chore(deps-dev): bump jest from 30.3.0 to 30.4.2

Bumps [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) from 30.3.0 to 30.4.2.
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest)

---
updated-dependencies:
- dependency-name: jest
  dependency-version: 30.4.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

.agents/skills/dependabot-pr-rollup/SKILL.md

@@ -26,6 +26,7 @@ Use this skill when the user wants to:
    - Inspect `package.json` before editing.
    - Run `npm ci --ignore-scripts` before applying updates.
    - Use `npm install ... --ignore-scripts` for direct dependency changes so `package-lock.json` stays in sync.
+   - When updating `@biomejs/biome`, also update the Biome schema URL version in `biome.json` to match the installed Biome version.
 7. Run `npm run all`.
 8. If requested, commit the changed source, lockfile, and generated artifacts, then push and open a PR.
 

.github/workflows/codeql-analysis.yml

@@ -47,7 +47,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         with:
           languages: ${{ matrix.language }}
           source-root: src
@@ -59,7 +59,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 https://git.io/JvXDl
@@ -73,4 +73,4 @@ jobs:
       #   make release
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@e46ed2cbd01164d986452f91f178727624ae40d7 # v4.35.3
+        uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0

.github/workflows/release-drafter.yml

@@ -19,7 +19,7 @@ jobs:
       pull-requests: read
     steps:
       - name: 🚀 Run Release Drafter
-        uses: release-drafter/release-drafter@5de93583980a40bd78603b6dfdcda5b4df377b32 # v7.2.0
+        uses: release-drafter/release-drafter@693d20e7c1ce1a81d3a41962f85914253b518449 # v7.3.1
         with:
           commitish: ${{ github.sha }}
         env:

.github/workflows/test.yml

@@ -25,9 +25,9 @@ jobs:
         with:
           persist-credentials: false
       - name: Actionlint
-        uses: eifinger/actionlint-action@7802e0cc3ab3f81cbffb36fb0bf1a3621d994b89 # v1.10.1
+        uses: eifinger/actionlint-action@1fc89649be682d16ec5cf65ea16e269eb88d3982 # v1.10.2
       - name: Run zizmor
-        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version-file: .nvmrc
@@ -861,6 +861,20 @@ jobs:
             exit 1
           fi
 
+  test-download-from-astral-mirror-false:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Install with download-from-astral-mirror disabled
+        id: setup-uv
+        uses: ./
+        with:
+          download-from-astral-mirror: false
+      - name: Verify uv is installed
+        run: uv --version
+
   test-absolute-path:
     runs-on: ubuntu-latest
     steps:
@@ -1119,6 +1133,7 @@ jobs:
       - test-restore-cache-restore-cache-false
       - test-no-python-version
       - test-custom-manifest-file
+      - test-download-from-astral-mirror-false
       - test-absolute-path
       - test-relative-path
       - test-cache-prune-force

README.md

@@ -120,8 +120,14 @@ Have a look under [Advanced Configuration](#advanced-configuration) for detailed
     # URL to a custom manifest file in the astral-sh/versions format
     manifest-file: ""
 
+    # Download uv from the Astral mirror instead of directly from GitHub Releases
+    download-from-astral-mirror: "true"
+
     # Add problem matchers
     add-problem-matchers: "true"
+
+    # Suppress info-level log output. Only warnings and errors are shown
+    quiet: "false"
 ```
 
 ### Outputs

__tests__/download/download-version.test.ts

@@ -223,7 +223,7 @@ describe("download-version", () => {
       );
     });
 
-    it("does not rewrite non-GitHub URLs", async () => {
+    it("does not send the token to non-GitHub URLs from the default manifest", async () => {
       mockGetArtifact.mockResolvedValue({
         archiveFormat: "tar.gz",
         checksum: "abc123",
@@ -241,8 +241,30 @@ describe("download-version", () => {
       expect(mockDownloadTool).toHaveBeenCalledWith(
         "https://example.com/uv.tar.gz",
         undefined,
+        undefined,
+      );
+    });
+
+    it("does not send the token to GitHub lookalike hosts", async () => {
+      mockGetArtifact.mockResolvedValue({
+        archiveFormat: "tar.gz",
+        checksum: "abc123",
+        downloadUrl: "https://github.com.evil.test/uv.tar.gz",
+      });
+
+      await downloadVersion(
+        "unknown-linux-gnu",
+        "x86_64",
+        "0.9.26",
+        undefined,
         "token",
       );
+
+      expect(mockDownloadTool).toHaveBeenCalledWith(
+        "https://github.com.evil.test/uv.tar.gz",
+        undefined,
+        undefined,
+      );
     });
 
     it("falls back to GitHub Releases when the mirror fails", async () => {
@@ -354,6 +376,32 @@ describe("download-version", () => {
         "0.9.26",
       );
     });
+
+    it("skips the Astral mirror when downloadFromAstralMirror is false", async () => {
+      mockGetArtifact.mockResolvedValue({
+        archiveFormat: "tar.gz",
+        checksum: "abc123",
+        downloadUrl:
+          "https://github.com/astral-sh/uv/releases/download/0.9.26/uv-x86_64-unknown-linux-gnu.tar.gz",
+      });
+
+      await downloadVersion(
+        "unknown-linux-gnu",
+        "x86_64",
+        "0.9.26",
+        undefined,
+        "token",
+        undefined,
+        false,
+      );
+
+      expect(mockDownloadTool).toHaveBeenCalledWith(
+        "https://github.com/astral-sh/uv/releases/download/0.9.26/uv-x86_64-unknown-linux-gnu.tar.gz",
+        undefined,
+        "token",
+      );
+      expect(mockDownloadTool).toHaveBeenCalledTimes(1);
+    });
   });
 
   describe("rewriteToMirror", () => {

action-types.yml

@@ -52,8 +52,12 @@ inputs:
     type: string
   manifest-file:
     type: string
+  download-from-astral-mirror:
+    type: boolean
   add-problem-matchers:
     type: boolean
+  quiet:
+    type: boolean
   resolution-strategy:
     type: enum
     allowed-values:

action.yml

@@ -80,9 +80,15 @@ inputs:
   manifest-file:
     description: "URL to a custom manifest file in the astral-sh/versions format."
     required: false
+  download-from-astral-mirror:
+    description: "Download uv from the Astral mirror instead of directly from GitHub Releases."
+    default: "true"
   add-problem-matchers:
     description: "Add problem matchers."
     default: "true"
+  quiet:
+    description: "Suppress info-level log output. Only warnings and errors are shown."
+    default: "false"
   resolution-strategy:
     description: "Resolution strategy to use when resolving version ranges. 'highest' uses the latest compatible version, 'lowest' uses the oldest compatible version."
     default: "highest"

biome.json

@@ -1,5 +1,5 @@
 {
-  "$schema": "https://biomejs.dev/schemas/2.4.7/schema.json",
+  "$schema": "https://biomejs.dev/schemas/2.4.15/schema.json",
   "assist": {
     "actions": {
       "source": {

dist/save-cache/index.cjs

@@ -133,7 +133,7 @@ var require_tunnel = __commonJS({
         connectOptions.headers = connectOptions.headers || {};
         connectOptions.headers["Proxy-Authorization"] = "Basic " + new Buffer(connectOptions.proxyAuth).toString("base64");
       }
-      debug2("making CONNECT request");
+      debug3("making CONNECT request");
       var connectReq = self2.request(connectOptions);
       connectReq.useChunkedEncodingByDefault = false;
       connectReq.once("response", onResponse);
@@ -153,7 +153,7 @@ var require_tunnel = __commonJS({
         connectReq.removeAllListeners();
         socket.removeAllListeners();
         if (res.statusCode !== 200) {
-          debug2(
+          debug3(
             "tunneling socket could not be established, statusCode=%d",
             res.statusCode
           );
@@ -165,7 +165,7 @@ var require_tunnel = __commonJS({
           return;
         }
         if (head.length > 0) {
-          debug2("got illegal response body from proxy");
+          debug3("got illegal response body from proxy");
           socket.destroy();
           var error2 = new Error("got illegal response body from proxy");
           error2.code = "ECONNRESET";
@@ -173,13 +173,13 @@ var require_tunnel = __commonJS({
           self2.removeSocket(placeholder);
           return;
         }
-        debug2("tunneling connection has established");
+        debug3("tunneling connection has established");
         self2.sockets[self2.sockets.indexOf(placeholder)] = socket;
         return cb(socket);
       }
       function onError(cause) {
         connectReq.removeAllListeners();
-        debug2(
+        debug3(
           "tunneling socket could not be established, cause=%s\n",
           cause.message,
           cause.stack
@@ -241,9 +241,9 @@ var require_tunnel = __commonJS({
       }
       return target;
     }
-    var debug2;
+    var debug3;
     if (process.env.NODE_DEBUG && /\btunnel\b/.test(process.env.NODE_DEBUG)) {
-      debug2 = function() {
+      debug3 = function() {
         var args = Array.prototype.slice.call(arguments);
         if (typeof args[0] === "string") {
           args[0] = "TUNNEL: " + args[0];
@@ -253,10 +253,10 @@ var require_tunnel = __commonJS({
         console.error.apply(console, args);
       };
     } else {
-      debug2 = function() {
+      debug3 = function() {
       };
     }
-    exports2.debug = debug2;
+    exports2.debug = debug3;
   }
 });
 
@@ -18936,7 +18936,7 @@ var require_minimatch = __commonJS({
       }
       this.parseNegate();
       var set = this.globSet = this.braceExpand();
-      if (options.debug) this.debug = function debug2() {
+      if (options.debug) this.debug = function debug3() {
         console.error.apply(console, arguments);
       };
       this.debug(this.pattern, set);
@@ -19414,9 +19414,9 @@ var require_constants6 = __commonJS({
 var require_debug = __commonJS({
   "node_modules/@actions/cache/node_modules/semver/internal/debug.js"(exports2, module2) {
     "use strict";
-    var debug2 = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {
+    var debug3 = typeof process === "object" && process.env && process.env.NODE_DEBUG && /\bsemver\b/i.test(process.env.NODE_DEBUG) ? (...args) => console.error("SEMVER", ...args) : () => {
     };
-    module2.exports = debug2;
+    module2.exports = debug3;
   }
 });
 
@@ -19429,7 +19429,7 @@ var require_re = __commonJS({
       MAX_SAFE_BUILD_LENGTH,
       MAX_LENGTH
     } = require_constants6();
-    var debug2 = require_debug();
+    var debug3 = require_debug();
     exports2 = module2.exports = {};
     var re = exports2.re = [];
     var safeRe = exports2.safeRe = [];
@@ -19452,7 +19452,7 @@ var require_re = __commonJS({
     var createToken = (name, value, isGlobal) => {
       const safe = makeSafeRegex(value);
       const index = R++;
-      debug2(name, index, value);
+      debug3(name, index, value);
       t[name] = index;
       src[index] = value;
       safeSrc[index] = safe;
@@ -19556,7 +19556,7 @@ var require_identifiers = __commonJS({
 var require_semver = __commonJS({
   "node_modules/@actions/cache/node_modules/semver/classes/semver.js"(exports2, module2) {
     "use strict";
-    var debug2 = require_debug();
+    var debug3 = require_debug();
     var { MAX_LENGTH, MAX_SAFE_INTEGER } = require_constants6();
     var { safeRe: re, t } = require_re();
     var parseOptions = require_parse_options();
@@ -19578,7 +19578,7 @@ var require_semver = __commonJS({
             `version is longer than ${MAX_LENGTH} characters`
           );
         }
-        debug2("SemVer", version3, options);
+        debug3("SemVer", version3, options);
         this.options = options;
         this.loose = !!options.loose;
         this.includePrerelease = !!options.includePrerelease;
@@ -19626,7 +19626,7 @@ var require_semver = __commonJS({
         return this.version;
       }
       compare(other) {
-        debug2("SemVer.compare", this.version, this.options, other);
+        debug3("SemVer.compare", this.version, this.options, other);
         if (!(other instanceof _SemVer)) {
           if (typeof other === "string" && other === this.version) {
             return 0;
@@ -19677,7 +19677,7 @@ var require_semver = __commonJS({
         do {
           const a = this.prerelease[i];
           const b = other.prerelease[i];
-          debug2("prerelease compare", i, a, b);
+          debug3("prerelease compare", i, a, b);
           if (a === void 0 && b === void 0) {
             return 0;
           } else if (b === void 0) {
@@ -19699,7 +19699,7 @@ var require_semver = __commonJS({
         do {
           const a = this.build[i];
           const b = other.build[i];
-          debug2("build compare", i, a, b);
+          debug3("build compare", i, a, b);
           if (a === void 0 && b === void 0) {
             return 0;
           } else if (b === void 0) {
@@ -20327,21 +20327,21 @@ var require_range = __commonJS({
         const loose = this.options.loose;
         const hr = loose ? re[t.HYPHENRANGELOOSE] : re[t.HYPHENRANGE];
         range2 = range2.replace(hr, hyphenReplace(this.options.includePrerelease));
-        debug2("hyphen replace", range2);
+        debug3("hyphen replace", range2);
         range2 = range2.replace(re[t.COMPARATORTRIM], comparatorTrimReplace);
-        debug2("comparator trim", range2);
+        debug3("comparator trim", range2);
         range2 = range2.replace(re[t.TILDETRIM], tildeTrimReplace);
-        debug2("tilde trim", range2);
