Review

.github/copilot-instructions.md

@@ -23,7 +23,7 @@ and configures the environment for subsequent workflow steps.
 **Size**: Small-medium repository (~50 source files, ~400 total files including dependencies)
 **Languages**: TypeScript (primary), JavaScript (compiled output), JSON (configuration)
 **Runtime**: Node.js 24 (GitHub Actions runtime)
-**Key Dependencies**: @actions/core, @actions/cache, @actions/tool-cache, @octokit/core
+**Key Dependencies**: @actions/core, @actions/cache, @actions/tool-cache
 
 ### Core Architecture
 

.github/workflows/update-known-versions.yml

@@ -27,7 +27,6 @@ jobs:
           node dist/update-known-versions/index.js
           src/download/checksum/known-checksums.ts
           version-manifest.json
-          ${{ secrets.GITHUB_TOKEN }}
       - name: Check for changes
         id: changes-exist
         run: |

__tests__/download/versions-client.test.ts

@@ -0,0 +1,142 @@
+import { beforeEach, describe, expect, it, jest } from "@jest/globals";
+
+// biome-ignore lint/suspicious/noExplicitAny: mock needs flexible typing
+const mockFetch = jest.fn<any>();
+jest.mock("../../src/utils/fetch", () => ({
+  fetch: mockFetch,
+}));
+
+import {
+  clearCache,
+  fetchVersionData,
+  getAllVersions,
+  getArtifact,
+  getLatestVersion,
+} from "../../src/download/versions-client";
+
+const sampleNdjsonResponse = `{"version":"0.9.26","artifacts":[{"platform":"aarch64-apple-darwin","variant":"default","url":"https://github.com/astral-sh/uv/releases/download/0.9.26/uv-aarch64-apple-darwin.tar.gz","archive_format":"tar.gz","sha256":"fcf0a9ea6599c6ae28a4c854ac6da76f2c889354d7c36ce136ef071f7ab9721f"},{"platform":"x86_64-pc-windows-msvc","variant":"default","url":"https://github.com/astral-sh/uv/releases/download/0.9.26/uv-x86_64-pc-windows-msvc.zip","archive_format":"zip","sha256":"eb02fd95d8e0eed462b4a67ecdd320d865b38c560bffcda9a0b87ec944bdf036"}]}
+{"version":"0.9.25","artifacts":[{"platform":"aarch64-apple-darwin","variant":"default","url":"https://github.com/astral-sh/uv/releases/download/0.9.25/uv-aarch64-apple-darwin.tar.gz","archive_format":"tar.gz","sha256":"606b3c6949d971709f2526fa0d9f0fd23ccf60e09f117999b406b424af18a6a6"}]}`;
+
+function createMockResponse(
+  ok: boolean,
+  status: number,
+  statusText: string,
+  data: string,
+) {
+  return {
+    ok,
+    status,
+    statusText,
+    text: async () => data,
+  };
+}
+
+describe("versions-client", () => {
+  beforeEach(() => {
+    clearCache();
+    mockFetch.mockReset();
+  });
+
+  describe("fetchVersionData", () => {
+    it("should fetch and parse NDJSON data", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+
+      const versions = await fetchVersionData();
+
+      expect(versions).toHaveLength(2);
+      expect(versions[0].version).toBe("0.9.26");
+      expect(versions[1].version).toBe("0.9.25");
+    });
+
+    it("should throw error on failed fetch", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(false, 500, "Internal Server Error", ""),
+      );
+
+      await expect(fetchVersionData()).rejects.toThrow(
+        "Failed to fetch version data: 500 Internal Server Error",
+      );
+    });
+
+    it("should cache results", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+
+      await fetchVersionData();
+      await fetchVersionData();
+
+      expect(mockFetch).toHaveBeenCalledTimes(1);
+    });
+  });
+
+  describe("getLatestVersion", () => {
+    it("should return the first version (newest)", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+
+      const latest = await getLatestVersion();
+
+      expect(latest).toBe("0.9.26");
+    });
+  });
+
+  describe("getAllVersions", () => {
+    it("should return all version strings", async () => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+
+      const versions = await getAllVersions();
+
+      expect(versions).toEqual(["0.9.26", "0.9.25"]);
+    });
+  });
+
+  describe("getArtifact", () => {
+    beforeEach(() => {
+      mockFetch.mockResolvedValue(
+        createMockResponse(true, 200, "OK", sampleNdjsonResponse),
+      );
+    });
+
+    it("should find artifact by version and platform", async () => {
+      const artifact = await getArtifact("0.9.26", "aarch64", "apple-darwin");
+
+      expect(artifact).toEqual({
+        sha256:
+          "fcf0a9ea6599c6ae28a4c854ac6da76f2c889354d7c36ce136ef071f7ab9721f",
+        url: "https://github.com/astral-sh/uv/releases/download/0.9.26/uv-aarch64-apple-darwin.tar.gz",
+      });
+    });
+
+    it("should find Windows artifact", async () => {
+      const artifact = await getArtifact("0.9.26", "x86_64", "pc-windows-msvc");
+
+      expect(artifact).toEqual({
+        sha256:
+          "eb02fd95d8e0eed462b4a67ecdd320d865b38c560bffcda9a0b87ec944bdf036",
+        url: "https://github.com/astral-sh/uv/releases/download/0.9.26/uv-x86_64-pc-windows-msvc.zip",
+      });
+    });
+
+    it("should return undefined for unknown version", async () => {
+      const artifact = await getArtifact("0.0.1", "aarch64", "apple-darwin");
+
+      expect(artifact).toBeUndefined();
+    });
+
+    it("should return undefined for unknown platform", async () => {
+      const artifact = await getArtifact(
+        "0.9.26",
+        "aarch64",
+        "unknown-linux-musl",
+      );
+
+      expect(artifact).toBeUndefined();
+    });
+  });
+});

dist/save-cache/index.js

@@ -90980,12 +90980,13 @@ function getConfigValueFromTomlFile(filePath, key) {
 "use strict";
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.STATE_UV_VERSION = exports.STATE_UV_PATH = exports.TOOL_CACHE_NAME = exports.OWNER = exports.REPO = void 0;
+exports.VERSIONS_NDJSON_URL = exports.STATE_UV_VERSION = exports.STATE_UV_PATH = exports.TOOL_CACHE_NAME = exports.OWNER = exports.REPO = void 0;
 exports.REPO = "uv";
 exports.OWNER = "astral-sh";
 exports.TOOL_CACHE_NAME = "uv";
 exports.STATE_UV_PATH = "uv-path";
 exports.STATE_UV_VERSION = "uv-version";
+exports.VERSIONS_NDJSON_URL = "https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson";
 
 
 /***/ }),

dist/setup/index.js

@@ -91626,29 +91626,33 @@ const crypto = __importStar(__nccwpck_require__(7598));
 const fs = __importStar(__nccwpck_require__(3024));
 const core = __importStar(__nccwpck_require__(7484));
 const known_checksums_1 = __nccwpck_require__(2764);
-async function validateChecksum(checkSum, downloadPath, arch, platform, version) {
-    let isValid;
+async function validateChecksum(checkSum, downloadPath, arch, platform, version, ndjsonChecksum) {
+    // Priority: user-provided checksum > KNOWN_CHECKSUMS > NDJSON fallback
+    const key = `${arch}-${platform}-${version}`;
+    let checksumToUse;
+    let source;
     if (checkSum !== undefined && checkSum !== "") {
-        isValid = await validateFileCheckSum(downloadPath, checkSum);
+        checksumToUse = checkSum;
+        source = "user-provided";
+    }
+    else if (key in known_checksums_1.KNOWN_CHECKSUMS) {
+        checksumToUse = known_checksums_1.KNOWN_CHECKSUMS[key];
+        source = `known checksum for ${key}`;
+    }
+    else if (ndjsonChecksum !== undefined && ndjsonChecksum !== "") {
+        checksumToUse = ndjsonChecksum;
+        source = "NDJSON version data";
     }
     else {
-        core.debug("Checksum not provided. Checking known checksums.");
-        const key = `${arch}-${platform}-${version}`;
-        if (key in known_checksums_1.KNOWN_CHECKSUMS) {
-            const knownChecksum = known_checksums_1.KNOWN_CHECKSUMS[`${arch}-${platform}-${version}`];
-            core.debug(`Checking checksum for ${arch}-${platform}-${version}.`);
-            isValid = await validateFileCheckSum(downloadPath, knownChecksum);
-        }
-        else {
-            core.debug(`No known checksum found for ${key}.`);
-        }
+        core.debug(`No checksum found for ${key}.`);
+        return;
     }
-    if (isValid === false) {
-        throw new Error(`Checksum for ${downloadPath} did not match ${checkSum}.`);
-    }
-    if (isValid === true) {
-        core.debug(`Checksum for ${downloadPath} is valid.`);
+    core.debug(`Using ${source}.`);
+    const isValid = await validateFileCheckSum(downloadPath, checksumToUse);
+    if (!isValid) {
+        throw new Error(`Checksum for ${downloadPath} did not match ${checksumToUse}.`);
     }
+    core.debug(`Checksum for ${downloadPath} is valid.`);
 }
 async function validateFileCheckSum(filePath, expected) {
     return new Promise((resolve, reject) => {
@@ -95874,7 +95878,7 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
 exports.tryGetFromToolCache = tryGetFromToolCache;
-exports.downloadVersionFromGithub = downloadVersionFromGithub;
+exports.downloadVersionFromNdjson = downloadVersionFromNdjson;
 exports.downloadVersionFromManifest = downloadVersionFromManifest;
 exports.resolveVersion = resolveVersion;
 const node_fs_1 = __nccwpck_require__(3024);
@@ -95886,6 +95890,7 @@ const semver = __importStar(__nccwpck_require__(9318));
 const constants_1 = __nccwpck_require__(6156);
 const checksum_1 = __nccwpck_require__(7772);
 const version_manifest_1 = __nccwpck_require__(4000);
+const versions_client_1 = __nccwpck_require__(203);
 function tryGetFromToolCache(arch, version) {
     core.debug(`Trying to get uv from tool cache for ${version}...`);
     const cachedVersions = tc.findAllVersions(constants_1.TOOL_CACHE_NAME, arch);
@@ -95897,36 +95902,26 @@ function tryGetFromToolCache(arch, version) {
     const installedPath = tc.find(constants_1.TOOL_CACHE_NAME, resolvedVersion, arch);
     return { installedPath, version: resolvedVersion };
 }
-async function downloadVersionFromGithub(platform, arch, version, checkSum, githubToken) {
+async function downloadVersionFromNdjson(platform, arch, version, checkSum, githubToken) {
     const artifact = `uv-${arch}-${platform}`;
     const extension = getExtension(platform);
-    const downloadUrl = `https://github.com/${constants_1.OWNER}/${constants_1.REPO}/releases/download/${version}/${artifact}${extension}`;
-    return await downloadVersion(downloadUrl, artifact, platform, arch, version, checkSum, githubToken);
+    // Get artifact info from NDJSON (includes URL and checksum)
+    const artifactInfo = await (0, versions_client_1.getArtifact)(version, arch, platform);
+    const downloadUrl = artifactInfo?.url ??
+        `https://github.com/${constants_1.OWNER}/${constants_1.REPO}/releases/download/${version}/${artifact}${extension}`;
+    return await downloadVersion(downloadUrl, artifact, platform, arch, version, checkSum, githubToken, artifactInfo?.sha256);
 }
 async function downloadVersionFromManifest(manifestUrl, platform, arch, version, checkSum, githubToken) {
-    // If no user-provided manifest, try remote manifest first (will use cache if already fetched)
-    // then fall back to bundled manifest
-    const manifestSources = manifestUrl !== undefined
-        ? [manifestUrl]
-        : [version_manifest_1.REMOTE_MANIFEST_URL, undefined];
-    for (const source of manifestSources) {
-        try {
-            const downloadUrl = await (0, version_manifest_1.getDownloadUrl)(source, version, arch, platform);
-            if (downloadUrl) {
-                return await downloadVersion(downloadUrl, `uv-${arch}-${platform}`, platform, arch, version, checkSum, githubToken);
-            }
-        }
-        catch (err) {
-            core.debug(`Failed to get download URL from manifest ${source}: ${err}`);
-        }
+    const downloadUrl = await (0, version_manifest_1.getDownloadUrl)(manifestUrl, version, arch, platform);
+    if (!downloadUrl) {
+        throw new Error(`manifest-file does not contain version ${version}, arch ${arch}, platform ${platform}.`);
     }
-    core.info(`Manifest does not contain version ${version}, arch ${arch}, platform ${platform}. Falling back to GitHub releases.`);
-    return await downloadVersionFromGithub(platform, arch, version, checkSum, githubToken);
+    return await downloadVersion(downloadUrl, `uv-${arch}-${platform}`, platform, arch, version, checkSum, githubToken, undefined);
 }
-async function downloadVersion(downloadUrl, artifactName, platform, arch, version, checkSum, githubToken) {
+async function downloadVersion(downloadUrl, artifactName, platform, arch, version, checkSum, githubToken, ndjsonChecksum) {
     core.info(`Downloading uv from "${downloadUrl}" ...`);
     const downloadPath = await tc.downloadTool(downloadUrl, undefined, githubToken);
-    await (0, checksum_1.validateChecksum)(checkSum, downloadPath, arch, platform, version);
+    await (0, checksum_1.validateChecksum)(checkSum, downloadPath, arch, platform, version, ndjsonChecksum);
     let uvDir;
     if (platform === "pc-windows-msvc") {
         // On windows extracting the zip does not create an intermediate directory
@@ -95970,7 +95965,7 @@ async function resolveVersion(versionInput, manifestFile, resolutionStrategy = "
     else {
         version =
             versionInput === "latest" || resolveVersionSpecifierToLatest
-                ? await getLatestVersion()
+                ? await (0, versions_client_1.getLatestVersion)()
                 : versionInput;
     }
     if (tc.isExplicitVersion(version)) {
@@ -95993,34 +95988,8 @@ async function resolveVersion(versionInput, manifestFile, resolutionStrategy = "
     return resolvedVersion;
 }
 async function getAvailableVersions() {
-    // 1. Try remote manifest first (no rate limits, always current)
-    try {
-        core.info("Getting available versions from remote manifest...");
-        const versions = await (0, version_manifest_1.getAvailableVersionsFromManifest)(version_manifest_1.REMOTE_MANIFEST_URL);
-        core.debug(`Found ${versions.length} versions from remote manifest`);
-        return versions;
-    }
-    catch (err) {
-        core.debug(`Remote manifest lookup failed: ${err}`);
-    }
-    // 2. Fall back to bundled manifest (no network, may be stale)
-    core.info("Getting available versions from bundled manifest...");
-    return await (0, version_manifest_1.getAvailableVersionsFromManifest)(undefined);
-}
-async function getLatestVersion() {
-    // 1. Try remote manifest first (no rate limits, always current)
-    try {
-        core.info("Getting latest version from remote manifest...");
-        const version = await (0, version_manifest_1.getLatestKnownVersion)(version_manifest_1.REMOTE_MANIFEST_URL);
-        core.debug(`Latest version from remote manifest: ${version}`);
-        return version;
-    }
-    catch (err) {
-        core.debug(`Remote manifest lookup failed: ${err}`);
-    }
-    // 2. Fall back to bundled manifest (no network, may be stale)
-    core.info("Getting latest version from bundled manifest...");
-    return await (0, version_manifest_1.getLatestKnownVersion)(undefined);
+    core.info("Getting available versions from NDJSON...");
+    return await (0, versions_client_1.getAllVersions)();
 }
 function maxSatisfying(versions, version) {
     const maxSemver = tc.evaluateVersions(versions, version);
@@ -96093,10 +96062,8 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.REMOTE_MANIFEST_URL = void 0;
 exports.getLatestKnownVersion = getLatestKnownVersion;
 exports.getDownloadUrl = getDownloadUrl;
-exports.getAvailableVersionsFromManifest = getAvailableVersionsFromManifest;
 exports.updateVersionManifest = updateVersionManifest;
 const node_fs_1 = __nccwpck_require__(3024);
 const node_path_1 = __nccwpck_require__(6760);
@@ -96104,9 +96071,6 @@ const core = __importStar(__nccwpck_require__(7484));
 const semver = __importStar(__nccwpck_require__(9318));
 const fetch_1 = __nccwpck_require__(3385);
 const localManifestFile = (0, node_path_1.join)(__dirname, "..", "..", "version-manifest.json");
-exports.REMOTE_MANIFEST_URL = "https://raw.githubusercontent.com/astral-sh/setup-uv/main/version-manifest.json";
-// Cache for manifest entries to avoid re-fetching
-const manifestCache = new Map();
 async function getLatestKnownVersion(manifestUrl) {
     const manifestEntries = await getManifestEntries(manifestUrl);
     return manifestEntries.reduce((a, b) => semver.gt(a.version, b.version) ? a : b).version;
@@ -96118,18 +96082,7 @@ async function getDownloadUrl(manifestUrl, version, arch, platform) {
         entry.platform === platform);
     return entry ? entry.downloadUrl : undefined;
 }
-async function getAvailableVersionsFromManifest(manifestUrl) {
-    const manifestEntries = await getManifestEntries(manifestUrl);
-    return [...new Set(manifestEntries.map((entry) => entry.version))];
-}
 async function getManifestEntries(manifestUrl) {
-    const cacheKey = manifestUrl ?? "local";
-    // Return cached entries if available
-    const cached = manifestCache.get(cacheKey);
-    if (cached !== undefined) {
-        core.debug(`Using cached manifest entries for: ${cacheKey}`);
-        return cached;
-    }
     let data;
     if (manifestUrl !== undefined) {
         core.info(`Fetching manifest-file from: ${manifestUrl}`);
@@ -96144,9 +96097,7 @@ async function getManifestEntries(manifestUrl) {
         const fileContent = await node_fs_1.promises.readFile(localManifestFile);
         data = fileContent.toString();
     }
-    const entries = JSON.parse(data);
-    manifestCache.set(cacheKey, entries);
-    return entries;
+    return JSON.parse(data);
 }
 async function updateVersionManifest(manifestUrl, downloadUrls) {
     const manifest = [];
@@ -96174,6 +96125,126 @@ async function updateVersionManifest(manifestUrl, downloadUrls) {
 }
 
 
+/***/ }),
+
+/***/ 203:
+/***/ (function(__unused_webpack_module, exports, __nccwpck_require__) {
+
+"use strict";
+
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", ({ value: true }));
+exports.fetchVersionData = fetchVersionData;
+exports.getLatestVersion = getLatestVersion;
+exports.getAllVersions = getAllVersions;
+exports.getArtifact = getArtifact;
+exports.clearCache = clearCache;
+const core = __importStar(__nccwpck_require__(7484));
+const constants_1 = __nccwpck_require__(6156);
+const fetch_1 = __nccwpck_require__(3385);
+let cachedVersionData = null;
+async function fetchVersionData() {
+    if (cachedVersionData !== null) {
+        core.debug("Using cached NDJSON version data");
+        return cachedVersionData;
+    }
+    core.info(`Fetching version data from ${constants_1.VERSIONS_NDJSON_URL}...`);
+    const response = await (0, fetch_1.fetch)(constants_1.VERSIONS_NDJSON_URL, {});
+    if (!response.ok) {
+        throw new Error(`Failed to fetch version data: ${response.status} ${response.statusText}`);
+    }
+    const body = await response.text();
+    const versions = [];
+    for (const line of body.split("\n")) {
+        const trimmed = line.trim();
+        if (trimmed === "") {
+            continue;
+        }
+        try {
+            const version = JSON.parse(trimmed);
+            versions.push(version);
+        }
+        catch {
+            core.debug(`Failed to parse NDJSON line: ${trimmed}`);
+        }
+    }
+    if (versions.length === 0) {
+        throw new Error("No version data found in NDJSON file");
+    }
+    cachedVersionData = versions;
+    return versions;
+}
+async function getLatestVersion() {
+    const versions = await fetchVersionData();
+    // The NDJSON file lists versions in order, newest first
+    const latestVersion = versions[0]?.version;
+    if (!latestVersion) {
+        throw new Error("No versions found in NDJSON data");
+    }
+    core.debug(`Latest version from NDJSON: ${latestVersion}`);
+    return latestVersion;
+}
+async function getAllVersions() {
+    const versions = await fetchVersionData();
+    return versions.map((v) => v.version);
+}
+async function getArtifact(version, arch, platform) {
+    const versions = await fetchVersionData();
+    const versionData = versions.find((v) => v.version === version);
+    if (!versionData) {
+        core.debug(`Version ${version} not found in NDJSON data`);
+        return undefined;
+    }
+    // The NDJSON artifact platform format is like "x86_64-apple-darwin"
+    // We need to match against arch-platform
+    const targetPlatform = `${arch}-${platform}`;
+    const artifact = versionData.artifacts.find((a) => a.platform === targetPlatform);
+    if (!artifact) {
+        core.debug(`Artifact for ${targetPlatform} not found in version ${version}. Available platforms: ${versionData.artifacts.map((a) => a.platform).join(", ")}`);
+        return undefined;
+    }
+    return {
+        sha256: artifact.sha256,
+        url: artifact.url,
+    };
+}
+function clearCache() {
+    cachedVersionData = null;
+}
+
+
 /***/ }),
 
 /***/ 9660:
@@ -96399,7 +96470,10 @@ async function setupUv(platform, arch, checkSum, githubToken) {
             version: toolCacheResult.version,
         };
     }
-    const downloadVersionResult = await (0, download_version_1.downloadVersionFromManifest)(inputs_1.manifestFile, platform, arch, resolvedVersion, checkSum, githubToken);
+    // Use the same source for download as we used for version resolution
+    const downloadVersionResult = inputs_1.manifestFile
+        ? await (0, download_version_1.downloadVersionFromManifest)(inputs_1.manifestFile, platform, arch, resolvedVersion, checkSum, githubToken)
+        : await (0, download_version_1.downloadVersionFromNdjson)(platform, arch, resolvedVersion, checkSum, githubToken);
     return {
         uvDir: downloadVersionResult.cachedToolDir,
         version: downloadVersionResult.version,
@@ -96595,12 +96669,13 @@ function getConfigValueFromTomlFile(filePath, key) {
 "use strict";
 
 Object.defineProperty(exports, "__esModule", ({ value: true }));
-exports.STATE_UV_VERSION = exports.STATE_UV_PATH = exports.TOOL_CACHE_NAME = exports.OWNER = exports.REPO = void 0;
+exports.VERSIONS_NDJSON_URL = exports.STATE_UV_VERSION = exports.STATE_UV_PATH = exports.TOOL_CACHE_NAME = exports.OWNER = exports.REPO = void 0;
 exports.REPO = "uv";
 exports.OWNER = "astral-sh";
 exports.TOOL_CACHE_NAME = "uv";
 exports.STATE_UV_PATH = "uv-path";
 exports.STATE_UV_VERSION = "uv-version";
+exports.VERSIONS_NDJSON_URL = "https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson";
 
