Skip to content

chore(deps): bump astral-sh/setup-uv from 8.2.0 to 8.3.0 in the github-actions group#1754

Merged
wochinge merged 1 commit into
mainfrom
dependabot/github_actions/github-actions-fb569a3cc9
Jul 13, 2026
Merged

chore(deps): bump astral-sh/setup-uv from 8.2.0 to 8.3.0 in the github-actions group#1754
wochinge merged 1 commit into
mainfrom
dependabot/github_actions/github-actions-fb569a3cc9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 1 update: astral-sh/setup-uv.

Updates astral-sh/setup-uv from 8.2.0 to 8.3.0

Commits
  • d31148d Strip environment markers from detected uv dependency pins (#938)
  • 17c3989 Fix cache keys for Python version ranges (#937)
  • 3cc3c11 chore(deps): roll up Dependabot updates (#936)
  • 9225f84 chore(deps): bump release-drafter/release-drafter from 7.3.1 to 7.4.0 (#924)
  • fc16fa3 chore(deps): bump actions/checkout from 6.0.2 to 7.0.0 (#926)
  • a1a7345 ci: call docs update workflow from release (#933)
  • a5e9cbf docs: update version references to v8.2.0 (#932)
  • c5680ec chore: update known checksums for 0.11.26 (#930)
  • c86fe4e Add a threat model for setup-uv (#923)
  • 224c887 chore: update known checksums for 0.11.25 (#929)
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the github-actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv).


Updates `astral-sh/setup-uv` from 8.2.0 to 8.3.0
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@fac544c...d31148d)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 13, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 13, 2026 05:57
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 13, 2026

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — mechanical Dependabot minor version bump of astral-sh/setup-uv from 8.2.0 to 8.3.0, SHA-pinned in all 5 workflow steps.

What was reviewed:

  • Confirmed the SHA d31148d669074a8d0a63714ba94f3201e7020bc3 is applied consistently to all 5 usages across ci.yml and release.yml
  • No changes to the with: inputs (uv version 0.11.2, python-version, enable-cache flags) — only the pinned commit changed
  • Upstream v8.3.0 release notes describe non-breaking fixes (cache keys for Python ranges, environment marker stripping)
Extended reasoning...

Overview

This PR is generated by Dependabot and bumps the pinned commit SHA for astral-sh/setup-uv from v8.2.0 to v8.3.0 in .github/workflows/ci.yml (4 occurrences) and .github/workflows/release.yml (1 occurrence). No workflow logic, no application code, and no action inputs were changed.

Security risks

The action reference is pinned by full commit SHA rather than a tag, which is the recommended defense against tag-mutation supply-chain attacks. The zizmor cache-poisoning suppression comments and persist-credentials: false posture on adjacent steps are unchanged. No new secrets or permissions are introduced.

Level of scrutiny

Low. This is a pure minor-version dependency bump for a CI-only action with an SHA pin. There is no runtime code impact, no impact on published artifacts beyond how they are built (and the release job'''s own smoke-test steps guard against a build regression).

Other factors

No prior human or bot review activity on this PR to reconcile. The bug hunting system reported no findings. The upstream diff between the two SHAs is small (a few Dependabot rollups plus fixes to cache-key handling and environment-marker parsing), none of which alter the interface this repo uses.

@wochinge wochinge merged commit 69e74df into main Jul 13, 2026
20 checks passed
@wochinge wochinge deleted the dependabot/github_actions/github-actions-fb569a3cc9 branch July 13, 2026 07:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant