Skip to content

chore(deps): bump astral-sh/setup-uv from 8.3.0 to 8.3.1 in the github-actions group#1757

Merged
wochinge merged 1 commit into
mainfrom
dependabot/github_actions/github-actions-83dbeaf02d
Jul 14, 2026
Merged

chore(deps): bump astral-sh/setup-uv from 8.3.0 to 8.3.1 in the github-actions group#1757
wochinge merged 1 commit into
mainfrom
dependabot/github_actions/github-actions-83dbeaf02d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown
Contributor

Bumps the github-actions group with 1 update: astral-sh/setup-uv.

Updates astral-sh/setup-uv from 8.3.0 to 8.3.1

Commits
  • f98e069 Change update-docs PR labels from 'update-docs' to 'documentation' (#945)
  • cd46263 chore: update known checksums for 0.11.27 (#944)
  • 11245c7 docs: update version references to v8.3.0 (#939)
  • See full diff in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the github-actions group with 1 update: [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv).


Updates `astral-sh/setup-uv` from 8.3.0 to 8.3.1
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@d31148d...f98e069)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 14, 2026
@dependabot dependabot Bot requested a review from a team as a code owner July 14, 2026 05:56
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 14, 2026

@claude claude Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM — routine Dependabot patch bump of astral-sh/setup-uv (8.3.0 → 8.3.1), pinned by immutable commit SHA with matching version comments.

What was reviewed: confirmed the new SHA (f98e069...) corresponds to the v8.3.1 tag per the PR description's compare link, and verified all 5 occurrences across ci.yml and release.yml were updated consistently with correct version comments.

Extended reasoning...

Overview

This PR is an automated Dependabot dependency bump updating the astral-sh/setup-uv GitHub Action from 8.3.0 to 8.3.1 across two workflow files (.github/workflows/ci.yml and .github/workflows/release.yml). The change is purely mechanical: replacing the pinned commit SHA and updating the trailing version comment in 5 total locations (4 in ci.yml, 1 in release.yml). No workflow logic, permissions, secrets handling, or job structure is touched.

Security risks

Minimal. The action reference remains pinned to an immutable commit SHA (not a mutable tag), which is the secure pattern for third-party GitHub Actions and mitigates supply-chain tampering risk. The new SHA (f98e06938123ccabd21905ea5d0069192241f9f1) matches the compare link in the PR description pointing to the upstream astral-sh/setup-uv repository, and the version comment (v8.3.1) is consistent with the SHA across all occurrences. This is a patch-level bump per the changelog (label/checksum/docs updates), not a change with security-relevant release notes.

Level of scrutiny

Low. This is the kind of mechanical, low-risk change (SHA pin bump with matching comment) that fits squarely in the auto-approvable category: no ambiguity, no design decisions, and it follows the exact same pattern as prior setup-uv bumps in this repo's history.

Other factors

No open review threads or prior bot reviews exist on this PR. The change is self-contained, consistent across both files, and does not require CODEOWNER sign-off beyond standard CI config review.

@wochinge wochinge merged commit 8520890 into main Jul 14, 2026
19 of 20 checks passed
@wochinge wochinge deleted the dependabot/github_actions/github-actions-83dbeaf02d branch July 14, 2026 07:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant