Use astral-sh/versions as primary version provider (#802)

Closes: #777
Closes: #325

.github/release-drafter.yml

@@ -19,7 +19,7 @@ categories:
     labels:
       - "maintenance"
       - "ci"
-      - "update-known-versions"
+      - "update-known-checksums"
   - title: "📚 Documentation"
     labels:
       - "documentation"

.github/workflows/update-known-checksums.yml

@@ -1,4 +1,4 @@
-name: "Update known versions"
+name: "Update known checksums"
 on:
   workflow_dispatch:
   schedule:
@@ -21,13 +21,11 @@ jobs:
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "20"
-      - name: Update known versions
-        id: update-known-versions
+      - name: Update known checksums
+        id: update-known-checksums
         run:
-          node dist/update-known-versions/index.js
+          node dist/update-known-checksums/index.js
           src/download/checksum/known-checksums.ts
-          version-manifest.json
-          ${{ secrets.GITHUB_TOKEN }}
       - name: Check for changes
         id: changes-exist
         run: |
@@ -48,10 +46,10 @@ jobs:
           git config user.name "$GITHUB_ACTOR"
           git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
           git add .
-          git commit -m "chore: update known versions for $LATEST_VERSION"
+          git commit -m "chore: update known checksums for $LATEST_VERSION"
           git push origin HEAD:refs/heads/main
         env:
-          LATEST_VERSION: ${{ steps.update-known-versions.outputs.latest-version }}
+          LATEST_VERSION: ${{ steps.update-known-checksums.outputs.latest-version }}
 
       - name: Create Pull Request
         if: ${{ steps.changes-exist.outputs.changes-exist == 'true' && steps.commit-and-push.outcome != 'success' }}
@@ -60,11 +58,11 @@ jobs:
           commit-message: "chore: update known checksums"
           title:
             "chore: update known checksums for ${{
-            steps.update-known-versions.outputs.latest-version }}"
+            steps.update-known-checksums.outputs.latest-version }}"
           body:
             "chore: update known checksums for ${{
-            steps.update-known-versions.outputs.latest-version }}"
+            steps.update-known-checksums.outputs.latest-version }}"
           base: main
-          labels: "automated-pr,update-known-versions"
-          branch: update-known-versions-pr
+          labels: "automated-pr,update-known-checksums"
+          branch: update-known-checksums-pr
           delete-branch: true

README.md

@@ -68,7 +68,7 @@ Have a look under [Advanced Configuration](#advanced-configuration) for detailed
     # The checksum of the uv version to install
     checksum: ""
 
-    # Used to increase the rate limit when retrieving versions and downloading uv
+    # Used when downloading uv from GitHub releases
     github-token: ${{ github.token }}
 
     # Enable uploading of the uv cache: true, false, or auto (enabled on GitHub-hosted runners, disabled on self-hosted runners)
@@ -114,7 +114,7 @@ Have a look under [Advanced Configuration](#advanced-configuration) for detailed
     # Custom path to set UV_TOOL_BIN_DIR to
     tool-bin-dir: ""
 
-    # URL to the manifest file containing available versions and download URLs
+    # URL to a custom manifest file (NDJSON preferred, legacy JSON array is deprecated)
     manifest-file: ""
 
     # Add problem matchers
@@ -190,10 +190,12 @@ For more advanced configuration options, see our detailed documentation:
 
 ## How it works
 
-This action downloads uv from the uv repo's official
-[GitHub Releases](https://github.com/astral-sh/uv) and uses the
-[GitHub Actions Toolkit](https://github.com/actions/toolkit) to cache it as a tool to speed up
-consecutive runs on self-hosted runners.
+By default, this action resolves uv versions from
+[`astral-sh/versions`](https://github.com/astral-sh/versions) (NDJSON) and downloads uv from the
+official [GitHub Releases](https://github.com/astral-sh/uv).
+
+It then uses the [GitHub Actions Toolkit](https://github.com/actions/toolkit) to cache uv as a
+tool to speed up consecutive runs on self-hosted runners.
 
 The installed version of uv is then added to the runner PATH, enabling later steps to invoke it
 by name (`uv`).

__tests__/download/checksum/checksum.test.ts

@@ -4,10 +4,11 @@ import {
   validateChecksum,
 } from "../../../src/download/checksum/checksum";
 
+const validChecksum =
+  "f3da96ec7e995debee7f5d52ecd034dfb7074309a1da42f76429ecb814d813a3";
+const filePath = "__tests__/fixtures/checksumfile";
+
 test("checksum should match", async () => {
-  const validChecksum =
-    "f3da96ec7e995debee7f5d52ecd034dfb7074309a1da42f76429ecb814d813a3";
-  const filePath = "__tests__/fixtures/checksumfile";
   // string params don't matter only test the checksum mechanism, not known checksums
   await validateChecksum(
     validChecksum,
@@ -18,6 +19,16 @@ test("checksum should match", async () => {
   );
 });
 
+test("provided checksum beats known checksums", async () => {
+  await validateChecksum(
+    validChecksum,
+    filePath,
+    "x86_64",
+    "unknown-linux-gnu",
+    "0.3.0",
+  );
+});
+
 type KnownVersionFixture = { version: string; known: boolean };
 
 it.each<KnownVersionFixture>([

__tests__/download/download-version.test.ts

@@ -0,0 +1,256 @@
+import { beforeEach, describe, expect, it, jest } from "@jest/globals";
+
+const mockInfo = jest.fn();
+const mockWarning = jest.fn();
+
+jest.mock("@actions/core", () => ({
+  debug: jest.fn(),
+  info: mockInfo,
+  warning: mockWarning,
+}));
+
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockDownloadTool = jest.fn<any>();
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockExtractTar = jest.fn<any>();
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockExtractZip = jest.fn<any>();
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockCacheDir = jest.fn<any>();
+
+jest.mock("@actions/tool-cache", () => {
+  const actual = jest.requireActual("@actions/tool-cache") as Record<
+    string,
+    unknown
+  >;
+
+  return {
+    ...actual,
+    cacheDir: mockCacheDir,
+    downloadTool: mockDownloadTool,
+    extractTar: mockExtractTar,
+    extractZip: mockExtractZip,
+  };
+});
+
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockGetLatestVersionFromNdjson = jest.fn<any>();
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockGetAllVersionsFromNdjson = jest.fn<any>();
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockGetArtifactFromNdjson = jest.fn<any>();
+
+jest.mock("../../src/download/versions-client", () => ({
+  getAllVersions: mockGetAllVersionsFromNdjson,
+  getArtifact: mockGetArtifactFromNdjson,
+  getLatestVersion: mockGetLatestVersionFromNdjson,
+}));
+
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockGetAllManifestVersions = jest.fn<any>();
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockGetLatestVersionInManifest = jest.fn<any>();
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockGetManifestArtifact = jest.fn<any>();
+
+jest.mock("../../src/download/version-manifest", () => ({
+  getAllVersions: mockGetAllManifestVersions,
+  getLatestKnownVersion: mockGetLatestVersionInManifest,
+  getManifestArtifact: mockGetManifestArtifact,
+}));
+
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockValidateChecksum = jest.fn<any>();
+
+jest.mock("../../src/download/checksum/checksum", () => ({
+  validateChecksum: mockValidateChecksum,
+}));
+
+import {
+  downloadVersionFromManifest,
+  downloadVersionFromNdjson,
+  resolveVersion,
+} from "../../src/download/download-version";
+
+describe("download-version", () => {
+  beforeEach(() => {
+    mockInfo.mockReset();
+    mockWarning.mockReset();
+    mockDownloadTool.mockReset();
+    mockExtractTar.mockReset();
+    mockExtractZip.mockReset();
+    mockCacheDir.mockReset();
+    mockGetLatestVersionFromNdjson.mockReset();
+    mockGetAllVersionsFromNdjson.mockReset();
+    mockGetArtifactFromNdjson.mockReset();
+    mockGetAllManifestVersions.mockReset();
+    mockGetLatestVersionInManifest.mockReset();
+    mockGetManifestArtifact.mockReset();
+    mockValidateChecksum.mockReset();
+
+    mockDownloadTool.mockResolvedValue("/tmp/downloaded");
+    mockExtractTar.mockResolvedValue("/tmp/extracted");
+    mockExtractZip.mockResolvedValue("/tmp/extracted");
+    mockCacheDir.mockResolvedValue("/tmp/cached");
+  });
+
+  describe("resolveVersion", () => {
+    it("uses astral-sh/versions to resolve latest", async () => {
+      mockGetLatestVersionFromNdjson.mockResolvedValue("0.9.26");
+
+      const version = await resolveVersion("latest", undefined);
+
+      expect(version).toBe("0.9.26");
+      expect(mockGetLatestVersionFromNdjson).toHaveBeenCalledTimes(1);
+    });
+
+    it("uses astral-sh/versions to resolve available versions", async () => {
+      mockGetAllVersionsFromNdjson.mockResolvedValue(["0.9.26", "0.9.25"]);
+
+      const version = await resolveVersion("^0.9.0", undefined);
+
+      expect(version).toBe("0.9.26");
+      expect(mockGetAllVersionsFromNdjson).toHaveBeenCalledTimes(1);
+    });
+
+    it("does not fall back when astral-sh/versions fails", async () => {
+      mockGetLatestVersionFromNdjson.mockRejectedValue(
+        new Error("NDJSON unavailable"),
+      );
+
+      await expect(resolveVersion("latest", undefined)).rejects.toThrow(
+        "NDJSON unavailable",
+      );
+    });
+
+    it("uses manifest-file when provided", async () => {
+      mockGetAllManifestVersions.mockResolvedValue(["0.9.26", "0.9.25"]);
+
+      const version = await resolveVersion(
+        "^0.9.0",
+        "https://example.com/custom.ndjson",
+      );
+
+      expect(version).toBe("0.9.26");
+      expect(mockGetAllManifestVersions).toHaveBeenCalledWith(
+        "https://example.com/custom.ndjson",
+      );
+    });
+  });
+
+  describe("downloadVersionFromNdjson", () => {
+    it("fails when NDJSON metadata lookup fails", async () => {
+      mockGetArtifactFromNdjson.mockRejectedValue(
+        new Error("NDJSON unavailable"),
+      );
+
+      await expect(
+        downloadVersionFromNdjson(
+          "unknown-linux-gnu",
+          "x86_64",
+          "0.9.26",
+          undefined,
+          "token",
+        ),
+      ).rejects.toThrow("NDJSON unavailable");
+
+      expect(mockDownloadTool).not.toHaveBeenCalled();
+      expect(mockValidateChecksum).not.toHaveBeenCalled();
+    });
+
+    it("fails when no matching artifact exists in NDJSON metadata", async () => {
+      mockGetArtifactFromNdjson.mockResolvedValue(undefined);
+
+      await expect(
+        downloadVersionFromNdjson(
+          "unknown-linux-gnu",
+          "x86_64",
+          "0.9.26",
+          undefined,
+          "token",
+        ),
+      ).rejects.toThrow(
+        "Could not find artifact for version 0.9.26, arch x86_64, platform unknown-linux-gnu in https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson .",
+      );
+
+      expect(mockDownloadTool).not.toHaveBeenCalled();
+      expect(mockValidateChecksum).not.toHaveBeenCalled();
+    });
+
+    it("uses built-in checksums for default NDJSON downloads", async () => {
+      mockGetArtifactFromNdjson.mockResolvedValue({
+        archiveFormat: "tar.gz",
+        sha256: "ndjson-checksum-that-should-be-ignored",
+        url: "https://example.com/uv.tar.gz",
+      });
+
+      await downloadVersionFromNdjson(
+        "unknown-linux-gnu",
+        "x86_64",
+        "0.9.26",
+        undefined,
+        "token",
+      );
+
+      expect(mockValidateChecksum).toHaveBeenCalledWith(
+        undefined,
+        "/tmp/downloaded",
+        "x86_64",
+        "unknown-linux-gnu",
+        "0.9.26",
+      );
+    });
+  });
+
+  describe("downloadVersionFromManifest", () => {
+    it("uses manifest-file checksum metadata when checksum input is unset", async () => {
+      mockGetManifestArtifact.mockResolvedValue({
+        archiveFormat: "tar.gz",
+        checksum: "manifest-checksum",
+        downloadUrl: "https://example.com/custom-uv.tar.gz",
+      });
+
+      await downloadVersionFromManifest(
+        "https://example.com/custom.ndjson",
+        "unknown-linux-gnu",
+        "x86_64",
+        "0.9.26",
+        "",
+        "token",
+      );
+
+      expect(mockValidateChecksum).toHaveBeenCalledWith(
+        "manifest-checksum",
+        "/tmp/downloaded",
+        "x86_64",
+        "unknown-linux-gnu",
+        "0.9.26",
+      );
+    });
+
+    it("prefers checksum input over manifest-file checksum metadata", async () => {
+      mockGetManifestArtifact.mockResolvedValue({
+        archiveFormat: "tar.gz",
+        checksum: "manifest-checksum",
+        downloadUrl: "https://example.com/custom-uv.tar.gz",
+      });
+
+      await downloadVersionFromManifest(
+        "https://example.com/custom.ndjson",
+        "unknown-linux-gnu",
+        "x86_64",
+        "0.9.26",
+        "user-checksum",
+        "token",
+      );
+
+      expect(mockValidateChecksum).toHaveBeenCalledWith(
+        "user-checksum",
+        "/tmp/downloaded",
+        "x86_64",
+        "unknown-linux-gnu",
+        "0.9.26",
+      );
+    });
+  });
+});

