chore(deps): update astral-sh/setup-uv action to v8

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
astral-sh/setup-uv	action	major	v7 → v8.2.0

---

Release Notes

astral-sh/setup-uv (astral-sh/setup-uv)

v8.2.0: 🌈 New inputs quiet and download-from-astral-mirror

Compare Source

Changes

This release brings two new inputs and a few bug fixes.

New inputs

Lets talk about the new inputs first.

quiet

Pretty simple. It turns of all info loggings. Useful if you use this in a composite action and are not interested in all the details.
In the upcoming releases we will add log groups to fully implement support for "less noise"

[!NOTE]
Warnings and errors are always logged.

download-from-astral-mirror

In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting download-from-astral-mirror: false allows you to do that.

Bugfixes

When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.

We couldn't pinpoint all rootcauses yet but added more logging for error cases to track them down.

🐛 Bug fixes

• fix: report unexpected cache save failures @​eifinger (#​896)
• fix: report unexpected setup failures @​eifinger (#​895)
• fix: add timeout to fetch to prevent silent hangs @​eifinger-bot (#​883)
• Limit GitHub tokens to github.com download URLs @​zsol (#​878)
• increase libuv-workaround timeout to 100ms @​eifinger (#​880)

🚀 Enhancements

• Add quiet input to suppress info-level log output @​eifinger (#​898)
• feat: add download-from-astral-mirror input @​eifinger (#​897)

🧰 Maintenance

• docs: update dependabot rollup biome guidance @​eifinger (#​902)
• chore: update known checksums for 0.11.18 @​github-actions[bot] (#​899)
• chore: update known checksums for 0.11.17 @​github-actions[bot] (#​892)
• chore: update known checksums for 0.11.16 @​github-actions[bot] (#​889)
• chore: update known checksums for 0.11.15 @​github-actions[bot] (#​885)
• chore: update known checksums for 0.11.14 @​github-actions[bot] (#​879)
• chore: update known checksums for 0.11.13 @​github-actions[bot] (#​877)
• chore: update known checksums for 0.11.12 @​github-actions[bot] (#​876)
• chore: update known checksums for 0.11.11 @​github-actions[bot] (#​873)
• chore: update known checksums for 0.11.9/0.11.10 @​github-actions[bot] (#​871)
• chore: update known checksums for 0.11.8 @​github-actions[bot] (#​867)
• Bump setup-uv references to v8.1.0 SHA in docs @​eifinger (#​862)
• Add update-docs.yml workflow @​eifinger (#​861)

⬆️ Dependency updates

• chore(deps): roll up dependabot updates @​eifinger (#​903)
• chore(deps): roll up dependabot updates @​eifinger (#​901)
• chore(deps): bump release-drafter/release-drafter from 7.3.0 to 7.3.1 @​dependabot[bot] (#​900)
• chore(deps): bump eifinger/actionlint-action from 1.10.1 to 1.10.2 @​dependabot[bot] (#​842)
• chore(deps): bump github/codeql-action from 4.35.4 to 4.36.0 @​dependabot[bot] (#​893)
• chore(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 @​dependabot[bot] (#​891)
• chore(deps): bump release-drafter/release-drafter from 7.2.0 to 7.3.0 @​dependabot[bot] (#​884)
• chore(deps): bump zizmorcore/zizmor-action from 0.5.3 to 0.5.5 @​dependabot[bot] (#​888)
• chore(deps): bump github/codeql-action from 4.35.3 to 4.35.4 @​dependabot[bot] (#​881)
• chore(deps): bump github/codeql-action from 4.32.2 to 4.35.3 @​dependabot[bot] (#​875)
• chore(deps): bump actions/setup-node from 6.3.0 to 6.4.0 @​dependabot[bot] (#​866)
• chore(deps): bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 @​dependabot[bot] (#​864)
• chore(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 @​dependabot[bot] (#​863)

v8.1.0: 🌈 New input no-project

Compare Source

Changes

This add the a new boolean input no-project.
It only makes sense to use in combination with activate-environment: true and will append --no project to the uv venv call. This is for example useful if you have a pyproject.toml file with parts unparseable by uv

🚀 Enhancements

• Add input no-project in combination with activate-environment @​eifinger (#​856)

🧰 Maintenance

• fix: grant contents:write to validate-release job @​eifinger (#​860)
• Add a release-gate step to the release workflow @​zanieb (#​859)
• Draft commitish releases @​eifinger (#​858)
• Add action-types.yml to instructions @​eifinger (#​857)
• chore: update known checksums for 0.11.7 @​github-actions[bot] (#​853)
• Refactor version resolving @​eifinger (#​852)
• chore: update known checksums for 0.11.6 @​github-actions[bot] (#​850)
• chore: update known checksums for 0.11.5 @​github-actions[bot] (#​845)
• chore: update known checksums for 0.11.4 @​github-actions[bot] (#​843)
• Add a release workflow @​zanieb (#​839)
• chore: update known checksums for 0.11.3 @​github-actions[bot] (#​836)

📚 Documentation

• Update ignore-nothing-to-cache documentation @​eifinger (#​833)
• Pin setup-uv docs to v8 @​eifinger (#​829)

⬆️ Dependency updates

• chore(deps): bump release-drafter/release-drafter from 7.1.1 to 7.2.0 @​dependabot[bot] (#​855)

v8.0.0: 🌈 Immutable releases and secure tags

Compare Source

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP]
Use the immutable tag as a version astral-sh/setup-uv@v8.0.0
Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

• Remove update-major-minor-tags workflow @​eifinger (#​826)
• Remove deprecrated custom manifest @​eifinger (#​813)

🧰 Maintenance

• Shortcircuit latest version from manifest @​eifinger (#​828)
• Simplify inputs.ts @​eifinger (#​827)
• Bump release-drafter to v7.1.1 @​eifinger (#​825)
• Refactor inputs @​eifinger (#​823)
• Replace inline compile args with tsconfig @​eifinger (#​824)
• chore: update known checksums for 0.11.2 @​github-actions[bot] (#​821)
• chore: update known checksums for 0.11.1 @​github-actions[bot] (#​817)
• chore: update known checksums for 0.11.0 @​github-actions[bot] (#​815)
• Fix latest-version workflow check @​eifinger (#​812)
• chore: update known checksums for 0.10.11/0.10.12 @​github-actions[bot] (#​811)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 30ec8d5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (5b6275e) to head (30ec8d5).

Additional details and impacted files

@@            Coverage Diff            @@
##             main   #694       +/-   ##
=========================================
- Coverage   92.69%      0   -92.70%     
=========================================
  Files         151      0      -151     
  Lines        2409      0     -2409     
  Branches      758      0      -758     
=========================================
- Hits         2233      0     -2233     
+ Misses        145      0      -145     
+ Partials       31      0       -31     

Flag	Coverage Δ
postgrest-core	?
postgrest-react-query	?
postgrest-server	?
postgrest-swr	?
storage-core	?
storage-react-query	?
storage-swr	?

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.