+        debug3("tilde trim", range2);
         range2 = range2.replace(re[t.CARETTRIM], caretTrimReplace);
-        debug2("caret trim", range2);
+        debug3("caret trim", range2);
         let rangeList = range2.split(" ").map((comp26) => parseComparator(comp26, this.options)).join(" ").split(/\s+/).map((comp26) => replaceGTE0(comp26, this.options));
         if (loose) {
           rangeList = rangeList.filter((comp26) => {
-            debug2("loose invalid filter", comp26, this.options);
+            debug3("loose invalid filter", comp26, this.options);
             return !!comp26.match(re[t.COMPARATORLOOSE]);
           });
         }
-        debug2("range list", rangeList);
+        debug3("range list", rangeList);
         const rangeMap = /* @__PURE__ */ new Map();
         const comparators = rangeList.map((comp26) => new Comparator(comp26, this.options));
         for (const comp26 of comparators) {
@@ -20396,7 +20396,7 @@ var require_range = __commonJS({
     var cache = new LRU();
     var parseOptions = require_parse_options();
     var Comparator = require_comparator();
-    var debug2 = require_debug();
+    var debug3 = require_debug();
     var SemVer = require_semver();
     var {
       safeRe: re,
@@ -20422,15 +20422,15 @@ var require_range = __commonJS({
     };
     var parseComparator = (comp26, options) => {
       comp26 = comp26.replace(re[t.BUILD], "");
-      debug2("comp", comp26, options);
+      debug3("comp", comp26, options);
       comp26 = replaceCarets(comp26, options);
-      debug2("caret", comp26);
+      debug3("caret", comp26);
       comp26 = replaceTildes(comp26, options);
-      debug2("tildes", comp26);
+      debug3("tildes", comp26);
       comp26 = replaceXRanges(comp26, options);
-      debug2("xrange", comp26);
+      debug3("xrange", comp26);
       comp26 = replaceStars(comp26, options);
-      debug2("stars", comp26);
+      debug3("stars", comp26);
       return comp26;
     };
     var isX = (id) => !id || id.toLowerCase() === "x" || id === "*";
@@ -20440,7 +20440,7 @@ var require_range = __commonJS({
     var replaceTilde = (comp26, options) => {
       const r = options.loose ? re[t.TILDELOOSE] : re[t.TILDE];
       return comp26.replace(r, (_, M, m, p, pr) => {
-        debug2("tilde", comp26, _, M, m, p, pr);
+        debug3("tilde", comp26, _, M, m, p, pr);
         let ret;
         if (isX(M)) {
           ret = "";
@@ -20449,12 +20449,12 @@ var require_range = __commonJS({
         } else if (isX(p)) {
           ret = `>=${M}.${m}.0 <${M}.${+m + 1}.0-0`;
         } else if (pr) {
-          debug2("replaceTilde pr", pr);
+          debug3("replaceTilde pr", pr);
           ret = `>=${M}.${m}.${p}-${pr} <${M}.${+m + 1}.0-0`;
         } else {
           ret = `>=${M}.${m}.${p} <${M}.${+m + 1}.0-0`;
         }
-        debug2("tilde return", ret);
+        debug3("tilde return", ret);
         return ret;
       });
     };
@@ -20462,11 +20462,11 @@ var require_range = __commonJS({
       return comp26.trim().split(/\s+/).map((c) => replaceCaret(c, options)).join(" ");
     };
     var replaceCaret = (comp26, options) => {
-      debug2("caret", comp26, options);
+      debug3("caret", comp26, options);
       const r = options.loose ? re[t.CARETLOOSE] : re[t.CARET];
       const z = options.includePrerelease ? "-0" : "";
       return comp26.replace(r, (_, M, m, p, pr) => {
-        debug2("caret", comp26, _, M, m, p, pr);
+        debug3("caret", comp26, _, M, m, p, pr);
         let ret;
         if (isX(M)) {
           ret = "";
@@ -20479,7 +20479,7 @@ var require_range = __commonJS({
             ret = `>=${M}.${m}.0${z} <${+M + 1}.0.0-0`;
           }
         } else if (pr) {
-          debug2("replaceCaret pr", pr);
+          debug3("replaceCaret pr", pr);
           if (M === "0") {
             if (m === "0") {
               ret = `>=${M}.${m}.${p}-${pr} <${M}.${m}.${+p + 1}-0`;
@@ -20490,7 +20490,7 @@ var require_range = __commonJS({
             ret = `>=${M}.${m}.${p}-${pr} <${+M + 1}.0.0-0`;
           }
         } else {
-          debug2("no pr");
+          debug3("no pr");
           if (M === "0") {
             if (m === "0") {
               ret = `>=${M}.${m}.${p}${z} <${M}.${m}.${+p + 1}-0`;
@@ -20501,19 +20501,19 @@ var require_range = __commonJS({
             ret = `>=${M}.${m}.${p} <${+M + 1}.0.0-0`;
           }
         }
-        debug2("caret return", ret);
+        debug3("caret return", ret);
         return ret;
       });
     };
     var replaceXRanges = (comp26, options) => {
-      debug2("replaceXRanges", comp26, options);
+      debug3("replaceXRanges", comp26, options);
       return comp26.split(/\s+/).map((c) => replaceXRange(c, options)).join(" ");
     };
     var replaceXRange = (comp26, options) => {
       comp26 = comp26.trim();
       const r = options.loose ? re[t.XRANGELOOSE] : re[t.XRANGE];
       return comp26.replace(r, (ret, gtlt, M, m, p, pr) => {
-        debug2("xRange", comp26, ret, gtlt, M, m, p, pr);
+        debug3("xRange", comp26, ret, gtlt, M, m, p, pr);
         const xM = isX(M);
         const xm = xM || isX(m);
         const xp = xm || isX(p);
@@ -20560,16 +20560,16 @@ var require_range = __commonJS({
         } else if (xp) {
           ret = `>=${M}.${m}.0${pr} <${M}.${+m + 1}.0-0`;
         }
-        debug2("xRange return", ret);
+        debug3("xRange return", ret);
         return ret;
       });
     };
     var replaceStars = (comp26, options) => {
-      debug2("replaceStars", comp26, options);
+      debug3("replaceStars", comp26, options);
       return comp26.trim().replace(re[t.STAR], "");
     };
     var replaceGTE0 = (comp26, options) => {
-      debug2("replaceGTE0", comp26, options);
+      debug3("replaceGTE0", comp26, options);
       return comp26.trim().replace(re[options.includePrerelease ? t.GTE0PRE : t.GTE0], "");
     };
     var hyphenReplace = (incPr) => ($0, from, fM, fm, fp, fpr, fb, to, tM, tm, tp, tpr) => {
@@ -20607,7 +20607,7 @@ var require_range = __commonJS({
       }
       if (version3.prerelease.length && !options.includePrerelease) {
         for (let i = 0; i < set.length; i++) {
-          debug2(set[i].semver);
+          debug3(set[i].semver);
           if (set[i].semver === Comparator.ANY) {
             continue;
           }
@@ -20644,7 +20644,7 @@ var require_comparator = __commonJS({
           }
         }
         comp26 = comp26.trim().split(/\s+/).join(" ");
-        debug2("comparator", comp26, options);
+        debug3("comparator", comp26, options);
         this.options = options;
         this.loose = !!options.loose;
         this.parse(comp26);
@@ -20653,7 +20653,7 @@ var require_comparator = __commonJS({
         } else {
           this.value = this.operator + this.semver.version;
         }
-        debug2("comp", this);
+        debug3("comp", this);
       }
       parse(comp26) {
         const r = this.options.loose ? re[t.COMPARATORLOOSE] : re[t.COMPARATOR];
