chore(deps): update astral-sh/setup-uv action to v8 by renovate[bot] · Pull Request #234 · chgl/.github

renovate · 2026-03-30T01:34:15Z

This PR contains the following updates:

Package	Type	Update	Change
astral-sh/setup-uv	action	major	`v7.6.0` → `v8.0.0`

Release Notes

astral-sh/setup-uv (astral-sh/setup-uv)

`v8.0.0`: 🌈 Immutable releases and secure tags

Compare Source

This is the first immutable release of `setup-uv` 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for `manifest-file`

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP]
Use the immutable tag as a version astral-sh/setup-uv@v8.0.0
Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

Remove update-major-minor-tags workflow @eifinger (#826)
Remove deprecrated custom manifest @eifinger (#813)

🧰 Maintenance

Shortcircuit latest version from manifest @eifinger (#828)
Simplify inputs.ts @eifinger (#827)
Bump release-drafter to v7.1.1 @eifinger (#825)
Refactor inputs @eifinger (#823)
Replace inline compile args with tsconfig @eifinger (#824)
chore: update known checksums for 0.11.2 @github-actions[bot] (#821)
chore: update known checksums for 0.11.1 @github-actions[bot] (#817)
chore: update known checksums for 0.11.0 @github-actions[bot] (#815)
Fix latest-version workflow check @eifinger (#812)
chore: update known checksums for 0.10.11/0.10.12 @github-actions[bot] (#811)

Configuration

📅 Schedule: (UTC)

Branch creation
- Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

github-actions · 2026-03-30T01:38:29Z

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	4	0	0	0.18s
✅ COPYPASTE	jscpd	yes	no	no	1.25s
✅ DOCKERFILE	hadolint	1	0	0	0.16s
✅ JSON	jsonlint	3	0	0	0.21s
✅ JSON	prettier	3	0	0	0.68s
✅ JSON	v8r	3	0	0	2.52s
✅ MARKDOWN	markdownlint	1	0	0	0.66s
✅ MARKDOWN	markdown-table-formatter	1	0	0	0.42s
✅ PYTHON	bandit	1	0	0	2.19s
✅ PYTHON	black	1	0	0	0.86s
✅ PYTHON	flake8	1	0	0	0.47s
✅ PYTHON	isort	1	0	0	0.21s
✅ PYTHON	mypy	1	0	0	3.12s
✅ PYTHON	pylint	1	0	0	3.78s
✅ PYTHON	pyright	1	0	0	1.7s
✅ PYTHON	ruff	1	0	0	0.03s
✅ REPOSITORY	checkov	yes	no	no	23.87s
✅ REPOSITORY	dustilock	yes	no	no	0.03s
✅ REPOSITORY	gitleaks	yes	no	no	0.41s
✅ REPOSITORY	git_diff	yes	no	no	0.01s
✅ REPOSITORY	grype	yes	no	no	40.77s
✅ REPOSITORY	kics	yes	no	no	3.35s
✅ REPOSITORY	kingfisher	yes	no	no	5.94s
✅ REPOSITORY	secretlint	yes	no	no	1.33s
✅ REPOSITORY	syft	yes	no	no	2.22s
✅ REPOSITORY	trivy	yes	no	no	11.67s
✅ REPOSITORY	trivy-sbom	yes	no	no	0.09s
✅ REPOSITORY	trufflehog	yes	no	no	3.39s
✅ YAML	prettier	6	0	0	1.02s
✅ YAML	v8r	6	0	0	6.3s
✅ YAML	yamllint	6	0	0	0.56s

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

Documentation: Custom Flavors
Command: npx mega-linter-runner@9.4.0 --custom-flavor-setup --custom-flavor-linters PYTHON_PYLINT,PYTHON_BLACK,PYTHON_FLAKE8,PYTHON_ISORT,PYTHON_BANDIT,PYTHON_MYPY,PYTHON_PYRIGHT,PYTHON_RUFF,ACTION_ACTIONLINT,COPYPASTE_JSCPD,DOCKERFILE_HADOLINT,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,MARKDOWN_MARKDOWNLINT,MARKDOWN_MARKDOWN_TABLE_FORMATTER,REPOSITORY_CHECKOV,REPOSITORY_DUSTILOCK,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_GRYPE,REPOSITORY_KICS,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,REPOSITORY_KINGFISHER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository

github-actions · 2026-04-08T16:43:34Z

Trivy image scan report

`ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-234 (debian 13.4)`

21 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 3 LOW: 18)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`libssl3t64`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2

