Skip to content

chore(deps): update all major dependencies (major)#350

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/major-all-major-dependencies
Open

chore(deps): update all major dependencies (major)#350
renovate[bot] wants to merge 1 commit intomainfrom
renovate/major-all-major-dependencies

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 13, 2026
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change
astral-sh/setup-uv action major v7v8.1.0
softprops/action-gh-release action major v2v3

Release Notes

astral-sh/setup-uv (astral-sh/setup-uv)

v8.1.0: 🌈 New input no-project

Compare Source

Changes

This add the a new boolean input no-project.
It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v8.0.0: 🌈 Immutable releases and secure tags

Compare Source

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP]
Use the immutable tag as a version astral-sh/setup-uv@v8.0.0
Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes
🧰 Maintenance

v7.6

Compare Source

v7.6.0: 🌈 Fetch uv from Astral's mirror by default

Compare Source

Changes

We now default to download uv from releases.astral.sh.
This means by default we don't hit the GitHub API at all and shouldn't see any rate limits and timeouts any more.

🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.5

Compare Source

v7.5.0: 🌈 Use astral-sh/versions as version provider

Compare Source

No more rate-limits

This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.

Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.

The manifest-file input was an earlier attempt to improve this. It allows providing an url to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest.
However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.

This release solves the problem by sourcing version data from Astral’s versions repository via the raw content endpoint:

https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson

By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.

[!TIP]
The next section is only interesting for users of the manifest-file input

The manifest-file input lets you override that source with your own URL, for example to test custom uv builds or alternate download locations.

The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:

{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}

[!WARNING]
The old format still works but is deprecated. A warning will be logged when you use it.

Changes
🚀 Enhancements
📚 Documentation

v7.4

Compare Source

v7.4.0: 🌈 Add riscv64 architecture support to platform detection

Compare Source

Changes

Thank you @​luhenry for adding support for riscv64 arch

🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.3.1: 🌈 fall back to VERSION_CODENAME when VERSION_ID is not available

Compare Source

Changes

This release adds support for running in containers like debian:testing or debian:unstable

🐛 Bug fixes
🧰 Maintenance
⬆️ Dependency updates

v7.3.0: 🌈 New features and bug fixes for activate-environment

Compare Source

Changes

This release contains a few bug fixes and a new feature for the activate-environment functionality.

🐛 Bug fixes

🚀 Enhancements

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v7.3

Compare Source

v7.2.1: 🌈 update known checksums up to 0.9.28

Compare Source

Changes
🧰 Maintenance
📚 Documentation
⬆️ Dependency updates

v7.2.0: 🌈 add outputs python-version and python-cache-hit

Compare Source

Changes

Among some minor typo fixes and quality of life features for developers of actions the main feature of this release are new outputs:

  • python-version: The Python version that was set (same content as existing UV_PYTHON)
  • python-cache-hit: A boolean value to indicate the Python cache entry was found

While implementing this it became clear, that it is easier to handle the Python binaries in a separate cache entry. The added benefit for users is that the "normal" cache containing the dependencies can be used in all runs no matter if these cache the Python binaries or not.

[!NOTE]
This release will invalidate caches that contain the Python binaries. This happens a single time.

🐛 Bug fixes
  • chore: remove stray space from UV_PYTHON_INSTALL_DIR message @​akx (#​720)
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.2

Compare Source

v7.1.6: 🌈 add OS version to cache key to prevent binary incompatibility

Compare Source

Changes

This release will invalidate your cache existing keys!

The os version e.g. ubuntu-22.04 is now part of the cache key. This prevents failing builds when a cache got populated with wheels built with different tools (e.g. glibc) than are present on the runner where the cache got restored.

🐛 Bug fixes
🧰 Maintenance
⬆️ Dependency updates

v7.1.5: 🌈 allow setting cache-local-path without enable-cache: true

Compare Source

Changes

#​612 fixed a faulty behavior where this action set UV_CACHE_DIR even though enable-cache was false. It also fixed the cases were the cache dir is already configured in a settings file like pyproject.toml or UV_CACHE_DIR was already set. Here the action shouldn't overwrite or set UV_CACHE_DIR.

These fixes introduced an unwanted behavior: You can still set cache-local-path but this action didn't do anything. This release fixes that.

You can now use cache-local-path to automatically set UV_CACHE_DIR even when enable-cache is false (or gets set to false by default e.g. on self-hosted runners)

- name: This is now possible
  uses: astral-sh/setup-uv@v7
  with:
    enable-cache: false
    cache-local-path: "/path/to/cache"
🐛 Bug fixes
🧰 Maintenance
⬆️ Dependency updates

v7.1.4: 🌈 Fix libuv closing bug on Windows

Compare Source

Changes

This release fixes the bug Assertion failed: !(handle->flags & UV_HANDLE_CLOSING) on Windows runners

🐛 Bug fixes
🧰 Maintenance

v7.1.3: 🌈 Support act

Compare Source

Changes

This bug fix release adds support for https://github.com/nektos/act
It was previously broken because of a too new undici version and TS transpilation target.

Compatibility with act is now automatically tested.

🐛 Bug fixes
🧰 Maintenance
📚 Documentation

v7.1.2: 🌈 Speed up extraction on Windows

Compare Source

Changes

@​lazka fixed a bug that caused extracting uv to take up to 30s. Thank you!

🐛 Bug fixes

🧰 Maintenance

⬆️ Dependency updates

v7.1.1: 🌈 Fix empty workdir detection and lowest resolution strategy

Compare Source

Changes

This release fixes a bug where the working-directory input was not used to detect an empty work dir. It also fixes the lowest resolution strategy resolving to latest when only a lower bound was specified.

Special thanks to @​tpgillam for the first contribution!

🐛 Bug fixes
🧰 Maintenance
📚 Documentation
⬆️ Dependency updates

v7.1.0: 🌈 Support all the use cases

Compare Source

Changes

Support all the use cases!!!
... well, that we know of.

This release adds support for some use cases that most users don't encounter but are useful for e.g. people running Gitea.

The input resolution-strategy lets you use the lowest possible version of uv from a version range. Useful if you want to test your tool with different versions of uv.

If you use activate-environment the path to the activated venv is now also exposed under the output venv.

Downloaded python installations can now also be uploaded to the GitHub Actions cache backend. Useful if you are running in act and have configured your own backend and don't want to download python again, and again over a slow internet connection.

Finally the path to installed python interpreters is now added to the PATH on Windows.

🚀 Enhancements

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v7.1

Compare Source

softprops/action-gh-release (softprops/action-gh-release)

v3

Compare Source

v3.0.0

Compare Source

3.0.0 is a major release that moves the action runtime from Node 20 to Node 24.
Use v3 on GitHub-hosted runners and self-hosted fleets that already support the
Node 24 Actions runtime. If you still need the last Node 20-compatible line, stay on
v2.6.2.

What's Changed

Other Changes 🔄
  • Move the action runtime and bundle target to Node 24
  • Update @types/node to the Node 24 line and allow future Dependabot updates
  • Keep the floating major tag on v3; v2 remains pinned to the latest 2.x release

v2.6.2

Compare Source

What's Changed

Other Changes 🔄

Full Changelog: softprops/action-gh-release@v2...v2.6.2

v2.6.1

Compare Source

2.6.1 is a patch release focused on restoring linked discussion thread creation when
discussion_category_name is set. It fixes #764, where the draft-first publish flow
stopped carrying the discussion category through the final publish step.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

v2.6.0

Compare Source

2.6.0 is a minor release centered on previous_tag support for generate_release_notes,
which lets workflows pin GitHub's comparison base explicitly instead of relying on the default range.
It also includes the recent concurrent asset upload recovery fix, a working_directory docs sync,
a checked-bundle freshness guard for maintainers, and clearer immutable-prerelease guidance where
GitHub platform behavior imposes constraints on how prerelease asset uploads can be published.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Exciting New Features 🎉
Bug fixes 🐛
Other Changes 🔄

v2.5.3

Compare Source

2.5.3 is a patch release focused on the remaining path-handling and release-selection bugs uncovered after 2.5.2.
It fixes #639, #571, #280, #614, #311, #403, and #368.
It also adds documentation clarifications for #541, #645, #542, #393, and #411,
where the current behavior is either usage-sensitive or constrained by GitHub platform limits rather than an action-side runtime bug.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed
Bug fixes 🐛
Other Changes 🔄
  • docs: clarify token precedence by @​chenrui333 in #​752
  • docs: clarify GitHub release limits by @​chenrui333 in #​758
  • documentation clarifications for empty-token handling, preserve_order, and special-character asset filename behavior

Full Changelog: softprops/action-gh-release@v2...v2.5.3

v2.5.2

Compare Source

2.5.2 is a patch release focused on the remaining release-creation and prerelease regressions in the 2.5.x bug-fix cycle.
It fixes #705, fixes #708, fixes #740, fixes #741, and fixes #722.
Regression testing covers the shared-tag race, prerelease event behavior, dotfile asset labels,
same-filename concurrent uploads, and blocked-tag cleanup behavior.

If you still hit an issue after upgrading, please open a report with the bug template and include a minimal repro or sanitized workflow snippet where possible.

What's Changed

Bug fixes 🐛

New Contributors

Full Changelog: softprops/action-gh-release@v2...v2.5.2

v2.5.1

Compare Source

2.5.1 is a patch release focused on regressions introduced in 2.5.0 and on release lookup reliability.
It fixes #713, addresses #703, and fixes #724. Regression testing shows that
current master no longer reproduces the finalize-race behavior reported in #704 and #709.