@@ -20675,7 +20675,7 @@ var require_comparator = __commonJS({
         return this.value;
       }
       test(version3) {
-        debug2("Comparator.test", version3, this.options.loose);
+        debug3("Comparator.test", version3, this.options.loose);
         if (this.semver === ANY || version3 === ANY) {
           return true;
         }
@@ -20732,7 +20732,7 @@ var require_comparator = __commonJS({
     var parseOptions = require_parse_options();
     var { safeRe: re, t } = require_re();
     var cmp = require_cmp();
-    var debug2 = require_debug();
+    var debug3 = require_debug();
     var SemVer = require_semver();
     var Range = require_range();
   }
@@ -21456,11 +21456,11 @@ var require_common = __commonJS({
         let enableOverride = null;
         let namespacesCache;
         let enabledCache;
-        function debug2(...args) {
-          if (!debug2.enabled) {
+        function debug3(...args) {
+          if (!debug3.enabled) {
             return;
           }
-          const self2 = debug2;
+          const self2 = debug3;
           const curr = Number(/* @__PURE__ */ new Date());
           const ms = curr - (prevTime || curr);
           self2.diff = ms;
@@ -21490,12 +21490,12 @@ var require_common = __commonJS({
           const logFn = self2.log || createDebug.log;
           logFn.apply(self2, args);
         }
-        debug2.namespace = namespace;
-        debug2.useColors = createDebug.useColors();
-        debug2.color = createDebug.selectColor(namespace);
-        debug2.extend = extend2;
-        debug2.destroy = createDebug.destroy;
-        Object.defineProperty(debug2, "enabled", {
+        debug3.namespace = namespace;
+        debug3.useColors = createDebug.useColors();
+        debug3.color = createDebug.selectColor(namespace);
+        debug3.extend = extend2;
+        debug3.destroy = createDebug.destroy;
+        Object.defineProperty(debug3, "enabled", {
           enumerable: true,
           configurable: false,
           get: () => {
@@ -21513,9 +21513,9 @@ var require_common = __commonJS({
           }
         });
         if (typeof createDebug.init === "function") {
-          createDebug.init(debug2);
+          createDebug.init(debug3);
         }
-        return debug2;
+        return debug3;
       }
       function extend2(namespace, delimiter3) {
         const newDebug = createDebug(this.namespace + (typeof delimiter3 === "undefined" ? ":" : delimiter3) + namespace);
@@ -22025,11 +22025,11 @@ var require_node = __commonJS({
     function load() {
       return process.env.DEBUG;
     }
-    function init(debug2) {
-      debug2.inspectOpts = {};
+    function init(debug3) {
+      debug3.inspectOpts = {};
       const keys = Object.keys(exports2.inspectOpts);
       for (let i = 0; i < keys.length; i++) {
-        debug2.inspectOpts[keys[i]] = exports2.inspectOpts[keys[i]];
+        debug3.inspectOpts[keys[i]] = exports2.inspectOpts[keys[i]];
       }
     }
     module2.exports = require_common()(exports2);
@@ -22292,7 +22292,7 @@ var require_parse_proxy_response = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.parseProxyResponse = void 0;
     var debug_1 = __importDefault(require_src());
-    var debug2 = (0, debug_1.default)("https-proxy-agent:parse-proxy-response");
+    var debug3 = (0, debug_1.default)("https-proxy-agent:parse-proxy-response");
     function parseProxyResponse(socket) {
       return new Promise((resolve2, reject) => {
         let buffersLength = 0;
@@ -22311,12 +22311,12 @@ var require_parse_proxy_response = __commonJS({
         }
         function onend() {
           cleanup();
-          debug2("onend");
+          debug3("onend");
           reject(new Error("Proxy connection ended before receiving CONNECT response"));
         }
         function onerror(err) {
           cleanup();
-          debug2("onerror %o", err);
+          debug3("onerror %o", err);
           reject(err);
         }
         function ondata(b) {
@@ -22325,7 +22325,7 @@ var require_parse_proxy_response = __commonJS({
           const buffered = Buffer.concat(buffers, buffersLength);
           const endOfHeaders = buffered.indexOf("\r\n\r\n");
           if (endOfHeaders === -1) {
-            debug2("have not received end of HTTP headers yet...");
+            debug3("have not received end of HTTP headers yet...");
             read();
             return;
           }
@@ -22358,7 +22358,7 @@ var require_parse_proxy_response = __commonJS({
               headers[key] = value;
             }
           }
-          debug2("got proxy server response: %o %o", firstLine, headers);
+          debug3("got proxy server response: %o %o", firstLine, headers);
           cleanup();
           resolve2({
             connect: {
@@ -22421,7 +22421,7 @@ var require_dist2 = __commonJS({
     var agent_base_1 = require_dist();
     var url_1 = require("url");
     var parse_proxy_response_1 = require_parse_proxy_response();
-    var debug2 = (0, debug_1.default)("https-proxy-agent");
+    var debug3 = (0, debug_1.default)("https-proxy-agent");
     var setServernameFromNonIpHost = (options) => {
       if (options.servername === void 0 && options.host && !net.isIP(options.host)) {
         return {
@@ -22437,7 +22437,7 @@ var require_dist2 = __commonJS({
         this.options = { path: void 0 };
         this.proxy = typeof proxy === "string" ? new url_1.URL(proxy) : proxy;
         this.proxyHeaders = opts?.headers ?? {};
-        debug2("Creating new HttpsProxyAgent instance: %o", this.proxy.href);
+        debug3("Creating new HttpsProxyAgent instance: %o", this.proxy.href);
         const host = (this.proxy.hostname || this.proxy.host).replace(/^\[|\]$/g, "");
         const port = this.proxy.port ? parseInt(this.proxy.port, 10) : this.proxy.protocol === "https:" ? 443 : 80;
         this.connectOpts = {
@@ -22459,10 +22459,10 @@ var require_dist2 = __commonJS({
         }
         let socket;
         if (proxy.protocol === "https:") {
-          debug2("Creating `tls.Socket`: %o", this.connectOpts);
+          debug3("Creating `tls.Socket`: %o", this.connectOpts);
           socket = tls.connect(setServernameFromNonIpHost(this.connectOpts));
         } else {
-          debug2("Creating `net.Socket`: %o", this.connectOpts);
+          debug3("Creating `net.Socket`: %o", this.connectOpts);
           socket = net.connect(this.connectOpts);
         }
         const headers = typeof this.proxyHeaders === "function" ? this.proxyHeaders() : { ...this.proxyHeaders };
@@ -22490,7 +22490,7 @@ var require_dist2 = __commonJS({
         if (connect.statusCode === 200) {
           req.once("socket", resume);
           if (opts.secureEndpoint) {
-            debug2("Upgrading socket connection to TLS");
+            debug3("Upgrading socket connection to TLS");
             return tls.connect({
               ...omit(setServernameFromNonIpHost(opts), "host", "path", "port"),
               socket
