actions/setup-uv
1
0
Fork 0
mirror of https://github.com/astral-sh/setup-uv.git synced 2025-09-08 13:06:53 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

chore(ci): address CI lint findings (#545)
Some checks failed
test / lint (push) Failing after 11s
Details
test / test-default-version (ubuntu-latest) (push) Failing after 11s
Details
test / test-specific-version (0.3.0) (push) Failing after 11s
Details
test / test-specific-version (0.3.2) (push) Failing after 11s
Details
test / test-specific-version (>=0.3.0) (push) Failing after 10s
Details
test / test-semver-range (ubuntu-latest) (push) Failing after 10s
Details
test / test-pyproject-file-version (push) Failing after 10s
Details
test / test-malformed-pyproject-file-fallback (push) Failing after 10s
Details
test / test-version-file-version (push) Failing after 10s
Details
test / test-version-file-hash-version (push) Failing after 10s
Details
test / test-checksum (map[checksum:4d9279ad5ca596b1e2d703901d508430eb07564dc4d8837de9e2fca9c90f8ecd os:ubuntu-latest]) (push) Failing after 10s
Details
test / test-tool-install (ubuntu-latest) (push) Failing after 10s
Details
test / test-with-explicit-token (push) Failing after 10s
Details
test / test-python-version (ubuntu-latest) (push) Failing after 9s
Details
test / test-setup-cache (auto, ubuntu-latest) (push) Failing after 8s
Details
test / test-setup-cache-requirements-txt (push) Failing after 8s
Details
test / test-setup-cache (true, ubuntu-latest) (push) Failing after 8s
Details
test / test-musl (push) Failing after 12s
Details
test / test-cache-local (map[expected-cache-dir:/home/runner/work/_temp/setup-uv-cache os:ubuntu-latest]) (push) Failing after 9s
Details
test / test-no-python-version (push) Failing after 9s
Details
test / test-absolute-path (push) Failing after 9s
Details
test / test-relative-path (push) Failing after 9s
Details
CodeQL / Analyze (TypeScript) (push) Failing after 1m17s
Details
test / test-specific-version (0.3) (push) Failing after 1m29s
Details
test / test-specific-version (0.3.x) (push) Failing after 1m29s
Details
test / test-pep440-version (push) Failing after 1m28s
Details
test / test-uv-file-version (push) Failing after 1m27s
Details
test / test-tool-versions-file-version (push) Failing after 1m27s
Details
test / test-uvx (push) Failing after 1m26s
Details
test / test-activate-environment (ubuntu-latest) (push) Failing after 1m25s
Details
test / test-setup-cache (false, ubuntu-latest) (push) Failing after 1m25s
Details
test / test-setup-cache-dependency-glob (push) Failing after 1m24s
Details
test / test-restore-cache-dependency-glob (push) Has been skipped
Details
test / test-custom-manifest-file (push) Failing after 1m23s
Details
Release Drafter / ✏️ Draft release (push) Has been cancelled
Details
test / test-default-version (macos-14) (push) Has been cancelled
Details
test / test-default-version (macos-latest) (push) Has been cancelled
Details
test / test-default-version (windows-latest) (push) Has been cancelled
Details
test / test-semver-range (selfhosted-ubuntu-arm64) (push) Has been cancelled
Details
test / test-checksum (map[checksum:a70cbfbf3bb5c08b2f84963b4f12c94e08fbb2468ba418a3bfe1066fbe9e7218 os:macos-latest]) (push) Has been cancelled
Details
test / test-tool-install (macos-14) (push) Has been cancelled
Details
test / test-tool-install (macos-latest) (push) Has been cancelled
Details
test / test-tool-install (windows-latest) (push) Has been cancelled
Details
test / test-tilde-expansion-tool-dirs (push) Has been cancelled
Details
test / test-python-version (macos-latest) (push) Has been cancelled
Details
test / test-python-version (windows-latest) (push) Has been cancelled
Details
test / test-activate-environment (macos-latest) (push) Has been cancelled
Details
test / test-activate-environment (windows-latest) (push) Has been cancelled
Details
test / test-setup-cache (auto, selfhosted-ubuntu-arm64) (push) Has been cancelled
Details
test / test-setup-cache (auto, windows-latest) (push) Has been cancelled
Details
test / test-setup-cache (false, selfhosted-ubuntu-arm64) (push) Has been cancelled
Details
test / test-setup-cache (false, windows-latest) (push) Has been cancelled
Details
test / test-setup-cache (true, selfhosted-ubuntu-arm64) (push) Has been cancelled
Details
test / test-setup-cache (true, windows-latest) (push) Has been cancelled
Details
test / test-cache-local (map[expected-cache-dir:/home/ubuntu/.cache/uv os:selfhosted-ubuntu-arm64]) (push) Has been cancelled
Details
test / test-cache-local (map[expected-cache-dir:D:\a\_temp\setup-uv-cache os:windows-latest]) (push) Has been cancelled
Details
test / test-setup-cache-local (push) Has been cancelled
Details
test / test-tilde-expansion-cache-local-path (push) Has been cancelled
Details
test / test-tilde-expansion-cache-dependency-glob (push) Has been cancelled
Details
test / test-restore-cache (auto, selfhosted-ubuntu-arm64) (push) Has been cancelled
Details
test / test-restore-cache (auto, ubuntu-latest) (push) Has been cancelled
Details
test / test-restore-cache (auto, windows-latest) (push) Has been cancelled
Details
test / test-restore-cache (false, selfhosted-ubuntu-arm64) (push) Has been cancelled
Details
test / test-restore-cache (false, ubuntu-latest) (push) Has been cancelled
Details
test / test-restore-cache (false, windows-latest) (push) Has been cancelled
Details
test / test-restore-cache (true, selfhosted-ubuntu-arm64) (push) Has been cancelled
Details
test / test-restore-cache (true, ubuntu-latest) (push) Has been cancelled
Details
test / test-restore-cache (true, windows-latest) (push) Has been cancelled
Details
test / test-restore-cache-requirements-txt (push) Has been cancelled
Details
test / test-restore-cache-local (push) Has been cancelled
Details
test / cleanup-tilde-expansion-tests (push) Has been cancelled
Details
test / all-tests-passed (push) Has been cancelled
Details
Update known versions / build (push) Has been cancelled
Details

Browse Source 
This addresses all of zizmor's non-pedantic findings, and adds a
workflow to proactively flag any more that come in.

Key changes:

* I've hash-pinned all actions references. Dependabot will continue to
keep these updated and will update the hash comments as well.
* I've marked every `actions/checkout` with `persist-credentials: false`
except for one that actually needs persisted credentials (which I've
explicitly enabled with an explanatory comment)
* I've dropped some workflow-level permissions in favor of job-level
permissions that were already provisioned.
* I fixed two small template injections caused by expanding output
contexts. I think these were not exploitable in practice, but fixing
them is good for defense in depth (and makes spellcheck work nicely on
these steps).

---------

Signed-off-by: William Woodruff <william@astral.sh>
This commit is contained in:
William Woodruff
2025-09-02 09:29:06 -04:00
committed by GitHub
parent 557e51de59
commit b1836110f7
5 changed files with 139 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
.github/workflows/codeql-analysis.yml vendored
View File

@ -21,6 +21,8 @@ on:
branches:
- main
permissions: {}
jobs:
analyze:
name: Analyze
@ -39,11 +41,13 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v5
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v3
uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
with:
languages: ${{ matrix.language }}
source-root: src
@ -55,7 +59,7 @@ jobs:
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v3
uses: github/codeql-action/autobuild@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@ -69,4 +73,4 @@ jobs:
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11

4
.github/workflows/release-drafter.yml vendored
View File

@ -8,6 +8,8 @@ on:
branches:
- main
permissions: {}
jobs:
update_release_draft:
name: ✏️ Draft release
@ -17,6 +19,6 @@ jobs:
pull-requests: read
steps:
- name: 🚀 Run Release Drafter
uses: release-drafter/release-drafter@v6.1.0
uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

154
.github/workflows/test.yml vendored
View File

@ -18,11 +18,17 @@ permissions:
jobs:
lint:
runs-on: ubuntu-latest
permissions:
security-events: write # for zizmor
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Actionlint
uses: eifinger/actionlint-action@23c85443d840cd73bbecb9cddfc933cc21649a38 # v1.9.1
- uses: actions/setup-node@v4
- name: Run zizmor
uses: zizmorcore/zizmor-action@5ca5fc7a4779c5263a3ffa0e1f693009994446d1 # v0.1.2
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: "20"
- run: |
@ -44,7 +50,9 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest, macos-14, windows-latest]
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install latest version
id: setup-uv
uses: ./
@ -52,9 +60,17 @@ jobs:
working-directory: __tests__/fixtures/uv-project
shell: bash
- name: Check uv-path is set
run: ${{ steps.setup-uv.outputs.uv-path }} --version
run: |
"${UV_PATH}" --version
shell: bash
env:
UV_PATH: ${{ steps.setup-uv.outputs.uv-path }}
- name: Check uvx-path is set
run: ${{ steps.setup-uv.outputs.uvx-path }} --version
run: |
"${UVX_PATH}" --version
shell: bash
env:
UVX_PATH: ${{ steps.setup-uv.outputs.uvx-path }}
test-specific-version:
runs-on: ubuntu-latest
@ -62,7 +78,9 @@ jobs:
matrix:
uv-version: ["0.3.0", "0.3.2", "0.3", "0.3.x", ">=0.3.0"]
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install version ${{ matrix.uv-version }}
uses: ./
with:
@ -76,7 +94,9 @@ jobs:
os: [ ubuntu-latest, selfhosted-ubuntu-arm64 ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install version 0.3
id: setup-uv
uses: ./
@ -99,7 +119,9 @@ jobs:
test-pep440-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install version 0.4.30
id: setup-uv
uses: ./
@ -115,7 +137,9 @@ jobs:
test-pyproject-file-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install version 0.5.14
id: setup-uv
uses: ./
@ -131,7 +155,9 @@ jobs:
test-malformed-pyproject-file-fallback:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install using malformed pyproject.toml
id: setup-uv
uses: ./
@ -142,7 +168,9 @@ jobs:
test-uv-file-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install version 0.5.15
id: setup-uv
uses: ./
@ -158,7 +186,9 @@ jobs:
test-version-file-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install from requirements file
id: setup-uv
uses: ./
@ -174,7 +204,9 @@ jobs:
test-version-file-hash-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install from requirements file
id: setup-uv
uses: ./
@ -190,7 +222,9 @@ jobs:
test-tool-versions-file-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install from .tools-versions file
id: setup-uv
uses: ./
@ -213,7 +247,9 @@ jobs:
- os: macos-latest
checksum: "a70cbfbf3bb5c08b2f84963b4f12c94e08fbb2468ba418a3bfe1066fbe9e7218"
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Checksum matches expected
uses: ./
with:
@ -225,7 +261,9 @@ jobs:
test-with-explicit-token:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install default version
uses: ./
with:
@ -236,7 +274,9 @@ jobs:
test-uvx:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install default version
uses: ./
- run: uvx ruff --version
@ -253,7 +293,9 @@ jobs:
windows-latest,
]
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install default version
uses: ./
- run: uv tool install ruff
@ -262,7 +304,9 @@ jobs:
test-tilde-expansion-tool-dirs:
runs-on: selfhosted-ubuntu-arm64
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Setup with cache
uses: ./
with:
@ -285,7 +329,9 @@ jobs:
matrix:
os: [ubuntu-latest, macos-latest, windows-latest]
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install latest version
uses: ./
with:
@ -306,7 +352,9 @@ jobs:
matrix:
os: [ ubuntu-latest, macos-latest, windows-latest ]
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install latest version
uses: ./
with:
@ -327,7 +375,9 @@ jobs:
runs-on: ubuntu-latest
container: alpine