What's Changed
Bug fixes 🐛
Other Changes 🔄
  • dependency updates, including the ESM/runtime compatibility refresh in #​731
New Contributors

Full Changelog: softprops/action-gh-release@v2...v2.5.1

v2.5.0

Compare Source

What's Changed

Exciting New Features 🎉
Other Changes 🔄
  • chore(deps): bump the npm group across 1 directory with 5 updates by @​dependabot[bot] in #​697
  • chore(deps): bump actions/checkout from 5.0.0 to 5.0.1 in the github-actions group by @​dependabot[bot] in #​689

New Contributors

Full Changelog: softprops/action-gh-release@v2.4.2...v2.5.0

v2.4.2

Compare Source

What's Changed

Exciting New Features 🎉
  • feat: Ensure generated release notes cannot be over 125000 characters by @​BeryJu in #​684
Other Changes 🔄
  • dependency updates

New Contributors

Full Changelog: softprops/action-gh-release@v2.4.1...v2.4.2

v2.4.1

Compare Source

What's Changed

Other Changes 🔄
  • fix(util): support brace expansion globs containing commas in parseInputFiles by @​Copilot in #​672
  • fix: gracefully fallback to body when body_path cannot be read by @​Copilot in #​671

Full Changelog: softprops/action-gh-release@v2...v2.4.1

v2.4.0

Compare Source

What's Changed

Exciting New Features 🎉
Other Changes 🔄

Full Changelog: softprops/action-gh-release@v2.3.4...v2.4.0

v2.3.4

Compare Source

What's Changed

Bug fixes 🐛
Other Changes 🔄

Full Changelog: softprops/action-gh-release@v2...v2.3.4

v2.3.3

Compare Source

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@greptile-apps
Copy link
Copy Markdown
Contributor

greptile-apps Bot commented Apr 13, 2026
edited
Loading

Greptile Summary

Bumps astral-sh/setup-uv from v7 to v8.1.0 across all four usages in ci.yml and release.yml, and upgrades softprops/action-gh-release from v2 to v3 (Node 20 → Node 24 runtime) in release.yml. All action references remain SHA-pinned, which is the recommended supply-chain security practice.

Confidence Score: 5/5

Safe to merge — routine GitHub Actions version bump with no logic changes and all SHAs pinned.

Both action upgrades are straightforward version bumps with SHA pinning intact. The setup-uv v8 breaking changes (removed deprecated manifest format, dropped floating major tags) don't affect this repo's usage. The action-gh-release v3 only changes the Node runtime from 20 to 24, which is transparent to callers.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/ci.yml Updates astral-sh/setup-uv from v7 to v8.1.0 (commit SHA pinned) in both the lint and test jobs; no functional workflow logic changed.
.github/workflows/release.yml Updates astral-sh/setup-uv to v8.1.0 and softprops/action-gh-release from v2 to v3 (Node 20 → Node 24 runtime); all references are SHA-pinned.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[ci.yml - lint job] -->|uses| B["astral-sh/setup-uv\nv7 → v8.1.0"]
    C[ci.yml - test job] -->|uses| B
    D[release.yml - check-version job] -->|uses| B
    E[release.yml - release job] -->|uses| B
    E -->|uses| F["softprops/action-gh-release\nv2 → v3\nNode20 → Node24"]
Loading

Reviews (21): Last reviewed commit: "chore(deps): update all major dependenci..." | Re-trigger Greptile

@renovate renovate Bot force-pushed the renovate/major-all-major-dependencies branch 15 times, most recently from 68622df to 59cf3a3 Compare April 17, 2026 07:01
@stickerdaniel stickerdaniel force-pushed the renovate/major-all-major-dependencies branch from 59cf3a3 to eed1966 Compare April 17, 2026 09:36
@renovate renovate Bot force-pushed the renovate/major-all-major-dependencies branch 3 times, most recently from 501080e to 3841247 Compare April 19, 2026 12:30
@renovate renovate Bot changed the title chore(deps): update softprops/action-gh-release action to v3 chore(deps): update all major dependencies (major) Apr 19, 2026
@renovate renovate Bot changed the title chore(deps): update all major dependencies (major) chore(deps): update softprops/action-gh-release action to v3 Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/major-all-major-dependencies branch from 3841247 to 75457d4 Compare April 19, 2026 13:36
@renovate renovate Bot force-pushed the renovate/major-all-major-dependencies branch from 75457d4 to 6b33cae Compare April 21, 2026 22:01
@renovate renovate Bot changed the title chore(deps): update softprops/action-gh-release action to v3 chore(deps): update all major dependencies (major) Apr 21, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants