Commit Graph

777 Commits

Author SHA1 Message Date
Zsolt Dollenstein 0c1d0f7c80 Publish installers to /installers/uv/latest on the mirror (#18725) 2026-03-31 10:51:27 -04:00
konsti b7d5faf568 Reproducible Windows trampoline builds (#18665)
Build the Windows trampolines in a fully pinned docker container that
allows auditing the compilation in CI.
2026-03-31 12:15:44 +02:00
renovate[bot] 7c2f6c696b Update astral-sh/setup-uv action to v8 (#18765)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) |
action | major | `v7.6.0` → `v8.0.0` |

---

### Release Notes

<details>
<summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary>

###
[`v8.0.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v8.0.0):
🌈 Immutable releases and secure tags

[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.6.0...v8.0.0)

### This is the first immutable release of `setup-uv` 🥳

All future releases are also immutable, if you want to know more about
what this means checkout [the
docs](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases).

This release also has two breaking changes

#### New format for `manifest-file`

The previously deprecated way of defining a custom version manifest to
control which `uv` versions are available and where to download them
from got removed. The functionality is still there but you have to use
the [new
format](https://redirect.github.com/astral-sh/setup-uv/blob/main/docs/customization.md#format).

#### No more major and minor tags

To increase **security** even more we will **stop publishing minor
tags**. You won't be able to use `@v8` or `@v8.0` any longer. We do this
because pinning to major releases opens up users to supply chain attacks
like what happened to
[tj-actions](https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/).

> \[!TIP]
> Use the immutable tag as a version `astral-sh/setup-uv@8.0.0`
> Or even better the githash
`astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57`

#### 🚨 Breaking changes

- Remove update-major-minor-tags workflow
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;826](https://redirect.github.com/astral-sh/setup-uv/issues/826))
- Remove deprecrated custom manifest
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;813](https://redirect.github.com/astral-sh/setup-uv/issues/813))

#### 🧰 Maintenance

- Shortcircuit latest version from manifest
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;828](https://redirect.github.com/astral-sh/setup-uv/issues/828))
- Simplify inputs.ts
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;827](https://redirect.github.com/astral-sh/setup-uv/issues/827))
- Bump release-drafter to v7.1.1
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;825](https://redirect.github.com/astral-sh/setup-uv/issues/825))
- Refactor inputs
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;823](https://redirect.github.com/astral-sh/setup-uv/issues/823))
- Replace inline compile args with tsconfig
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;824](https://redirect.github.com/astral-sh/setup-uv/issues/824))
- chore: update known checksums for 0.11.2
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;821](https://redirect.github.com/astral-sh/setup-uv/issues/821))
- chore: update known checksums for 0.11.1
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;817](https://redirect.github.com/astral-sh/setup-uv/issues/817))
- chore: update known checksums for 0.11.0
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;815](https://redirect.github.com/astral-sh/setup-uv/issues/815))
- Fix latest-version workflow check
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;812](https://redirect.github.com/astral-sh/setup-uv/issues/812))
- chore: update known checksums for 0.10.11/0.10.12
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;811](https://redirect.github.com/astral-sh/setup-uv/issues/811))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45NC4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-30 09:48:20 +02:00
renovate[bot] b3bee55123 Update debian Docker tag to trixie-20260316 (#18760) 2026-03-29 21:22:37 -04:00
renovate[bot] cc2a514406 Update taiki-e/install-action action to v2.69.6 (#18764) 2026-03-29 21:22:31 -04:00
renovate[bot] 4f79352b66 Update dependency astral-sh/uv to v0.11.2 (#18763) 2026-03-29 21:22:23 -04:00
renovate[bot] c4c62ddf20 Update CodSpeedHQ/action action to v4.12.1 (#18762) 2026-03-29 21:22:15 -04:00
Charlie Marsh 47c8c273b0 Fix all cargo shear warnings (#18748)
## Summary

Like https://github.com/astral-sh/ruff/pull/24268.
2026-03-28 14:24:50 -04:00
Zanie Blue 96f329b8d2 Use the release environment in announce (#18733)
Otherwise, there is no approved deployment!
2026-03-26 22:04:22 +00:00
Zanie Blue 66c65913d0 Fetch the cargo-dist binary directly instead of using the installer (#18731) 2026-03-26 15:40:15 -05:00
Zanie Blue 4faa20e7d8 Use the release environment in publish-versions 2026-03-26 14:11:40 -05:00
Zanie Blue bfefb87a13 Use the release environment in publish-docs (#18727)
See https://github.com/astral-sh/ty/pull/3147
2026-03-26 12:05:26 -05:00
Zanie Blue edc1beb69a Use trusted publishing for crates.io (#18709)
Moves from a crates.io API key to trusted publishing.

Setup of trusted publishing is automated via a script which creates the
trust relationship and disables publish by API key. The main breakage
here is that now, when we add a new crate, a release will fail. The
script is invoked during `release.sh` to catch this case and supports
creating a stub crate so the release can subsequently succeed — but this
will require the release author to have a local crates.io API key with
permissions to create projects and configure publishing. I tested this
script a few times end-to-end, but would not be surprised if it bites us
in the future.
2026-03-25 09:15:44 -05:00
Zanie Blue 3f215e4c95 Disable deployment on environment use (#18677)
See
https://github.blog/changelog/2026-03-19-github-actions-late-march-2026-updates/#github-actions-now-allows-developers-to-use-environments-without-auto-deployment
2026-03-23 14:24:12 -05:00
Zanie Blue b6854d77bf Upgrade reqwest to 0.13 (#18550)
The following user-facing changes are included here:

- `aws-lc` is used instead of `ring` for a cryptography backend
- Expands our certificate signature algorithm support to include
ECDSA_P256_SHA512, ECDSA_P384_SHA512, ECDSA_P521_SHA256,
ECDSA_P521_SHA384, and ECDSA_P521_SHA512
- `--native-tls` is deprecated in favor of a new `--system-certs` flag,
avoiding confusion with the TLS implementation used (we use `rustls` not
`native-tls`, see prior confusion at
https://github.com/astral-sh/uv/issues/11595)
- NASM is a new build requirement on Windows, it is required by `aws-lc`
on x86-64 and i386
- `rustls-platform-verifier` is used instead of `rustls-native-certs`
for system certificate verification
- On macOS, certificate validation is now delegated to
`Security.framework` (`SecTrust`). Performance when using
`--system-certs` is improved by avoiding exporting and parsing all the
certificates from the keychain at startup.
- On Windows, certificate validation is now delegated to
`CertGetCertificateChain` and `CertVerifyCertificateChainPolicy`
    - On Linux, certificate validation should be approximately unchanged
- Some previously failing chains may succeed, and some previously
accepted chains may fail; generally, this should result in behavior
closer matching browsers and other native applications
- macOS and Windows may now perform live OCSP fetches for early
revocation, which could add latency to some requests
- Empty `SSL_CERT_FILE` values are ignored (for consistency with
`SSL_CERT_DIR`)

The following internal changes are included here:

- Certificate loading has been refactored to use a newtype with helper
methods
- The certificate tests have been rewritten
- We use `webpki-root-certs` instead of `webpki-roots`, see
https://github.com/astral-sh/uv/pull/17543#discussion_r2820187691
- We request `identity` encoding for range requests, see
https://github.com/astral-sh/async_http_range_reader/pull/3#discussion_r2700194798
- Various dependencies (including forks) updates to versions which use
reqwest 0.13+

This is a replacement of #17543 with an updated description. See that
pull request for prior discussion. I've made the following changes from
the initial approach there:

- Previously, the `native-tls` TLS implementation was added which
included an OpenSSL build. We don't currently use the `native-tls`
implementation, but the `--native-tls` flag there was erroneously
updated to enable it.
- Previously, there was a `--tls-backend` flag to toggle between
`native-tls` and `rustls`. Since we currently always use `rustls`, this
is deferred to future work (if we need it at all).
- Previously, there were unintentional breaking changes to
`SSL_CERT_FILE` and `SSL_CERT_DIR` handling, including merging with the
base certificates instead of replacing them, dropping support for
OpenSSL hash-named certificate files, skipping deduplication of
certificates. Here, we retain use of `rustls-native-certs` for loading
certificates from the system as it handles these edge cases.


Closes https://github.com/astral-sh/uv/issues/17427

---------

Co-authored-by: salmonsd <22984014+salmonsd@users.noreply.github.com>
2026-03-23 13:22:19 -05:00
Zsolt Dollenstein 2175e2ffba Enable checksum verification in the generated installer script (#18625) 2026-03-23 13:57:11 -04:00
renovate[bot] 2e9c966226 Update taiki-e/install-action action to v2.68.33 (#18658) 2026-03-22 22:12:31 -04:00
renovate[bot] fea07bb581 Update taiki-e/install-action action to v2.68.32 (#18652) 2026-03-22 21:39:56 -04:00
renovate[bot] 5708102a5d Update Swatinem/rust-cache action to v2.9.1 (#18656) 2026-03-22 21:39:30 -04:00
renovate[bot] 133c65f710 Update cgr.dev/chainguard/python:latest-dev Docker digest to 197dc1b (#18647) 2026-03-22 21:39:01 -04:00
renovate[bot] 65bf6221dc Update acj/freebsd-firecracker-action action to v0.9.0 (#18653) 2026-03-23 01:13:49 +00:00
renovate[bot] baf0d55c4d Update dependency astral-sh/uv to v0.10.12 (#18648) 2026-03-23 01:09:51 +00:00
William Woodruff 3d4cb95c80 CI: Interpose a template through an environment variable (#18624) 2026-03-22 00:03:11 +09:00
Zanie Blue 8093dfcaa9 Add a system test for the chainguard Python image (#18460)
Should require https://github.com/astral-sh/uv/pull/18457
2026-03-20 13:13:43 -05:00
Zanie Blue cedae1aa42 Trigger system tests when the system check file changes (#18590)
Co-authored-by: Claude <noreply@anthropic.com>
2026-03-20 16:22:01 +00:00
Zanie Blue 04bbd6a6ab Trigger benchmarks when bench workflow changes (#18589)
Co-authored-by: Claude <noreply@anthropic.com>
2026-03-20 16:19:09 +00:00
Zanie Blue 1597e9f96c Use a Depot runner for simulated benchmarks (#18585)
Hopefully, this means we will get consistent hardware and improve
stability
2026-03-20 12:28:10 +00:00
Zanie Blue f13abc388e Use a Termux image with Python pre-installed instead (#18573)
Created at https://github.com/astral-sh/termux-python

Termux's package repositories seem to be horribly unstable.
2026-03-19 20:59:13 +00:00
Zanie Blue c541a91c85 Add a test case for armv7 uv on aarch64 (#18532)
Reproduces https://github.com/astral-sh/uv/issues/18509
Related https://github.com/astral-sh/uv/pull/18517
Requires #18530
2026-03-18 18:59:47 -05:00
Zanie Blue 42c85f654f Add support for using Python 3.6 interpreters (#18454)
Applies a patch to use Python 3.6 compatible types in our vendored
`packaging` implementation used in the interpreter query script. Adds
Python 3.6 and 3.7 test coverage in CI.
2026-03-18 18:33:30 -05:00
renovate[bot] 165b63d09e Update docker/metadata-action action to v6 (#18501)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[docker/metadata-action](https://redirect.github.com/docker/metadata-action)
| action | major | `v5.10.0` → `v6.0.0` |

---

### Release Notes

<details>
<summary>docker/metadata-action (docker/metadata-action)</summary>

###
[`v6.0.0`](https://redirect.github.com/docker/metadata-action/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/docker/metadata-action/compare/v5.10.0...v6.0.0)

- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later) by [@&#8203;crazy-max](https://redirect.github.com/crazy-max)
in
[#&#8203;605](https://redirect.github.com/docker/metadata-action/pull/605)
- List inputs now preserve `#` inside values while still supporting
full-line `#` comments by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;607](https://redirect.github.com/docker/metadata-action/pull/607)
- Switch to ESM and update config/test wiring by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;602](https://redirect.github.com/docker/metadata-action/pull/602)
- Bump lodash from 4.17.21 to 4.17.23 in
[#&#8203;588](https://redirect.github.com/docker/metadata-action/pull/588)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
from 1.11.1 to 3.0.0 in
[#&#8203;599](https://redirect.github.com/docker/metadata-action/pull/599)
- Bump
[@&#8203;actions/github](https://redirect.github.com/actions/github)
from 6.0.1 to 9.0.0 in
[#&#8203;597](https://redirect.github.com/docker/metadata-action/pull/597)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.68.0 to 0.79.0 in
[#&#8203;604](https://redirect.github.com/docker/metadata-action/pull/604)
- Bump
[@&#8203;isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion)
from 5.0.0 to 5.0.1 in
[#&#8203;600](https://redirect.github.com/docker/metadata-action/pull/600)
- Bump semver from 7.7.3 to 7.7.4 in
[#&#8203;603](https://redirect.github.com/docker/metadata-action/pull/603)

**Full Changelog**:
<https://github.com/docker/metadata-action/compare/v5.10.0...v6.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-18 13:26:49 +00:00
renovate[bot] a47ae0cd35 Update docker/login-action action to v4 (#18500)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [docker/login-action](https://redirect.github.com/docker/login-action)
| action | major | `v3.7.0` → `v4.0.0` |

---

### Release Notes

<details>
<summary>docker/login-action (docker/login-action)</summary>

###
[`v4.0.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.0.0)

[Compare
Source](https://redirect.github.com/docker/login-action/compare/v3.7.0...v4.0.0)

- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later) by [@&#8203;crazy-max](https://redirect.github.com/crazy-max)
in
[#&#8203;929](https://redirect.github.com/docker/login-action/pull/929)
- Switch to ESM and update config/test wiring by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;927](https://redirect.github.com/docker/login-action/pull/927)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
from 1.11.1 to 3.0.0 in
[#&#8203;919](https://redirect.github.com/docker/login-action/pull/919)
- Bump
[@&#8203;aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr)
from 3.890.0 to 3.1000.0 in
[#&#8203;909](https://redirect.github.com/docker/login-action/pull/909)
[#&#8203;920](https://redirect.github.com/docker/login-action/pull/920)
- Bump
[@&#8203;aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public)
from 3.890.0 to 3.1000.0 in
[#&#8203;909](https://redirect.github.com/docker/login-action/pull/909)
[#&#8203;920](https://redirect.github.com/docker/login-action/pull/920)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.63.0 to 0.77.0 in
[#&#8203;910](https://redirect.github.com/docker/login-action/pull/910)
[#&#8203;928](https://redirect.github.com/docker/login-action/pull/928)
- Bump
[@&#8203;isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion)
from 5.0.0 to 5.0.1 in
[#&#8203;921](https://redirect.github.com/docker/login-action/pull/921)
- Bump js-yaml from 4.1.0 to 4.1.1 in
[#&#8203;901](https://redirect.github.com/docker/login-action/pull/901)

**Full Changelog**:
<https://github.com/docker/login-action/compare/v3.7.0...v4.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-18 08:15:40 -05:00
Zanie Blue 17afca33e9 Upgrade the release build runners from Windows 2022 -> 2025 (#18528)
Needed for WinGet in #17543

The `windows-latest` label already changed
https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/

I don't think this should affect users.
2026-03-17 15:13:20 -05:00
renovate[bot] ebdd2bf4b9 Update zizmorcore/zizmor-action action to v0.5.2 (#18496) 2026-03-16 14:44:10 -04:00
renovate[bot] 6bde8a4e63 Update taiki-e/install-action action to v2.68.25 (#18495) 2026-03-16 14:43:54 -04:00
renovate[bot] d52c38980f Update dependency astral-sh/uv to v0.10.10 (#18489) 2026-03-16 14:41:43 -04:00
renovate[bot] 59123af42a Update CodSpeedHQ/action action to v4.11.1 (#18488) 2026-03-16 14:41:37 -04:00
renovate[bot] 24d81d2bf4 Update astral-sh/setup-uv action to v7.6.0 (#18515)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-16 17:19:45 +00:00
Zanie Blue 34f967310f Add an integration test for Intel conda (#18461)
Reproduces #14267 — see
https://github.com/astral-sh/uv/actions/runs/23076175099/job/67037153580

Which is resolved by https://github.com/astral-sh/uv/pull/18452 — see
https://github.com/astral-sh/uv/actions/runs/23090030294/job/67074278041
2026-03-14 17:57:49 +00:00
Zanie Blue 9753c0991b Run the integration tests on changes (#18465) 2026-03-13 17:45:24 -05:00
Zanie Blue 91b73925e2 Run macOS tests whenever we build release binaries (#18458) 2026-03-13 19:47:01 +00:00
renovate[bot] afd816f3cd Update astral-sh/setup-uv action to v7.5.0 (#18432)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) |
action | minor | `v7.3.1` → `v7.5.0` |

---

### Release Notes

<details>
<summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary>

###
[`v7.5.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v7.5.0):
🌈 Use &#x60;astral-sh/versions&#x60; as version provider

[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.4.0...v7.5.0)

### No more rate-limits

This release addresses a long-standing source of timeouts and rate-limit
failures in setup-uv.

Previously, the action resolved version identifiers like 0.5.x by
iterating over available uv releases via the GitHub API to find the best
match. In contrast, latest and exact versions such as 0.5.0 skipped
version resolution entirely and downloaded uv directly.

The `manifest-file` input was an earlier attempt to improve this. It
allows providing an url to a file that lists available versions,
checksums, and even custom download URLs. The action also shipped with
such a manifest.
However, because that bundled file could become outdated whenever new uv
releases were published, the action still had to fall back to the GitHub
API in many cases.

This release solves the problem by sourcing version data from Astral’s
versions repository via the raw content endpoint:


<https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson>

By using the raw endpoint instead of the GitHub API, version resolution
no longer depends on API authentication and is much less likely to run
into rate limits or timeouts.

***

> \[!TIP]
> The next section is only interesting for users of the `manifest-file`
input

The `manifest-file` input lets you override that source with your own
URL, for example to test custom uv builds or alternate download
locations.

The manifest file must be in NDJSON format, where each line is a JSON
object representing a version and its artifacts. For example:

```json
{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
```

> \[!WARNING]\
> The old format still works but is deprecated. A warning will be logged
when you use it.

#### Changes

- docs: replace copilot instructions with AGENTS.md
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;794](https://redirect.github.com/astral-sh/setup-uv/issues/794))

#### 🚀 Enhancements

- Use astral-sh/versions as primary version provider
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;802](https://redirect.github.com/astral-sh/setup-uv/issues/802))

#### 📚 Documentation

- docs: add cross-client dependabot rollup skill
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;793](https://redirect.github.com/astral-sh/setup-uv/issues/793))

###
[`v7.4.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v7.4.0):
🌈 Add riscv64 architecture support to platform detection

[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.3.1...v7.4.0)

##### Changes

Thank you [@&#8203;luhenry](https://redirect.github.com/luhenry) for
adding support for riscv64 arch

##### 🚀 Enhancements

- Add riscv64 architecture support to platform detection
[@&#8203;luhenry](https://redirect.github.com/luhenry)
([#&#8203;791](https://redirect.github.com/astral-sh/setup-uv/issues/791))

##### 🧰 Maintenance

- Delete .github/workflows/dependabot-build.yml
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;789](https://redirect.github.com/astral-sh/setup-uv/issues/789))
- Harden Dependabot build workflow
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;788](https://redirect.github.com/astral-sh/setup-uv/issues/788))
- Fix: check PR author instead of event sender for Dependabot detection
[@&#8203;eifinger-bot](https://redirect.github.com/eifinger-bot)
([#&#8203;787](https://redirect.github.com/astral-sh/setup-uv/issues/787))
- chore: update known checksums for 0.10.9
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;783](https://redirect.github.com/astral-sh/setup-uv/issues/783))
- Add workflow to auto-build dist on Dependabot PRs
[@&#8203;eifinger-bot](https://redirect.github.com/eifinger-bot)
([#&#8203;782](https://redirect.github.com/astral-sh/setup-uv/issues/782))
- chore: update known checksums for 0.10.8
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;779](https://redirect.github.com/astral-sh/setup-uv/issues/779))
- chore: update known checksums for 0.10.7
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;775](https://redirect.github.com/astral-sh/setup-uv/issues/775))