@@ -22502,7 +22502,7 @@ var require_dist2 = __commonJS({
         const fakeSocket = new net.Socket({ writable: false });
         fakeSocket.readable = true;
         req.once("socket", (s) => {
-          debug2("Replaying proxy buffer for failed request");
+          debug3("Replaying proxy buffer for failed request");
           (0, assert_1.default)(s.listenerCount("data") > 0);
           s.push(buffered);
           s.push(null);
@@ -22570,13 +22570,13 @@ var require_dist3 = __commonJS({
     var events_1 = require("events");
     var agent_base_1 = require_dist();
     var url_1 = require("url");
-    var debug2 = (0, debug_1.default)("http-proxy-agent");
+    var debug3 = (0, debug_1.default)("http-proxy-agent");
     var HttpProxyAgent2 = class extends agent_base_1.Agent {
       constructor(proxy, opts) {
         super(opts);
         this.proxy = typeof proxy === "string" ? new url_1.URL(proxy) : proxy;
         this.proxyHeaders = opts?.headers ?? {};
-        debug2("Creating new HttpProxyAgent instance: %o", this.proxy.href);
+        debug3("Creating new HttpProxyAgent instance: %o", this.proxy.href);
         const host = (this.proxy.hostname || this.proxy.host).replace(/^\[|\]$/g, "");
         const port = this.proxy.port ? parseInt(this.proxy.port, 10) : this.proxy.protocol === "https:" ? 443 : 80;
         this.connectOpts = {
@@ -22622,21 +22622,21 @@ var require_dist3 = __commonJS({
         }
         let first;
         let endOfHeaders;
-        debug2("Regenerating stored HTTP header string for request");
+        debug3("Regenerating stored HTTP header string for request");
         req._implicitHeader();
         if (req.outputData && req.outputData.length > 0) {
-          debug2("Patching connection write() output buffer with updated header");
+          debug3("Patching connection write() output buffer with updated header");
           first = req.outputData[0].data;
           endOfHeaders = first.indexOf("\r\n\r\n") + 4;
           req.outputData[0].data = req._header + first.substring(endOfHeaders);
-          debug2("Output buffer: %o", req.outputData[0].data);
+          debug3("Output buffer: %o", req.outputData[0].data);
         }
         let socket;
         if (this.proxy.protocol === "https:") {
-          debug2("Creating `tls.Socket`: %o", this.connectOpts);
+          debug3("Creating `tls.Socket`: %o", this.connectOpts);
           socket = tls.connect(this.connectOpts);
         } else {
-          debug2("Creating `net.Socket`: %o", this.connectOpts);
+          debug3("Creating `net.Socket`: %o", this.connectOpts);
           socket = net.connect(this.connectOpts);
         }
         await (0, events_1.once)(socket, "connect");
@@ -24039,9 +24039,9 @@ var require_reflection_type_check = __commonJS({
     var reflection_info_1 = require_reflection_info();
     var oneof_1 = require_oneof();
     var ReflectionTypeCheck = class {
-      constructor(info2) {
+      constructor(info3) {
         var _a;
-        this.fields = (_a = info2.fields) !== null && _a !== void 0 ? _a : [];
+        this.fields = (_a = info3.fields) !== null && _a !== void 0 ? _a : [];
       }
       prepare() {
         if (this.data)
@@ -24287,8 +24287,8 @@ var require_reflection_json_reader = __commonJS({
     var assert_1 = require_assert();
     var reflection_long_convert_1 = require_reflection_long_convert();
     var ReflectionJsonReader = class {
-      constructor(info2) {
-        this.info = info2;
+      constructor(info3) {
+        this.info = info3;
       }
       prepare() {
         var _a;
@@ -24584,9 +24584,9 @@ var require_reflection_json_writer = __commonJS({
     var reflection_info_1 = require_reflection_info();
     var assert_1 = require_assert();
     var ReflectionJsonWriter = class {
-      constructor(info2) {
+      constructor(info3) {
         var _a;
-        this.fields = (_a = info2.fields) !== null && _a !== void 0 ? _a : [];
+        this.fields = (_a = info3.fields) !== null && _a !== void 0 ? _a : [];
       }
       /**
        * Converts the message to a JSON object, based on the field descriptors.
@@ -24839,8 +24839,8 @@ var require_reflection_binary_reader = __commonJS({
     var reflection_long_convert_1 = require_reflection_long_convert();
     var reflection_scalar_default_1 = require_reflection_scalar_default();
     var ReflectionBinaryReader = class {
-      constructor(info2) {
-        this.info = info2;
+      constructor(info3) {
+        this.info = info3;
       }
       prepare() {
         var _a;
@@ -25013,8 +25013,8 @@ var require_reflection_binary_writer = __commonJS({
     var assert_1 = require_assert();
     var pb_long_1 = require_pb_long();
     var ReflectionBinaryWriter = class {
-      constructor(info2) {
-        this.info = info2;
+      constructor(info3) {
+        this.info = info3;
       }
       prepare() {
         if (!this.fields) {
@@ -25264,9 +25264,9 @@ var require_reflection_merge_partial = __commonJS({
     "use strict";
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.reflectionMergePartial = void 0;
-    function reflectionMergePartial4(info2, target, source) {
+    function reflectionMergePartial4(info3, target, source) {
       let fieldValue, input = source, output;
-      for (let field of info2.fields) {
+      for (let field of info3.fields) {
         let name = field.localName;
         if (field.oneof) {
           const group = input[field.oneof];
@@ -25335,12 +25335,12 @@ var require_reflection_equals = __commonJS({
     Object.defineProperty(exports2, "__esModule", { value: true });
     exports2.reflectionEquals = void 0;
     var reflection_info_1 = require_reflection_info();
-    function reflectionEquals(info2, a, b) {
+    function reflectionEquals(info3, a, b) {
       if (a === b)
         return true;
       if (!a || !b)
         return false;
-      for (let field of info2.fields) {
+      for (let field of info3.fields) {
         let localName = field.localName;
         let val_a = field.oneof ? a[field.oneof][localName] : a[localName];
         let val_b = field.oneof ? b[field.oneof][localName] : b[localName];
@@ -28045,12 +28045,12 @@ var HttpClient = class {
         throw new Error("Client has already been disposed.");
       }
       const parsedUrl = new URL(requestUrl);
-      let info2 = this._prepareRequest(verb, parsedUrl, headers);
+      let info3 = this._prepareRequest(verb, parsedUrl, headers);
       const maxTries = this._allowRetries && RetryableHttpVerbs.includes(verb) ? this._maxRetries + 1 : 1;
       let numTries = 0;
       let response;
       do {
-        response = yield this.requestRaw(info2, data);
+        response = yield this.requestRaw(info3, data);
         if (response && response.message && response.message.statusCode === HttpCodes.Unauthorized) {
           let authenticationHandler;
           for (const handler of this.handlers) {
@@ -28060,7 +28060,7 @@ var HttpClient = class {
             }
           }
