chore(deps): bump @actions/exec from 1.1.1 to 3.0.0

Bumps [@actions/exec](https://github.com/actions/toolkit/tree/HEAD/packages/exec) from 1.1.1 to 3.0.0.
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/exec/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/exec)

---
updated-dependencies:
- dependency-name: "@actions/exec"
  dependency-version: 3.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.agents/skills/dependabot-pr-rollup/SKILL.md

@@ -0,0 +1,48 @@
+---
+name: dependabot-pr-rollup
+description: Find open Dependabot PRs for the current GitHub repo, compare each PR head to its base branch, replay only the net dependency changes in a fresh worktree and branch, run npm validation, and optionally commit, push, and open a PR. Use when you want to batch or manually replicate active Dependabot updates.
+license: MIT
+compatibility: Requires git, git worktree, gh CLI auth, npm, and a GitHub repo with an origin remote.
+---
+
+# Dependabot PR Rollup
+
+## When to use
+
+Use this skill when the user wants to:
+- find all open Dependabot PRs in the current repo
+- reproduce their net effect in one local branch
+- validate the result with the repo's standard npm checks
+- optionally commit, push, and open a PR
+
+## Workflow
+
+1. Inspect the current checkout state, but do not reuse a dirty worktree.
+2. List open Dependabot PRs with `gh pr list --state open --author app/dependabot`.
+3. For each PR, collect the title, base branch, head branch, changed files, and relevant diffs.
+4. Compare each PR head against `origin/<base>` instead of trusting the PR title. Dependabot PRs can already be partially merged, superseded by newer versions, or have no remaining net effect.
+5. Create a new worktree and branch from `origin/<base>`.
+6. Reproduce only the remaining dependency changes in the new worktree.
+   - Inspect `package.json` before editing.
+   - Run `npm ci --ignore-scripts` before applying updates.
+   - Use `npm install ... --ignore-scripts` for direct dependency changes so `package-lock.json` stays in sync.
+7. Run `npm run all`.
+8. If requested, commit the changed source, lockfile, and generated artifacts, then push and open a PR.
+
+## Repo-specific notes
+
+- Use `gh` for GitHub operations.
+- Keep the user's original checkout untouched by working in a separate worktree.
+- In this repo, `npm run all` is the safest validation command because it runs build, check, package, and test.
+- If dependency changes affect bundled output, include the regenerated `dist/` files.
+
+## Report back
+
+Always report:
+- open Dependabot PRs found
+- which PRs required no net changes
+- new branch name
+- new worktree path
+- files changed
+- `npm run all` result
+- if applicable, commit SHA and PR URL

.github/copilot-instructions.md

@@ -1,263 +0,0 @@
-# Copilot Instructions for setup-uv
-
-This document provides essential information for GitHub Copilot coding agents working on the `astral-sh/setup-uv` repository.
-
-## Repository Overview
-
-**setup-uv** is a GitHub Action that sets up the [uv](https://docs.astral.sh/uv/)
-Python package installer in GitHub Actions workflows.
-It's a TypeScript-based action that downloads uv binaries, manages caching, handles version resolution,
-and configures the environment for subsequent workflow steps.
-
-### Key Features
-
-- Downloads and installs specific uv versions from GitHub releases
-- Supports version resolution from config files (pyproject.toml, uv.toml, .tool-versions)
-- Implements intelligent caching for both uv cache and Python installations
-- Provides cross-platform support (Linux, macOS, Windows, including ARM architectures)
-- Includes problem matchers for Python error reporting
-- Supports environment activation and custom tool directories
-
-## Repository Structure
-
-**Size**: Small-medium repository (~50 source files, ~400 total files including dependencies)
-**Languages**: TypeScript (primary), JavaScript (compiled output), JSON (configuration)
-**Runtime**: Node.js 24 (GitHub Actions runtime)
-**Key Dependencies**: @actions/core, @actions/cache, @actions/tool-cache, @octokit/core
-
-### Core Architecture
-
-```
-src/
-├── setup-uv.ts          # Main entry point and orchestration
-├── save-cache.ts        # Post-action cache saving logic
-├── update-known-versions.ts  # Maintenance script for version updates
-├── cache/               # Cache management functionality
-├── download/            # Version resolution and binary downloading
-├── utils/               # Input parsing, platform detection, configuration
-└── version/             # Version resolution from various file formats
-```
-
-### Key Files and Locations
-
-- **Action Definition**: `action.yml` - Defines all inputs/outputs and entry points
-- **Main Source**: `src/setup-uv.ts` - Primary action logic
-- **Configuration**: `biome.json` (linting), `tsconfig.json` (TypeScript), `jest.config.js` (testing)
-- **Compiled Output**: `dist/` - Contains compiled Node.js bundles (auto-generated, committed)
-- **Test Fixtures**: `__tests__/fixtures/` - Sample projects for different configuration scenarios
-- **Workflows**: `.github/workflows/test.yml` - Comprehensive CI/CD pipeline
-
-## Build and Development Process
-
-### Prerequisites
-
-- Node.js 24+ (matches GitHub Actions runtime)
-- npm (included with Node.js)
-
-### Essential Commands (ALWAYS run in this order)
-
-#### 1. Install Dependencies
-
-```bash
-npm ci --ignore-scripts
-```
-
-**Timing**: ~20-30 seconds
-**Note**: Always run this first after cloning or when package.json changes
-
-#### 2. Build TypeScript
-
-```bash
-npm run build
-```
-
-**Timing**: ~5-10 seconds
-**Purpose**: Compiles TypeScript source to JavaScript in `lib/` directory
-
-#### 3. Lint and Format Code
-
-```bash
-npm run check
-```
-
-**Timing**: ~2-5 seconds
-**Tool**: Biome (replaces ESLint/Prettier)
-**Auto-fixes**: Formatting, import organization, basic linting issues
-
-#### 4. Package for Distribution
-
-```bash
-npm run package
-```
-
-**Timing**: ~20-30 seconds
-**Purpose**: Creates bundled distributions in `dist/` using @vercel/ncc
-**Critical**: This step MUST be run before committing - the `dist/` files are used by GitHub Actions
-
-#### 5. Run Tests
-
-```bash
-npm test
-```
-
-**Timing**: ~10-15 seconds
-**Framework**: Jest with TypeScript support
-**Coverage**: Unit tests for version resolution, input parsing, checksum validation
-
-#### 6. Complete Validation (Recommended)
-
-```bash
-npm run all
-```
-
-**Timing**: ~60-90 seconds
-**Purpose**: Runs build → check → package → test in sequence
-**Use**: Before making pull requests or when unsure about build state
-
-### Important Build Notes
-
-**CRITICAL**: Always run `npm run package` after making code changes. The `dist/` directory contains the compiled bundles that GitHub Actions actually executes. Forgetting this step will cause your changes to have no effect.
-
-**TypeScript Warnings**: You may see ts-jest warnings about "isolatedModules" - these are harmless and don't affect functionality.
-
-**Biome**: This project uses Biome instead of ESLint/Prettier. Run `npm run check` to fix formatting and linting issues automatically.
-
-## Testing Strategy
-
-### Unit Tests
-
-- **Location**: `__tests__/` directory
-- **Framework**: Jest with ts-jest transformer
-- **Coverage**: Version resolution, input parsing, checksum validation, utility functions
-
-### Integration Tests
-
-- **Location**: `.github/workflows/test.yml`
-- **Scope**: Full end-to-end testing across multiple platforms and scenarios
-- **Key Test Categories**:
-  - Version installation (specific, latest, semver ranges)