 
 /***/ }),

package-lock.json

@@ -15,9 +15,6 @@
         "@actions/glob": "^0.5.0",
         "@actions/io": "^1.1.3",
         "@actions/tool-cache": "^2.0.2",
-        "@octokit/core": "^7.0.6",
-        "@octokit/plugin-paginate-rest": "^14.0.0",
-        "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
         "@renovatebot/pep440": "^4.2.1",
         "smol-toml": "^1.4.2",
         "undici": "5.28.5"
@@ -412,7 +409,6 @@
       "integrity": "sha512-UlLAnTPrFdNGoFtbSXwcGFQBtQZJCNjaN6hQNP3UPvuNXT1i82N26KL3dZeIpNalWywr9IuQuncaAfUaS1g6sQ==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@ampproject/remapping": "^2.2.0",
         "@babel/code-frame": "^7.27.1",
@@ -1590,134 +1586,6 @@
         "@tybys/wasm-util": "^0.10.0"
       }
     },
-    "node_modules/@octokit/auth-token": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
-      "integrity": "sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w==",
-      "license": "MIT",
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/core": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
-      "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
-      "license": "MIT",
-      "peer": true,
-      "dependencies": {
-        "@octokit/auth-token": "^6.0.0",
-        "@octokit/graphql": "^9.0.3",
-        "@octokit/request": "^10.0.6",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "before-after-hook": "^4.0.0",
-        "universal-user-agent": "^7.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/endpoint": {
-      "version": "11.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.2.tgz",
-      "integrity": "sha512-4zCpzP1fWc7QlqunZ5bSEjxc6yLAlRTnDwKtgXfcI/FxxGoqedDG8V2+xJ60bV2kODqcGB+nATdtap/XYq2NZQ==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/graphql": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-9.0.3.tgz",
-      "integrity": "sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/request": "^10.0.6",
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/openapi-types": {
-      "version": "27.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
-      "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA==",
-      "license": "MIT"
-    },
-    "node_modules/@octokit/plugin-paginate-rest": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-14.0.0.tgz",
-      "integrity": "sha512-fNVRE7ufJiAA3XUrha2omTA39M6IXIc6GIZLvlbsm8QOQCYvpq/LkMNGyFlB1d8hTDzsAXa3OKtybdMAYsV/fw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=6"
-      }
-    },
-    "node_modules/@octokit/plugin-rest-endpoint-methods": {
-      "version": "17.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-17.0.0.tgz",
-      "integrity": "sha512-B5yCyIlOJFPqUUeiD0cnBJwWJO8lkJs5d8+ze9QDP6SvfiXSz1BF+91+0MeI1d2yxgOhU/O+CvtiZ9jSkHhFAw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      },
-      "peerDependencies": {
-        "@octokit/core": ">=6"
-      }
-    },
-    "node_modules/@octokit/request": {
-      "version": "10.0.7",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.7.tgz",
-      "integrity": "sha512-v93h0i1yu4idj8qFPZwjehoJx4j3Ntn+JhXsdJrG9pYaX6j/XRz2RmasMUHtNgQD39nrv/VwTWSqK0RNXR8upA==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/endpoint": "^11.0.2",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "fast-content-type-parse": "^3.0.0",
-        "universal-user-agent": "^7.0.2"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/request-error": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
-      "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/types": "^16.0.0"
-      },
-      "engines": {
-        "node": ">= 20"
-      }
-    },
-    "node_modules/@octokit/types": {
-      "version": "16.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
-      "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
-      "license": "MIT",
-      "dependencies": {
-        "@octokit/openapi-types": "^27.0.0"
-      }
-    },
     "node_modules/@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@@ -2454,12 +2322,6 @@
       "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
       "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c="
     },
-    "node_modules/before-after-hook": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-4.0.0.tgz",
-      "integrity": "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ==",
-      "license": "Apache-2.0"
-    },
     "node_modules/brace-expansion": {
       "version": "1.1.12",
       "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
@@ -2502,7 +2364,6 @@
         }
       ],
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "caniuse-lite": "^1.0.30001733",
         "electron-to-chromium": "^1.5.199",
@@ -3070,22 +2931,6 @@
         "node": "^18.14.0 || ^20.0.0 || ^22.0.0 || >=24.0.0"
       }
     },
-    "node_modules/fast-content-type-parse": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-3.0.0.tgz",
-      "integrity": "sha512-ZvLdcY8P+N8mGQJahJV5G4U88CSvT1rP8ApL6uETe88MBXrBHAkZlSEySdUlyztF7ccb+Znos3TFqaepHxdhBg==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/fastify"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/fastify"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/fast-json-stable-stringify": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
@@ -3630,7 +3475,6 @@
       "integrity": "sha512-F26gjC0yWN8uAA5m5Ss8ZQf5nDHWGlN/xWZIh8S5SRbsEKBovwZhxGd6LJlbZYxBgCYOtreSUyb8hpXyGC5O4A==",
       "dev": true,
       "license": "MIT",
-      "peer": true,
       "dependencies": {
         "@jest/core": "30.2.0",
         "@jest/types": "30.2.0",
@@ -5329,7 +5173,6 @@
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
       "dev": true,
       "license": "Apache-2.0",
-      "peer": true,
       "bin": {
         "tsc": "bin/tsc",
         "tsserver": "bin/tsserver"
@@ -5370,12 +5213,6 @@
       "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==",
       "license": "MIT"
     },
-    "node_modules/universal-user-agent": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
-      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A==",
-      "license": "ISC"
-    },
     "node_modules/unrs-resolver": {
       "version": "1.11.1",
       "resolved": "https://registry.npmjs.org/unrs-resolver/-/unrs-resolver-1.11.1.tgz",
@@ -6072,7 +5909,6 @@
       "resolved": "https://registry.npmjs.org/@babel/core/-/core-7.28.0.tgz",
       "integrity": "sha512-UlLAnTPrFdNGoFtbSXwcGFQBtQZJCNjaN6hQNP3UPvuNXT1i82N26KL3dZeIpNalWywr9IuQuncaAfUaS1g6sQ==",
       "dev": true,
-      "peer": true,
       "requires": {
         "@ampproject/remapping": "^2.2.0",
         "@babel/code-frame": "^7.27.1",
@@ -6887,94 +6723,6 @@
         "@tybys/wasm-util": "^0.10.0"
       }
     },
-    "@octokit/auth-token": {
-      "version": "6.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/auth-token/-/auth-token-6.0.0.tgz",
-      "integrity": "sha512-P4YJBPdPSpWTQ1NU4XYdvHvXJJDxM6YwpS0FZHRgP7YFkdVxsWcpWGy/NVqlAA7PcPCnMacXlRm1y2PFZRWL/w=="
-    },
-    "@octokit/core": {
-      "version": "7.0.6",
-      "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
-      "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
-      "peer": true,
-      "requires": {
-        "@octokit/auth-token": "^6.0.0",
-        "@octokit/graphql": "^9.0.3",
-        "@octokit/request": "^10.0.6",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "before-after-hook": "^4.0.0",
-        "universal-user-agent": "^7.0.0"
-      }
-    },
-    "@octokit/endpoint": {
-      "version": "11.0.2",
-      "resolved": "https://registry.npmjs.org/@octokit/endpoint/-/endpoint-11.0.2.tgz",
-      "integrity": "sha512-4zCpzP1fWc7QlqunZ5bSEjxc6yLAlRTnDwKtgXfcI/FxxGoqedDG8V2+xJ60bV2kODqcGB+nATdtap/XYq2NZQ==",
-      "requires": {
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.2"
-      }
-    },
-    "@octokit/graphql": {
-      "version": "9.0.3",
-      "resolved": "https://registry.npmjs.org/@octokit/graphql/-/graphql-9.0.3.tgz",
-      "integrity": "sha512-grAEuupr/C1rALFnXTv6ZQhFuL1D8G5y8CN04RgrO4FIPMrtm+mcZzFG7dcBm+nq+1ppNixu+Jd78aeJOYxlGA==",
-      "requires": {
-        "@octokit/request": "^10.0.6",
-        "@octokit/types": "^16.0.0",
-        "universal-user-agent": "^7.0.0"
-      }
-    },
-    "@octokit/openapi-types": {
-      "version": "27.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/openapi-types/-/openapi-types-27.0.0.tgz",
-      "integrity": "sha512-whrdktVs1h6gtR+09+QsNk2+FO+49j6ga1c55YZudfEG+oKJVvJLQi3zkOm5JjiUXAagWK2tI2kTGKJ2Ys7MGA=="
-    },
-    "@octokit/plugin-paginate-rest": {
-      "version": "14.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-paginate-rest/-/plugin-paginate-rest-14.0.0.tgz",
-      "integrity": "sha512-fNVRE7ufJiAA3XUrha2omTA39M6IXIc6GIZLvlbsm8QOQCYvpq/LkMNGyFlB1d8hTDzsAXa3OKtybdMAYsV/fw==",
-      "requires": {
-        "@octokit/types": "^16.0.0"
-      }
-    },
-    "@octokit/plugin-rest-endpoint-methods": {
-      "version": "17.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/plugin-rest-endpoint-methods/-/plugin-rest-endpoint-methods-17.0.0.tgz",
-      "integrity": "sha512-B5yCyIlOJFPqUUeiD0cnBJwWJO8lkJs5d8+ze9QDP6SvfiXSz1BF+91+0MeI1d2yxgOhU/O+CvtiZ9jSkHhFAw==",
-      "requires": {
-        "@octokit/types": "^16.0.0"
-      }
-    },
-    "@octokit/request": {
-      "version": "10.0.7",
-      "resolved": "https://registry.npmjs.org/@octokit/request/-/request-10.0.7.tgz",
-      "integrity": "sha512-v93h0i1yu4idj8qFPZwjehoJx4j3Ntn+JhXsdJrG9pYaX6j/XRz2RmasMUHtNgQD39nrv/VwTWSqK0RNXR8upA==",
-      "requires": {
-        "@octokit/endpoint": "^11.0.2",
-        "@octokit/request-error": "^7.0.2",
-        "@octokit/types": "^16.0.0",
-        "fast-content-type-parse": "^3.0.0",
-        "universal-user-agent": "^7.0.2"
-      }
-    },
-    "@octokit/request-error": {
-      "version": "7.1.0",
-      "resolved": "https://registry.npmjs.org/@octokit/request-error/-/request-error-7.1.0.tgz",
-      "integrity": "sha512-KMQIfq5sOPpkQYajXHwnhjCC0slzCNScLHs9JafXc4RAJI+9f+jNDlBNaIMTvazOPLgb4BnlhGJOTbnN0wIjPw==",
-      "requires": {
-        "@octokit/types": "^16.0.0"
-      }
-    },
-    "@octokit/types": {
-      "version": "16.0.0",
-      "resolved": "https://registry.npmjs.org/@octokit/types/-/types-16.0.0.tgz",
-      "integrity": "sha512-sKq+9r1Mm4efXW1FCk7hFSeJo4QKreL/tTbR0rz/qx/r1Oa2VV83LTA/H/MuCOX7uCIJmQVRKBcbmWoySjAnSg==",
-      "requires": {
-        "@octokit/openapi-types": "^27.0.0"
-      }
-    },
     "@opentelemetry/api": {
       "version": "1.4.1",
       "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.4.1.tgz",
@@ -7475,11 +7223,6 @@
       "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.0.tgz",
       "integrity": "sha1-ibTRmasr7kneFk6gK4nORi1xt2c="
     },
-    "before-after-hook": {
-      "version": "4.0.0",
-      "resolved": "https://registry.npmjs.org/before-after-hook/-/before-after-hook-4.0.0.tgz",
-      "integrity": "sha512-q6tR3RPqIB1pMiTRMFcZwuG5T8vwp+vUvEG0vuI6B+Rikh5BfPp2fQ82c925FOs+b0lcFQ8CFrL+KbilfZFhOQ=="
-    },
     "brace-expansion": {
       "version": "1.1.12",
       "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz",
@@ -7503,7 +7246,6 @@
       "resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.25.2.tgz",
       "integrity": "sha512-0si2SJK3ooGzIawRu61ZdPCO1IncZwS8IzuX73sPZsXW6EQ/w/DAfPyKI8l1ETTCr2MnvqWitmlCUxgdul45jA==",
       "dev": true,
-      "peer": true,
       "requires": {
         "caniuse-lite": "^1.0.30001733",
         "electron-to-chromium": "^1.5.199",
@@ -7881,11 +7623,6 @@
         "jest-util": "30.2.0"
       }
     },
-    "fast-content-type-parse": {
-      "version": "3.0.0",
-      "resolved": "https://registry.npmjs.org/fast-content-type-parse/-/fast-content-type-parse-3.0.0.tgz",
-      "integrity": "sha512-ZvLdcY8P+N8mGQJahJV5G4U88CSvT1rP8ApL6uETe88MBXrBHAkZlSEySdUlyztF7ccb+Znos3TFqaepHxdhBg=="
-    },
     "fast-json-stable-stringify": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/fast-json-stable-stringify/-/fast-json-stable-stringify-2.1.0.tgz",
@@ -8250,7 +7987,6 @@
       "resolved": "https://registry.npmjs.org/jest/-/jest-30.2.0.tgz",
       "integrity": "sha512-F26gjC0yWN8uAA5m5Ss8ZQf5nDHWGlN/xWZIh8S5SRbsEKBovwZhxGd6LJlbZYxBgCYOtreSUyb8hpXyGC5O4A==",
       "dev": true,
-      "peer": true,
       "requires": {
         "@jest/core": "30.2.0",
         "@jest/types": "30.2.0",
@@ -9398,8 +9134,7 @@
       "version": "5.9.3",
       "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
       "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
-      "dev": true,
-      "peer": true
+      "dev": true
     },
     "uglify-js": {
       "version": "3.19.3",
@@ -9421,11 +9156,6 @@
       "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz",
       "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw=="
     },
-    "universal-user-agent": {
-      "version": "7.0.3",
-      "resolved": "https://registry.npmjs.org/universal-user-agent/-/universal-user-agent-7.0.3.tgz",
-      "integrity": "sha512-TmnEAEAsBJVZM/AADELsK76llnwcf9vMKuPz8JflO1frO8Lchitr0fNaN9d+Ap0BjKtqWqd/J17qeDnXh8CL2A=="
-    },
     "unrs-resolver": {
       "version": "1.11.1",
       "resolved": "https://registry.npmjs.org/unrs-resolver/-/unrs-resolver-1.11.1.tgz",

package.json

@@ -10,7 +10,7 @@
     "package": "ncc build -o dist/setup src/setup-uv.ts && ncc build -o dist/save-cache src/save-cache.ts && ncc build -o dist/update-known-versions src/update-known-versions.ts",
     "test": "jest",
     "act": "act pull_request -W .github/workflows/test.yml --container-architecture linux/amd64 -s GITHUB_TOKEN=\"$(gh auth token)\"",
-    "update-known-versions": "RUNNER_TEMP=known_versions node dist/update-known-versions/index.js src/download/checksum/known-versions.ts \"$(gh auth token)\"",
+    "update-known-versions": "RUNNER_TEMP=known_versions node dist/update-known-versions/index.js src/download/checksum/known-checksums.ts version-manifest.json",
     "all": "npm run build && npm run check && npm run package && npm test"
   },
   "repository": {
@@ -32,9 +32,6 @@
     "@actions/glob": "^0.5.0",
     "@actions/io": "^1.1.3",
     "@actions/tool-cache": "^2.0.2",
-    "@octokit/core": "^7.0.6",
-    "@octokit/plugin-paginate-rest": "^14.0.0",
-    "@octokit/plugin-rest-endpoint-methods": "^17.0.0",
     "@renovatebot/pep440": "^4.2.1",
     "smol-toml": "^1.4.2",
     "undici": "5.28.5"

