ci(deps): bump astral-sh/setup-uv from 5 to 7

[dependabot]

Bumps astral-sh/setup-uv from 5 to 7.

Release notes

Sourced from astral-sh/setup-uv's releases.

v7.2.1 🌈 update known checksums up to 0.9.28

Changes

🧰 Maintenance

• chore: update known checksums for 0.9.28 @github-actions[bot] (#744)
• chore: update known checksums for 0.9.27 @github-actions[bot] (#742)
• chore: update known checksums for 0.9.26 @github-actions[bot] (#734)
• chore: update known checksums for 0.9.25 @github-actions[bot] (#733)
• chore: update known checksums for 0.9.24 @github-actions[bot] (#730)

📚 Documentation

• Clarify impact of using actions/setup-python @​eifinger (#732)

⬆️ Dependency updates

• Bump zizmorcore/zizmor-action from 0.3.0 to 0.4.1 @dependabot[bot] (#741)

v7.0.0 🌈 node24 and a lot of bugfixes

Changes

This release comes with a load of bug fixes and a speed up. Because of switching from node20 to node24 it is also a breaking change. If you are running on GitHub hosted runners this will just work, if you are using self-hosted runners make sure, that your runners are up to date. If you followed the normal installation instructions your self-hosted runner will keep itself updated.

This release also removes the deprecated input server-url which was used to download uv releases from a different server. The manifest-file input supersedes that functionality by adding a flexible way to define available versions and where they should be downloaded from.

Fixes

• The action now respects when the environment variable UV_CACHE_DIR is already set and does not overwrite it. It now also finds cache-dir settings in config files if you set them.
• Some users encountered problems that cache pruning took forever because they had some uv processes running in the background. Starting with uv version 0.8.24 this action uses uv cache prune --ci --force to ignore the running processes
• If you just want to install uv but not have it available in path, this action now respects UV_NO_MODIFY_PATH
• Some other actions also set the env var UV_CACHE_DIR. This action can now deal with that but as this could lead to unwanted behavior in some edgecases a warning is now displayed.

Improvements

If you are using minimum version specifiers for the version of uv to install for example

[tool.uv]
required-version = ">=0.8.17"

This action now detects that and directly uses the latest version. Previously it would download all available releases from the uv repo to determine the highest matching candidate for the version specifier, which took much more time.

If you are using other specifiers like 0.8.x this action still needs to download all available releases because the specifier defines an upper bound (not 0.9.0 or later) and "latest" would possibly not satisfy that.

🚨 Breaking changes

... (truncated)

Commits

• 37802ad Fetch uv from Astral's mirror by default (#809)
• 9f00d18 chore(deps): bump zizmorcore/zizmor-action from 0.5.0 to 0.5.2 (#808)
• fd8f376 Switch to ESM for source and test, use CommonJS for dist (#806)
• f9070de Bump deps (#805)
• cadb67b chore: update known checksums for 0.10.10 (#804)
• e06108d Use astral-sh/versions as primary version provider (#802)
• 0f6ec07 docs: replace copilot instructions with AGENTS.md (#794)
• 821e5c9 docs: add cross-client dependabot rollup skill (#793)
• 6ee6290 chore(deps): bump versions (#792)
• 9f332a1 Add riscv64 architecture support to platform detection (#791)
• Additional commits viewable in compare view

[kilo-code-bot]

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Files Reviewed (18 files)

• .env.docker
• .env.production.example
• .github/workflows/deploy.yml
• .github/workflows/integration.yml
• .github/workflows/quality.yml
• .github/workflows/release.yml
• .github/workflows/test.yml
• .gitignore
• .spec_system/PRD/phase_00/PRD_phase_00.md
• .spec_system/PRD/phase_00/session_01_project_skeleton_and_config.md
• .spec_system/PRD/phase_00/session_02_composition_schema_and_db_models.md
• .spec_system/PRD/phase_00/session_03_storage_and_asset_service.md
• .spec_system/PRD/phase_00/session_04_editly_renderer_and_segment_compiler.md
• .spec_system/PRD/phase_00/session_05_render_service_and_api_endpoints.md
• .spec_system/PRD/phase_01/PRD_phase_01.md
• .spec_system/PRD/phase_01/session_01_redis_arq_queue_integration.md
• .spec_system/PRD/phase_01/session_02_worker_render_pipeline.md
• .spec_system/PRD/phase_01/session_03_progress_tracking_and_cancellation.md

---

_{Reviewed by nemotron-3-super-120b-a12b-20230311:free · 1,256,417 tokens}

[moshehbenavraham]

@dependabot rebase

(Rebasing after sibling PRs merged. setup-uv 5→7 is a two-major jump, marking as Needs human review per safe-merge policy — will not auto-merge. Reviewing v6 changelog before considering. — Developer agent)

[kilo-code-bot]

Incremental review completed. No new issues found.

[moshehbenavraham]

Reviewed by Developer agent on scheduled GitHub maintenance.

Not eligible for safe auto-merge — this is a TWO-major version bump (v5 → v7), and v7 introduces breaking changes beyond the Node 24 runtime upgrade:

• Removed deprecated input server-url (manifest-file supersedes it)
• Switched to ESM source/test (CommonJS preserved in dist)
• Switched primary version provider to astral-sh/versions
• Default uv source switched to Astral's mirror

If vidapi's workflows don't use server-url and rely on default uv source resolution, the upgrade is likely safe — but this is a deliberate audit step, not auto-merge.

Also flagging base SHA drift (PR base 90ffc71 vs current main fc0d7b8); posting @dependabot rebase to refresh the diff against current main.

@dependabot rebase

---

Recommended action: review v7 release notes (https://github.com/astral-sh/setup-uv/releases/tag/v7.0.0), confirm none of the breaking changes affect this repo's build/test/release pipelines, then merge manually.

🤖 Posted by the Developer agent on a scheduled GitHub maintenance run.

[kilo-code-bot]

Incremental review completed. No new issues found.

[moshehbenavraham]

Agent triage: Needs human review — not eligible for safe auto-merge.

Why not merged: This is a two-major action bump (astral-sh/setup-uv v5 → v7). My single-major Node-24-runtime rule (which makes v5→v6 auto-mergeable on GitHub-hosted runners) does NOT extend across two majors. The second major (v6 → v7) introduced additional breaking changes beyond just the Node 24 runtime upgrade — most relevantly, the server-url input was removed and the action switched to ESM internalization with a new astral-sh/versions source provider.

Recommendation: Read the v6 → v7 changelog at https://github.com/astral-sh/setup-uv/releases/tag/v7.0.0 and confirm none of your workflows (deploy/integration/quality/release/security/test.yml) rely on the removed server-url input or expect the old version-mirror source. If clean, merge manually — the next workflow run will use the new resolver.

Also note: vidapi main has been failing CI on schedule since 2026-05-07 against your Document deployment log locations commit (e7e1bee9). The Security workflow has been red for 2+ days. I'm skipping the vidapi queue overall until that's resolved so I don't pile new merges on a red baseline. Your call whether to revert the docs commit or fix the workflow.

No further auto-action from me on this PR.