chore(deps): bump astral-sh/setup-uv from 8.2.0 to 8.3.0 in the github-actions group#1754
Conversation
Bumps the github-actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv). Updates `astral-sh/setup-uv` from 8.2.0 to 8.3.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@fac544c...d31148d) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
LGTM — mechanical Dependabot minor version bump of astral-sh/setup-uv from 8.2.0 to 8.3.0, SHA-pinned in all 5 workflow steps.
What was reviewed:
- Confirmed the SHA d31148d669074a8d0a63714ba94f3201e7020bc3 is applied consistently to all 5 usages across ci.yml and release.yml
- No changes to the
with:inputs (uv version 0.11.2, python-version, enable-cache flags) — only the pinned commit changed - Upstream v8.3.0 release notes describe non-breaking fixes (cache keys for Python ranges, environment marker stripping)
Extended reasoning...
Overview
This PR is generated by Dependabot and bumps the pinned commit SHA for astral-sh/setup-uv from v8.2.0 to v8.3.0 in .github/workflows/ci.yml (4 occurrences) and .github/workflows/release.yml (1 occurrence). No workflow logic, no application code, and no action inputs were changed.
Security risks
The action reference is pinned by full commit SHA rather than a tag, which is the recommended defense against tag-mutation supply-chain attacks. The zizmor cache-poisoning suppression comments and persist-credentials: false posture on adjacent steps are unchanged. No new secrets or permissions are introduced.
Level of scrutiny
Low. This is a pure minor-version dependency bump for a CI-only action with an SHA pin. There is no runtime code impact, no impact on published artifacts beyond how they are built (and the release job'''s own smoke-test steps guard against a build regression).
Other factors
No prior human or bot review activity on this PR to reconcile. The bug hunting system reported no findings. The upstream diff between the two SHAs is small (a few Dependabot rollups plus fixes to cache-key handling and environment-marker parsing), none of which alter the interface this repo uses.
Bumps the github-actions group with 1 update: astral-sh/setup-uv.
Updates
astral-sh/setup-uvfrom 8.2.0 to 8.3.0Commits
d31148dStrip environment markers from detected uv dependency pins (#938)17c3989Fix cache keys for Python version ranges (#937)3cc3c11chore(deps): roll up Dependabot updates (#936)9225f84chore(deps): bump release-drafter/release-drafter from 7.3.1 to 7.4.0 (#924)fc16fa3chore(deps): bump actions/checkout from 6.0.2 to 7.0.0 (#926)a1a7345ci: call docs update workflow from release (#933)a5e9cbfdocs: update version references to v8.2.0 (#932)c5680ecchore: update known checksums for 0.11.26 (#930)c86fe4eAdd a threat model for setup-uv (#923)224c887chore: update known checksums for 0.11.25 (#929)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditions