Zsolt Dollenstein
0c1d0f7c80
Publish installers to /installers/uv/latest on the mirror ( #18725 )
2026-03-31 10:51:27 -04:00
konsti
b7d5faf568
Reproducible Windows trampoline builds ( #18665 )
...
Build the Windows trampolines in a fully pinned docker container that
allows auditing the compilation in CI.
2026-03-31 12:15:44 +02:00
renovate[bot]
7c2f6c696b
Update astral-sh/setup-uv action to v8 ( #18765 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv ) |
action | major | `v7.6.0` → `v8.0.0` |
---
### Release Notes
<details>
<summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary>
###
[`v8.0.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v8.0.0 ):
🌈 Immutable releases and secure tags
[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.6.0...v8.0.0 )
### This is the first immutable release of `setup-uv` 🥳
All future releases are also immutable, if you want to know more about
what this means checkout [the
docs](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases ).
This release also has two breaking changes
#### New format for `manifest-file`
The previously deprecated way of defining a custom version manifest to
control which `uv` versions are available and where to download them
from got removed. The functionality is still there but you have to use
the [new
format](https://redirect.github.com/astral-sh/setup-uv/blob/main/docs/customization.md#format ).
#### No more major and minor tags
To increase **security** even more we will **stop publishing minor
tags**. You won't be able to use `@v8` or `@v8.0` any longer. We do this
because pinning to major releases opens up users to supply chain attacks
like what happened to
[tj-actions](https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/ ).
> \[!TIP]
> Use the immutable tag as a version `astral-sh/setup-uv@8.0.0`
> Or even better the githash
`astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57`
#### 🚨 Breaking changes
- Remove update-major-minor-tags workflow
[@​eifinger](https://redirect.github.com/eifinger )
([#​826](https://redirect.github.com/astral-sh/setup-uv/issues/826 ))
- Remove deprecrated custom manifest
[@​eifinger](https://redirect.github.com/eifinger )
([#​813](https://redirect.github.com/astral-sh/setup-uv/issues/813 ))
#### 🧰 Maintenance
- Shortcircuit latest version from manifest
[@​eifinger](https://redirect.github.com/eifinger )
([#​828](https://redirect.github.com/astral-sh/setup-uv/issues/828 ))
- Simplify inputs.ts
[@​eifinger](https://redirect.github.com/eifinger )
([#​827](https://redirect.github.com/astral-sh/setup-uv/issues/827 ))
- Bump release-drafter to v7.1.1
[@​eifinger](https://redirect.github.com/eifinger )
([#​825](https://redirect.github.com/astral-sh/setup-uv/issues/825 ))
- Refactor inputs
[@​eifinger](https://redirect.github.com/eifinger )
([#​823](https://redirect.github.com/astral-sh/setup-uv/issues/823 ))
- Replace inline compile args with tsconfig
[@​eifinger](https://redirect.github.com/eifinger )
([#​824](https://redirect.github.com/astral-sh/setup-uv/issues/824 ))
- chore: update known checksums for 0.11.2
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​821](https://redirect.github.com/astral-sh/setup-uv/issues/821 ))
- chore: update known checksums for 0.11.1
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​817](https://redirect.github.com/astral-sh/setup-uv/issues/817 ))
- chore: update known checksums for 0.11.0
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​815](https://redirect.github.com/astral-sh/setup-uv/issues/815 ))
- Fix latest-version workflow check
[@​eifinger](https://redirect.github.com/eifinger )
([#​812](https://redirect.github.com/astral-sh/setup-uv/issues/812 ))
- chore: update known checksums for 0.10.11/0.10.12
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​811](https://redirect.github.com/astral-sh/setup-uv/issues/811 ))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45NC4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-30 09:48:20 +02:00
renovate[bot]
b3bee55123
Update debian Docker tag to trixie-20260316 ( #18760 )
2026-03-29 21:22:37 -04:00
renovate[bot]
cc2a514406
Update taiki-e/install-action action to v2.69.6 ( #18764 )
2026-03-29 21:22:31 -04:00
renovate[bot]
4f79352b66
Update dependency astral-sh/uv to v0.11.2 ( #18763 )
2026-03-29 21:22:23 -04:00
renovate[bot]
c4c62ddf20
Update CodSpeedHQ/action action to v4.12.1 ( #18762 )
2026-03-29 21:22:15 -04:00
Charlie Marsh
47c8c273b0
Fix all cargo shear warnings ( #18748 )
...
## Summary
Like https://github.com/astral-sh/ruff/pull/24268 .
2026-03-28 14:24:50 -04:00
Zanie Blue
96f329b8d2
Use the release environment in announce ( #18733 )
...
Otherwise, there is no approved deployment!
2026-03-26 22:04:22 +00:00
Zanie Blue
66c65913d0
Fetch the cargo-dist binary directly instead of using the installer ( #18731 )
2026-03-26 15:40:15 -05:00
Zanie Blue
4faa20e7d8
Use the release environment in publish-versions
2026-03-26 14:11:40 -05:00
Zanie Blue
bfefb87a13
Use the release environment in publish-docs ( #18727 )
...
See https://github.com/astral-sh/ty/pull/3147
2026-03-26 12:05:26 -05:00
Zanie Blue
edc1beb69a
Use trusted publishing for crates.io ( #18709 )
...
Moves from a crates.io API key to trusted publishing.
Setup of trusted publishing is automated via a script which creates the
trust relationship and disables publish by API key. The main breakage
here is that now, when we add a new crate, a release will fail. The
script is invoked during `release.sh` to catch this case and supports
creating a stub crate so the release can subsequently succeed — but this
will require the release author to have a local crates.io API key with
permissions to create projects and configure publishing. I tested this
script a few times end-to-end, but would not be surprised if it bites us
in the future.
2026-03-25 09:15:44 -05:00
Zanie Blue
3f215e4c95
Disable deployment on environment use ( #18677 )
...
See
https://github.blog/changelog/2026-03-19-github-actions-late-march-2026-updates/#github-actions-now-allows-developers-to-use-environments-without-auto-deployment
2026-03-23 14:24:12 -05:00
Zanie Blue
b6854d77bf
Upgrade reqwest to 0.13 ( #18550 )
...
The following user-facing changes are included here:
- `aws-lc` is used instead of `ring` for a cryptography backend
- Expands our certificate signature algorithm support to include
ECDSA_P256_SHA512, ECDSA_P384_SHA512, ECDSA_P521_SHA256,
ECDSA_P521_SHA384, and ECDSA_P521_SHA512
- `--native-tls` is deprecated in favor of a new `--system-certs` flag,
avoiding confusion with the TLS implementation used (we use `rustls` not
`native-tls`, see prior confusion at
https://github.com/astral-sh/uv/issues/11595 )
- NASM is a new build requirement on Windows, it is required by `aws-lc`
on x86-64 and i386
- `rustls-platform-verifier` is used instead of `rustls-native-certs`
for system certificate verification
- On macOS, certificate validation is now delegated to
`Security.framework` (`SecTrust`). Performance when using
`--system-certs` is improved by avoiding exporting and parsing all the
certificates from the keychain at startup.
- On Windows, certificate validation is now delegated to
`CertGetCertificateChain` and `CertVerifyCertificateChainPolicy`
- On Linux, certificate validation should be approximately unchanged
- Some previously failing chains may succeed, and some previously
accepted chains may fail; generally, this should result in behavior
closer matching browsers and other native applications
- macOS and Windows may now perform live OCSP fetches for early
revocation, which could add latency to some requests
- Empty `SSL_CERT_FILE` values are ignored (for consistency with
`SSL_CERT_DIR`)
The following internal changes are included here:
- Certificate loading has been refactored to use a newtype with helper
methods
- The certificate tests have been rewritten
- We use `webpki-root-certs` instead of `webpki-roots`, see
https://github.com/astral-sh/uv/pull/17543#discussion_r2820187691
- We request `identity` encoding for range requests, see
https://github.com/astral-sh/async_http_range_reader/pull/3#discussion_r2700194798
- Various dependencies (including forks) updates to versions which use
reqwest 0.13+
This is a replacement of #17543 with an updated description. See that
pull request for prior discussion. I've made the following changes from
the initial approach there:
- Previously, the `native-tls` TLS implementation was added which
included an OpenSSL build. We don't currently use the `native-tls`
implementation, but the `--native-tls` flag there was erroneously
updated to enable it.
- Previously, there was a `--tls-backend` flag to toggle between
`native-tls` and `rustls`. Since we currently always use `rustls`, this
is deferred to future work (if we need it at all).
- Previously, there were unintentional breaking changes to
`SSL_CERT_FILE` and `SSL_CERT_DIR` handling, including merging with the
base certificates instead of replacing them, dropping support for
OpenSSL hash-named certificate files, skipping deduplication of
certificates. Here, we retain use of `rustls-native-certs` for loading
certificates from the system as it handles these edge cases.
Closes https://github.com/astral-sh/uv/issues/17427
---------
Co-authored-by: salmonsd <22984014+salmonsd@users.noreply.github.com >
2026-03-23 13:22:19 -05:00
Zsolt Dollenstein
2175e2ffba
Enable checksum verification in the generated installer script ( #18625 )
2026-03-23 13:57:11 -04:00
renovate[bot]
2e9c966226
Update taiki-e/install-action action to v2.68.33 ( #18658 )
2026-03-22 22:12:31 -04:00
renovate[bot]
fea07bb581
Update taiki-e/install-action action to v2.68.32 ( #18652 )
2026-03-22 21:39:56 -04:00
renovate[bot]
5708102a5d
Update Swatinem/rust-cache action to v2.9.1 ( #18656 )
2026-03-22 21:39:30 -04:00
renovate[bot]
133c65f710
Update cgr.dev/chainguard/python:latest-dev Docker digest to 197dc1b ( #18647 )
2026-03-22 21:39:01 -04:00
renovate[bot]
65bf6221dc
Update acj/freebsd-firecracker-action action to v0.9.0 ( #18653 )
2026-03-23 01:13:49 +00:00
renovate[bot]
baf0d55c4d
Update dependency astral-sh/uv to v0.10.12 ( #18648 )
2026-03-23 01:09:51 +00:00
William Woodruff
3d4cb95c80
CI: Interpose a template through an environment variable ( #18624 )
2026-03-22 00:03:11 +09:00
Zanie Blue
8093dfcaa9
Add a system test for the chainguard Python image ( #18460 )
...
Should require https://github.com/astral-sh/uv/pull/18457
2026-03-20 13:13:43 -05:00
Zanie Blue
cedae1aa42
Trigger system tests when the system check file changes ( #18590 )
...
Co-authored-by: Claude <noreply@anthropic.com >
2026-03-20 16:22:01 +00:00
Zanie Blue
04bbd6a6ab
Trigger benchmarks when bench workflow changes ( #18589 )
...
Co-authored-by: Claude <noreply@anthropic.com >
2026-03-20 16:19:09 +00:00
Zanie Blue
1597e9f96c
Use a Depot runner for simulated benchmarks ( #18585 )
...
Hopefully, this means we will get consistent hardware and improve
stability
2026-03-20 12:28:10 +00:00
Zanie Blue
f13abc388e
Use a Termux image with Python pre-installed instead ( #18573 )
...
Created at https://github.com/astral-sh/termux-python
Termux's package repositories seem to be horribly unstable.
2026-03-19 20:59:13 +00:00
Zanie Blue
c541a91c85
Add a test case for armv7 uv on aarch64 ( #18532 )
...
Reproduces https://github.com/astral-sh/uv/issues/18509
Related https://github.com/astral-sh/uv/pull/18517
Requires #18530
2026-03-18 18:59:47 -05:00
Zanie Blue
42c85f654f
Add support for using Python 3.6 interpreters ( #18454 )
...