No Misconfigurations found

`Python`

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`pip`	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

github-actions · 2026-04-08T16:43:42Z

Trivy image scan report

`ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.4)`

21 known vulnerabilities found (LOW: 18 CRITICAL: 0 HIGH: 0 MEDIUM: 3)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`libssl3t64`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2

No Misconfigurations found

`Python`

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`pip`	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

github-actions · 2026-04-08T16:43:44Z

Trivy image scan report

`ghcr.io/chgl/github-reusable-workflow:pr-234 (debian 13.4)`

21 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 3 LOW: 18)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`libssl3t64`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`libssl3t64`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-31790	MEDIUM	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-2673	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28387	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28388	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28389	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-28390	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2
`openssl-provider-legacy`	CVE-2026-31789	LOW	3.5.5-1~deb13u1	3.5.5-1~deb13u2

No Misconfigurations found

`Python`

1 known vulnerabilities found (HIGH: 0 MEDIUM: 0 LOW: 1 CRITICAL: 0)

Show detailed table of vulnerabilities

Package	ID	Severity	Installed Version	Fixed Version
`pip`	CVE-2026-1703	LOW	25.3	26.0

No Misconfigurations found

github-actions · 2026-04-08T17:04:21Z

🎉 This PR is included in version 1.11.23 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

chore(deps): update astral-sh/setup-uv action to v8

6174d33

renovate bot force-pushed the renovate/astral-sh-setup-uv-8.x branch from 2ee1a02 to 6174d33 Compare April 8, 2026 16:42

chgl approved these changes Apr 8, 2026

View reviewed changes

chgl merged commit a3b547c into master Apr 8, 2026
41 checks passed

chgl deleted the renovate/astral-sh-setup-uv-8.x branch April 8, 2026 17:02

github-actions bot added the released label Apr 8, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update astral-sh/setup-uv action to v8#234

chore(deps): update astral-sh/setup-uv action to v8#234
chgl merged 1 commit intomasterfrom
renovate/astral-sh-setup-uv-8.x

renovate bot commented Mar 30, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Mar 30, 2026 •

edited

Loading

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate bot commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

v8.0.0: 🌈 Immutable releases and secure tags

This is the first immutable release of setup-uv 🥳

New format for manifest-file

No more major and minor tags

🚨 Breaking changes

🧰 Maintenance

Configuration

Uh oh!

github-actions bot commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅MegaLinter analysis: Success

Uh oh!

github-actions bot commented Apr 8, 2026

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-234 (debian 13.4)

21 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 3 LOW: 18)

No Misconfigurations found

Python

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

No Misconfigurations found

Uh oh!

github-actions bot commented Apr 8, 2026

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.4)

21 known vulnerabilities found (LOW: 18 CRITICAL: 0 HIGH: 0 MEDIUM: 3)

No Misconfigurations found

Python

1 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 0 LOW: 1)

No Misconfigurations found

Uh oh!

github-actions bot commented Apr 8, 2026

Trivy image scan report

ghcr.io/chgl/github-reusable-workflow:pr-234 (debian 13.4)

21 known vulnerabilities found (CRITICAL: 0 HIGH: 0 MEDIUM: 3 LOW: 18)

No Misconfigurations found

Python

1 known vulnerabilities found (HIGH: 0 MEDIUM: 0 LOW: 1 CRITICAL: 0)

No Misconfigurations found

Uh oh!

Uh oh!

github-actions bot commented Apr 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

renovate bot commented Mar 30, 2026 •

edited

Loading

`v8.0.0`: 🌈 Immutable releases and secure tags

This is the first immutable release of `setup-uv` 🥳

New format for `manifest-file`

github-actions bot commented Mar 30, 2026 •

edited

Loading

`ghcr.io/chgl/github-reusable-workflow-without-test-image:pr-234 (debian 13.4)`

`Python`

`ghcr.io/chgl/github-reusable-workflow-with-fixed-image-tags:v1.2.3-beta.123 (debian 13.4)`

`Python`

`ghcr.io/chgl/github-reusable-workflow:pr-234 (debian 13.4)`

`Python`