__tests__/download/version-manifest.test.ts

@@ -0,0 +1,136 @@
+import { beforeEach, describe, expect, it, jest } from "@jest/globals";
+
+const mockWarning = jest.fn();
+
+jest.mock("@actions/core", () => ({
+  debug: jest.fn(),
+  info: jest.fn(),
+  warning: mockWarning,
+}));
+
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockFetch = jest.fn<any>();
+jest.mock("../../src/utils/fetch", () => ({
+  fetch: mockFetch,
+}));
+
+import {
+  clearManifestCache,
+  getAllVersions,
+  getLatestKnownVersion,
+  getManifestArtifact,
+} from "../../src/download/version-manifest";
+
+const legacyManifestResponse = JSON.stringify([
+  {
+    arch: "x86_64",
+    artifactName: "uv-x86_64-unknown-linux-gnu.tar.gz",
+    downloadUrl:
+      "https://example.com/releases/download/0.7.12-alpha.1/uv-x86_64-unknown-linux-gnu.tar.gz",
+    platform: "unknown-linux-gnu",
+    version: "0.7.12-alpha.1",
+  },
+  {
+    arch: "x86_64",
+    artifactName: "uv-x86_64-unknown-linux-gnu.tar.gz",
+    downloadUrl:
+      "https://example.com/releases/download/0.7.13/uv-x86_64-unknown-linux-gnu.tar.gz",
+    platform: "unknown-linux-gnu",
+    version: "0.7.13",
+  },
+]);
+
+const ndjsonManifestResponse = `{"version":"0.10.0","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/releases/download/0.10.0/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"checksum-100"}]}
+{"version":"0.9.30","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/releases/download/0.9.30/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"checksum-0930"}]}`;
+
+const multiVariantManifestResponse = `{"version":"0.10.0","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"managed-python","url":"https://example.com/releases/download/0.10.0/uv-x86_64-unknown-linux-gnu-managed-python.tar.gz","archive_format":"tar.gz","sha256":"checksum-managed"},{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/releases/download/0.10.0/uv-x86_64-unknown-linux-gnu-default.zip","archive_format":"zip","sha256":"checksum-default"}]}`;
+
+function createMockResponse(
+  ok: boolean,
+  status: number,
+  statusText: string,
+  data: string,
+) {
+  return {
+    ok,
+    status,
+    statusText,
+    text: async () => data,
+  };
+}
+
+describe("version-manifest", () => {
+  beforeEach(() => {
+    clearManifestCache();
+    mockFetch.mockReset();
+    mockWarning.mockReset();
+  });
+
+  it("supports the legacy JSON manifest format", async () => {
+    mockFetch.mockResolvedValue(
+      createMockResponse(true, 200, "OK", legacyManifestResponse),
+    );
+
+    const latest = await getLatestKnownVersion(
+      "https://example.com/legacy.json",
+    );
+    const artifact = await getManifestArtifact(
+      "https://example.com/legacy.json",
+      "0.7.13",
+      "x86_64",
+      "unknown-linux-gnu",
+    );
+
+    expect(latest).toBe("0.7.13");
+    expect(artifact).toEqual({
+      archiveFormat: undefined,
+      checksum: undefined,
+      downloadUrl:
+        "https://example.com/releases/download/0.7.13/uv-x86_64-unknown-linux-gnu.tar.gz",
+    });
+    expect(mockWarning).toHaveBeenCalledTimes(1);
+  });
+
+  it("supports NDJSON manifests", async () => {
+    mockFetch.mockResolvedValue(
+      createMockResponse(true, 200, "OK", ndjsonManifestResponse),
+    );
+
+    const versions = await getAllVersions("https://example.com/custom.ndjson");
+    const artifact = await getManifestArtifact(
+      "https://example.com/custom.ndjson",
+      "0.10.0",
+      "x86_64",
+      "unknown-linux-gnu",
+    );
+
+    expect(versions).toEqual(["0.10.0", "0.9.30"]);
+    expect(artifact).toEqual({
+      archiveFormat: "tar.gz",
+      checksum: "checksum-100",
+      downloadUrl:
+        "https://example.com/releases/download/0.10.0/uv-x86_64-unknown-linux-gnu.tar.gz",
+    });
+    expect(mockWarning).not.toHaveBeenCalled();
+  });
+
+  it("prefers the default variant when a manifest contains multiple variants", async () => {
+    mockFetch.mockResolvedValue(
+      createMockResponse(true, 200, "OK", multiVariantManifestResponse),
+    );
+
+    const artifact = await getManifestArtifact(
+      "https://example.com/multi-variant.ndjson",
+      "0.10.0",
+      "x86_64",
+      "unknown-linux-gnu",
+    );
+
+    expect(artifact).toEqual({
+      archiveFormat: "zip",
+      checksum: "checksum-default",
+      downloadUrl:
+        "https://example.com/releases/download/0.10.0/uv-x86_64-unknown-linux-gnu-default.zip",
+    });
+  });
+});