Applies a patch to use Python 3.6 compatible types in our vendored
`packaging` implementation used in the interpreter query script. Adds
Python 3.6 and 3.7 test coverage in CI.
2026-03-18 18:33:30 -05:00
renovate[bot]
165b63d09e
Update docker/metadata-action action to v6 ( #18501 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[docker/metadata-action](https://redirect.github.com/docker/metadata-action )
| action | major | `v5.10.0` → `v6.0.0` |
---
### Release Notes
<details>
<summary>docker/metadata-action (docker/metadata-action)</summary>
###
[`v6.0.0`](https://redirect.github.com/docker/metadata-action/releases/tag/v6.0.0 )
[Compare
Source](https://redirect.github.com/docker/metadata-action/compare/v5.10.0...v6.0.0 )
- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1 )
or later) by [@​crazy-max](https://redirect.github.com/crazy-max )
in
[#​605](https://redirect.github.com/docker/metadata-action/pull/605 )
- List inputs now preserve `#` inside values while still supporting
full-line `#` comments by
[@​crazy-max](https://redirect.github.com/crazy-max ) in
[#​607](https://redirect.github.com/docker/metadata-action/pull/607 )
- Switch to ESM and update config/test wiring by
[@​crazy-max](https://redirect.github.com/crazy-max ) in
[#​602](https://redirect.github.com/docker/metadata-action/pull/602 )
- Bump lodash from 4.17.21 to 4.17.23 in
[#​588](https://redirect.github.com/docker/metadata-action/pull/588 )
- Bump [@​actions/core](https://redirect.github.com/actions/core )
from 1.11.1 to 3.0.0 in
[#​599](https://redirect.github.com/docker/metadata-action/pull/599 )
- Bump
[@​actions/github](https://redirect.github.com/actions/github )
from 6.0.1 to 9.0.0 in
[#​597](https://redirect.github.com/docker/metadata-action/pull/597 )
- Bump
[@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit )
from 0.68.0 to 0.79.0 in
[#​604](https://redirect.github.com/docker/metadata-action/pull/604 )
- Bump
[@​isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion )
from 5.0.0 to 5.0.1 in
[#​600](https://redirect.github.com/docker/metadata-action/pull/600 )
- Bump semver from 7.7.3 to 7.7.4 in
[#​603](https://redirect.github.com/docker/metadata-action/pull/603 )
**Full Changelog**:
<https://github.com/docker/metadata-action/compare/v5.10.0...v6.0.0 >
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-18 13:26:49 +00:00
renovate[bot]
a47ae0cd35
Update docker/login-action action to v4 ( #18500 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [docker/login-action](https://redirect.github.com/docker/login-action )
| action | major | `v3.7.0` → `v4.0.0` |
---
### Release Notes
<details>
<summary>docker/login-action (docker/login-action)</summary>
###
[`v4.0.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.0.0 )
[Compare
Source](https://redirect.github.com/docker/login-action/compare/v3.7.0...v4.0.0 )
- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1 )
or later) by [@​crazy-max](https://redirect.github.com/crazy-max )
in
[#​929](https://redirect.github.com/docker/login-action/pull/929 )
- Switch to ESM and update config/test wiring by
[@​crazy-max](https://redirect.github.com/crazy-max ) in
[#​927](https://redirect.github.com/docker/login-action/pull/927 )
- Bump [@​actions/core](https://redirect.github.com/actions/core )
from 1.11.1 to 3.0.0 in
[#​919](https://redirect.github.com/docker/login-action/pull/919 )
- Bump
[@​aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr )
from 3.890.0 to 3.1000.0 in
[#​909](https://redirect.github.com/docker/login-action/pull/909 )
[#​920](https://redirect.github.com/docker/login-action/pull/920 )
- Bump
[@​aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public )
from 3.890.0 to 3.1000.0 in
[#​909](https://redirect.github.com/docker/login-action/pull/909 )
[#​920](https://redirect.github.com/docker/login-action/pull/920 )
- Bump
[@​docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit )
from 0.63.0 to 0.77.0 in
[#​910](https://redirect.github.com/docker/login-action/pull/910 )
[#​928](https://redirect.github.com/docker/login-action/pull/928 )
- Bump
[@​isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion )
from 5.0.0 to 5.0.1 in
[#​921](https://redirect.github.com/docker/login-action/pull/921 )
- Bump js-yaml from 4.1.0 to 4.1.1 in
[#​901](https://redirect.github.com/docker/login-action/pull/901 )
**Full Changelog**:
<https://github.com/docker/login-action/compare/v3.7.0...v4.0.0 >
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-18 08:15:40 -05:00
Zanie Blue
17afca33e9
Upgrade the release build runners from Windows 2022 -> 2025 ( #18528 )
...