           if (authenticationHandler) {
-            return authenticationHandler.handleAuthentication(this, info2, data);
+            return authenticationHandler.handleAuthentication(this, info3, data);
           } else {
             return response;
           }
@@ -28083,8 +28083,8 @@ var HttpClient = class {
               }
             }
           }
-          info2 = this._prepareRequest(verb, parsedRedirectUrl, headers);
-          response = yield this.requestRaw(info2, data);
+          info3 = this._prepareRequest(verb, parsedRedirectUrl, headers);
+          response = yield this.requestRaw(info3, data);
           redirectsRemaining--;
         }
         if (!response.message.statusCode || !HttpResponseRetryCodes.includes(response.message.statusCode)) {
@@ -28113,7 +28113,7 @@ var HttpClient = class {
    * @param info
    * @param data
    */
-  requestRaw(info2, data) {
+  requestRaw(info3, data) {
     return __awaiter(this, void 0, void 0, function* () {
       return new Promise((resolve2, reject) => {
         function callbackForResult(err, res) {
@@ -28125,7 +28125,7 @@ var HttpClient = class {
             resolve2(res);
           }
         }
-        this.requestRawWithCallback(info2, data, callbackForResult);
+        this.requestRawWithCallback(info3, data, callbackForResult);
       });
     });
   }
@@ -28135,12 +28135,12 @@ var HttpClient = class {
    * @param data
    * @param onResult
    */
-  requestRawWithCallback(info2, data, onResult) {
+  requestRawWithCallback(info3, data, onResult) {
     if (typeof data === "string") {
-      if (!info2.options.headers) {
-        info2.options.headers = {};
+      if (!info3.options.headers) {
+        info3.options.headers = {};
       }
-      info2.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
+      info3.options.headers["Content-Length"] = Buffer.byteLength(data, "utf8");
     }
     let callbackCalled = false;
     function handleResult(err, res) {
@@ -28149,7 +28149,7 @@ var HttpClient = class {
         onResult(err, res);
       }
     }
-    const req = info2.httpModule.request(info2.options, (msg) => {
+    const req = info3.httpModule.request(info3.options, (msg) => {
       const res = new HttpClientResponse(msg);
       handleResult(void 0, res);
     });
@@ -28161,7 +28161,7 @@ var HttpClient = class {
       if (socket) {
         socket.end();
       }
-      handleResult(new Error(`Request timeout: ${info2.options.path}`));
+      handleResult(new Error(`Request timeout: ${info3.options.path}`));
     });
     req.on("error", function(err) {
       handleResult(err);
@@ -28197,27 +28197,27 @@ var HttpClient = class {
     return this._getProxyAgentDispatcher(parsedUrl, proxyUrl);
   }
   _prepareRequest(method, requestUrl, headers) {
-    const info2 = {};
-    info2.parsedUrl = requestUrl;
-    const usingSsl = info2.parsedUrl.protocol === "https:";
-    info2.httpModule = usingSsl ? https : http;
+    const info3 = {};
+    info3.parsedUrl = requestUrl;
+    const usingSsl = info3.parsedUrl.protocol === "https:";
+    info3.httpModule = usingSsl ? https : http;
     const defaultPort = usingSsl ? 443 : 80;
-    info2.options = {};
-    info2.options.host = info2.parsedUrl.hostname;
-    info2.options.port = info2.parsedUrl.port ? parseInt(info2.parsedUrl.port) : defaultPort;
-    info2.options.path = (info2.parsedUrl.pathname || "") + (info2.parsedUrl.search || "");
-    info2.options.method = method;
-    info2.options.headers = this._mergeHeaders(headers);
+    info3.options = {};
+    info3.options.host = info3.parsedUrl.hostname;
+    info3.options.port = info3.parsedUrl.port ? parseInt(info3.parsedUrl.port) : defaultPort;
+    info3.options.path = (info3.parsedUrl.pathname || "") + (info3.parsedUrl.search || "");
+    info3.options.method = method;
+    info3.options.headers = this._mergeHeaders(headers);
     if (this.userAgent != null) {
-      info2.options.headers["user-agent"] = this.userAgent;
+      info3.options.headers["user-agent"] = this.userAgent;
     }
-    info2.options.agent = this._getAgent(info2.parsedUrl);
+    info3.options.agent = this._getAgent(info3.parsedUrl);
     if (this.handlers) {
       for (const handler of this.handlers) {
-        handler.prepareRequest(info2.options);
+        handler.prepareRequest(info3.options);
       }
     }
-    return info2;
+    return info3;
   }
   _mergeHeaders(headers) {
     if (this.requestOptions && this.requestOptions.headers) {
@@ -30601,14 +30601,14 @@ function disable() {
   return result;
 }
 function createDebugger(namespace) {
-  const newDebugger = Object.assign(debug2, {
+  const newDebugger = Object.assign(debug3, {
     enabled: enabled(namespace),
     destroy,
     log: debugObj.log,
     namespace,
     extend
   });
-  function debug2(...args) {
+  function debug3(...args) {
     if (!newDebugger.enabled) {
       return;
     }
@@ -34098,12 +34098,12 @@ function getOperationRequestInfo(request) {
   if (hasOriginalRequest(request)) {
     return getOperationRequestInfo(request[originalRequestSymbol]);
   }
-  let info2 = state2.operationRequestMap.get(request);
-  if (!info2) {
-    info2 = {};
-    state2.operationRequestMap.set(request, info2);
+  let info3 = state2.operationRequestMap.get(request);
+  if (!info3) {
+    info3 = {};
+    state2.operationRequestMap.set(request, info3);
   }
-  return info2;
+  return info3;
 }
 
 // node_modules/@azure/core-client/dist/esm/deserializationPolicy.js
@@ -62241,6 +62241,21 @@ function saveCacheV2(paths_1, key_1, options_1) {
 // src/save-cache.ts
 var pep440 = __toESM(require_pep440(), 1);
 
+// src/utils/logging.ts
+var quiet;
+function isQuiet() {
+  if (quiet === void 0) {
+    quiet = typeof getInput === "function" && getInput("quiet") === "true";
+  }
+  return quiet;
+}
+function info2(msg) {
+  if (!isQuiet()) {
+    info(msg);
+  }
+}
+var warning2 = warning;
+
 // src/cache/restore-cache.ts
 var STATE_CACHE_KEY = "cache-key";
 var STATE_CACHE_MATCHED_KEY = "cache-matched-key";
@@ -62327,9 +62342,14 @@ function skipComment(str, ptr) {
 }
 function skipVoid(str, ptr, banNewLines, banComments) {
   let c;
-  while ((c = str[ptr]) === " " || c === "	" || !banNewLines && (c === "\n" || c === "\r" && str[ptr + 1] === "\n"))
-    ptr++;
-  return banComments || c !== "#" ? ptr : skipVoid(str, skipComment(str, ptr), banNewLines);
+  while (1) {
+    while ((c = str[ptr]) === " " || c === "	" || !banNewLines && (c === "\n" || c === "\r" && str[ptr + 1] === "\n"))
+      ptr++;
+    if (banComments || c !== "#")
+      break;
+    ptr = skipComment(str, ptr);
+  }
+  return ptr;
 }
 function skipUntil(str, ptr, sep7, end, banNewLines = false) {
   if (!end) {
@@ -62990,7 +63010,9 @@ function loadInputs() {
   const pythonDir = getUvPythonDir();
   const githubToken = getInput("github-token");
   const manifestFile = getManifestFile();
+  const downloadFromAstralMirror = getInput("download-from-astral-mirror") === "true";