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install latest version
uses: ./
- run: uv sync
@ -340,7 +390,9 @@ jobs:
enable-cache: [ "true", "false", "auto" ]
os: [ "ubuntu-latest", "selfhosted-ubuntu-arm64", "windows-latest" ]
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Setup with cache
uses: ./
with:
@ -357,7 +409,9 @@ jobs:
os: [ "ubuntu-latest", "selfhosted-ubuntu-arm64", "windows-latest" ]
needs: test-setup-cache
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Restore with cache
id: restore
uses: ./
@ -389,7 +443,9 @@ jobs:
test-setup-cache-requirements-txt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Setup with cache
uses: ./
with:
@ -403,7 +459,9 @@ jobs:
runs-on: ubuntu-latest
needs: test-setup-cache
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Restore with cache
id: restore
uses: ./
@ -425,7 +483,9 @@ jobs:
test-setup-cache-dependency-glob:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Setup with cache
uses: ./
with:
@ -440,7 +500,9 @@ jobs:
runs-on: ubuntu-latest
needs: test-setup-cache-dependency-glob
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Change pyproject.toml
run: |
echo '[tool.uv]' >> __tests__/fixtures/uv-project/pyproject.toml
@ -475,7 +537,9 @@ jobs:
expected-cache-dir: "/home/ubuntu/.cache/uv"
runs-on: ${{ matrix.inputs.os }}
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Setup with cache
uses: ./
with:
@ -490,7 +554,9 @@ jobs:
test-setup-cache-local:
runs-on: selfhosted-ubuntu-arm64
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Setup with cache
uses: ./
with:
@ -503,7 +569,9 @@ jobs:
runs-on: selfhosted-ubuntu-arm64
needs: test-setup-cache-local
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Restore with cache
id: restore
uses: ./
@ -524,7 +592,9 @@ jobs:
test-tilde-expansion-cache-local-path:
runs-on: selfhosted-ubuntu-arm64
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Create cache directory
run: mkdir -p ~/uv-cache
shell: bash
@ -538,7 +608,9 @@ jobs:
test-tilde-expansion-cache-dependency-glob:
runs-on: selfhosted-ubuntu-arm64
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Create cache directory
run: mkdir -p ~/uv-cache
shell: bash
@ -571,7 +643,9 @@ jobs:
test-no-python-version:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Fake pyproject.toml at root
run: cp __tests__/fixtures/old-python-constraint-project/pyproject.toml pyproject.toml
- name: Setup with cache
@ -584,7 +658,9 @@ jobs:
test-custom-manifest-file:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Install from custom manifest file
uses: ./
with:
@ -601,7 +677,9 @@ jobs:
test-absolute-path:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: Create requirements.txt
run: echo "uv==0.6.17" > /tmp/setup-uv-requirements.txt
- name: Install from requirements file
@ -619,7 +697,9 @@ jobs:
test-relative-path:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- name: mkdir
run: mkdir -p /tmp/setup-uv-test-relative-path
- name: Create requirements.txt

8
.github/workflows/update-known-versions.yml vendored
View File

@ -4,6 +4,8 @@ on:
schedule:
- cron: "0 4 * * *" # Run every day at 4am UTC
permissions: {}
jobs:
build:
runs-on: ubuntu-24.04-arm
@ -11,8 +13,10 @@ jobs:
contents: write
pull-requests: write
steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v4
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: false
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: "20"
- name: Update known versions

6
.github/workflows/update-major-minor-tags.yml vendored
View File

@ -8,6 +8,8 @@ on:
tags:
- "v*.*.*"
permissions: {}
jobs:
update_major_minor_tags:
name: Make sure major and minor tags are up to date on a patch release
@ -15,7 +17,9 @@ jobs:
permissions:
contents: write
steps:
- uses: actions/checkout@v5
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
with:
persist-credentials: true # needed for git push below
- name: Update Major Minor Tags
run: |
set -x