src/download/checksum/checksum.ts

@@ -11,28 +11,36 @@ export async function validateChecksum(
   arch: Architecture,
   platform: Platform,
   version: string,
+  ndjsonChecksum?: string,
 ): Promise<void> {
-  let isValid: boolean | undefined;
+  // Priority: user-provided checksum > KNOWN_CHECKSUMS > NDJSON fallback
+  const key = `${arch}-${platform}-${version}`;
+  let checksumToUse: string | undefined;
+  let source: string;
+
   if (checkSum !== undefined && checkSum !== "") {
-    isValid = await validateFileCheckSum(downloadPath, checkSum);
+    checksumToUse = checkSum;
+    source = "user-provided";
+  } else if (key in KNOWN_CHECKSUMS) {
+    checksumToUse = KNOWN_CHECKSUMS[key];
+    source = `known checksum for ${key}`;
+  } else if (ndjsonChecksum !== undefined && ndjsonChecksum !== "") {
+    checksumToUse = ndjsonChecksum;
+    source = "NDJSON version data";
   } else {
-    core.debug("Checksum not provided. Checking known checksums.");
-    const key = `${arch}-${platform}-${version}`;
-    if (key in KNOWN_CHECKSUMS) {
-      const knownChecksum = KNOWN_CHECKSUMS[`${arch}-${platform}-${version}`];
-      core.debug(`Checking checksum for ${arch}-${platform}-${version}.`);
-      isValid = await validateFileCheckSum(downloadPath, knownChecksum);
-    } else {
-      core.debug(`No known checksum found for ${key}.`);
-    }
+    core.debug(`No checksum found for ${key}.`);
+    return;
   }
 
-  if (isValid === false) {
-    throw new Error(`Checksum for ${downloadPath} did not match ${checkSum}.`);
-  }
-  if (isValid === true) {
-    core.debug(`Checksum for ${downloadPath} is valid.`);
+  core.debug(`Using ${source}.`);
+  const isValid = await validateFileCheckSum(downloadPath, checksumToUse);
+
+  if (!isValid) {
+    throw new Error(
+      `Checksum for ${downloadPath} did not match ${checksumToUse}.`,
+    );
   }
+  core.debug(`Checksum for ${downloadPath} is valid.`);
 }
 
 async function validateFileCheckSum(

src/download/checksum/update-known-checksums.ts

@@ -1,9 +1,13 @@
 import { promises as fs } from "node:fs";
-import * as tc from "@actions/tool-cache";
-import { KNOWN_CHECKSUMS } from "./known-checksums";
+
+export interface ChecksumEntry {
+  key: string;
+  checksum: string;
+}
+
 export async function updateChecksums(
   filePath: string,
-  downloadUrls: string[],
+  checksumEntries: ChecksumEntry[],
 ): Promise<void> {
   await fs.rm(filePath);
   await fs.appendFile(
@@ -11,49 +15,12 @@ export async function updateChecksums(
     "// AUTOGENERATED_DO_NOT_EDIT\nexport const KNOWN_CHECKSUMS: { [key: string]: string } = {\n",
   );
   let firstLine = true;
-  for (const downloadUrl of downloadUrls) {
-    const key = getKey(downloadUrl);
-    if (key === undefined) {
-      continue;
-    }
-    const checksum = await getOrDownloadChecksum(key, downloadUrl);
+  for (const entry of checksumEntries) {
     if (!firstLine) {
       await fs.appendFile(filePath, ",\n");
     }
-    await fs.appendFile(filePath, `  "${key}":\n    "${checksum}"`);
+    await fs.appendFile(filePath, `  "${entry.key}":\n    "${entry.checksum}"`);
     firstLine = false;
   }
   await fs.appendFile(filePath, ",\n};\n");
 }
-
-function getKey(downloadUrl: string): string | undefined {
-  // https://github.com/astral-sh/uv/releases/download/0.3.2/uv-aarch64-apple-darwin.tar.gz.sha256
-  const parts = downloadUrl.split("/");
-  const fileName = parts[parts.length - 1];
-  if (fileName.startsWith("source")) {
-    return undefined;
-  }
-  const name = fileName.split(".")[0].split("uv-")[1];
-  const version = parts[parts.length - 2];
-  return `${name}-${version}`;
-}
-
-async function getOrDownloadChecksum(
-  key: string,
-  downloadUrl: string,
-): Promise<string> {
-  let checksum = "";
-  if (key in KNOWN_CHECKSUMS) {
-    checksum = KNOWN_CHECKSUMS[key];
-  } else {
-    const content = await downloadAssetContent(downloadUrl);
-    checksum = content.split(" ")[0].trim();
-  }
-  return checksum;
-}
-
-async function downloadAssetContent(downloadUrl: string): Promise<string> {
-  const downloadPath = await tc.downloadTool(downloadUrl);
-  const content = await fs.readFile(downloadPath, "utf8");
-  return content;
-}

src/download/download-version.ts

@@ -8,11 +8,14 @@ import { OWNER, REPO, TOOL_CACHE_NAME } from "../utils/constants";
 import type { Architecture, Platform } from "../utils/platforms";
 import { validateChecksum } from "./checksum/checksum";
 import {
-  getAvailableVersionsFromManifest,
-  getDownloadUrl,
   getLatestKnownVersion as getLatestVersionInManifest,
-  REMOTE_MANIFEST_URL,
+  getDownloadUrl as getManifestDownloadUrl,
 } from "./version-manifest";
+import {
+  getAllVersions,
+  getArtifact,
+  getLatestVersion as getLatestVersionFromNdjson,
+} from "./versions-client";
 
 export function tryGetFromToolCache(
   arch: Architecture,
@@ -29,7 +32,7 @@ export function tryGetFromToolCache(
   return { installedPath, version: resolvedVersion };
 }
 
-export async function downloadVersionFromGithub(
+export async function downloadVersionFromNdjson(
   platform: Platform,
   arch: Architecture,
   version: string,
@@ -38,7 +41,14 @@ export async function downloadVersionFromGithub(
 ): Promise<{ version: string; cachedToolDir: string }> {
   const artifact = `uv-${arch}-${platform}`;
   const extension = getExtension(platform);
-  const downloadUrl = `https://github.com/${OWNER}/${REPO}/releases/download/${version}/${artifact}${extension}`;
+
+  // Get artifact info from NDJSON (includes URL and checksum)
+  const artifactInfo = await getArtifact(version, arch, platform);
+
+  const downloadUrl =
+    artifactInfo?.url ??
+    `https://github.com/${OWNER}/${REPO}/releases/download/${version}/${artifact}${extension}`;
+
   return await downloadVersion(
     downloadUrl,
     artifact,
@@ -47,52 +57,39 @@ export async function downloadVersionFromGithub(
     version,
     checkSum,
     githubToken,
+    artifactInfo?.sha256,
   );
 }
 
 export async function downloadVersionFromManifest(
-  manifestUrl: string | undefined,
+  manifestUrl: string,
   platform: Platform,
   arch: Architecture,
   version: string,
   checkSum: string | undefined,
   githubToken: string,
 ): Promise<{ version: string; cachedToolDir: string }> {
-  // If no user-provided manifest, try remote manifest first (will use cache if already fetched)
-  // then fall back to bundled manifest
-  const manifestSources =
-    manifestUrl !== undefined
-      ? [manifestUrl]
-      : [REMOTE_MANIFEST_URL, undefined];
-
-  for (const source of manifestSources) {
-    try {
-      const downloadUrl = await getDownloadUrl(source, version, arch, platform);
-      if (downloadUrl) {
-        return await downloadVersion(
-          downloadUrl,
-          `uv-${arch}-${platform}`,
-          platform,
-          arch,
-          version,
-          checkSum,
-          githubToken,
-        );
-      }
-    } catch (err) {
-      core.debug(`Failed to get download URL from manifest ${source}: ${err}`);
-    }
+  const downloadUrl = await getManifestDownloadUrl(
+    manifestUrl,
+    version,
+    arch,
+    platform,
+  );
+  if (!downloadUrl) {
+    throw new Error(
+      `manifest-file does not contain version ${version}, arch ${arch}, platform ${platform}.`,
+    );
   }
 
-  core.info(
-    `Manifest does not contain version ${version}, arch ${arch}, platform ${platform}. Falling back to GitHub releases.`,
-  );
-  return await downloadVersionFromGithub(
+  return await downloadVersion(
+    downloadUrl,
+    `uv-${arch}-${platform}`,
     platform,
     arch,
     version,
     checkSum,
     githubToken,
+    undefined, // No NDJSON checksum for manifest downloads
   );
 }
 
@@ -104,6 +101,7 @@ async function downloadVersion(
   version: string,
   checkSum: string | undefined,
   githubToken: string,
+  ndjsonChecksum?: string,
 ): Promise<{ version: string; cachedToolDir: string }> {
   core.info(`Downloading uv from "${downloadUrl}" ...`);
   const downloadPath = await tc.downloadTool(
@@ -111,7 +109,14 @@ async function downloadVersion(
     undefined,
     githubToken,
   );
-  await validateChecksum(checkSum, downloadPath, arch, platform, version);
+  await validateChecksum(
+    checkSum,
+    downloadPath,
+    arch,
+    platform,
+    version,
+    ndjsonChecksum,
+  );
 
   let uvDir: string;
   if (platform === "pc-windows-msvc") {
@@ -168,7 +173,7 @@ export async function resolveVersion(
   } else {
     version =
       versionInput === "latest" || resolveVersionSpecifierToLatest
-        ? await getLatestVersion()
+        ? await getLatestVersionFromNdjson()
         : versionInput;
   }
   if (tc.isExplicitVersion(version)) {
@@ -193,36 +198,8 @@ export async function resolveVersion(
 }
 
 async function getAvailableVersions(): Promise<string[]> {
-  // 1. Try remote manifest first (no rate limits, always current)
-  try {
-    core.info("Getting available versions from remote manifest...");
-    const versions =
-      await getAvailableVersionsFromManifest(REMOTE_MANIFEST_URL);
-    core.debug(`Found ${versions.length} versions from remote manifest`);
-    return versions;
-  } catch (err) {
-    core.debug(`Remote manifest lookup failed: ${err}`);
-  }
-
-  // 2. Fall back to bundled manifest (no network, may be stale)
-  core.info("Getting available versions from bundled manifest...");
-  return await getAvailableVersionsFromManifest(undefined);
-}
-
-async function getLatestVersion() {
-  // 1. Try remote manifest first (no rate limits, always current)
-  try {
-    core.info("Getting latest version from remote manifest...");
-    const version = await getLatestVersionInManifest(REMOTE_MANIFEST_URL);
-    core.debug(`Latest version from remote manifest: ${version}`);
-    return version;
-  } catch (err) {
-    core.debug(`Remote manifest lookup failed: ${err}`);
-  }
-
-  // 2. Fall back to bundled manifest (no network, may be stale)
-  core.info("Getting latest version from bundled manifest...");
-  return await getLatestVersionInManifest(undefined);
+  core.info("Getting available versions from NDJSON...");
+  return await getAllVersions();
 }
 
 function maxSatisfying(

src/download/version-manifest.ts

@@ -5,11 +5,6 @@ import * as semver from "semver";
 import { fetch } from "../utils/fetch";
 
 const localManifestFile = join(__dirname, "..", "..", "version-manifest.json");
-export const REMOTE_MANIFEST_URL =
-  "https://raw.githubusercontent.com/astral-sh/setup-uv/main/version-manifest.json";
-
-// Cache for manifest entries to avoid re-fetching
-const manifestCache = new Map<string, ManifestEntry[]>();
 
 interface ManifestEntry {
   version: string;
@@ -44,25 +39,9 @@ export async function getDownloadUrl(
   return entry ? entry.downloadUrl : undefined;
 }
 
-export async function getAvailableVersionsFromManifest(
-  manifestUrl: string | undefined,
-): Promise<string[]> {
-  const manifestEntries = await getManifestEntries(manifestUrl);
-  return [...new Set(manifestEntries.map((entry) => entry.version))];
-}
-
 async function getManifestEntries(
   manifestUrl: string | undefined,
 ): Promise<ManifestEntry[]> {
-  const cacheKey = manifestUrl ?? "local";
-
-  // Return cached entries if available
-  const cached = manifestCache.get(cacheKey);
-  if (cached !== undefined) {
-    core.debug(`Using cached manifest entries for: ${cacheKey}`);
-    return cached;
-  }
-
   let data: string;
   if (manifestUrl !== undefined) {
     core.info(`Fetching manifest-file from: ${manifestUrl}`);
@@ -79,9 +58,7 @@ async function getManifestEntries(
     data = fileContent.toString();
   }
 
-  const entries: ManifestEntry[] = JSON.parse(data);
-  manifestCache.set(cacheKey, entries);
-  return entries;
+  return JSON.parse(data);
 }
 
 export async function updateVersionManifest(

src/download/versions-client.ts

@@ -0,0 +1,113 @@
+import * as core from "@actions/core";
+import { VERSIONS_NDJSON_URL } from "../utils/constants";
+import { fetch } from "../utils/fetch";
+
+export interface NdjsonArtifact {
+  platform: string;
+  variant: string;
+  url: string;
+  archive_format: string;
+  sha256: string;
+}
+
+export interface NdjsonVersion {
+  version: string;
+  artifacts: NdjsonArtifact[];
+}
+
+let cachedVersionData: NdjsonVersion[] | null = null;
+
+export async function fetchVersionData(): Promise<NdjsonVersion[]> {
+  if (cachedVersionData !== null) {
+    core.debug("Using cached NDJSON version data");
+    return cachedVersionData;
+  }
+
+  core.info(`Fetching version data from ${VERSIONS_NDJSON_URL}...`);
+  const response = await fetch(VERSIONS_NDJSON_URL, {});
+  if (!response.ok) {
+    throw new Error(
+      `Failed to fetch version data: ${response.status} ${response.statusText}`,
+    );
+  }
+
+  const body = await response.text();
+  const versions: NdjsonVersion[] = [];
+
+  for (const line of body.split("\n")) {
+    const trimmed = line.trim();
+    if (trimmed === "") {
+      continue;
+    }
+    try {
+      const version = JSON.parse(trimmed) as NdjsonVersion;
+      versions.push(version);
+    } catch {
+      core.debug(`Failed to parse NDJSON line: ${trimmed}`);
+    }
+  }
+
+  if (versions.length === 0) {
+    throw new Error("No version data found in NDJSON file");
+  }
+
+  cachedVersionData = versions;
+  return versions;
+}
+
+export async function getLatestVersion(): Promise<string> {
+  const versions = await fetchVersionData();
+  // The NDJSON file lists versions in order, newest first
+  const latestVersion = versions[0]?.version;
+  if (!latestVersion) {
+    throw new Error("No versions found in NDJSON data");
+  }
+  core.debug(`Latest version from NDJSON: ${latestVersion}`);
+  return latestVersion;
+}
+
+export async function getAllVersions(): Promise<string[]> {
+  const versions = await fetchVersionData();
+  return versions.map((v) => v.version);
+}
+
+export interface ArtifactResult {
+  url: string;
+  sha256: string;
+}
+
+export async function getArtifact(
+  version: string,
+  arch: string,
+  platform: string,
+): Promise<ArtifactResult | undefined> {
+  const versions = await fetchVersionData();
+  const versionData = versions.find((v) => v.version === version);
+  if (!versionData) {
+    core.debug(`Version ${version} not found in NDJSON data`);
+    return undefined;
+  }
+
+  // The NDJSON artifact platform format is like "x86_64-apple-darwin"
+  // We need to match against arch-platform
+  const targetPlatform = `${arch}-${platform}`;
+  const artifact = versionData.artifacts.find(
+    (a) => a.platform === targetPlatform,
+  );
+
+  if (!artifact) {
+    core.debug(
+      `Artifact for ${targetPlatform} not found in version ${version}. Available platforms: ${versionData.artifacts.map((a) => a.platform).join(", ")}`,
+    );
+    return undefined;
+  }
+
+  return {
+    sha256: artifact.sha256,
+    url: artifact.url,
+  };
+}
+
+export function clearCache(): void {
+  cachedVersionData = null;
+}

src/setup-uv.ts

@@ -5,6 +5,7 @@ import * as exec from "@actions/exec";
 import { restoreCache } from "./cache/restore-cache";
 import {
   downloadVersionFromManifest,
+  downloadVersionFromNdjson,
   resolveVersion,
   tryGetFromToolCache,
 } from "./download/download-version";
@@ -138,14 +139,23 @@ async function setupUv(
     };
   }
 
-  const downloadVersionResult = await downloadVersionFromManifest(
-    manifestFile,
-    platform,
-    arch,
-    resolvedVersion,
-    checkSum,
-    githubToken,
-  );
+  // Use the same source for download as we used for version resolution
+  const downloadVersionResult = manifestFile
+    ? await downloadVersionFromManifest(
+        manifestFile,
+        platform,
+        arch,
+        resolvedVersion,
+        checkSum,
+        githubToken,
+      )
+    : await downloadVersionFromNdjson(
+        platform,
+        arch,
+        resolvedVersion,
+        checkSum,
+        githubToken,
+      );
 
   return {
     uvDir: downloadVersionResult.cachedToolDir,

src/update-known-versions.ts

@@ -1,63 +1,116 @@
+import { promises as fs } from "node:fs";
 import * as core from "@actions/core";
-import type { Endpoints } from "@octokit/types";
 import * as semver from "semver";
 import { updateChecksums } from "./download/checksum/update-known-checksums";
+import { getLatestKnownVersion } from "./download/version-manifest";
 import {
-  getLatestKnownVersion,
-  updateVersionManifest,
-} from "./download/version-manifest";
-import { OWNER, REPO } from "./utils/constants";
-import { Octokit } from "./utils/octokit";
+  fetchVersionData,
+  getLatestVersion,
+  type NdjsonVersion,
+} from "./download/versions-client";
 
-type Release =
-  Endpoints["GET /repos/{owner}/{repo}/releases"]["response"]["data"][number];
+interface ChecksumEntry {
+  key: string;
+  checksum: string;
+}
+
+interface ArtifactEntry {
+  version: string;
+  artifactName: string;
+  arch: string;
+  platform: string;
+  downloadUrl: string;
+}
+
+function extractChecksumsFromNdjson(
+  versions: NdjsonVersion[],
+): ChecksumEntry[] {
+  const checksums: ChecksumEntry[] = [];
+
+  for (const version of versions) {
+    for (const artifact of version.artifacts) {
+      // The platform field contains the target triple like "x86_64-apple-darwin"
+      const key = `${artifact.platform}-${version.version}`;
+      checksums.push({
+        checksum: artifact.sha256,
+        key,
+      });
+    }
+  }
+
+  return checksums;
+}
+
+function extractArtifactsFromNdjson(
+  versions: NdjsonVersion[],
+): ArtifactEntry[] {
+  const artifacts: ArtifactEntry[] = [];
+
+  for (const version of versions) {
+    for (const artifact of version.artifacts) {
+      // The platform field contains the target triple like "x86_64-apple-darwin"
+      // Split into arch and platform (e.g., "x86_64-apple-darwin" -> ["x86_64", "apple-darwin"])
+      const parts = artifact.platform.split("-");
+      const arch = parts[0];
+      const platform = parts.slice(1).join("-");
+
+      // Construct artifact name from platform and archive format
+      const artifactName = `uv-${artifact.platform}.${artifact.archive_format}`;
+
+      artifacts.push({
+        arch,
+        artifactName,
+        downloadUrl: artifact.url,
+        platform,
+        version: version.version,
+      });
+    }
+  }
+
+  return artifacts;
+}
 
 async function run(): Promise<void> {
   const checksumFilePath = process.argv.slice(2)[0];
   const versionsManifestFile = process.argv.slice(2)[1];
-  const githubToken = process.argv.slice(2)[2];
-
-  const octokit = new Octokit({
-    auth: githubToken,
-  });
-
-  const { data: latestRelease } = await octokit.rest.repos.getLatestRelease({
-    owner: OWNER,
-    repo: REPO,
-  });
 
+  const latestVersion = await getLatestVersion();
   const latestKnownVersion = await getLatestKnownVersion(undefined);
 
-  if (semver.lte(latestRelease.tag_name, latestKnownVersion)) {
+  if (semver.lte(latestVersion, latestKnownVersion)) {
     core.info(
-      `Latest release (${latestRelease.tag_name}) is not newer than the latest known version (${latestKnownVersion}). Skipping update.`,
+      `Latest release (${latestVersion}) is not newer than the latest known version (${latestKnownVersion}). Skipping update.`,
     );
     return;
   }
 
-  const releases: Release[] = await octokit.paginate(
-    octokit.rest.repos.listReleases,
-    {
-      owner: OWNER,
-      repo: REPO,
-    },
-  );
-  const checksumDownloadUrls: string[] = releases.flatMap((release) =>
-    release.assets
-      .filter((asset) => asset.name.endsWith(".sha256"))
-      .map((asset) => asset.browser_download_url),
-  );
-  await updateChecksums(checksumFilePath, checksumDownloadUrls);
+  const versions = await fetchVersionData();
 
-  const artifactDownloadUrls: string[] = releases.flatMap((release) =>
-    release.assets
-      .filter((asset) => !asset.name.endsWith(".sha256"))
-      .map((asset) => asset.browser_download_url),
-  );
+  // Extract checksums from NDJSON
+  const checksumEntries = extractChecksumsFromNdjson(versions);
+  await updateChecksums(checksumFilePath, checksumEntries);
 
-  await updateVersionManifest(versionsManifestFile, artifactDownloadUrls);
+  // Extract artifact URLs for version manifest
+  const artifactEntries = extractArtifactsFromNdjson(versions);
+  await updateVersionManifestFromEntries(versionsManifestFile, artifactEntries);
 
-  core.setOutput("latest-version", latestRelease.tag_name);
+  core.setOutput("latest-version", latestVersion);
+}
+
+async function updateVersionManifestFromEntries(
+  filePath: string,
+  entries: ArtifactEntry[],
+): Promise<void> {
+  const manifest = entries.map((entry) => ({
+    arch: entry.arch,
+    artifactName: entry.artifactName,
+    downloadUrl: entry.downloadUrl,
+    platform: entry.platform,
+    version: entry.version,
+  }));
+
+  core.debug(`Updating manifest-file: ${JSON.stringify(manifest)}`);
+  await fs.writeFile(filePath, JSON.stringify(manifest));
 }
 
 run();

src/utils/constants.ts

@@ -3,3 +3,5 @@ export const OWNER = "astral-sh";
 export const TOOL_CACHE_NAME = "uv";
 export const STATE_UV_PATH = "uv-path";
 export const STATE_UV_VERSION = "uv-version";
+export const VERSIONS_NDJSON_URL =
+  "https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson";

src/utils/octokit.ts

@@ -1,34 +0,0 @@
-import type { OctokitOptions } from "@octokit/core";
-import { Octokit as Core } from "@octokit/core";
-import {
-  type PaginateInterface,
-  paginateRest,
-} from "@octokit/plugin-paginate-rest";
-import { legacyRestEndpointMethods } from "@octokit/plugin-rest-endpoint-methods";
-import { fetch as customFetch } from "./fetch";
-
-export type { RestEndpointMethodTypes } from "@octokit/plugin-rest-endpoint-methods";
-
-const DEFAULTS = {
-  baseUrl: "https://api.github.com",
-  userAgent: "setup-uv",
-};
-
-const OctokitWithPlugins = Core.plugin(paginateRest, legacyRestEndpointMethods);
-
-export const Octokit = OctokitWithPlugins.defaults(function buildDefaults(
-  options: OctokitOptions,
-): OctokitOptions {
-  return {
-    ...DEFAULTS,
-    ...options,
-    request: {
-      fetch: customFetch,
-      ...options.request,
-    },
-  };
-});
-
-export type Octokit = InstanceType<typeof OctokitWithPlugins> & {
-  paginate: PaginateInterface;
-};