   const addProblemMatchers = getInput("add-problem-matchers") === "true";
+  const quiet2 = getInput("quiet") === "true";
   const resolutionStrategy = getResolutionStrategy();
   return {
     activateEnvironment,
@@ -63000,6 +63022,7 @@ function loadInputs() {
     cachePython,
     cacheSuffix,
     checksum,
+    downloadFromAstralMirror,
     enableCache,
     githubToken,
     ignoreEmptyWorkdir,
@@ -63009,6 +63032,7 @@ function loadInputs() {
     pruneCache: pruneCache2,
     pythonDir,
     pythonVersion,
+    quiet: quiet2,
     resolutionStrategy,
     restoreCache: restoreCache2,
     saveCache: saveCache4,
@@ -63032,7 +63056,7 @@ function getVenvPath(workingDirectory, activateEnvironment) {
   const venvPathInput = getInput("venv-path");
   if (venvPathInput !== "") {
     if (!activateEnvironment) {
-      warning("venv-path is only used when activate-environment is true");
+      warning2("venv-path is only used when activate-environment is true");
     }
     const tildeExpanded = expandTilde(venvPathInput);
     return normalizePath(resolveRelativePath(workingDirectory, tildeExpanded));
@@ -63095,7 +63119,7 @@ function getCacheLocalPath(workingDirectory, versionFile, enableCache) {
     return { path: cacheDirFromConfig, source: 1 /* Config */ };
   }
   if (process.env.UV_CACHE_DIR !== void 0) {
-    info(`UV_CACHE_DIR is already set to ${process.env.UV_CACHE_DIR}`);
+    info2(`UV_CACHE_DIR is already set to ${process.env.UV_CACHE_DIR}`);
     return { path: process.env.UV_CACHE_DIR, source: 2 /* Env */ };
   }
   if (enableCache) {
@@ -63128,12 +63152,12 @@ function getCacheDirFromConfig(workingDirectory, versionFile) {
     try {
       const cacheDir = getConfigValueFromTomlFile(resolvedPath, "cache-dir");
       if (cacheDir !== void 0) {
-        info(`Found cache-dir in ${resolvedPath}: ${cacheDir}`);
+        info2(`Found cache-dir in ${resolvedPath}: ${cacheDir}`);
         return cacheDir;
       }
     } catch (err) {
       const message = err.message;
-      warning(`Error while parsing ${filePath}: ${message}`);
+      warning2(`Error while parsing ${filePath}: ${message}`);
       return void 0;
     }
   }
@@ -63141,7 +63165,7 @@ function getCacheDirFromConfig(workingDirectory, versionFile) {
 }
 function getUvPythonDir() {
   if (process.env.UV_PYTHON_INSTALL_DIR !== void 0) {
-    info(
+    info2(
       `UV_PYTHON_INSTALL_DIR is already set to ${process.env.UV_PYTHON_INSTALL_DIR}`
     );
     return process.env.UV_PYTHON_INSTALL_DIR;
@@ -63211,6 +63235,22 @@ function getResolutionStrategy() {
 }
 
 // src/save-cache.ts
+function formatUnexpectedFailure(error2) {
+  if (error2 instanceof Error) {
+    return error2.stack ?? error2.message;
+  }
+  return String(error2);
+}
+function failUnexpectedly(event, error2) {
+  setFailed(`${event}: ${formatUnexpectedFailure(error2)}`);
+  process.exit(1);
+}
+process.on("uncaughtException", (error2) => {
+  failUnexpectedly("Uncaught exception", error2);
+});
+process.on("unhandledRejection", (reason) => {
+  failUnexpectedly("Unhandled promise rejection", reason);
+});
 async function run() {
   try {
     const inputs = loadInputs();
@@ -63218,9 +63258,9 @@ async function run() {
       if (inputs.saveCache) {
         await saveCache3(inputs);
       } else {
-        info("save-cache is false. Skipping save cache step.");
+        info2("save-cache is false. Skipping save cache step.");
       }
-      await new Promise((resolve2) => setTimeout(resolve2, 50));
+      await new Promise((resolve2) => setTimeout(resolve2, 100));
       process.exit(0);
     }
   } catch (error2) {
@@ -63232,11 +63272,11 @@ async function saveCache3(inputs) {
   const cacheKey = getState(STATE_CACHE_KEY);
   const matchedKey = getState(STATE_CACHE_MATCHED_KEY);
   if (!cacheKey) {
-    warning("Error retrieving cache key from state.");
+    warning2("Error retrieving cache key from state.");
     return;
   }
   if (matchedKey === cacheKey) {
-    info(`Cache hit occurred on key ${cacheKey}, not saving cache.`);
+    info2(`Cache hit occurred on key ${cacheKey}, not saving cache.`);
   } else {
     if (inputs.pruneCache) {
       await pruneCache();
@@ -63244,7 +63284,7 @@ async function saveCache3(inputs) {
     const actualCachePath = getUvCachePath(inputs);
     if (!fs7.existsSync(actualCachePath)) {
       if (inputs.ignoreNothingToCache) {
-        info(
+        info2(
           "No cacheable uv cache paths were found. Ignoring because ignore-nothing-to-cache is enabled."
         );
       } else {
@@ -63263,7 +63303,7 @@ async function saveCache3(inputs) {
   }
   if (inputs.cachePython) {
     if (!fs7.existsSync(inputs.pythonDir)) {
-      warning(
+      warning2(
         `Python cache path ${inputs.pythonDir} does not exist on disk. Skipping Python cache save because no managed Python installation was found. If you want uv to install managed Python instead of using a system interpreter, set UV_PYTHON_PREFERENCE=only-managed.`
       );
       return;
@@ -63286,7 +63326,7 @@ async function pruneCache() {
   if (forceSupported) {
     execArgs.push("--force");
   }
-  info("Pruning cache...");
+  info2("Pruning cache...");
   const uvPath = getState(STATE_UV_PATH);
   await exec(uvPath, execArgs, options);
 }
@@ -63297,7 +63337,7 @@ function getUvCachePath(inputs) {
     );
   }
   if (process.env.UV_CACHE_DIR && process.env.UV_CACHE_DIR !== inputs.cacheLocalPath.path) {
-    warning(
+    warning2(
       `The environment variable UV_CACHE_DIR has been changed to "${process.env.UV_CACHE_DIR}", by an action or step running after astral-sh/setup-uv. This can lead to unexpected behavior. If you expected this to happen set the cache-local-path input to "${process.env.UV_CACHE_DIR}" instead of "${inputs.cacheLocalPath.path}".`
     );
     return process.env.UV_CACHE_DIR;
@@ -63307,14 +63347,12 @@ function getUvCachePath(inputs) {
 async function saveCacheToKey(cacheKey, cachePath, stateKey, cacheName) {
   const matchedKey = getState(stateKey);
   if (matchedKey === cacheKey) {
-    info(
-      `${cacheName} hit occurred on key ${cacheKey}, not saving cache.`
-    );
+    info2(`${cacheName} hit occurred on key ${cacheKey}, not saving cache.`);
     return;
   }
-  info(`Including ${cacheName} path: ${cachePath}`);
+  info2(`Including ${cacheName} path: ${cachePath}`);
   await saveCache2([cachePath], cacheKey);
-  info(`${cacheName} saved with key: ${cacheKey}`);
+  info2(`${cacheName} saved with key: ${cacheKey}`);
 }
 run();
 // Annotate the CommonJS export names for ESM import in node:

docs/threat-model.md

@@ -1,81 +0,0 @@
-# setup-uv Repository Threat Model
-
-## Overview
-
-`setup-uv` is a GitHub Action that installs or reuses `uv`, changes later-step paths and environment, may discover and execute a Python interpreter, may create or clear a virtual environment, and may restore or save caches. It runs with the workflow job's filesystem, network, token, secrets, OIDC, artifact, and release authority.
