Commit Graph

754 Commits

Author SHA1 Message Date
Zanie Blue 8093dfcaa9 Add a system test for the chainguard Python image (#18460)
Should require https://github.com/astral-sh/uv/pull/18457
2026-03-20 13:13:43 -05:00
Zanie Blue cedae1aa42 Trigger system tests when the system check file changes (#18590)
Co-authored-by: Claude <noreply@anthropic.com>
2026-03-20 16:22:01 +00:00
Zanie Blue 04bbd6a6ab Trigger benchmarks when bench workflow changes (#18589)
Co-authored-by: Claude <noreply@anthropic.com>
2026-03-20 16:19:09 +00:00
Zanie Blue 1597e9f96c Use a Depot runner for simulated benchmarks (#18585)
Hopefully, this means we will get consistent hardware and improve
stability
2026-03-20 12:28:10 +00:00
Zanie Blue f13abc388e Use a Termux image with Python pre-installed instead (#18573)
Created at https://github.com/astral-sh/termux-python

Termux's package repositories seem to be horribly unstable.
2026-03-19 20:59:13 +00:00
Zanie Blue c541a91c85 Add a test case for armv7 uv on aarch64 (#18532)
Reproduces https://github.com/astral-sh/uv/issues/18509
Related https://github.com/astral-sh/uv/pull/18517
Requires #18530
2026-03-18 18:59:47 -05:00
Zanie Blue 42c85f654f Add support for using Python 3.6 interpreters (#18454)
Applies a patch to use Python 3.6 compatible types in our vendored
`packaging` implementation used in the interpreter query script. Adds
Python 3.6 and 3.7 test coverage in CI.
2026-03-18 18:33:30 -05:00
renovate[bot] 165b63d09e Update docker/metadata-action action to v6 (#18501)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[docker/metadata-action](https://redirect.github.com/docker/metadata-action)
| action | major | `v5.10.0` → `v6.0.0` |

---

### Release Notes

<details>
<summary>docker/metadata-action (docker/metadata-action)</summary>

###
[`v6.0.0`](https://redirect.github.com/docker/metadata-action/releases/tag/v6.0.0)

[Compare
Source](https://redirect.github.com/docker/metadata-action/compare/v5.10.0...v6.0.0)

- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later) by [@&#8203;crazy-max](https://redirect.github.com/crazy-max)
in
[#&#8203;605](https://redirect.github.com/docker/metadata-action/pull/605)
- List inputs now preserve `#` inside values while still supporting
full-line `#` comments by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;607](https://redirect.github.com/docker/metadata-action/pull/607)
- Switch to ESM and update config/test wiring by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;602](https://redirect.github.com/docker/metadata-action/pull/602)
- Bump lodash from 4.17.21 to 4.17.23 in
[#&#8203;588](https://redirect.github.com/docker/metadata-action/pull/588)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
from 1.11.1 to 3.0.0 in
[#&#8203;599](https://redirect.github.com/docker/metadata-action/pull/599)
- Bump
[@&#8203;actions/github](https://redirect.github.com/actions/github)
from 6.0.1 to 9.0.0 in
[#&#8203;597](https://redirect.github.com/docker/metadata-action/pull/597)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.68.0 to 0.79.0 in
[#&#8203;604](https://redirect.github.com/docker/metadata-action/pull/604)
- Bump
[@&#8203;isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion)
from 5.0.0 to 5.0.1 in
[#&#8203;600](https://redirect.github.com/docker/metadata-action/pull/600)
- Bump semver from 7.7.3 to 7.7.4 in
[#&#8203;603](https://redirect.github.com/docker/metadata-action/pull/603)

**Full Changelog**:
<https://github.com/docker/metadata-action/compare/v5.10.0...v6.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-18 13:26:49 +00:00
renovate[bot] a47ae0cd35 Update docker/login-action action to v4 (#18500)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [docker/login-action](https://redirect.github.com/docker/login-action)
| action | major | `v3.7.0` → `v4.0.0` |

---

### Release Notes

<details>
<summary>docker/login-action (docker/login-action)</summary>

###
[`v4.0.0`](https://redirect.github.com/docker/login-action/releases/tag/v4.0.0)

[Compare
Source](https://redirect.github.com/docker/login-action/compare/v3.7.0...v4.0.0)

- Node 24 as default runtime (requires [Actions Runner
v2.327.1](https://redirect.github.com/actions/runner/releases/tag/v2.327.1)
or later) by [@&#8203;crazy-max](https://redirect.github.com/crazy-max)
in
[#&#8203;929](https://redirect.github.com/docker/login-action/pull/929)
- Switch to ESM and update config/test wiring by
[@&#8203;crazy-max](https://redirect.github.com/crazy-max) in
[#&#8203;927](https://redirect.github.com/docker/login-action/pull/927)
- Bump [@&#8203;actions/core](https://redirect.github.com/actions/core)
from 1.11.1 to 3.0.0 in
[#&#8203;919](https://redirect.github.com/docker/login-action/pull/919)
- Bump
[@&#8203;aws-sdk/client-ecr](https://redirect.github.com/aws-sdk/client-ecr)
from 3.890.0 to 3.1000.0 in
[#&#8203;909](https://redirect.github.com/docker/login-action/pull/909)
[#&#8203;920](https://redirect.github.com/docker/login-action/pull/920)
- Bump
[@&#8203;aws-sdk/client-ecr-public](https://redirect.github.com/aws-sdk/client-ecr-public)
from 3.890.0 to 3.1000.0 in
[#&#8203;909](https://redirect.github.com/docker/login-action/pull/909)
[#&#8203;920](https://redirect.github.com/docker/login-action/pull/920)
- Bump
[@&#8203;docker/actions-toolkit](https://redirect.github.com/docker/actions-toolkit)
from 0.63.0 to 0.77.0 in
[#&#8203;910](https://redirect.github.com/docker/login-action/pull/910)
[#&#8203;928](https://redirect.github.com/docker/login-action/pull/928)
- Bump
[@&#8203;isaacs/brace-expansion](https://redirect.github.com/isaacs/brace-expansion)
from 5.0.0 to 5.0.1 in
[#&#8203;921](https://redirect.github.com/docker/login-action/pull/921)
- Bump js-yaml from 4.1.0 to 4.1.1 in
[#&#8203;901](https://redirect.github.com/docker/login-action/pull/901)

**Full Changelog**:
<https://github.com/docker/login-action/compare/v3.7.0...v4.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-18 08:15:40 -05:00
Zanie Blue 17afca33e9 Upgrade the release build runners from Windows 2022 -> 2025 (#18528)
Needed for WinGet in #17543

The `windows-latest` label already changed
https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/

I don't think this should affect users.
2026-03-17 15:13:20 -05:00
renovate[bot] ebdd2bf4b9 Update zizmorcore/zizmor-action action to v0.5.2 (#18496) 2026-03-16 14:44:10 -04:00
renovate[bot] 6bde8a4e63 Update taiki-e/install-action action to v2.68.25 (#18495) 2026-03-16 14:43:54 -04:00
renovate[bot] d52c38980f Update dependency astral-sh/uv to v0.10.10 (#18489) 2026-03-16 14:41:43 -04:00
renovate[bot] 59123af42a Update CodSpeedHQ/action action to v4.11.1 (#18488) 2026-03-16 14:41:37 -04:00
renovate[bot] 24d81d2bf4 Update astral-sh/setup-uv action to v7.6.0 (#18515)
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-16 17:19:45 +00:00
Zanie Blue 34f967310f Add an integration test for Intel conda (#18461)
Reproduces #14267 — see
https://github.com/astral-sh/uv/actions/runs/23076175099/job/67037153580

Which is resolved by https://github.com/astral-sh/uv/pull/18452 — see
https://github.com/astral-sh/uv/actions/runs/23090030294/job/67074278041
2026-03-14 17:57:49 +00:00
Zanie Blue 9753c0991b Run the integration tests on changes (#18465) 2026-03-13 17:45:24 -05:00
Zanie Blue 91b73925e2 Run macOS tests whenever we build release binaries (#18458) 2026-03-13 19:47:01 +00:00
renovate[bot] afd816f3cd Update astral-sh/setup-uv action to v7.5.0 (#18432)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) |
action | minor | `v7.3.1` → `v7.5.0` |

---

### Release Notes

<details>
<summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary>

###
[`v7.5.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v7.5.0):
🌈 Use &#x60;astral-sh/versions&#x60; as version provider

[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.4.0...v7.5.0)

### No more rate-limits

This release addresses a long-standing source of timeouts and rate-limit
failures in setup-uv.

Previously, the action resolved version identifiers like 0.5.x by
iterating over available uv releases via the GitHub API to find the best
match. In contrast, latest and exact versions such as 0.5.0 skipped
version resolution entirely and downloaded uv directly.

The `manifest-file` input was an earlier attempt to improve this. It
allows providing an url to a file that lists available versions,
checksums, and even custom download URLs. The action also shipped with
such a manifest.
However, because that bundled file could become outdated whenever new uv
releases were published, the action still had to fall back to the GitHub
API in many cases.

This release solves the problem by sourcing version data from Astral’s
versions repository via the raw content endpoint:


<https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson>

By using the raw endpoint instead of the GitHub API, version resolution
no longer depends on API authentication and is much less likely to run
into rate limits or timeouts.

***

> \[!TIP]
> The next section is only interesting for users of the `manifest-file`
input

The `manifest-file` input lets you override that source with your own
URL, for example to test custom uv builds or alternate download
locations.

The manifest file must be in NDJSON format, where each line is a JSON
object representing a version and its artifacts. For example:

```json
{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
```

> \[!WARNING]\
> The old format still works but is deprecated. A warning will be logged
when you use it.

#### Changes

- docs: replace copilot instructions with AGENTS.md
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;794](https://redirect.github.com/astral-sh/setup-uv/issues/794))

#### 🚀 Enhancements

- Use astral-sh/versions as primary version provider
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;802](https://redirect.github.com/astral-sh/setup-uv/issues/802))

#### 📚 Documentation

- docs: add cross-client dependabot rollup skill
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;793](https://redirect.github.com/astral-sh/setup-uv/issues/793))

###
[`v7.4.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v7.4.0):
🌈 Add riscv64 architecture support to platform detection

[Compare
Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.3.1...v7.4.0)

##### Changes

Thank you [@&#8203;luhenry](https://redirect.github.com/luhenry) for
adding support for riscv64 arch

##### 🚀 Enhancements

- Add riscv64 architecture support to platform detection
[@&#8203;luhenry](https://redirect.github.com/luhenry)
([#&#8203;791](https://redirect.github.com/astral-sh/setup-uv/issues/791))

##### 🧰 Maintenance

- Delete .github/workflows/dependabot-build.yml
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;789](https://redirect.github.com/astral-sh/setup-uv/issues/789))
- Harden Dependabot build workflow
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;788](https://redirect.github.com/astral-sh/setup-uv/issues/788))
- Fix: check PR author instead of event sender for Dependabot detection
[@&#8203;eifinger-bot](https://redirect.github.com/eifinger-bot)
([#&#8203;787](https://redirect.github.com/astral-sh/setup-uv/issues/787))
- chore: update known checksums for 0.10.9
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;783](https://redirect.github.com/astral-sh/setup-uv/issues/783))
- Add workflow to auto-build dist on Dependabot PRs
[@&#8203;eifinger-bot](https://redirect.github.com/eifinger-bot)
([#&#8203;782](https://redirect.github.com/astral-sh/setup-uv/issues/782))
- chore: update known checksums for 0.10.8
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;779](https://redirect.github.com/astral-sh/setup-uv/issues/779))
- chore: update known checksums for 0.10.7
@&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions)
([#&#8203;775](https://redirect.github.com/astral-sh/setup-uv/issues/775))

##### ⬆️ Dependency updates

- chore(deps): bump versions
[@&#8203;eifinger](https://redirect.github.com/eifinger)
([#&#8203;792](https://redirect.github.com/astral-sh/setup-uv/issues/792))
- Bump actions/setup-node from 6.2.0 to 6.3.0
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
([#&#8203;790](https://redirect.github.com/astral-sh/setup-uv/issues/790))
- Bump eifinger/actionlint-action from 1.10.0 to 1.10.1
@&#8203;[dependabot\[bot\]](https://redirect.github.com/apps/dependabot)
([#&#8203;778](https://redirect.github.com/astral-sh/setup-uv/issues/778))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-13 07:51:23 +00:00
Zanie Blue 273d29b8f2 Allow snapshots to be updated from failures in CI (#18424)
Persists snapshots as artifacts on test failure in CI and adds a script
to apply them locally

```
❯ ./scripts/apply-ci-snapshots.sh
Found pull request #18424 for branch 'zb/ci-snapshots'...
Found latest CI run 23022983761
Downloading pending snapshot artifacts...
Downloaded 3 artifacts
Applying 2 snapshot changes...
accepted:
  crates/uv/tests/it/pip_install.rs:13679 (transitive_dependency_config_settings_invalidation-2)
  crates/uv/tests/it/python_install.rs:1694 (python_install_default-5)
```

We infer the target run via the `gh` CLI. You may also provide the run
ID directly.

We'll merge snapshot artifacts from multiple platforms, so if there are
platform-specific failures on both Linux and Windows we'll apply both.
2026-03-12 17:13:28 -05:00
messense 91823b6c11 Add riscv64 musl target to build-release-binaries workflow (#18228)
## Summary

Closes #16063

## Test Plan

Test on GitHub Actions:
https://github.com/astral-sh/uv/actions/runs/22535106542/job/65281038532?pr=18228
2026-03-10 11:36:46 +01:00
renovate[bot] e4a4e75e77 Update actions/attest-build-provenance action to v4 (#18382)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/attest-build-provenance](https://redirect.github.com/actions/attest-build-provenance)
| action | major | `v3.2.0` → `v4.1.0` |

---

### Release Notes

<details>
<summary>actions/attest-build-provenance
(actions/attest-build-provenance)</summary>

###
[`v4.1.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v4.1.0)

[Compare
Source](https://redirect.github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0)

> \[!NOTE]
> As of version 4, `actions/attest-build-provenance` is simply a wrapper
on top of
[`actions/attest`](https://redirect.github.com/actions/attest).
>
> Existing applications may continue to use the
`attest-build-provenance` action, but new implementations should use
`actions/attest` instead.

#### What's Changed

- Update RELEASE.md docs by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[#&#8203;836](https://redirect.github.com/actions/attest-build-provenance/pull/836)
- Bump `actions/attest` from 4.0.0 to 4.1.0 by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[#&#8203;838](https://redirect.github.com/actions/attest-build-provenance/pull/838)
- Bump `@actions/attest` from 3.0.0 to 3.1.0 by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[actions/attest#362](https://redirect.github.com/actions/attest/pull/362)
- Bump `@actions/attest` from 3.1.0 to 3.2.0 by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[actions/attest#365](https://redirect.github.com/actions/attest/pull/365)
- Add new `subject-version` input for inclusion in storage record by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[actions/attest#364](https://redirect.github.com/actions/attest/pull/364)
- Add storage record content to README by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[actions/attest#366](https://redirect.github.com/actions/attest/pull/366)

**Full Changelog**:
<https://github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0>

###
[`v4.0.0`](https://redirect.github.com/actions/attest-build-provenance/releases/tag/v4.0.0)

[Compare
Source](https://redirect.github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0)

> \[!NOTE]
> As of version 4, `actions/attest-build-provenance` is simply a wrapper
on top of
[`actions/attest`](https://redirect.github.com/actions/attest).
>
> Existing applications may continue to use the
`attest-build-provenance` action, but new implementations should use
`actions/attest` instead.

#### What's Changed

- Prepare v4 release by
[@&#8203;bdehamer](https://redirect.github.com/bdehamer) in
[#&#8203;835](https://redirect.github.com/actions/attest-build-provenance/pull/835)

**Full Changelog**:
<https://github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-09 21:01:57 +08:00
renovate[bot] 50d5d89079 Update taiki-e/install-action action to v2.68.16 (#18381) 2026-03-08 22:47:13 -04:00
renovate[bot] a653c3d09c Update crate-ci/typos action to v1.44.0 (#18379) 2026-03-08 22:46:57 -04:00
renovate[bot] cf668efe84 Update CodSpeedHQ/action action to v4.11.0 (#18378) 2026-03-08 22:46:49 -04:00
renovate[bot] 0a17ba5406 Update dependency astral-sh/uv to v0.10.9 (#18374) 2026-03-08 22:44:34 -04:00
Zanie Blue 8fedd25b41 Use uv 0.10.8 for internal workflows (#18354)
This should resolve GitHub Python download flakes
2026-03-06 19:45:40 +00:00
Zanie Blue 9345450b4c Use cargo auditable to include SBOM in uv builds (#18276)
Inspired by #18252 

This required an upstream change
https://github.com/rust-secure-code/cargo-auditable/pull/245 which is
now released.

This increases binary sizes slightly, ~4KB.

The cargo wrapper implementation will be extended in #18280 to code sign
binaries.
2026-03-06 11:38:02 -06:00
Zanie Blue a13ba947c9 Add a development build of aarch64-linux-android to CI (#18333)
Part of https://github.com/astral-sh/uv/issues/14574

Adds a cross-compiled build for the `aarch64-linux-android` target using
the Android NDK available on the runner.

Requires #18324
2026-03-06 16:45:20 +00:00
Zanie Blue bb8970a982 Add a Termux integration test (#18332)
After this, I want to figure out how to unify more of the smoke, system,
and integration tests, but this seems like a sufficient start for Termux
testing.
2026-03-06 16:44:16 +00:00
Zanie Blue ccd1ea99ae Skip building of dhi images in contributor pull requests (#18330)
These require authentication to pull.
2026-03-06 10:22:41 -06:00
renovate[bot] 686f43e67e Update PyO3/maturin-action action to v1.50.1 (#18343)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [PyO3/maturin-action](https://redirect.github.com/PyO3/maturin-action)
| action | patch | `v1.50.0` → `v1.50.1` |

---

### Release Notes

<details>
<summary>PyO3/maturin-action (PyO3/maturin-action)</summary>

###
[`v1.50.1`](https://redirect.github.com/PyO3/maturin-action/releases/tag/v1.50.1)

[Compare
Source](https://redirect.github.com/PyO3/maturin-action/compare/v1.50.0...v1.50.1)

##### What's Changed

- Remove ziglang bound by
[@&#8203;konstin](https://redirect.github.com/konstin) in
[#&#8203;418](https://redirect.github.com/PyO3/maturin-action/pull/418)
- Try reactivating Windows ARM by
[@&#8203;konstin](https://redirect.github.com/konstin) in
[#&#8203;419](https://redirect.github.com/PyO3/maturin-action/pull/419)

**Full Changelog**:
<https://github.com/PyO3/maturin-action/compare/v1...v1.50.1>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-06 15:26:48 +01:00
renovate[bot] 95bc471164 Update maturin to v1.12.6 (#18342)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [maturin](https://redirect.github.com/PyO3/maturin) | patch |
`v1.12.4` → `v1.12.6` |

---

### Release Notes

<details>
<summary>PyO3/maturin (maturin)</summary>

###
[`v1.12.6`](https://redirect.github.com/PyO3/maturin/releases/tag/v1.12.6)

[Compare
Source](https://redirect.github.com/PyO3/maturin/compare/v1.12.5...v1.12.6)

##### What's Changed

- Sync legacy\_py.rs with upstream PyPI warehouse legacy.py
([#&#8203;3053](https://redirect.github.com/PyO3/maturin/pull/3053))
- Keep cargo build artifact at original path after staging
([#&#8203;3054](https://redirect.github.com/PyO3/maturin/pull/3054))

**Full Changelog**:
<https://github.com/PyO3/maturin/compare/v1.12.5...v1.12.6>

###
[`v1.12.5`](https://redirect.github.com/PyO3/maturin/releases/tag/v1.12.5)

[Compare
Source](https://redirect.github.com/PyO3/maturin/compare/v1.12.4...v1.12.5)

##### What's Changed

- feat: include debug info files (.pdb, .dSYM, .dwp) in wheels by
[@&#8203;messense](https://redirect.github.com/messense) in
[#&#8203;3024](https://redirect.github.com/PyO3/maturin/pull/3024)
- Fix wrong abi3 tag for conditional cargo features enabled pyo3 abi3
feature by [@&#8203;messense](https://redirect.github.com/messense) in
[#&#8203;3029](https://redirect.github.com/PyO3/maturin/pull/3029)
- fix: `maturin build --sdist` wheel name/layout for excluded workspace
crates by [@&#8203;messense](https://redirect.github.com/messense) in
[#&#8203;3031](https://redirect.github.com/PyO3/maturin/pull/3031)
- fix: preserve wheel output dir when building from unpacked sdist by
[@&#8203;messense](https://redirect.github.com/messense) in
[#&#8203;3036](https://redirect.github.com/PyO3/maturin/pull/3036)
- feat: add python-implementation condition to conditional features by
[@&#8203;messense](https://redirect.github.com/messense) in
[#&#8203;3038](https://redirect.github.com/PyO3/maturin/pull/3038)
- Update zip to 8.1 by
[@&#8203;musicinmybrain](https://redirect.github.com/musicinmybrain) in
[#&#8203;3039](https://redirect.github.com/PyO3/maturin/pull/3039)
- Use the latest version of github actions by
[@&#8203;Armavica](https://redirect.github.com/Armavica) in
[#&#8203;3040](https://redirect.github.com/PyO3/maturin/pull/3040)
- Use renovate and pinned hashes for GitHub Actions by
[@&#8203;konstin](https://redirect.github.com/konstin) in
[#&#8203;3043](https://redirect.github.com/PyO3/maturin/pull/3043)
- chore(deps): update taiki-e/install-action digest to
[`7410117`](https://redirect.github.com/PyO3/maturin/commit/7410117) by
[@&#8203;renovate](https://redirect.github.com/renovate)\[bot] in
[#&#8203;3046](https://redirect.github.com/PyO3/maturin/pull/3046)
- Fix non-existent comment tag by
[@&#8203;konstin](https://redirect.github.com/konstin) in
[#&#8203;3044](https://redirect.github.com/PyO3/maturin/pull/3044)
- chore(deps): update dtolnay/rust-toolchain digest to
[`efa25f7`](https://redirect.github.com/PyO3/maturin/commit/efa25f7) by
[@&#8203;renovate](https://redirect.github.com/renovate)\[bot] in
[#&#8203;3045](https://redirect.github.com/PyO3/maturin/pull/3045)
- chore(deps): update actions/attest-build-provenance action to v4 by
[@&#8203;renovate](https://redirect.github.com/renovate)\[bot] in
[#&#8203;3047](https://redirect.github.com/PyO3/maturin/pull/3047)
- Use mmap for faster warn\_missing\_py\_init by
[@&#8203;orlp](https://redirect.github.com/orlp) in
[#&#8203;2950](https://redirect.github.com/PyO3/maturin/pull/2950), to
be safe we now move the cargo built artifact to `target/maturin` so this
may cause breakage if you rely on it in standard cargo `target/`
location

##### New Contributors

- [@&#8203;Armavica](https://redirect.github.com/Armavica) made their
first contribution in
[#&#8203;3040](https://redirect.github.com/PyO3/maturin/pull/3040)
- [@&#8203;renovate](https://redirect.github.com/renovate)\[bot] made
their first contribution in
[#&#8203;3046](https://redirect.github.com/PyO3/maturin/pull/3046)
- [@&#8203;orlp](https://redirect.github.com/orlp) made their first
contribution in
[#&#8203;2950](https://redirect.github.com/PyO3/maturin/pull/2950)

**Full Changelog**:
<https://github.com/PyO3/maturin/compare/v1.12.4...v1.12.5>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on
Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule
defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/astral-sh/uv).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41Ni4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTYuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsiYnVpbGQ6c2tpcC1kb2NrZXIiLCJidWlsZDpza2lwLXJlbGVhc2UiLCJpbnRlcm5hbCJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-03-06 15:26:02 +01:00
Alessandro Molina 6036575324 Handle the hard link limit gracefully instead of failing (#17699)
## Summary

Handle the case where too many hardlinks were created and thus
installing packages fails.

There are cases where the file system can have a hardlinks limit and
when it's hit `uv` fails,
for example AWS EFS that has a limit of 177 hard links (
https://docs.aws.amazon.com/efs/latest/ug/troubleshooting-efs-fileop-errors.html#hardlinkerror
)

This PR address this by resetting the hardlinks when the limit is
reached (it does this by replacing the file in the cache, so new
hardlinks can be made)

There can be race conditions over the limit, but those are ok, as the
links are reset atomically so in case of race conditions the worst case
will be that the limit is reset twice, but nothing will break.