-  - Cache behavior (setup, restore, invalidation)
-  - Cross-platform compatibility (Ubuntu, macOS, Windows, ARM)
-  - Configuration file parsing (pyproject.toml, uv.toml, requirements.txt)
-  - Error handling and edge cases
-
-### Test Fixtures
-
-Located in `__tests__/fixtures/`, these provide sample projects with different configurations:
-- `pyproject-toml-project/` - Standard Python project with uv version specification
-- `uv-toml-project/` - Project using uv.toml configuration
-- `requirements-txt-project/` - Legacy requirements.txt format
-- `cache-dir-defined-project/` - Custom cache directory configuration
-
-## Continuous Integration
-
-### GitHub Workflows
-
-#### Primary Test Suite (`.github/workflows/test.yml`)
-
-- **Triggers**: PRs, pushes to main, manual dispatch
-- **Matrix**: Multiple OS (Ubuntu, macOS, Windows), architecture (x64, ARM), and configuration combinations
-- **Duration**: ~5 minutes for full matrix
-- **Key Validations**:
-  - Cross-platform installation and functionality
-  - Cache behavior and performance
-  - Version resolution from various sources
-  - Tool directory configurations
-  - Problem matcher functionality
-
-#### Maintenance Workflows
-
-- **CodeQL Analysis**: Security scanning on pushes/PRs
-- **Update Known Versions**: Daily job to sync with latest uv releases
-- **Dependabot**: Automated dependency updates
-
-### Pre-commit Validation
-
-The CI runs these checks that you should run locally:
-1. `npm run all` - Complete build and test suite
-2. ActionLint - GitHub Actions workflow validation
-3. Change detection - Ensures no uncommitted build artifacts
-
-## Key Configuration Files
-
-### Action Configuration (`action.yml`)
-
-Defines 20+ inputs including version specifications,
-cache settings, tool directories, and environment options.
-This file is the authoritative source for understanding available action parameters.
-
-### TypeScript Configuration (`tsconfig.json`)
-
-- Target: ES2024
-- Module: nodenext (Node.js modules)
-- Strict mode enabled
-- Output directory: `lib/`
-
-### Linting Configuration (`biome.json`)
-
-- Formatter and linter combined
-- Enforces consistent code style
-- Automatically organizes imports and sorts object keys
-
-## Common Development Patterns
-
-### Making Code Changes
-
-1. Edit TypeScript source files in `src/`
-2. Run `npm run build` to compile
-3. Run `npm run check` to format and lint
-4. Run `npm run package` to update distribution bundles
-5. Run `npm test` to verify functionality
-6. Commit all changes including `dist/` files
-
-### Adding New Features
-
-- Follow existing patterns in `src/utils/inputs.ts` for new action inputs
-- Update `action.yml` to declare new inputs/outputs
-- Add corresponding tests in `__tests__/`
-- Add a test in `.github/workflows/test.yml` if it affects integration
-- Update README.md with usage examples
-
-### Cache-Related Changes
-
-- Cache logic is complex and affects performance significantly
-- Test with multiple cache scenarios (hit, miss, invalidation)
-- Consider impact on both GitHub-hosted and self-hosted runners
-- Validate cache key generation and dependency detection
-
-### Version Resolution Changes
-
-- Version resolution supports multiple file formats and precedence rules
-- Test with fixtures in `__tests__/fixtures/`
-- Consider backward compatibility with existing projects
-- Validate semver and PEP 440 specification handling
-
-## Troubleshooting
-
-### Build Failures
-
-- **"Module not found"**: Run `npm ci --ignore-scripts` to ensure dependencies are installed
-- **TypeScript errors**: Check `tsconfig.json` and ensure all imports are valid
-- **Test failures**: Check if test fixtures have been modified or if logic changes broke assumptions
-
-### Action Failures in Workflows
-
-- **Changes not taking effect**: Ensure `npm run package` was run and `dist/` files committed
-- **Version resolution issues**: Check version specification format and file existence
-- **Cache problems**: Verify cache key generation and dependency glob patterns
-
-### Common Gotchas
-
-- **Forgetting to package**: Code changes won't work without running `npm run package`
-- **Platform differences**: Windows paths use backslashes, test cross-platform behavior
-- **Cache invalidation**: Cache keys are sensitive to dependency file changes
-- **Tool directory permissions**: Some platforms require specific directory setups
-
-## Trust These Instructions
-
-These instructions are comprehensive and current. Only search for additional information if:
-- You encounter specific error messages not covered here
-- You need to understand implementation details of specific functions
-- The instructions appear outdated (check repository commit history)
-
-For most development tasks, following the build process and development patterns outlined above will be sufficient.