__tests__/download/versions-client.test.ts

@@ -0,0 +1,169 @@
+import { beforeEach, describe, expect, it, jest } from "@jest/globals";
+
+// biome-ignore lint/suspicious/noExplicitAny: Mock requires flexible typing in tests.
+const mockFetch = jest.fn<any>();
+jest.mock("../../src/utils/fetch", () => ({
+  fetch: mockFetch,
+}));
+
+import {
+  clearCache,
+  fetchVersionData,
+  getAllVersions,
+  getArtifact,
+  getLatestVersion,
+  parseVersionData,
+} from "../../src/download/versions-client";
+
+const sampleNdjsonResponse = `{"version":"0.9.26","artifacts":[{"platform":"aarch64-apple-darwin","variant":"default","url":"https://github.com/astral-sh/uv/releases/download/0.9.26/uv-aarch64-apple-darwin.tar.gz","archive_format":"tar.gz","sha256":"fcf0a9ea6599c6ae28a4c854ac6da76f2c889354d7c36ce136ef071f7ab9721f"},{"platform":"x86_64-pc-windows-msvc","variant":"default","url":"https://github.com/astral-sh/uv/releases/download/0.9.26/uv-x86_64-pc-windows-msvc.zip","archive_format":"zip","sha256":"eb02fd95d8e0eed462b4a67ecdd320d865b38c560bffcda9a0b87ec944bdf036"}]}
+{"version":"0.9.25","artifacts":[{"platform":"aarch64-apple-darwin","variant":"default","url":"https://github.com/astral-sh/uv/releases/download/0.9.25/uv-aarch64-apple-darwin.tar.gz","archive_format":"tar.gz","sha256":"606b3c6949d971709f2526fa0d9f0fd23ccf60e09f117999b406b424af18a6a6"}]}`;
+
+const multiVariantNdjsonResponse = `{"version":"0.9.26","artifacts":[{"platform":"aarch64-apple-darwin","variant":"python-managed","url":"https://github.com/astral-sh/uv/releases/download/0.9.26/uv-aarch64-apple-darwin-managed.tar.gz","archive_format":"tar.gz","sha256":"managed-checksum"},{"platform":"aarch64-apple-darwin","variant":"default","url":"https://github.com/astral-sh/uv/releases/download/0.9.26/uv-aarch64-apple-darwin.zip","archive_format":"zip","sha256":"default-checksum"}]}`;
+
+function createMockResponse(
+  ok: boolean,
+  status: number,
+  statusText: string,
+  data: string,
+) {
+  return {
+    ok,
+    status,
+    statusText,
+    text: async () => data,
+  };
+}
+
+describe("versions-client", () => {
+  beforeEach(() => {
+    clearCache();
+    mockFetch.mockReset();
+  });
+
+  describe("fetchVersionData", () => {
+    it("should fetch and parse NDJSON data", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+
+      const versions = await fetchVersionData();
+
+      expect(versions).toHaveLength(2);
+      expect(versions[0].version).toBe("0.9.26");
+      expect(versions[1].version).toBe("0.9.25");
+    });
+
+    it("should throw error on failed fetch", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(false, 500, "Internal Server Error", ""),
+      );
+
+      await expect(fetchVersionData()).rejects.toThrow(
+        "Failed to fetch version data: 500 Internal Server Error",
+      );
+    });
+
+    it("should cache results", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+
+      await fetchVersionData();
+      await fetchVersionData();
+
+      expect(mockFetch).toHaveBeenCalledTimes(1);
+    });
+  });
+
+  describe("getLatestVersion", () => {
+    it("should return the first version (newest)", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+
+      const latest = await getLatestVersion();
+
+      expect(latest).toBe("0.9.26");
+    });
+  });
+
+  describe("getAllVersions", () => {
+    it("should return all version strings", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+
+      const versions = await getAllVersions();
+
+      expect(versions).toEqual(["0.9.26", "0.9.25"]);
+    });
+  });
+
+  describe("getArtifact", () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+    });
+
+    it("should find artifact by version and platform", async () => {
+      const artifact = await getArtifact("0.9.26", "aarch64", "apple-darwin");
+
+      expect(artifact).toEqual({
+        archiveFormat: "tar.gz",
+        sha256:
+          "fcf0a9ea6599c6ae28a4c854ac6da76f2c889354d7c36ce136ef071f7ab9721f",
+        url: "https://github.com/astral-sh/uv/releases/download/0.9.26/uv-aarch64-apple-darwin.tar.gz",
+      });
+    });
+
+    it("should find windows artifact", async () => {
+      const artifact = await getArtifact("0.9.26", "x86_64", "pc-windows-msvc");
+
+      expect(artifact).toEqual({
+        archiveFormat: "zip",
+        sha256:
+          "eb02fd95d8e0eed462b4a67ecdd320d865b38c560bffcda9a0b87ec944bdf036",
+        url: "https://github.com/astral-sh/uv/releases/download/0.9.26/uv-x86_64-pc-windows-msvc.zip",
+      });
+    });
+
+    it("should prefer the default variant when multiple artifacts share a platform", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", multiVariantNdjsonResponse),
+      );
+
+      const artifact = await getArtifact("0.9.26", "aarch64", "apple-darwin");
+
+      expect(artifact).toEqual({
+        archiveFormat: "zip",
+        sha256: "default-checksum",
+        url: "https://github.com/astral-sh/uv/releases/download/0.9.26/uv-aarch64-apple-darwin.zip",
+      });
+    });
+
+    it("should return undefined for unknown version", async () => {
+      const artifact = await getArtifact("0.0.1", "aarch64", "apple-darwin");
+
+      expect(artifact).toBeUndefined();
+    });
+
+    it("should return undefined for unknown platform", async () => {
+      const artifact = await getArtifact(
+        "0.9.26",
+        "aarch64",
+        "unknown-linux-musl",
+      );
+
+      expect(artifact).toBeUndefined();
+    });
+  });
+
+  describe("parseVersionData", () => {
+    it("should throw for malformed NDJSON", () => {
+      expect(() =>
+        parseVersionData('{"version":"0.1.0"', "test-source"),
+      ).toThrow("Failed to parse version data from test-source");
+    });
+  });
+});

action.yml

@@ -26,7 +26,7 @@ inputs:
     required: false
   github-token:
     description:
-      "Used to increase the rate limit when retrieving versions and downloading uv."
+      "Used when downloading uv from GitHub releases."
     required: false
     default: ${{ github.token }}
   enable-cache:
@@ -75,7 +75,7 @@ inputs:
     description: "Custom path to set UV_TOOL_BIN_DIR to."
     required: false
   manifest-file:
-    description: "URL to the manifest file containing available versions and download URLs."
+    description: "URL to a custom manifest file. Supports the astral-sh/versions NDJSON format and the legacy JSON array format (deprecated)."
     required: false
   add-problem-matchers:
     description: "Add problem matchers."

dist/save-cache/index.js

@@ -90979,12 +90979,11 @@ function getConfigValueFromTomlFile(filePath, key) {
 "use strict";
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.STATE_UV_VERSION = exports.STATE_UV_PATH = exports.TOOL_CACHE_NAME = exports.OWNER = exports.REPO = void 0;
-exports.REPO = "uv";
-exports.OWNER = "astral-sh";
+exports.VERSIONS_NDJSON_URL = exports.STATE_UV_VERSION = exports.STATE_UV_PATH = exports.TOOL_CACHE_NAME = void 0;
 exports.TOOL_CACHE_NAME = "uv";
 exports.STATE_UV_PATH = "uv-path";
 exports.STATE_UV_VERSION = "uv-version";
+exports.VERSIONS_NDJSON_URL = "https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson";
 
 
 /***/ }),

docs/customization.md

@@ -18,12 +18,29 @@ are automatically verified by this action. The sha256 hashes can be found on the
 
 ## Manifest file
 
-The `manifest-file` input allows you to specify a JSON manifest that lists available uv versions,
-architectures, and their download URLs. By default, this action uses the manifest file contained
-in this repository, which is automatically updated with each release of uv.
+By default, setup-uv reads version metadata from
+[`astral-sh/versions`](https://github.com/astral-sh/versions) (NDJSON format).
 
-The manifest file contains an array of objects, each describing a version,
-architecture, platform, and the corresponding download URL. For example:
+The `manifest-file` input lets you override that source with your own URL, for example to test
+custom uv builds or alternate download locations.
+
+### Format
+
+The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:
+
+```json
+{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
+{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
+```
+
+setup-uv currently only supports `default` as the `variant`.
+
+The `archive_format` field is currently ignored.
+
+### Legacy format: JSON array (deprecated)
+
+The previous JSON array format is still supported for compatibility, but deprecated and will be
+removed in a future major release.
 
 ```json
 [
@@ -33,26 +50,20 @@ architecture, platform, and the corresponding download URL. For example:
     "arch": "aarch64",
     "platform": "apple-darwin",
     "downloadUrl": "https://github.com/astral-sh/uv/releases/download/0.7.13/uv-aarch64-apple-darwin.tar.gz"
-  },
-  ...
+  }
 ]
 ```
 
-You can supply a custom manifest file URL to define additional versions,
-architectures, or different download URLs.
-This is useful if you maintain your own uv builds or want to override the default sources.
-
 ```yaml
 - name: Use a custom manifest file
   uses: astral-sh/setup-uv@v7
   with:
-    manifest-file: "https://example.com/my-custom-manifest.json"
+    manifest-file: "https://example.com/my-custom-manifest.ndjson"
 ```
 
 > [!NOTE]
-> When you use a custom manifest file and do not set the `version` input, its default value is `latest`.
-> This means the action will install the latest version available in the custom manifest file.
-> This is different from the default behavior of installing the latest version from the official uv releases.
+> When you use a custom manifest file and do not set the `version` input, setup-uv installs the
+> latest version from that custom manifest.
 
 ## Add problem matchers
 

docs/environment-and-tools.md

@@ -38,9 +38,12 @@ You can customize the venv location with `venv-path`, for example to place it in
 
 ## GitHub authentication token
 
-This action uses the GitHub API to fetch the uv release artifacts. To avoid hitting the GitHub API
-rate limit too quickly, an authentication token can be provided via the `github-token` input. By
-default, the `GITHUB_TOKEN` secret is used, which is automatically provided by GitHub Actions.
+By default, this action resolves available uv versions from
+[`astral-sh/versions`](https://github.com/astral-sh/versions), then downloads uv artifacts from
+GitHub Releases.
+
+You can provide a token via `github-token` to authenticate those downloads. By default, the
+`GITHUB_TOKEN` secret is used, which is automatically provided by GitHub Actions.
 
 If the default
 [permissions for the GitHub token](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#permissions-for-the-github_token)

package-lock.json

@@ -15,9 +15,6 @@
         "@actions/glob": "^0.5.0",
         "@actions/io": "^1.1.3",
         "@actions/tool-cache": "^2.0.2",
-        "@octokit/core": "^7.0.6",
-        "@octokit/plugin-paginate-rest": "^14.0.0",
-        "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
         "@renovatebot/pep440": "^4.2.1",
         "smol-toml": "^1.6.0",
         "undici": "5.28.5"
@@ -1589,133 +1586,6 @@
         "@tybys/wasm-util": "^0.10.0"
       }
     },
-    "node_modules/@octokit/auth-token": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
-      "integrity": "sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/core": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
-      "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/auth-token": "^6.0.0",
-        "@octokit/graphql": "^9.0.3",
-        "@octokit/request": "^10.0.6",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "before-after-hook": "^4.0.0",
-        "universal-user-agent": "^7.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/endpoint": {
-      "version": "11.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.2.tgz",
-      "integrity": "sha512-4zCpzP1fWc7QlqunZ5bSEjxc6yLAlRTnDwKtgXfcI/FxxGoqedDG8V2+xJ60bV2kODqcGB+nATdtap/XYq2NZQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/graphql": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-9.0.3.tgz",
-      "integrity": "sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/request": "^10.0.6",
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/openapi-types": {
-      "version": "27.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
-      "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA==",
-      "license": "MIT"
-    },
-    "node_modules/@octokit/plugin-paginate-rest": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-14.0.0.tgz",
-      "integrity": "sha512-fNVRE7ufJiAA3XUrha2omTA39M6IXIc6GIZLvlbsm8QOQCYvpq/LkMNGyFlB1d8hTDzsAXa3OKtybdMAYsV/fw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=6"
-      }
-    },
-    "node_modules/@octokit/plugin-rest-endpoint-methods": {
-      "version": "17.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-17.0.0.tgz",
-      "integrity": "sha512-B5yCyIlOJFPqUUeiD0cnBJwWJO8lkJs5d8+ze9QDP6SvfiXSz1BF+91+0MeI1d2yxgOhU/O+CvtiZ9jSkHhFAw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=6"
-      }
-    },
-    "node_modules/@octokit/request": {
-      "version": "10.0.7",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.7.tgz",
-      "integrity": "sha512-v93h0i1yu4idj8qFPZwjehoJx4j3Ntn+JhXsdJrG9pYaX6j/XRz2RmasMUHtNgQD39nrv/VwTWSqK0RNXR8upA==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/endpoint": "^11.0.2",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "fast-content-type-parse": "^3.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/request-error": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
-      "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/types": {
-      "version": "16.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
-      "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/openapi-types": "^27.0.0"
-      }
-    },
     "node_modules/@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@@ -2452,12 +2322,6 @@
       "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
       "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c="
     },
-    "node_modules/before-after-hook": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-4.0.0.tgz",
-      "integrity": "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ==",
-      "license": "Apache-2.0"
-    },
     "node_modules/brace-expansion": {
       "version": "1.1.12",
       "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
@@ -3067,22 +2931,6 @@
         "node": "^18.14.0 || ^20.0.0 || ^22.0.0 || >=24.0.0"
       }
     },
-    "node_modules/fast-content-type-parse": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-3.0.0.tgz",
-      "integrity": "sha512-ZvLdcY8P+N8mGQJahJV5G4U88CSvT1rP8ApL6uETe88MBXrBHAkZlSEySdUlyztF7ccb+Znos3TFqaepHxdhBg==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/fastify"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/fastify"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/fast-json-stable-stringify": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
@@ -5365,12 +5213,6 @@
       "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==",
       "license": "MIT"
     },
-    "node_modules/universal-user-agent": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
-      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
-      "license": "ISC"
-    },
     "node_modules/unrs-resolver": {
       "version": "1.11.1",
       "resolved": "https://registry.npmjs.org/unrs-resolver/-/unrs-resolver-1.11.1.tgz",
@@ -6881,93 +6723,6 @@
         "@tybys/wasm-util": "^0.10.0"
       }
     },
-    "@octokit/auth-token": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
-      "integrity": "sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w=="
-    },
-    "@octokit/core": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
-      "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
-      "requires": {
-        "@octokit/auth-token": "^6.0.0",
-        "@octokit/graphql": "^9.0.3",
-        "@octokit/request": "^10.0.6",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "before-after-hook": "^4.0.0",
-        "universal-user-agent": "^7.0.0"
-      }
-    },
-    "@octokit/endpoint": {
-      "version": "11.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.2.tgz",
-      "integrity": "sha512-4zCpzP1fWc7QlqunZ5bSEjxc6yLAlRTnDwKtgXfcI/FxxGoqedDG8V2+xJ60bV2kODqcGB+nATdtap/XYq2NZQ==",
-      "requires": {
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.2"
-      }
-    },
-    "@octokit/graphql": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-9.0.3.tgz",
-      "integrity": "sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==",
-      "requires": {
-        "@octokit/request": "^10.0.6",
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.0"
-      }
-    },
-    "@octokit/openapi-types": {
-      "version": "27.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
-      "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA=="
-    },
-    "@octokit/plugin-paginate-rest": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-14.0.0.tgz",
-      "integrity": "sha512-fNVRE7ufJiAA3XUrha2omTA39M6IXIc6GIZLvlbsm8QOQCYvpq/LkMNGyFlB1d8hTDzsAXa3OKtybdMAYsV/fw==",
-      "requires": {
-        "@octokit/types": "^16.0.0"
-      }
-    },
-    "@octokit/plugin-rest-endpoint-methods": {
-      "version": "17.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-17.0.0.tgz",
-      "integrity": "sha512-B5yCyIlOJFPqUUeiD0cnBJwWJO8lkJs5d8+ze9QDP6SvfiXSz1BF+91+0MeI1d2yxgOhU/O+CvtiZ9jSkHhFAw==",
-      "requires": {
-        "@octokit/types": "^16.0.0"
-      }
-    },
-    "@octokit/request": {
-      "version": "10.0.7",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.7.tgz",
-      "integrity": "sha512-v93h0i1yu4idj8qFPZwjehoJx4j3Ntn+JhXsdJrG9pYaX6j/XRz2RmasMUHtNgQD39nrv/VwTWSqK0RNXR8upA==",
-      "requires": {
-        "@octokit/endpoint": "^11.0.2",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "fast-content-type-parse": "^3.0.0",
-        "universal-user-agent": "^7.0.2"
-      }
-    },
-    "@octokit/request-error": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
-      "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
-      "requires": {
-        "@octokit/types": "^16.0.0"
-      }
-    },
-    "@octokit/types": {
-      "version": "16.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
-      "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
-      "requires": {
-        "@octokit/openapi-types": "^27.0.0"
-      }
-    },
     "@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@@ -7468,11 +7223,6 @@
       "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
       "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c="
     },
-    "before-after-hook": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-4.0.0.tgz",
-      "integrity": "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ=="
-    },
     "brace-expansion": {
       "version": "1.1.12",
       "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
@@ -7873,11 +7623,6 @@
         "jest-util": "30.2.0"
       }
     },
-    "fast-content-type-parse": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-3.0.0.tgz",
-      "integrity": "sha512-ZvLdcY8P+N8mGQJahJV5G4U88CSvT1rP8ApL6uETe88MBXrBHAkZlSEySdUlyztF7ccb+Znos3TFqaepHxdhBg=="
-    },
     "fast-json-stable-stringify": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
@@ -9411,11 +9156,6 @@
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz",
       "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw=="
     },
-    "universal-user-agent": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
-      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A=="
-    },
     "unrs-resolver": {
       "version": "1.11.1",
       "resolved": "https://registry.npmjs.org/unrs-resolver/-/unrs-resolver-1.11.1.tgz",

package.json

@@ -7,10 +7,10 @@
   "scripts": {
     "build": "tsc",
     "check": "biome check --write",
-    "package": "ncc build -o dist/setup src/setup-uv.ts && ncc build -o dist/save-cache src/save-cache.ts && ncc build -o dist/update-known-versions src/update-known-versions.ts",
+    "package": "ncc build -o dist/setup src/setup-uv.ts && ncc build -o dist/save-cache src/save-cache.ts && ncc build -o dist/update-known-checksums src/update-known-checksums.ts",
     "test": "jest",
     "act": "act pull_request -W .github/workflows/test.yml --container-architecture linux/amd64 -s GITHUB_TOKEN=\"$(gh auth token)\"",
-    "update-known-versions": "RUNNER_TEMP=known_versions node dist/update-known-versions/index.js src/download/checksum/known-versions.ts \"$(gh auth token)\"",
+    "update-known-checksums": "RUNNER_TEMP=known_versions node dist/update-known-checksums/index.js src/download/checksum/known-checksums.ts",
     "all": "npm run build && npm run check && npm run package && npm test"
   },
   "repository": {
@@ -32,9 +32,6 @@
     "@actions/glob": "^0.5.0",
     "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.2",
-    "@octokit/core": "^7.0.6",
-    "@octokit/plugin-paginate-rest": "^14.0.0",
-    "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
     "@renovatebot/pep440": "^4.2.1",
     "smol-toml": "^1.6.0",
     "undici": "5.28.5"

src/download/checksum/checksum.ts

@@ -6,33 +6,35 @@ import type { Architecture, Platform } from "../../utils/platforms";
 import { KNOWN_CHECKSUMS } from "./known-checksums";
 
 export async function validateChecksum(
-  checkSum: string | undefined,
+  checksum: string | undefined,
   downloadPath: string,
   arch: Architecture,
   platform: Platform,
   version: string,
 ): Promise<void> {
-  let isValid: boolean | undefined;
-  if (checkSum !== undefined && checkSum !== "") {
-    isValid = await validateFileCheckSum(downloadPath, checkSum);
-  } else {
-    core.debug("Checksum not provided. Checking known checksums.");
-    const key = `${arch}-${platform}-${version}`;
-    if (key in KNOWN_CHECKSUMS) {
-      const knownChecksum = KNOWN_CHECKSUMS[`${arch}-${platform}-${version}`];
-      core.debug(`Checking checksum for ${arch}-${platform}-${version}.`);
-      isValid = await validateFileCheckSum(downloadPath, knownChecksum);
-    } else {
-      core.debug(`No known checksum found for ${key}.`);
-    }
+  const key = `${arch}-${platform}-${version}`;
+  const hasProvidedChecksum = checksum !== undefined && checksum !== "";
+  const checksumToUse = hasProvidedChecksum ? checksum : KNOWN_CHECKSUMS[key];
+
+  if (checksumToUse === undefined) {
+    core.debug(`No checksum found for ${key}.`);
+    return;
   }
 
-  if (isValid === false) {
-    throw new Error(`Checksum for ${downloadPath} did not match ${checkSum}.`);
-  }
-  if (isValid === true) {
-    core.debug(`Checksum for ${downloadPath} is valid.`);
+  const checksumSource = hasProvidedChecksum
+    ? "provided checksum"
+    : `KNOWN_CHECKSUMS entry for ${key}`;
+
+  core.debug(`Validating checksum using ${checksumSource}.`);
+  const isValid = await validateFileCheckSum(downloadPath, checksumToUse);
+
+  if (!isValid) {
+    throw new Error(
+      `Checksum for ${downloadPath} did not match ${checksumToUse}.`,
+    );
   }
+
+  core.debug(`Checksum for ${downloadPath} is valid.`);
 }
 
 async function validateFileCheckSum(

src/download/checksum/update-known-checksums.ts

@@ -1,59 +1,34 @@
 import { promises as fs } from "node:fs";
-import * as tc from "@actions/tool-cache";
-import { KNOWN_CHECKSUMS } from "./known-checksums";
+
+export interface ChecksumEntry {
+  key: string;
+  checksum: string;
+}
+
 export async function updateChecksums(
   filePath: string,
-  downloadUrls: string[],
+  checksumEntries: ChecksumEntry[],
 ): Promise<void> {
-  await fs.rm(filePath);
-  await fs.appendFile(
-    filePath,
-    "// AUTOGENERATED_DO_NOT_EDIT\nexport const KNOWN_CHECKSUMS: { [key: string]: string } = {\n",
-  );
-  let firstLine = true;
-  for (const downloadUrl of downloadUrls) {
-    const key = getKey(downloadUrl);
-    if (key === undefined) {
+  const deduplicatedEntries = new Map<string, string>();
+
+  for (const entry of checksumEntries) {
+    if (deduplicatedEntries.has(entry.key)) {
       continue;
     }
-    const checksum = await getOrDownloadChecksum(key, downloadUrl);
-    if (!firstLine) {
-      await fs.appendFile(filePath, ",\n");
-    }
-    await fs.appendFile(filePath, `  "${key}":\n    "${checksum}"`);
-    firstLine = false;
-  }
-  await fs.appendFile(filePath, ",\n};\n");
-}
 
-function getKey(downloadUrl: string): string | undefined {
-  // https://github.com/astral-sh/uv/releases/download/0.3.2/uv-aarch64-apple-darwin.tar.gz.sha256
-  const parts = downloadUrl.split("/");
-  const fileName = parts[parts.length - 1];
-  if (fileName.startsWith("source")) {
-    return undefined;
+    deduplicatedEntries.set(entry.key, entry.checksum);
   }
-  const name = fileName.split(".")[0].split("uv-")[1];
-  const version = parts[parts.length - 2];
-  return `${name}-${version}`;
-}
 
-async function getOrDownloadChecksum(
-  key: string,
-  downloadUrl: string,
-): Promise<string> {
-  let checksum = "";
-  if (key in KNOWN_CHECKSUMS) {
-    checksum = KNOWN_CHECKSUMS[key];
-  } else {
-    const content = await downloadAssetContent(downloadUrl);
-    checksum = content.split(" ")[0].trim();
-  }
-  return checksum;
-}
+  const body = [...deduplicatedEntries.entries()]
+    .map(([key, checksum]) => `  "${key}":\n    "${checksum}"`)
+    .join(",\n");
 
-async function downloadAssetContent(downloadUrl: string): Promise<string> {
-  const downloadPath = await tc.downloadTool(downloadUrl);
-  const content = await fs.readFile(downloadPath, "utf8");
-  return content;
+  const content =
+    "// AUTOGENERATED_DO_NOT_EDIT\n" +
+    "export const KNOWN_CHECKSUMS: { [key: string]: string } = {\n" +
+    body +
+    (body === "" ? "" : ",\n") +
+    "};\n";
+
+  await fs.writeFile(filePath, content);
 }

src/download/download-version.ts

@@ -2,20 +2,21 @@ import { promises as fs } from "node:fs";
 import * as path from "node:path";
 import * as core from "@actions/core";
 import * as tc from "@actions/tool-cache";
-import type { Endpoints } from "@octokit/types";
 import * as pep440 from "@renovatebot/pep440";
 import * as semver from "semver";
-import { OWNER, REPO, TOOL_CACHE_NAME } from "../utils/constants";
-import { Octokit } from "../utils/octokit";
+import { TOOL_CACHE_NAME, VERSIONS_NDJSON_URL } from "../utils/constants";
 import type { Architecture, Platform } from "../utils/platforms";
 import { validateChecksum } from "./checksum/checksum";
 import {
-  getDownloadUrl,
+  getAllVersions as getAllManifestVersions,
   getLatestKnownVersion as getLatestVersionInManifest,
+  getManifestArtifact,
 } from "./version-manifest";
-
-type Release =
-  Endpoints["GET /repos/{owner}/{repo}/releases"]["response"]["data"][number];
+import {
+  getAllVersions as getAllVersionsFromNdjson,
+  getArtifact as getArtifactFromNdjson,
+  getLatestVersion as getLatestVersionFromNdjson,
+} from "./versions-client";
 
 export function tryGetFromToolCache(
   arch: Architecture,
@@ -32,19 +33,26 @@ export function tryGetFromToolCache(
   return { installedPath, version: resolvedVersion };
 }
 
-export async function downloadVersionFromGithub(
+export async function downloadVersionFromNdjson(
   platform: Platform,
   arch: Architecture,
   version: string,
   checkSum: string | undefined,
   githubToken: string,
 ): Promise<{ version: string; cachedToolDir: string }> {
-  const artifact = `uv-${arch}-${platform}`;
-  const extension = getExtension(platform);
-  const downloadUrl = `https://github.com/${OWNER}/${REPO}/releases/download/${version}/${artifact}${extension}`;
+  const artifact = await getArtifactFromNdjson(version, arch, platform);
+
+  if (!artifact) {
+    throw new Error(
+      `Could not find artifact for version ${version}, arch ${arch}, platform ${platform} in ${VERSIONS_NDJSON_URL} .`,
+    );
+  }
+
+  // For the default astral-sh/versions source, checksum validation relies on
+  // user input or the built-in KNOWN_CHECKSUMS table, not NDJSON sha256 values.
   return await downloadVersion(
-    downloadUrl,
-    artifact,
+    artifact.url,
+    `uv-${arch}-${platform}`,
     platform,
     arch,
     version,
@@ -54,38 +62,32 @@ export async function downloadVersionFromGithub(
 }
 
 export async function downloadVersionFromManifest(
-  manifestUrl: string | undefined,
+  manifestUrl: string,
   platform: Platform,
   arch: Architecture,
   version: string,
   checkSum: string | undefined,
   githubToken: string,
 ): Promise<{ version: string; cachedToolDir: string }> {
-  const downloadUrl = await getDownloadUrl(
+  const artifact = await getManifestArtifact(
     manifestUrl,
     version,
     arch,
     platform,
   );
-  if (!downloadUrl) {
-    core.info(
-      `manifest-file does not contain version ${version}, arch ${arch}, platform ${platform}. Falling back to GitHub releases.`,
-    );
-    return await downloadVersionFromGithub(
-      platform,
-      arch,
-      version,
-      checkSum,
-      githubToken,
+  if (!artifact) {
+    throw new Error(
+      `manifest-file does not contain version ${version}, arch ${arch}, platform ${platform}.`,
     );
   }
+
   return await downloadVersion(
-    downloadUrl,
+    artifact.downloadUrl,
     `uv-${arch}-${platform}`,
     platform,
     arch,
     version,
-    checkSum,
+    resolveChecksum(checkSum, artifact.checksum),
     githubToken,
   );
 }
@@ -96,7 +98,7 @@ async function downloadVersion(
   platform: Platform,
   arch: Architecture,
   version: string,
-  checkSum: string | undefined,
+  checksum: string | undefined,
   githubToken: string,
 ): Promise<{ version: string; cachedToolDir: string }> {
   core.info(`Downloading uv from "${downloadUrl}" ...`);
@@ -105,14 +107,14 @@ async function downloadVersion(
     undefined,
     githubToken,
   );
-  await validateChecksum(checkSum, downloadPath, arch, platform, version);
+  await validateChecksum(checksum, downloadPath, arch, platform, version);
 
   let uvDir: string;
   if (platform === "pc-windows-msvc") {
-    // On windows extracting the zip does not create an intermediate directory
+    // On windows extracting the zip does not create an intermediate directory.
     try {
       // Try tar first as it's much faster, but only bsdtar supports zip files,
-      // so this my fail if another tar, like gnu tar, ends up being used.
+      // so this may fail if another tar, like gnu tar, ends up being used.
       uvDir = await tc.extractTar(downloadPath, undefined, "x");
     } catch (err) {
       core.info(
@@ -127,6 +129,7 @@ async function downloadVersion(
     const extractedDir = await tc.extractTar(downloadPath);
     uvDir = path.join(extractedDir, artifactName);
   }
+
   const cachedToolDir = await tc.cacheDir(
     uvDir,
     TOOL_CACHE_NAME,
@@ -136,14 +139,22 @@ async function downloadVersion(
   return { cachedToolDir, version: version };
 }
 
+function resolveChecksum(
+  checkSum: string | undefined,
+  manifestChecksum?: string,
+): string | undefined {
+  return checkSum !== undefined && checkSum !== ""
+    ? checkSum
+    : manifestChecksum;
+}
+
 function getExtension(platform: Platform): string {
   return platform === "pc-windows-msvc" ? ".zip" : ".tar.gz";
 }
 
 export async function resolveVersion(
   versionInput: string,
-  manifestFile: string | undefined,
-  githubToken: string,
+  manifestUrl: string | undefined,
   resolutionStrategy: "highest" | "lowest" = "highest",
 ): Promise<string> {
   core.debug(`Resolving version: ${versionInput}`);
@@ -155,15 +166,15 @@ export async function resolveVersion(
   if (resolveVersionSpecifierToLatest) {
     core.info("Found minimum version specifier, using latest version");
   }
-  if (manifestFile) {
+  if (manifestUrl !== undefined) {
     version =
       versionInput === "latest" || resolveVersionSpecifierToLatest
-        ? await getLatestVersionInManifest(manifestFile)
+        ? await getLatestVersionInManifest(manifestUrl)
         : versionInput;
   } else {
     version =
       versionInput === "latest" || resolveVersionSpecifierToLatest
-        ? await getLatestVersion(githubToken)
+        ? await getLatestVersionFromNdjson()
         : versionInput;
   }
   if (tc.isExplicitVersion(version)) {
@@ -175,91 +186,33 @@ export async function resolveVersion(
     }
     return version;
   }
-  const availableVersions = await getAvailableVersions(githubToken);
+
+  const availableVersions = await getAvailableVersions(manifestUrl);
   core.debug(`Available versions: ${availableVersions}`);
   const resolvedVersion =
     resolutionStrategy === "lowest"
       ? minSatisfying(availableVersions, version)
       : maxSatisfying(availableVersions, version);
+
   if (resolvedVersion === undefined) {
     throw new Error(`No version found for ${version}`);
   }
+
   return resolvedVersion;
 }
 
-async function getAvailableVersions(githubToken: string): Promise<string[]> {
-  core.info("Getting available versions from GitHub API...");
-  try {
-    const octokit = new Octokit({
-      auth: githubToken,
-    });
-    return await getReleaseTagNames(octokit);
-  } catch (err) {
-    if ((err as Error).message.includes("Bad credentials")) {
-      core.info(
-        "No (valid) GitHub token provided. Falling back to anonymous. Requests might be rate limited.",
-      );
-      const octokit = new Octokit();
-      return await getReleaseTagNames(octokit);
-    }
-    throw err;
-  }
-}
-
-async function getReleaseTagNames(octokit: Octokit): Promise<string[]> {
-  const response: Release[] = await octokit.paginate(
-    octokit.rest.repos.listReleases,
-    {
-      owner: OWNER,
-      repo: REPO,
-    },
-  );
-  const releaseTagNames = response.map((release) => release.tag_name);
-  if (releaseTagNames.length === 0) {
-    throw Error(
-      "Github API request failed while getting releases. Check the GitHub status page for outages. Try again later.",
+async function getAvailableVersions(
+  manifestUrl: string | undefined,
+): Promise<string[]> {
+  if (manifestUrl !== undefined) {
+    core.info(
+      `Getting available versions from manifest-file ${manifestUrl} ...`,
     );
-  }
-  return releaseTagNames;
-}
-
-async function getLatestVersion(githubToken: string) {
-  core.info("Getting latest version from GitHub API...");
-  const octokit = new Octokit({
-    auth: githubToken,
-  });
-
-  let latestRelease: { tag_name: string } | undefined;
-  try {
-    latestRelease = await getLatestRelease(octokit);
-  } catch (err) {
-    if ((err as Error).message.includes("Bad credentials")) {
-      core.info(
-        "No (valid) GitHub token provided. Falling back to anonymous. Requests might be rate limited.",
-      );
-      const octokit = new Octokit();
-      latestRelease = await getLatestRelease(octokit);
-    } else {
-      core.error(
-        "Github API request failed while getting latest release. Check the GitHub status page for outages. Try again later.",
-      );
-      throw err;
-    }
+    return await getAllManifestVersions(manifestUrl);
   }
 
-  if (!latestRelease) {
-    throw new Error("Could not determine latest release.");
-  }
-  core.debug(`Latest version: ${latestRelease.tag_name}`);
-  return latestRelease.tag_name;
-}
-
-async function getLatestRelease(octokit: Octokit) {
-  const { data: latestRelease } = await octokit.rest.repos.getLatestRelease({
-    owner: OWNER,
-    repo: REPO,
-  });
-  return latestRelease;
+  core.info(`Getting available versions from ${VERSIONS_NDJSON_URL} ...`);
+  return await getAllVersionsFromNdjson();
 }
 
 function maxSatisfying(

src/download/legacy-version-manifest.ts

@@ -0,0 +1,80 @@
+import * as core from "@actions/core";
+
+export interface ManifestEntry {
+  arch: string;
+  platform: string;
+  version: string;
+  downloadUrl: string;
+  checksum?: string;
+  variant?: string;
+  archiveFormat?: string;
+}
+
+interface LegacyManifestEntry {
+  arch: string;
+  platform: string;
+  version: string;
+  downloadUrl: string;
+  checksum?: string;
+}
+
+const warnedLegacyManifestUrls = new Set<string>();
+
+export function parseLegacyManifestEntries(
+  parsedEntries: unknown[],
+  manifestUrl: string,
+): ManifestEntry[] {
+  warnAboutLegacyManifestFormat(manifestUrl);
+
+  return parsedEntries.map((entry, index) => {
+    if (!isLegacyManifestEntry(entry)) {
+      throw new Error(
+        `Invalid legacy manifest-file entry at index ${index} in ${manifestUrl}.`,
+      );
+    }
+
+    return {
+      arch: entry.arch,
+      checksum: entry.checksum,
+      downloadUrl: entry.downloadUrl,
+      platform: entry.platform,
+      version: entry.version,
+    };
+  });
+}
+
+export function clearLegacyManifestWarnings(): void {
+  warnedLegacyManifestUrls.clear();
+}
+
+function warnAboutLegacyManifestFormat(manifestUrl: string): void {
+  if (warnedLegacyManifestUrls.has(manifestUrl)) {
+    return;
+  }
+
+  warnedLegacyManifestUrls.add(manifestUrl);
+  core.warning(
+    `manifest-file ${manifestUrl} uses the legacy JSON array format, which is deprecated. Please migrate to the astral-sh/versions NDJSON format before the next major release.`,
+  );
+}
+
+function isLegacyManifestEntry(value: unknown): value is LegacyManifestEntry {
+  if (!isRecord(value)) {
+    return false;
+  }
+
+  const checksumIsValid =
+    typeof value.checksum === "string" || value.checksum === undefined;
+
+  return (
+    typeof value.arch === "string" &&
+    checksumIsValid &&
+    typeof value.downloadUrl === "string" &&
+    typeof value.platform === "string" &&
+    typeof value.version === "string"
+  );
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null;
+}

src/download/variant-selection.ts

@@ -0,0 +1,39 @@
+interface VariantAwareEntry {
+  variant?: string;
+}
+
+export function selectDefaultVariant<T extends VariantAwareEntry>(
+  entries: T[],
+  duplicateEntryDescription: string,
+): T {
+  const firstEntry = entries[0];
+  if (firstEntry === undefined) {
+    throw new Error("selectDefaultVariant requires at least one candidate.");
+  }
+
+  if (entries.length === 1) {
+    return firstEntry;
+  }
+
+  const defaultEntries = entries.filter((entry) =>
+    isDefaultVariant(entry.variant),
+  );
+  if (defaultEntries.length === 1) {
+    return defaultEntries[0];
+  }
+
+  throw new Error(
+    `${duplicateEntryDescription} with variants ${formatVariants(entries)}. setup-uv currently requires a single default variant for duplicate platform entries.`,
+  );
+}
+
+function isDefaultVariant(variant: string | undefined): boolean {
+  return variant === undefined || variant === "default";
+}
+
+function formatVariants<T extends VariantAwareEntry>(entries: T[]): string {
+  return entries
+    .map((entry) => entry.variant ?? "default")
+    .sort((left, right) => left.localeCompare(right))
+    .join(", ");
+}

src/download/version-manifest.ts

@@ -1,91 +1,169 @@
-import { promises as fs } from "node:fs";
-import { join } from "node:path";
 import * as core from "@actions/core";
 import * as semver from "semver";
 import { fetch } from "../utils/fetch";
+import {
+  clearLegacyManifestWarnings,
+  type ManifestEntry,
+  parseLegacyManifestEntries,
+} from "./legacy-version-manifest";
+import { selectDefaultVariant } from "./variant-selection";
+import { type NdjsonVersion, parseVersionData } from "./versions-client";
 
-const localManifestFile = join(__dirname, "..", "..", "version-manifest.json");
-
-interface ManifestEntry {
-  version: string;
-  artifactName: string;
-  arch: string;
-  platform: string;
+export interface ManifestArtifact {
   downloadUrl: string;
+  checksum?: string;
+  archiveFormat?: string;
 }
 
+const cachedManifestEntries = new Map<string, ManifestEntry[]>();
+
 export async function getLatestKnownVersion(
-  manifestUrl: string | undefined,
+  manifestUrl: string,
 ): Promise<string> {
-  const manifestEntries = await getManifestEntries(manifestUrl);
-  return manifestEntries.reduce((a, b) =>
-    semver.gt(a.version, b.version) ? a : b,
-  ).version;
+  const versions = await getAllVersions(manifestUrl);
+  const latestVersion = versions.reduce((latest, current) =>
+    semver.gt(current, latest) ? current : latest,
+  );
+
+  return latestVersion;
 }
 
-export async function getDownloadUrl(
-  manifestUrl: string | undefined,
+export async function getAllVersions(manifestUrl: string): Promise<string[]> {
+  const manifestEntries = await getManifestEntries(manifestUrl);
+  return [...new Set(manifestEntries.map((entry) => entry.version))];
+}
+
+export async function getManifestArtifact(
+  manifestUrl: string,
   version: string,
   arch: string,
   platform: string,
-): Promise<string | undefined> {
+): Promise<ManifestArtifact | undefined> {
   const manifestEntries = await getManifestEntries(manifestUrl);
-  const entry = manifestEntries.find(
-    (entry) =>
-      entry.version === version &&
-      entry.arch === arch &&
-      entry.platform === platform,
+  const entry = selectManifestEntry(
+    manifestEntries,
+    manifestUrl,
+    version,
+    arch,
+    platform,
   );
-  return entry ? entry.downloadUrl : undefined;
+
+  if (!entry) {
+    return undefined;
+  }
+
+  return {
+    archiveFormat: entry.archiveFormat,
+    checksum: entry.checksum,
+    downloadUrl: entry.downloadUrl,
+  };
+}
+
+export function clearManifestCache(): void {
+  cachedManifestEntries.clear();
+  clearLegacyManifestWarnings();
 }
 
 async function getManifestEntries(
-  manifestUrl: string | undefined,
-): Promise<ManifestEntry[]> {
-  let data: string;
-  if (manifestUrl !== undefined) {
-    core.info(`Fetching manifest-file from: ${manifestUrl}`);
-    const response = await fetch(manifestUrl, {});
-    if (!response.ok) {
-      throw new Error(
-        `Failed to fetch manifest-file: ${response.status} ${response.statusText}`,
-      );
-    }
-    data = await response.text();
-  } else {
-    core.info("manifest-file not provided, reading from local file.");
-    const fileContent = await fs.readFile(localManifestFile);
-    data = fileContent.toString();
-  }
-
-  return JSON.parse(data);
-}
-
-export async function updateVersionManifest(
   manifestUrl: string,
-  downloadUrls: string[],
-): Promise<void> {
-  const manifest: ManifestEntry[] = [];
-
-  for (const downloadUrl of downloadUrls) {
-    const urlParts = downloadUrl.split("/");
-    const version = urlParts[urlParts.length - 2];
-    const artifactName = urlParts[urlParts.length - 1];
-    if (!artifactName.startsWith("uv-")) {
-      continue;
-    }
-    if (artifactName.startsWith("uv-installer")) {
-      continue;
-    }
-    const artifactParts = artifactName.split(".")[0].split("-");
-    manifest.push({
-      arch: artifactParts[1],
-      artifactName: artifactName,
-      downloadUrl: downloadUrl,
-      platform: artifactName.split(`uv-${artifactParts[1]}-`)[1].split(".")[0],
-      version: version,
-    });
+): Promise<ManifestEntry[]> {
+  const cachedEntries = cachedManifestEntries.get(manifestUrl);
+  if (cachedEntries !== undefined) {
+    core.debug(`Using cached manifest-file from: ${manifestUrl}`);
+    return cachedEntries;
+  }
+
+  core.info(`Fetching manifest-file from: ${manifestUrl}`);
+  const response = await fetch(manifestUrl, {});
+  if (!response.ok) {
+    throw new Error(
+      `Failed to fetch manifest-file: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const data = await response.text();
+  const parsedEntries = parseManifestEntries(data, manifestUrl);
+  cachedManifestEntries.set(manifestUrl, parsedEntries);
+
+  return parsedEntries;
+}
+
+function parseManifestEntries(
+  data: string,
+  manifestUrl: string,
+): ManifestEntry[] {
+  const trimmed = data.trim();
+  if (trimmed === "") {
+    throw new Error(`manifest-file at ${manifestUrl} is empty.`);
+  }
+
+  const parsedAsJson = tryParseJson(trimmed);
+  if (Array.isArray(parsedAsJson)) {
+    return parseLegacyManifestEntries(parsedAsJson, manifestUrl);
+  }
+
+  const versions = parseVersionData(trimmed, manifestUrl);
+  return mapNdjsonVersionsToManifestEntries(versions, manifestUrl);
+}
+
+function mapNdjsonVersionsToManifestEntries(
+  versions: NdjsonVersion[],
+  manifestUrl: string,
+): ManifestEntry[] {
+  const manifestEntries: ManifestEntry[] = [];
+
+  for (const versionData of versions) {
+    for (const artifact of versionData.artifacts) {
+      const [arch, ...platformParts] = artifact.platform.split("-");
+      if (arch === undefined || platformParts.length === 0) {
+        throw new Error(
+          `Invalid artifact platform '${artifact.platform}' in manifest-file ${manifestUrl}.`,
+        );
+      }
+
+      manifestEntries.push({
+        arch,
+        archiveFormat: artifact.archive_format,
+        checksum: artifact.sha256,
+        downloadUrl: artifact.url,
+        platform: platformParts.join("-"),
+        variant: artifact.variant,
+        version: versionData.version,
+      });
+    }
+  }
+
+  return manifestEntries;
+}
+
+function selectManifestEntry(
+  manifestEntries: ManifestEntry[],
+  manifestUrl: string,
+  version: string,
+  arch: string,
+  platform: string,
+): ManifestEntry | undefined {
+  const matches = manifestEntries.filter(
+    (candidate) =>
+      candidate.version === version &&
+      candidate.arch === arch &&
+      candidate.platform === platform,
+  );
+
+  if (matches.length === 0) {
+    return undefined;
+  }
+
+  return selectDefaultVariant(
+    matches,
+    `manifest-file ${manifestUrl} contains multiple artifacts for version ${version}, arch ${arch}, platform ${platform}`,
+  );
+}
+
+function tryParseJson(value: string): unknown {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return undefined;
   }
-  core.debug(`Updating manifest-file: ${JSON.stringify(manifest)}`);
-  await fs.writeFile(manifestUrl, JSON.stringify(manifest));
 }

src/download/versions-client.ts

@@ -0,0 +1,191 @@
+import * as core from "@actions/core";
+import { VERSIONS_NDJSON_URL } from "../utils/constants";
+import { fetch } from "../utils/fetch";
+import { selectDefaultVariant } from "./variant-selection";
+
+export interface NdjsonArtifact {
+  platform: string;
+  variant?: string;
+  url: string;
+  archive_format: string;
+  sha256: string;
+}
+
+export interface NdjsonVersion {
+  version: string;
+  artifacts: NdjsonArtifact[];
+}
+
+export interface ArtifactResult {
+  url: string;
+  sha256: string;
+  archiveFormat: string;
+}
+
+const cachedVersionData = new Map<string, NdjsonVersion[]>();
+
+export async function fetchVersionData(
+  url: string = VERSIONS_NDJSON_URL,
+): Promise<NdjsonVersion[]> {
+  const cachedVersions = cachedVersionData.get(url);
+  if (cachedVersions !== undefined) {
+    core.debug(`Using cached NDJSON version data from ${url}`);
+    return cachedVersions;
+  }
+
+  core.info(`Fetching version data from ${url} ...`);
+  const response = await fetch(url, {});
+  if (!response.ok) {
+    throw new Error(
+      `Failed to fetch version data: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const body = await response.text();
+  const versions = parseVersionData(body, url);
+  cachedVersionData.set(url, versions);
+  return versions;
+}
+
+export function parseVersionData(
+  data: string,
+  sourceDescription: string,
+): NdjsonVersion[] {
+  const versions: NdjsonVersion[] = [];
+
+  for (const [index, line] of data.split("\n").entries()) {
+    const trimmed = line.trim();
+    if (trimmed === "") {
+      continue;
+    }
+
+    let parsed: unknown;
+    try {
+      parsed = JSON.parse(trimmed);
+    } catch (error) {
+      throw new Error(
+        `Failed to parse version data from ${sourceDescription} at line ${index + 1}: ${(error as Error).message}`,
+      );
+    }
+
+    if (!isNdjsonVersion(parsed)) {
+      throw new Error(
+        `Invalid NDJSON record in ${sourceDescription} at line ${index + 1}.`,
+      );
+    }
+
+    versions.push(parsed);
+  }
+
+  if (versions.length === 0) {
+    throw new Error(`No version data found in ${sourceDescription}.`);
+  }
+
+  return versions;
+}
+
+export async function getLatestVersion(): Promise<string> {
+  const versions = await fetchVersionData();
+  const latestVersion = versions[0]?.version;
+  if (!latestVersion) {
+    throw new Error("No versions found in NDJSON data");
+  }
+
+  core.debug(`Latest version from NDJSON: ${latestVersion}`);
+  return latestVersion;
+}
+
+export async function getAllVersions(): Promise<string[]> {
+  const versions = await fetchVersionData();
+  return versions.map((versionData) => versionData.version);
+}
+
+export async function getArtifact(
+  version: string,
+  arch: string,
+  platform: string,
+): Promise<ArtifactResult | undefined> {
+  const versions = await fetchVersionData();
+  const versionData = versions.find(
+    (candidate) => candidate.version === version,
+  );
+  if (!versionData) {
+    core.debug(`Version ${version} not found in NDJSON data`);
+    return undefined;
+  }
+
+  const targetPlatform = `${arch}-${platform}`;
+  const matchingArtifacts = versionData.artifacts.filter(
+    (candidate) => candidate.platform === targetPlatform,
+  );
+
+  if (matchingArtifacts.length === 0) {
+    core.debug(
+      `Artifact for ${targetPlatform} not found in version ${version}. Available platforms: ${versionData.artifacts
+        .map((candidate) => candidate.platform)
+        .join(", ")}`,
+    );
+    return undefined;
+  }
+
+  const artifact = selectArtifact(matchingArtifacts, version, targetPlatform);
+
+  return {
+    archiveFormat: artifact.archive_format,
+    sha256: artifact.sha256,
+    url: artifact.url,
+  };
+}
+
+export function clearCache(url?: string): void {
+  if (url === undefined) {
+    cachedVersionData.clear();
+    return;
+  }
+
+  cachedVersionData.delete(url);
+}
+
+function selectArtifact(
+  artifacts: NdjsonArtifact[],
+  version: string,
+  targetPlatform: string,
+): NdjsonArtifact {
+  return selectDefaultVariant(
+    artifacts,
+    `Multiple artifacts found for ${targetPlatform} in version ${version}`,
+  );
+}
+
+function isNdjsonVersion(value: unknown): value is NdjsonVersion {
+  if (!isRecord(value)) {
+    return false;
+  }
+
+  if (typeof value.version !== "string" || !Array.isArray(value.artifacts)) {
+    return false;
+  }
+
+  return value.artifacts.every(isNdjsonArtifact);
+}
+
+function isNdjsonArtifact(value: unknown): value is NdjsonArtifact {
+  if (!isRecord(value)) {
+    return false;
+  }
+
+  const variantIsValid =
+    typeof value.variant === "string" || value.variant === undefined;
+
+  return (
+    typeof value.archive_format === "string" &&
+    typeof value.platform === "string" &&
+    typeof value.sha256 === "string" &&
+    typeof value.url === "string" &&
+    variantIsValid
+  );
+}
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+  return typeof value === "object" && value !== null;
+}

src/setup-uv.ts

@@ -5,6 +5,7 @@ import * as exec from "@actions/exec";
 import { restoreCache } from "./cache/restore-cache";
 import {
   downloadVersionFromManifest,
+  downloadVersionFromNdjson,
   resolveVersion,
   tryGetFromToolCache,
 } from "./download/download-version";
@@ -139,14 +140,23 @@ async function setupUv(
     };
   }
 
-  const downloadVersionResult = await downloadVersionFromManifest(
-    manifestFile,
-    platform,
-    arch,
-    resolvedVersion,
-    checkSum,
-    githubToken,
-  );
+  const downloadVersionResult =
+    manifestFile !== undefined
+      ? await downloadVersionFromManifest(
+          manifestFile,
+          platform,
+          arch,
+          resolvedVersion,
+          checkSum,
+          githubToken,
+        )
+      : await downloadVersionFromNdjson(
+          platform,
+          arch,
+          resolvedVersion,
+          checkSum,
+          githubToken,
+        );
 
   return {
     uvDir: downloadVersionResult.cachedToolDir,
@@ -158,12 +168,7 @@ async function determineVersion(
   manifestFile: string | undefined,
 ): Promise<string> {
   if (versionInput !== "") {
-    return await resolveVersion(
-      versionInput,
-      manifestFile,
-      githubToken,
-      resolutionStrategy,
-    );
+    return await resolveVersion(versionInput, manifestFile, resolutionStrategy);
   }
   if (versionFileInput !== "") {
     const versionFromFile = getUvVersionFromFile(versionFileInput);
@@ -175,7 +180,6 @@ async function determineVersion(
     return await resolveVersion(
       versionFromFile,
       manifestFile,
-      githubToken,
       resolutionStrategy,
     );
   }
@@ -193,7 +197,6 @@ async function determineVersion(
   return await resolveVersion(
     versionFromUvToml || versionFromPyproject || "latest",
     manifestFile,
-    githubToken,
     resolutionStrategy,
   );
 }

src/update-known-checksums.ts

@@ -0,0 +1,81 @@
+import * as core from "@actions/core";
+import * as semver from "semver";
+import { KNOWN_CHECKSUMS } from "./download/checksum/known-checksums";
+import {
+  type ChecksumEntry,
+  updateChecksums,
+} from "./download/checksum/update-known-checksums";
+import {
+  fetchVersionData,
+  getLatestVersion,
+  type NdjsonVersion,
+} from "./download/versions-client";
+
+const VERSION_IN_CHECKSUM_KEY_PATTERN =
+  /-(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)$/;
+
+async function run(): Promise<void> {
+  const checksumFilePath = process.argv.slice(2)[0];
+  if (!checksumFilePath) {
+    throw new Error(
+      "Missing checksum file path. Usage: node dist/update-known-checksums/index.js <checksum-file-path>",
+    );
+  }
+
+  const latestVersion = await getLatestVersion();
+  const latestKnownVersion = getLatestKnownVersionFromChecksums();
+
+  if (semver.lte(latestVersion, latestKnownVersion)) {
+    core.info(
+      `Latest release (${latestVersion}) is not newer than the latest known version (${latestKnownVersion}). Skipping update.`,
+    );
+    return;
+  }
+
+  const versions = await fetchVersionData();
+  const checksumEntries = extractChecksumsFromNdjson(versions);
+  await updateChecksums(checksumFilePath, checksumEntries);
+
+  core.setOutput("latest-version", latestVersion);
+}
+
+function getLatestKnownVersionFromChecksums(): string {
+  const versions = new Set<string>();
+
+  for (const key of Object.keys(KNOWN_CHECKSUMS)) {
+    const version = extractVersionFromChecksumKey(key);
+    if (version !== undefined) {
+      versions.add(version);
+    }
+  }
+
+  const latestVersion = [...versions].sort(semver.rcompare)[0];
+  if (!latestVersion) {
+    throw new Error("Could not determine latest known version from checksums.");
+  }
+
+  return latestVersion;
+}
+
+function extractVersionFromChecksumKey(key: string): string | undefined {
+  return key.match(VERSION_IN_CHECKSUM_KEY_PATTERN)?.[1];
+}
+
+function extractChecksumsFromNdjson(
+  versions: NdjsonVersion[],
+): ChecksumEntry[] {
+  const checksums: ChecksumEntry[] = [];
+
+  for (const version of versions) {
+    for (const artifact of version.artifacts) {
+      checksums.push({
+        checksum: artifact.sha256,
+        key: `${artifact.platform}-${version.version}`,
+      });
+    }
+  }
+
+  return checksums;
+}
+
+run();

src/update-known-versions.ts

@@ -1,63 +0,0 @@
-import * as core from "@actions/core";
-import type { Endpoints } from "@octokit/types";
-import * as semver from "semver";
-import { updateChecksums } from "./download/checksum/update-known-checksums";
-import {
-  getLatestKnownVersion,
-  updateVersionManifest,
-} from "./download/version-manifest";
-import { OWNER, REPO } from "./utils/constants";
-import { Octokit } from "./utils/octokit";
-
-type Release =
-  Endpoints["GET /repos/{owner}/{repo}/releases"]["response"]["data"][number];
-
-async function run(): Promise<void> {
-  const checksumFilePath = process.argv.slice(2)[0];
-  const versionsManifestFile = process.argv.slice(2)[1];
-  const githubToken = process.argv.slice(2)[2];
-
-  const octokit = new Octokit({
-    auth: githubToken,
-  });
-
-  const { data: latestRelease } = await octokit.rest.repos.getLatestRelease({
-    owner: OWNER,
-    repo: REPO,
-  });
-
-  const latestKnownVersion = await getLatestKnownVersion(undefined);
-
-  if (semver.lte(latestRelease.tag_name, latestKnownVersion)) {
-    core.info(
-      `Latest release (${latestRelease.tag_name}) is not newer than the latest known version (${latestKnownVersion}). Skipping update.`,
-    );
-    return;
-  }
-
-  const releases: Release[] = await octokit.paginate(
-    octokit.rest.repos.listReleases,
-    {
-      owner: OWNER,
-      repo: REPO,
-    },
-  );
-  const checksumDownloadUrls: string[] = releases.flatMap((release) =>
-    release.assets
-      .filter((asset) => asset.name.endsWith(".sha256"))
-      .map((asset) => asset.browser_download_url),
-  );
-  await updateChecksums(checksumFilePath, checksumDownloadUrls);
-
-  const artifactDownloadUrls: string[] = releases.flatMap((release) =>
-    release.assets
-      .filter((asset) => !asset.name.endsWith(".sha256"))
-      .map((asset) => asset.browser_download_url),
-  );
-
-  await updateVersionManifest(versionsManifestFile, artifactDownloadUrls);
-
-  core.setOutput("latest-version", latestRelease.tag_name);
-}
-
-run();

src/utils/constants.ts

@@ -1,5 +1,5 @@
-export const REPO = "uv";
-export const OWNER = "astral-sh";
 export const TOOL_CACHE_NAME = "uv";
 export const STATE_UV_PATH = "uv-path";
 export const STATE_UV_VERSION = "uv-version";
+export const VERSIONS_NDJSON_URL =
+  "https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson";

src/utils/octokit.ts

@@ -1,34 +0,0 @@
-import type { OctokitOptions } from "@octokit/core";
-import { Octokit as Core } from "@octokit/core";
-import {
-  type PaginateInterface,
-  paginateRest,
-} from "@octokit/plugin-paginate-rest";
-import { legacyRestEndpointMethods } from "@octokit/plugin-rest-endpoint-methods";
-import { fetch as customFetch } from "./fetch";
-
-export type { RestEndpointMethodTypes } from "@octokit/plugin-rest-endpoint-methods";
-
-const DEFAULTS = {
-  baseUrl: "https://api.github.com",
-  userAgent: "setup-uv",
-};
-
-const OctokitWithPlugins = Core.plugin(paginateRest, legacyRestEndpointMethods);
-
-export const Octokit = OctokitWithPlugins.defaults(function buildDefaults(
-  options: OctokitOptions,
-): OctokitOptions {
-  return {
-    ...DEFAULTS,
-    ...options,
-    request: {
-      fetch: customFetch,
-      ...options.request,
-    },
-  };
-});
-
-export type Octokit = InstanceType<typeof OctokitWithPlugins> & {
-  paginate: PaginateInterface;
-};