Needed for WinGet in #17543
The `windows-latest` label already changed
https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/
I don't think this should affect users.
2026-03-17 15:13:20 -05:00
renovate[bot]
ebdd2bf4b9
Update zizmorcore/zizmor-action action to v0.5.2 ( #18496 )
2026-03-16 14:44:10 -04:00
renovate[bot]
6bde8a4e63
Update taiki-e/install-action action to v2.68.25 ( #18495 )
2026-03-16 14:43:54 -04:00
renovate[bot]
d52c38980f
Update dependency astral-sh/uv to v0.10.10 ( #18489 )
2026-03-16 14:41:43 -04:00
renovate[bot]
59123af42a
Update CodSpeedHQ/action action to v4.11.1 ( #18488 )
2026-03-16 14:41:37 -04:00
renovate[bot]
24d81d2bf4
Update astral-sh/setup-uv action to v7.6.0 ( #18515 )
...
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-16 17:19:45 +00:00
Zanie Blue
34f967310f
Add an integration test for Intel conda ( #18461 )
...
Reproduces #14267 — see
https://github.com/astral-sh/uv/actions/runs/23076175099/job/67037153580
Which is resolved by https://github.com/astral-sh/uv/pull/18452 — see
https://github.com/astral-sh/uv/actions/runs/23090030294/job/67074278041
2026-03-14 17:57:49 +00:00
Zanie Blue
9753c0991b
Run the integration tests on changes ( #18465 )
2026-03-13 17:45:24 -05:00
Zanie Blue
91b73925e2
Run macOS tests whenever we build release binaries ( #18458 )
2026-03-13 19:47:01 +00:00
renovate[bot]
afd816f3cd
Update astral-sh/setup-uv action to v7.5.0 ( #18432 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv ) |
action | minor | `v7.3.1` → `v7.5.0` |
---
### Release Notes
<details>
<summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary>
###
[`v7.5.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v7.5.0 ):
🌈 Use `astral-sh/versions` as version provider
[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.4.0...v7.5.0 )
### No more rate-limits
This release addresses a long-standing source of timeouts and rate-limit
failures in setup-uv.
Previously, the action resolved version identifiers like 0.5.x by
iterating over available uv releases via the GitHub API to find the best
match. In contrast, latest and exact versions such as 0.5.0 skipped
version resolution entirely and downloaded uv directly.
The `manifest-file` input was an earlier attempt to improve this. It
allows providing an url to a file that lists available versions,
checksums, and even custom download URLs. The action also shipped with
such a manifest.
However, because that bundled file could become outdated whenever new uv
releases were published, the action still had to fall back to the GitHub
API in many cases.
This release solves the problem by sourcing version data from Astral’s
versions repository via the raw content endpoint:
<https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson >
By using the raw endpoint instead of the GitHub API, version resolution
no longer depends on API authentication and is much less likely to run
into rate limits or timeouts.
***
> \[!TIP]
> The next section is only interesting for users of the `manifest-file`
input
The `manifest-file` input lets you override that source with your own
URL, for example to test custom uv builds or alternate download
locations.
The manifest file must be in NDJSON format, where each line is a JSON
object representing a version and its artifacts. For example:
```json
{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz ","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz ","archive_format":"tar.gz","sha256":"..."}]}
```
> \[!WARNING]\
> The old format still works but is deprecated. A warning will be logged
when you use it.