AGENTS.md

@@ -1 +0,0 @@
-.github/copilot-instructions.md

AGENTS.md

@@ -0,0 +1,13 @@
+# setup-uv agent notes
+
+This repository is a TypeScript-based GitHub Action for installing `uv` in GitHub Actions workflows. It also supports restoring/saving the `uv` cache and optional managed-Python caching.
+
+- The published action runs the committed bundles in `dist/`, not the TypeScript in `src/`. After any code change, run `npm run package` and commit the resulting `dist/` updates.
+- Standard local validation is:
+  1. `npm ci --ignore-scripts`
+  2. `npm run all`
+- `npm run check` uses Biome (not ESLint/Prettier) and rewrites files in place.
+- User-facing changes are usually multi-file changes. If you add or change inputs, outputs, or behavior, update `action.yml`, the implementation in `src/`, tests in `__tests__/`, relevant docs/README, and then re-package.
+- The easiest areas to regress are version resolution and caching. When touching them, add or update tests for precedence, cache invalidation, and cross-platform path behavior.
+- Workflow edits have extra CI-only checks (`actionlint` and `zizmor`); `npm run all` does not cover them.
+- Before finishing, make sure validation does not leave generated or formatting-only diffs behind.

package-lock.json

@@ -11,7 +11,7 @@
       "dependencies": {
         "@actions/cache": "^4.1.0",
         "@actions/core": "^1.11.1",
-        "@actions/exec": "^1.1.1",
+        "@actions/exec": "^3.0.0",
         "@actions/glob": "^0.5.0",
         "@actions/io": "^1.1.3",
         "@actions/tool-cache": "^2.0.2",
@@ -52,6 +52,14 @@
         "semver": "^6.3.1"
       }
     },
+    "node_modules/@actions/cache/node_modules/@actions/exec": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+      "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "dependencies": {
+        "@actions/io": "^1.0.1"
+      }
+    },
     "node_modules/@actions/cache/node_modules/@actions/glob": {
       "version": "0.1.2",
       "resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.1.2.tgz",
@@ -70,7 +78,7 @@
         "@actions/http-client": "^2.0.1"
       }
     },
-    "node_modules/@actions/exec": {
+    "node_modules/@actions/core/node_modules/@actions/exec": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
       "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
@@ -78,6 +86,19 @@
         "@actions/io": "^1.0.1"
       }
     },
+    "node_modules/@actions/exec": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
+      "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
+      "dependencies": {
+        "@actions/io": "^3.0.2"
+      }
+    },
+    "node_modules/@actions/exec/node_modules/@actions/io": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
+      "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw=="
+    },
     "node_modules/@actions/glob": {
       "version": "0.5.0",
       "resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.5.0.tgz",
@@ -113,6 +134,14 @@
         "semver": "^6.1.0"
       }
     },
+    "node_modules/@actions/tool-cache/node_modules/@actions/exec": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+      "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "dependencies": {
+        "@actions/io": "^1.0.1"
+      }
+    },
     "node_modules/@ampproject/remapping": {
       "version": "2.2.0",
       "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.2.0.tgz",
@@ -5756,6 +5785,14 @@
         "semver": "^6.3.1"
       },
       "dependencies": {
+        "@actions/exec": {
+          "version": "1.1.1",
+          "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+          "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+          "requires": {
+            "@actions/io": "^1.0.1"
+          }
+        },
         "@actions/glob": {
           "version": "0.1.2",
           "resolved": "https://registry.npmjs.org/@actions/glob/-/glob-0.1.2.tgz",
@@ -5774,14 +5811,31 @@
       "requires": {
         "@actions/exec": "^1.1.1",
         "@actions/http-client": "^2.0.1"
+      },
+      "dependencies": {
+        "@actions/exec": {
+          "version": "1.1.1",
+          "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+          "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+          "requires": {
+            "@actions/io": "^1.0.1"
+          }
+        }
       }
     },
     "@actions/exec": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
-      "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-3.0.0.tgz",
+      "integrity": "sha512-6xH/puSoNBXb72VPlZVm7vQ+svQpFyA96qdDBvhB8eNZOE8LtPf9L4oAsfzK/crCL8YZ+19fKYVnM63Sl+Xzlw==",
       "requires": {
-        "@actions/io": "^1.0.1"
+        "@actions/io": "^3.0.2"
+      },
+      "dependencies": {
+        "@actions/io": {
+          "version": "3.0.2",
+          "resolved": "https://registry.npmjs.org/@actions/io/-/io-3.0.2.tgz",
+          "integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw=="
+        }
       }
     },
     "@actions/glob": {
@@ -5817,6 +5871,16 @@
         "@actions/http-client": "^2.0.1",
         "@actions/io": "^1.1.1",
         "semver": "^6.1.0"
+      },
+      "dependencies": {
+        "@actions/exec": {
+          "version": "1.1.1",
+          "resolved": "https://registry.npmjs.org/@actions/exec/-/exec-1.1.1.tgz",
+          "integrity": "sha512-+sCcHHbVdk93a0XT19ECtO/gIXoxvdsgQLzb2fE2/5sIZmWQuluYyjPQtrtTHdU1YzTZ7bAPN4sITq2xi1679w==",
+          "requires": {
+            "@actions/io": "^1.0.1"
+          }
+        }
       }
     },
     "@ampproject/remapping": {

package.json

@@ -28,7 +28,7 @@
   "dependencies": {
     "@actions/cache": "^4.1.0",
     "@actions/core": "^1.11.1",
-    "@actions/exec": "^1.1.1",
+    "@actions/exec": "^3.0.0",
     "@actions/glob": "^0.5.0",
     "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.2",