Update astral-sh/setup-uv action to v8 (#450)

renovate[bot] · web-flow · commit 22bb47af3f4b · 2026-04-06T09:51:19.000-04:00
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [astral-sh/setup-uv](https://redirect.github.com/astral-sh/setup-uv) | action | major | `v7.6.0` → `v8.0.0` | --- ### Release Notes <details> <summary>astral-sh/setup-uv (astral-sh/setup-uv)</summary> ### [`v8.0.0`](https://redirect.github.com/astral-sh/setup-uv/releases/tag/v8.0.0): 🌈 Immutable releases and secure tags [Compare Source](https://redirect.github.com/astral-sh/setup-uv/compare/v7.6.0...v8.0.0) ##### This is the first immutable release of `setup-uv` 🥳 All future releases are also immutable, if you want to know more about what this means checkout [the docs](https://docs.github.com/en/code-security/concepts/supply-chain-security/immutable-releases). This release also has two breaking changes ##### New format for `manifest-file` The previously deprecated way of defining a custom version manifest to control which `uv` versions are available and where to download them from got removed. The functionality is still there but you have to use the [new format](https://redirect.github.com/astral-sh/setup-uv/blob/main/docs/customization.md#format). ##### No more major and minor tags To increase **security** even more we will **stop publishing minor tags**. You won't be able to use `@v8` or `@v8.0` any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to [tj-actions](https://unit42.paloaltonetworks.com/github-actions-supply-chain-attack/). > \[!TIP] > Use the immutable tag as a version `astral-sh/setup-uv@v8.0.0` > Or even better the githash `astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57` ##### 🚨 Breaking changes - Remove update-major-minor-tags workflow [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;826](https://redirect.github.com/astral-sh/setup-uv/issues/826)) - Remove deprecrated custom manifest [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;813](https://redirect.github.com/astral-sh/setup-uv/issues/813)) ##### 🧰 Maintenance - Shortcircuit latest version from manifest [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;828](https://redirect.github.com/astral-sh/setup-uv/issues/828)) - Simplify inputs.ts [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;827](https://redirect.github.com/astral-sh/setup-uv/issues/827)) - Bump release-drafter to v7.1.1 [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;825](https://redirect.github.com/astral-sh/setup-uv/issues/825)) - Refactor inputs [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;823](https://redirect.github.com/astral-sh/setup-uv/issues/823)) - Replace inline compile args with tsconfig [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;824](https://redirect.github.com/astral-sh/setup-uv/issues/824)) - chore: update known checksums for 0.11.2 @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#&#8203;821](https://redirect.github.com/astral-sh/setup-uv/issues/821)) - chore: update known checksums for 0.11.1 @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#&#8203;817](https://redirect.github.com/astral-sh/setup-uv/issues/817)) - chore: update known checksums for 0.11.0 @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#&#8203;815](https://redirect.github.com/astral-sh/setup-uv/issues/815)) - Fix latest-version workflow check [@&#8203;eifinger](https://redirect.github.com/eifinger) ([#&#8203;812](https://redirect.github.com/astral-sh/setup-uv/issues/812)) - chore: update known checksums for 0.10.11/0.10.12 @&#8203;[github-actions\[bot\]](https://redirect.github.com/apps/github-actions) ([#&#8203;811](https://redirect.github.com/astral-sh/setup-uv/issues/811)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/bufbuild/protovalidate-python).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -29,7 +29,7 @@ jobs:
           go-version: stable
           # We use this to install `buf`, and the `buf` version is controlled by the Makefile.
           cache-dependency-path: Makefile
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
         with:
           python-version: ${{ matrix.python-version }}
       - run: make install
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -19,7 +19,7 @@ jobs:
         run: |
           VERSION=${{github.head_ref}}
           echo "VERSION=${VERSION##*/}" >> $GITHUB_ENV
-      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
+      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
       - name: Build release
         run: |
           uv build