#### Changes
- docs: replace copilot instructions with AGENTS.md
[@​eifinger](https://redirect.github.com/eifinger )
([#​794](https://redirect.github.com/astral-sh/setup-uv/issues/794 ))
#### 🚀 Enhancements
- Use astral-sh/versions as primary version provider
[@​eifinger](https://redirect.github.com/eifinger )
([#​802](https://redirect.github.com/astral-sh/setup-uv/issues/802 ))
#### 📚 Documentation
- docs: add cross-client dependabot rollup skill
[@​eifinger](https://redirect.github.com/eifinger )
([#​793](https://redirect.github.com/astral-sh/setup-uv/issues/793 ))
###
[`v7.4.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v7.4.0 ):
🌈 Add riscv64 architecture support to platform detection
[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.3.1...v7.4.0 )
##### Changes
Thank you [@​luhenry](https://redirect.github.com/luhenry ) for
adding support for riscv64 arch
##### 🚀 Enhancements
- Add riscv64 architecture support to platform detection
[@​luhenry](https://redirect.github.com/luhenry )
([#​791](https://redirect.github.com/astral-sh/setup-uv/issues/791 ))
##### 🧰 Maintenance
- Delete .github/workflows/dependabot-build.yml
[@​eifinger](https://redirect.github.com/eifinger )
([#​789](https://redirect.github.com/astral-sh/setup-uv/issues/789 ))
- Harden Dependabot build workflow
[@​eifinger](https://redirect.github.com/eifinger )
([#​788](https://redirect.github.com/astral-sh/setup-uv/issues/788 ))
- Fix: check PR author instead of event sender for Dependabot detection
[@​eifinger-bot](https://redirect.github.com/eifinger-bot )
([#​787](https://redirect.github.com/astral-sh/setup-uv/issues/787 ))
- chore: update known checksums for 0.10.9
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​783](https://redirect.github.com/astral-sh/setup-uv/issues/783 ))
- Add workflow to auto-build dist on Dependabot PRs
[@​eifinger-bot](https://redirect.github.com/eifinger-bot )
([#​782](https://redirect.github.com/astral-sh/setup-uv/issues/782 ))
- chore: update known checksums for 0.10.8
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​779](https://redirect.github.com/astral-sh/setup-uv/issues/779 ))
- chore: update known checksums for 0.10.7
@​[github-actions\[bot\]](https://redirect.github.com/apps/github-actions )
([#​775](https://redirect.github.com/astral-sh/setup-uv/issues/775 ))
##### ⬆️ Dependency updates
- chore(deps): bump versions
[@​eifinger](https://redirect.github.com/eifinger )
([#​792](https://redirect.github.com/astral-sh/setup-uv/issues/792 ))
- Bump actions/setup-node from 6.2.0 to 6.3.0
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​790](https://redirect.github.com/astral-sh/setup-uv/issues/790 ))
- Bump eifinger/actionlint-action from 1.10.0 to 1.10.1
@​[dependabot\[bot\]](https://redirect.github.com/apps/dependabot )
([#​778](https://redirect.github.com/astral-sh/setup-uv/issues/778 ))
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-13 07:51:23 +00:00
Zanie Blue
273d29b8f2
Allow snapshots to be updated from failures in CI ( #18424 )
...
Persists snapshots as artifacts on test failure in CI and adds a script
to apply them locally
```
❯ ./scripts/apply-ci-snapshots.sh
Found pull request #18424 for branch 'zb/ci-snapshots'...
Found latest CI run 23022983761
Downloading pending snapshot artifacts...
Downloaded 3 artifacts
Applying 2 snapshot changes...
accepted:
crates/uv/tests/it/pip_install.rs:13679 (transitive_dependency_config_settings_invalidation-2)
crates/uv/tests/it/python_install.rs:1694 (python_install_default-5)
```
We infer the target run via the `gh` CLI. You may also provide the run
ID directly.
We'll merge snapshot artifacts from multiple platforms, so if there are
platform-specific failures on both Linux and Windows we'll apply both.
