
chore(deps): update astral-sh/setup-uv action to v8 #668

Open

renovate-bot-cbcoutinho[bot] wants to merge 1 commit into master from renovate/astral-sh-setup-uv-8.x

Conversation

renovate-bot-cbcoutinho (Contributor, bot) commented Mar 29, 2026

This PR contains the following updates:

Package | Type | Update | Change
astral-sh/setup-uv | action | major | v7.6.0 → v8.1.0

Release Notes

astral-sh/setup-uv (astral-sh/setup-uv)

v8.1.0: 🌈 New input no-project

Compare Source

Changes

This adds a new boolean input no-project.
It only makes sense to use in combination with activate-environment: true and will append --no-project to the uv venv call. This is, for example, useful if you have a pyproject.toml file with parts unparseable by uv.

🚀 Enhancements
🧰 Maintenance
📚 Documentation
⬆️ Dependency updates

v8.0.0: 🌈 Immutable releases and secure tags

Compare Source

This is the first immutable release of setup-uv 🥳

All future releases are also immutable; if you want to know more about what this means, check out the docs.

This release also has two breaking changes:

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more, we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

Tip:
Use the immutable tag as a version: astral-sh/setup-uv@v8.0.0
Or, even better, the git hash: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes
🧰 Maintenance

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

claude (bot) commented Mar 29, 2026

PR Review: chore(deps): update astral-sh/setup-uv action to v8

This is a straightforward, low-risk dependency update from Renovate Bot.

Summary: Updates astral-sh/setup-uv from v7.6.0 to v8.0.0 across 3 workflow files (rag-evaluation.yml, release.yml, test.yml). All 5 occurrences are updated consistently.

Security: This is a security improvement. v8.0.0 introduces immutable releases, preventing supply chain attacks like the tj-actions incident. Major/minor version tags are no longer published by the action maintainers, forcing users to pin to exact versions or commit hashes. The repo was already using commit hash pinning, so the transition is seamless.

Breaking Changes: v8 removes the old manifest-file format. Since the workflows only use setup-uv for basic installation with no custom manifest files configured, this breaking change does not apply here.

Potential Issues: None identified. This is a CI-only change with no impact on application code, tests, or runtime behavior.

Verdict: Safe to merge. Low risk, security-positive update with no application impact.

renovate-bot-cbcoutinho (bot) force-pushed the renovate/astral-sh-setup-uv-8.x branch from e61d8a6 to a963c63 on April 17, 2026 04:18

claude (bot) commented Apr 17, 2026

PR Review: chore(deps): update astral-sh/setup-uv action to v8

This is a straightforward Renovate-managed CI dependency update. Here's a quick review:

Summary

Updates astral-sh/setup-uv from v7.6.0 → v8.1.0 across 3 workflow files (test.yml, release.yml, rag-evaluation.yml).

Observations

Security (positive): The action is pinned to a specific commit SHA (08807647e7069bb48b6ef5acd8ec9567f424441b) with the version tag as a comment. This is exactly the right approach, and notably aligns with v8.0.0's own security guidance — it dropped mutable major/minor tags (@v8, @v8.0) to prevent supply chain attacks like the tj-actions incident.

Consistency: All 5 occurrences across the 3 files are updated uniformly — no stragglers left on the old version.

Breaking changes: v8.0.0 removed support for the old manifest-file format and dropped major/minor mutable tags. Neither of these features appears to be used in this repo, so there is no impact.

Functional changes: The new no-project input added in v8.1.0 is not used here — this is a clean version bump with no behavioral changes needed.

Verdict

LGTM. Low-risk, appropriate dependency update. Safe to merge.
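The pinning advice in the setup-uv v8.0.0 release notes above (an immutable tag, or better, the commit hash) and the reviewer's observation that this repo already pins a commit SHA with the version tag as a trailing comment both reduce to one mechanical check. What follows is an added example, not code from this PR, from Renovate or from astral-sh/setup-uv: a small Python audit that scans workflow YAML for `uses:` references, classifies each ref as a 40-hex commit SHA, an exact version tag, a floating major/minor tag (the `@v8` / `@v8.0` form setup-uv v8 no longer publishes) or a branch/other ref, and flags the mutable ones plus any SHA pin that lacks a `# vX.Y.Z` comment naming its release. The embedded workflow text is constructed for the example, the action names other than astral-sh/setup-uv are hypothetical, and the second 40-hex SHA in it is a made-up value, not a real commit.

```python
"""Audit GitHub Actions ``uses:`` references for mutable pins.

Added example, not code from this PR or from astral-sh/setup-uv. It reports
floating tags (v8, v8.0) and branch refs, which a retargeted tag (the
tj-actions incident) turns against the caller, treats an exact tag as a
warning because tags stay mutable unless the publisher makes releases
immutable, and expects every SHA pin to carry the ``# vX.Y.Z`` comment that
Renovate updates in PRs like this one.
"""
import re
import sys
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample workflow text, not the repository's real files. The
# some-org actions are hypothetical and the 0123...4567 SHA is made up.
SAMPLE_WORKFLOW = """\
name: test
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
      - uses: astral-sh/setup-uv@v8
      - uses: astral-sh/setup-uv@v8.0.0
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567 # v5
      - uses: some-org/other-action@main
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.20
"""

# `- uses: <target> # <first comment word> ...`; the first comment word is
# where the pinned release tag conventionally sits.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)(?:\s*#\s*(\S+).*)?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+\.\d+$")
FLOATING_TAG_RE = re.compile(r"^v?\d+(\.\d+)?$")


class Pin(NamedTuple):
    line: int
    action: str
    ref: str
    comment: Optional[str]
    kind: str  # sha | exact-tag | floating-tag | other-ref | local | docker


def classify_ref(ref: str) -> str:
    """Map the part after '@' to a pin category."""
    if SHA_RE.match(ref):
        return "sha"
    if EXACT_TAG_RE.match(ref):
        return "exact-tag"
    if FLOATING_TAG_RE.match(ref):
        return "floating-tag"
    return "other-ref"  # branch names, pre-release tags, anything else mutable


def parse_uses(text: str) -> List[Pin]:
    """Extract every `uses:` reference from workflow text with its line number."""
    pins: List[Pin] = []
    for n, raw in enumerate(text.splitlines(), 1):
        m = USES_RE.match(raw)
        if not m:
            continue
        target, comment = m.group(1), m.group(2)
        if target.startswith("./"):
            pins.append(Pin(n, target, "", comment, "local"))
        elif target.startswith("docker://"):
            pins.append(Pin(n, target, "", comment, "docker"))
        else:
            action, _, ref = target.partition("@")
            pins.append(Pin(n, action, ref, comment, classify_ref(ref)))
    return pins


def audit(text: str) -> List[Tuple[str, int, str]]:
    """Return (severity, line, message) findings for mutable or unlabeled pins."""
    findings: List[Tuple[str, int, str]] = []
    for p in parse_uses(text):
        if p.kind in ("floating-tag", "other-ref"):
            findings.append(("error", p.line,
                f"{p.action}@{p.ref} is a mutable ref ({p.kind}); pin a 40-char commit SHA"))
        elif p.kind == "exact-tag":
            findings.append(("warn", p.line,
                f"{p.action}@{p.ref} is an exact tag; prefer the commit SHA it resolves to"))
        elif p.kind == "sha" and not (p.comment and EXACT_TAG_RE.match(p.comment)):
            findings.append(("warn", p.line,
                f"{p.action} SHA pin has no '# vX.Y.Z' comment; tooling cannot tell which release it is"))
    return findings


def main(argv: List[str]) -> int:
    """Audit the files given on the command line, or the embedded sample."""
    if len(argv) < 2:
        sources = [("<sample>", SAMPLE_WORKFLOW)]
    else:
        sources = []
        for path in argv[1:]:
            with open(path, encoding="utf-8") as fh:
                sources.append((path, fh.read()))
    had_error = False
    for name, text in sources:
        for sev, line, msg in audit(text):
            print(f"{name}:{line}: {sev}: {msg}")
            had_error |= sev == "error"
    return 1 if had_error else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as `python audit_pins.py .github/workflows/*.yml` in CI; the non-zero exit on any floating or branch ref makes a regression to `@v8`-style pinning fail the build rather than silently resolve (or, for setup-uv v8, silently stop resolving). The script deliberately does not verify that the SHA really is the commit the `# v8.1.0` comment names; that needs a network call (`git ls-remote --tags`) against the action repo and is the natural next step.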