## Test Plan

Add a `install_hardlink_after_emlink` function, it successfully
reproduced the issue on my system.
The issue is that it's expensive to run as it has to generate a lot of
hardlinks

---------

Co-authored-by: Tomasz Kramkowski <tom@astral.sh>
2026-03-05 23:43:34 +00:00
Zanie Blue 4eed07269b Use --no-project in graalpy integration test (#18314) 2026-03-05 13:01:37 +00:00
Zanie Blue 02e92aed3b Fix debian system test which was building uv by accident (#18294) 2026-03-04 16:38:06 -06:00
Zanie Blue 4ff4720da5 Use uv to manage our Python documentation dependencies (#18263)
I want to lock our Zig build dependencies and this is an incremental
step towards doing so via uv
2026-03-04 09:52:15 -06:00
Zanie Blue b9abe15562 Add SBOM attestations to Docker images (#18252)
Adds SBOM attestations
https://docs.docker.com/build/metadata/attestations/sbom/

Requires https://github.com/rust-secure-code/cargo-auditable/pull/236
for our uv binaries and their dependencies to be included in the SBOM

You can inspect the SBOM with, e.g.:

```
docker buildx imagetools inspect ghcr.io/astral-sh/uv-dev:sha-ece6427 --format '{{json .SBOM}}' | jq
docker buildx imagetools inspect ghcr.io/astral-sh/uv-dev:sha-ece6427-python3.9-trixie --format '{{json .SBOM}}' | jq
```

Also explicitly sets
https://docs.docker.com/build/metadata/attestations/slsa-provenance/#max
but there appears to be no change as all of the max SLSA data is already
present.
2026-03-03 12:14:06 -06:00
Zanie Blue 74fe4a0431 Vendor mold installation and add more retries (#18271) 2026-03-03 11:59:58 -06:00
Zanie Blue 18391e295f Fix Docker build tests when push is disabled (#18265) 2026-03-03 10:12:59 -06:00
Zanie Blue 33ae43d341 Add Docker images based on Docker Hardened Images (#18247) 2026-03-03 08:45:19 -06:00
Zanie Blue e0f99d1985 Allow pushing Docker images in pull requests for testing (#18253)
I need to test features that require push to a registry, e.g., #18252,
and want to do so without releasing. This adds publish to a `uv-dev`
namespace and uses the sha instead of the version. It requires the
`release-test` environment, which is allowed from non-main but requires
approval from me to run. It is trigged by the `build:push-docker` label.

See https://github.com/astral-sh/uv/pkgs/container/uv-dev
2026-03-03 07:40:23 -06:00
Zanie Blue 10e84d18ff Ensure the astral-test-pypa-gh-action test case fails on script bugs (#18175)
Per https://github.com/astral-sh/uv/pull/18174 this should fail but it
depends on hitting the simple API in the middle of a release being
uploaded.
2026-03-02 08:41:46 -06:00
renovate[bot] f1caf44bcc Update crate-ci/typos action to v1.43.5 (#18234) 2026-03-01 20:59:27 -05:00
renovate[bot] 29e4faf9eb Update maturin to v1.12.4 (#18236) 2026-03-01 20:54:48 -05:00
renovate[bot] 6aed9d626f Update dependency astral-sh/uv to v0.10.7 (#18235) 2026-03-01 20:54:21 -05:00
renovate[bot] cd0589a7bd Update astral-sh/setup-uv action to v7.3.1 (#18233) 2026-03-01 20:54:15 -05:00
Zsolt Dollenstein 474eb05634 Build and test Windows aarch64 binaries natively (#18213)
Previously, aarch64 Windows binaries were cross-compiled on x86_64 hosts
in both build-release-binaries.yml and build-dev-binaries.yml, with the
wheel test steps explicitly skipped for aarch64 targets.

> [!NOTE]
> We need to ensure that the `github-windows-11-aarch64-8` runner exists
in the astral-sh org before this job can run.

Release binaries are now built on `github-windows-11-aarch64-8`, and
tests are enabled.

Dev binaries are now built on `windows-11-arm`, which is a standard
4-core ARM runner, with the timeout reduced from 25 to 10 minutes.
2026-02-27 17:12:13 -06:00
Zsolt Dollenstein c0e7c21980 Upload extra release artifacts to mirror (#18219)
@Gankra pointed out that the installer scripts and sha256 checksums are
helpful to also preserve on the mirror.

This is a followup to #18159.
2026-02-27 20:16:31 +00:00
Zsolt Dollenstein f84b02b870 installers: Download uv releases from a mirror (#18191)
Co-authored-by: Aria Desires <aria.desires@gmail.com>
2026-02-27 11:58:00 -05:00