##### ⬆️ Dependency updates

- chore(deps): bump versions
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;792](https://redirect.github.com/astral-sh/setup-uv/issues/792))
- Bump actions/setup-node from 6.2.0 to 6.3.0
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
([#&#8203;790](https://redirect.github.com/astral-sh/setup-uv/issues/790))
- Bump eifinger/actionlint-action from 1.10.0 to 1.10.1
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
([#&#8203;778](https://redirect.github.com/astral-sh/setup-uv/issues/778))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-13 07:51:23 +00:00
Zanie Blue 273d29b8f2 Allow snapshots to be updated from failures in CI (#18424)
Persists snapshots as artifacts on test failure in CI and adds a script
to apply them locally

```
❯ ./scripts/apply-ci-snapshots.sh
Found pull request #18424 for branch 'zb/ci-snapshots'...
Found latest CI run 23022983761
Downloading pending snapshot artifacts...
Downloaded 3 artifacts
Applying 2 snapshot changes...
accepted:
  crates/uv/tests/it/pip_install.rs:13679 (transitive_dependency_config_settings_invalidation-2)
  crates/uv/tests/it/python_install.rs:1694 (python_install_default-5)
```

We infer the target run via the `gh` CLI. You may also provide the run
ID directly.

We'll merge snapshot artifacts from multiple platforms, so if there are
platform-specific failures on both Linux and Windows we'll apply both.
2026-03-12 17:13:28 -05:00
messense 91823b6c11 Add riscv64 musl target to build-release-binaries workflow (#18228)
## Summary

Closes #16063

## Test Plan

Test on GitHub Actions:
https://github.com/astral-sh/uv/actions/runs/22535106542/job/65281038532?pr=18228
2026-03-10 11:36:46 +01:00
renovate[bot] e4a4e75e77 Update actions/attest-build-provenance action to v4 (#18382)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/attest-build-provenance](https://redirect.github.com/actions/attest-build-provenance)
| action | major | `v3.2.0` → `v4.1.0` |

---

### Release Notes

<details>
<summary>actions/attest-build-provenance
(actions/attest-build-provenance)</summary>

###
[`v4.1.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v4.1.0)

[Compare
Source](https://redirect.github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0)

> \[!NOTE]
> As of version 4, `actions/attest-build-provenance` is simply a wrapper
on top of
[`actions/attest`](https://redirect.github.com/actions/attest).
>
> Existing applications may continue to use the
`attest-build-provenance` action, but new implementations should use
`actions/attest` instead.

#### What's Changed

- Update RELEASE.md docs by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[#&#8203;836](https://redirect.github.com/actions/attest-build-provenance/pull/836)
- Bump `actions/attest` from 4.0.0 to 4.1.0 by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[#&#8203;838](https://redirect.github.com/actions/attest-build-provenance/pull/838)
- Bump `@actions/attest` from 3.0.0 to 3.1.0 by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[actions/attest#362](https://redirect.github.com/actions/attest/pull/362)
- Bump `@actions/attest` from 3.1.0 to 3.2.0 by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[actions/attest#365](https://redirect.github.com/actions/attest/pull/365)
- Add new `subject-version` input for inclusion in storage record by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[actions/attest#364](https://redirect.github.com/actions/attest/pull/364)
- Add storage record content to README by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[actions/attest#366](https://redirect.github.com/actions/attest/pull/366)

**Full Changelog**:
<https://github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0>

###
[`v4.0.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v4.0.0)

[Compare
Source](https://redirect.github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0)

> \[!NOTE]
> As of version 4, `actions/attest-build-provenance` is simply a wrapper
on top of
[`actions/attest`](https://redirect.github.com/actions/attest).
>
> Existing applications may continue to use the
`attest-build-provenance` action, but new implementations should use
`actions/attest` instead.

#### What's Changed

- Prepare v4 release by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[#&#8203;835](https://redirect.github.com/actions/attest-build-provenance/pull/835)

**Full Changelog**:
<https://github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-09 21:01:57 +08:00
renovate[bot] 50d5d89079 Update taiki-e/install-action action to v2.68.16 (#18381) 2026-03-08 22:47:13 -04:00
renovate[bot] a653c3d09c Update crate-ci/typos action to v1.44.0 (#18379) 2026-03-08 22:46:57 -04:00
renovate[bot] cf668efe84 Update CodSpeedHQ/action action to v4.11.0 (#18378) 2026-03-08 22:46:49 -04:00
renovate[bot] 0a17ba5406 Update dependency astral-sh/uv to v0.10.9 (#18374) 2026-03-08 22:44:34 -04:00
Zanie Blue 8fedd25b41 Use uv 0.10.8 for internal workflows (#18354)
This should resolve GitHub Python download flakes
2026-03-06 19:45:40 +00:00