2026-03-12 17:13:28 -05:00
messense
91823b6c11
Add riscv64 musl target to build-release-binaries workflow ( #18228 )
...
## Summary
Closes #16063
## Test Plan
Test on GitHub Actions:
https://github.com/astral-sh/uv/actions/runs/22535106542/job/65281038532?pr=18228
2026-03-10 11:36:46 +01:00
renovate[bot]
e4a4e75e77
Update actions/attest-build-provenance action to v4 ( #18382 )
...
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/attest-build-provenance](https://redirect.github.com/actions/attest-build-provenance )
| action | major | `v3.2.0` → `v4.1.0` |
---
### Release Notes
<details>
<summary>actions/attest-build-provenance
(actions/attest-build-provenance)</summary>
###
[`v4.1.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v4.1.0 )
[Compare
Source](https://redirect.github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0 )
> \[!NOTE]
> As of version 4, `actions/attest-build-provenance` is simply a wrapper
on top of
[`actions/attest`](https://redirect.github.com/actions/attest ).
>
> Existing applications may continue to use the
`attest-build-provenance` action, but new implementations should use
`actions/attest` instead.
#### What's Changed
- Update RELEASE.md docs by
[@​bdehamer](https://redirect.github.com/bdehamer ) in
[#​836](https://redirect.github.com/actions/attest-build-provenance/pull/836 )
- Bump `actions/attest` from 4.0.0 to 4.1.0 by
[@​bdehamer](https://redirect.github.com/bdehamer ) in
[#​838](https://redirect.github.com/actions/attest-build-provenance/pull/838 )
- Bump `@actions/attest` from 3.0.0 to 3.1.0 by
[@​bdehamer](https://redirect.github.com/bdehamer ) in
[actions/attest#362 ](https://redirect.github.com/actions/attest/pull/362 )
- Bump `@actions/attest` from 3.1.0 to 3.2.0 by
[@​bdehamer](https://redirect.github.com/bdehamer ) in
[actions/attest#365 ](https://redirect.github.com/actions/attest/pull/365 )
- Add new `subject-version` input for inclusion in storage record by
[@​bdehamer](https://redirect.github.com/bdehamer ) in
[actions/attest#364 ](https://redirect.github.com/actions/attest/pull/364 )
- Add storage record content to README by
[@​bdehamer](https://redirect.github.com/bdehamer ) in
[actions/attest#366 ](https://redirect.github.com/actions/attest/pull/366 )
**Full Changelog**:
<https://github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0 >
###
[`v4.0.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v4.0.0 )
[Compare
Source](https://redirect.github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0 )
> \[!NOTE]
> As of version 4, `actions/attest-build-provenance` is simply a wrapper
on top of
[`actions/attest`](https://redirect.github.com/actions/attest ).
>
> Existing applications may continue to use the
`attest-build-provenance` action, but new implementations should use
`actions/attest` instead.
#### What's Changed
- Prepare v4 release by
[@​bdehamer](https://redirect.github.com/bdehamer ) in
[#​835](https://redirect.github.com/actions/attest-build-provenance/pull/835 )
**Full Changelog**:
<https://github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0 >
</details>
---
### Configuration
📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/ ).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-09 21:01:57 +08:00
renovate[bot]
50d5d89079
Update taiki-e/install-action action to v2.68.16 ( #18381 )
2026-03-08 22:47:13 -04:00
renovate[bot]
a653c3d09c
Update crate-ci/typos action to v1.44.0 ( #18379 )
2026-03-08 22:46:57 -04:00
renovate[bot]
cf668efe84
Update CodSpeedHQ/action action to v4.11.0 ( #18378 )
2026-03-08 22:46:49 -04:00
renovate[bot]
0a17ba5406
Update dependency astral-sh/uv to v0.10.9 ( #18374 )
2026-03-08 22:44:34 -04:00
Zanie Blue
8fedd25b41
Use uv 0.10.8 for internal workflows ( #18354 )
...
This should resolve GitHub Python download flakes
2026-03-06 19:45:40 +00:00