19,7 +19,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
       - name: Generate SBOM (PEP 770)
         uses: sbomify/sbomify-action@master
@@ -65,7 +65,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
       - name: Generate SBOM (PEP 770)
         uses: sbomify/sbomify-action@master
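Review bot: Both pypi.yaml hunks (@@ -19 and @@ -65) still reference `uses: sbomify/sbomify-action@master` two lines below the newly pinned setup-uv step, which is the same mutable-ref exposure the commit message gives as its motivation. A branch ref resolves to whatever that repository's `master` points at when the release job runs, so pinning setup-uv to a commit SHA does not close the gap while this step remains unpinned in the publishing workflow. Resolving `master` to its current commit and recording the version in a trailing comment, as the other steps do, would make the file consistent: `uses: sbomify/sbomify-action@<commit-sha-of-master>  # <version>` (placeholders to be filled from the upstream repository). The SBOM step's remaining inputs fall outside the hunk, so I cannot tell whether anything else there is affected.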