action-allowlist-review: bump astral-sh/setup-uv from 8.1.0 to 8.2.0 in /.github/actions/for-dependabot-triggered-reviews by dependabot[bot] · Pull Request #910 · apache/infrastructure-actions

dependabot · 2026-06-04T01:48:03Z

Bumps astral-sh/setup-uv from 8.1.0 to 8.2.0.

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.2.0 🌈 New inputs quiet and download-from-astral-mirror

Changes

This release brings two new inputs and a few bug fixes.

New inputs

Lets talk about the new inputs first.

quiet

Pretty simple. It turns of all info loggings. Useful if you use this in a composite action and are not interested in all the details. In the upcoming releases we will add log groups to fully implement support for "less noise"

[!NOTE]
Warnings and errors are always logged.

download-from-astral-mirror

In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting download-from-astral-mirror: false allows you to do that.

Bugfixes

When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token. All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.

We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down.

🐛 Bug fixes

fix: report unexpected cache save failures @eifinger (#896)

fix: report unexpected setup failures @eifinger (#895)

fix: add timeout to fetch to prevent silent hangs @eifinger-bot (#883)

Limit GitHub tokens to github.com download URLs @zsol (#878)

increase libuv-workaround timeout to 100ms @eifinger (#880)

🚀 Enhancements

Add quiet input to suppress info-level log output @eifinger (#898)

feat: add download-from-astral-mirror input @eifinger (#897)

🧰 Maintenance

docs: update dependabot rollup biome guidance @eifinger (#902)

chore: update known checksums for 0.11.18 @github-actions[bot] (#899)

chore: update known checksums for 0.11.17 @github-actions[bot] (#892)

chore: update known checksums for 0.11.16 @github-actions[bot] (#889)

chore: update known checksums for 0.11.15 @github-actions[bot] (#885)

chore: update known checksums for 0.11.14 @github-actions[bot] (#879)

chore: update known checksums for 0.11.13 @github-actions[bot] (#877)

... (truncated)

Commits

fac544c chore(deps): roll up dependabot updates (#903)
7390f77 docs: update dependabot rollup biome guidance (#902)
363c64a chore(deps): roll up dependabot updates (#901)
c4fcbaf chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 (#900)
8e642c5 chore: update known checksums for 0.11.18 (#899)
a92cb43 Add quiet input to suppress info-level log output (#898)
e07f2ac chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 (#842)
bc4034e chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 (#893)
df42d4f chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 (#891)
b9c8c4c feat: add download-from-astral-mirror input (#897)
Additional commits viewable in compare view

Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 8.1.0 to 8.2.0. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@0880764...fac544c) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.2.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>

potiuk · 2026-06-05T00:44:29Z

verify-action-build's binary-download check false-flagged this bump. The flagged line — src/download/download-version.ts:128 tc.downloadTool(...) — is verified on the very next line by validateChecksum(checksum, downloadPath, …) (SHA-256 against the provided checksum or the built-in KNOWN_CHECKSUMS table). v8.2.0 just refactored that validation into a sibling module (download/checksum/checksum.ts), which moved the createHash token out of the file and tripped the same-file heuristic. The download itself is verified.

Heuristic fix: #912 (adds the validate* checksum-helper family to the JS verification markers, with a regression test from this exact setup-uv shape). With that patch, verify-action-build --from-pr 910 passes clean.

Approving and merging this bump — the verify red is the false positive, not a real finding.

potiuk

verify red is a known false positive (sibling validateChecksum); fix in #912. Download is checksum-verified.

…#912) astral-sh/setup-uv@v8.2.0 refactored its uv-binary checksum validation out of src/download/download-version.ts into a sibling module (src/download/checksum/checksum.ts). The download site still calls validateChecksum(checksum, downloadPath, …) immediately after tc.downloadTool, but the same-file JS verification heuristic only recognised verify*/compute*/calculate* helper names — so it lost the createHash token and false-flagged the download as unverified, blocking the routine setup-uv bump in #910. Add the validate* checksum-helper family to the JS verification markers, plus a regression test anchored to the real setup-uv source. Generated-by: Claude Opus 4.8 (1M context)

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 4, 2026

dependabot Bot requested review from dfoulks1 and potiuk as code owners June 4, 2026 01:48

dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 4, 2026

dependabot Bot requested a review from ppkarwasz as a code owner June 4, 2026 01:48

dependabot Bot added the github_actions Pull requests that update GitHub Actions code label Jun 4, 2026

dependabot Bot force-pushed the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/astral-sh/setup-uv-8.2.0 branch from c52659c to dd5b189 Compare June 5, 2026 00:38

potiuk mentioned this pull request Jun 5, 2026

verify: accept validate* checksum helpers as JS download verification (unblocks #910) #912

Merged

4 tasks

potiuk approved these changes Jun 5, 2026

View reviewed changes

potiuk merged commit 91fb88c into main Jun 5, 2026
8 of 9 checks passed

potiuk deleted the dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/astral-sh/setup-uv-8.2.0 branch June 5, 2026 00:44

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

action-allowlist-review: bump astral-sh/setup-uv from 8.1.0 to 8.2.0 in /.github/actions/for-dependabot-triggered-reviews#910

action-allowlist-review: bump astral-sh/setup-uv from 8.1.0 to 8.2.0 in /.github/actions/for-dependabot-triggered-reviews#910
potiuk merged 1 commit into
mainfrom
dependabot/github_actions/dot-github/actions/for-dependabot-triggered-reviews/astral-sh/setup-uv-8.2.0

dependabot Bot commented on behalf of github Jun 4, 2026 •

edited

Loading

Uh oh!

potiuk commented Jun 5, 2026

Uh oh!

potiuk left a comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Jun 4, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v8.2.0 🌈 New inputs quiet and download-from-astral-mirror

Changes

New inputs

quiet

download-from-astral-mirror

Bugfixes

🐛 Bug fixes

🚀 Enhancements

🧰 Maintenance

Uh oh!

potiuk commented Jun 5, 2026

Uh oh!

potiuk left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Jun 4, 2026 •

edited

Loading

v8.2.0 🌈 New inputs `quiet` and `download-from-astral-mirror`