-
-The consumer runtime is the selected ref's committed action metadata, bundles, and runner-interpreted companion files; source alone is not evidence of shipped behavior. Privileged automation that generates, updates, or publishes those artifacts is also in scope.
-
-The assets are job credentials; integrity of installed executables, interpreter, environment, checkout, runner, artifacts, and caches; isolation between jobs sharing caches or persistent runners; integrity of published action refs; and workflow compute/storage availability.
-
-Material failures are unauthorized executable selection, credential disclosure, premature execution of lower-authority content, filesystem escape or destructive path use, cross-authority cache/runner persistence, and unauthorized publication.
-
-## Threat Model, Trust Boundaries, and Assumptions
-
-### Authority and trust boundaries
-
-| Actor or input | Trust decision |
-|---|---|
-| Maintainers, repository/configuration administrators, and GitHub infrastructure | Trusted roots for source, bundles, workflows, refs, rulesets, environments, runner protocol, hosted isolation, and cache service. A lower-authority path into these roots is in scope; their compromise alone is not a repository bug. |
-| Consumer workflow authors and runner operators | Control the action ref, trigger, runner, permissions, secrets, proxy, environment, inputs, paths, globs, and custom sources. These are trusted choices unless derived from lower-authority event data. Selecting a custom manifest delegates metadata and executable authority; selecting a path authorizes normal operations on it and intended referents. |
-| Selected checkout, project authors, and pull-request contributors | The consumer delegates project/version files, interpreter discovery state, virtual environments, symlinks, cache inputs, and code execution within `setup-uv`'s process environment. Checkout-controlled behavior is trusted unless it overrides an explicit workflow choice or crosses an independent cache, runner, remote, or publication boundary. |
-| Remote metadata and artifacts | Default official endpoints, TLS roots, and an operator proxy are trusted mutable authorities. A custom manifest authorizes its URLs and hashes; a hash supplied by that same authority detects corruption, not malice. |
-| Cache and runner-state producers/consumers | Same-principal state is trusted by default. Integrity attacks require a lower-authority producer and higher-authority consumer. Confidentiality can flow the opposite way because lower-authority refs may read eligible higher-authority caches. Shared self-hosted state creates a boundary only when principals and authority differ. |
-| GitHub-managed automation | Dependency, coding-agent, and review workflows may exist outside the committed tree. Treat them as external principals and obtain their effective trigger, actor, token, environment, ref, and write/secret authority from live evidence. |
-
-### Assumptions
-
-- Running the selected `uv` and checkout-selected Python interpreters is intended. Project execution is out of scope unless it bypasses an explicit workflow choice or crosses an independent cache, runner, remote, or publication boundary.
-- Mutable official manifests, ranges, `latest`, and unprotected refs are not attacker control. A protected ref or independent checksum matters only if the selected bundle actually enforces it.
-- Same-user changes to paths, environment, proxies, or tool/cache state are not separate attacks. Demonstrate a cross-principal or lower-to-higher boundary.
-- Content merged through a trust path that can also merge executable code is not a lower-authority source; require a narrower writer or post-review mutation path.
-- Running `setup-uv` on an untrusted checkout with higher authority is a consumer trust decision; checkout-selected code may inherit the action environment.
-- Authorized paths include expected symlink/junction referents. Absolute paths and paths outside the workspace are supported; an escape requires independent control crossing an unauthorized boundary.
-- Hosted runners are assumed ephemeral and isolated. Persistence or hostile co-tenancy on self-hosted runners must be demonstrated.
-- Branch/tag rules, environments, token defaults, cache visibility, fork policy, dynamic workflows, and runner allocation are external state. Re-query required approvals/checks, bypass actors, tag movement, deployment reviewers/principals, release targets, and effective permissions for each attack path.
-- Web-application classes such as sessions, CSRF, XSS, SQL injection, and tenant isolation are not applicable.
-
-### Security invariants
-
-1. **Published runtime:** review `action.yml`, committed `dist/*.cjs`, and runner-interpreted shipped files; source-only fixes do not protect consumers.
-2. **Executable identity:** precedence is workflow version, version file, project configuration, then `latest`. Manifest authority, platform, variant, URL, checksum, mirror fallback, extraction, and cache placement must bind the intended artifact. A tool-cache hit bypasses download validation and depends on cache provenance.
-3. **Credential recipients:** tokens and URL credentials may reach only workflow-authorized origins, redirects, paths, and logs. Metadata authority does not imply token-recipient authority.
-4. **Executable boundaries:** checkout-selected interpreters are authorized by default. Explicit workflow selections must win, and independent cache, runner, or remote state must not substitute executables or gain additional authority.
-5. **Paths and action channels:** path/environment changes, virtual-environment clearing, outputs, state, and problem matchers must affect only authorized targets and keep untrusted values as data.
-6. **Cache boundaries:** keys, scope, restore paths, and executable content must prevent lower-to-higher poisoning; cache contents and post-action path re-resolution must prevent higher-to-lower disclosure, destructive pruning, or persistence.
-7. **Workflow and release authority:** unreviewed code or mutable tooling must not acquire write, secret, OIDC, artifact, deployment, tag, or publication authority. Only the intended reviewed bundles and commit may be released.
-8. **Availability:** independently controlled manifests, archives, globs, traversal, and caches must stay within the accepted one-job resource-failure model.
-
-### Finding gate
-
-Before reporting, identify the attacker and victim principals; exact controlled input; scanned action and checkout refs; runtime reachability in committed bundles; effective token, secrets/OIDC, environment gates, cache scope, and runner persistence; applicable defaults and opt-ins; validation performed or skipped; declared trust roots; baseline versus incremental capability; and concrete impact. Reproduce platform-specific behavior and distinguish the scanned ref from other versions.
-
-Missing independent attacker control, a violated guarantee, committed-runtime reachability, incremental capability, or practical impact is `NOT_APPLICABLE`, `INTENDED_BEHAVIOR`, `CORRECTNESS`, `DEFENSE_IN_DEPTH`, or `NEEDS_EVIDENCE`, not a security severity.
-
-## Attack Surface, Mitigations, and Attacker Stories
-
-| Surface | Security-relevant behavior and controls | Reportable attacker story |
-|---|---|---|
-| Published action and build/release supply chain | Consumers execute committed bundles and embedded dependencies. Verify source/bundle alignment, lockfile integrity, dependency-install policy, reproducible/generated-diff checks, immutable action pins, branch enforcement, and publication target checks. | A lower-authority contributor or dependency changes shipped code, or release automation publishes a different commit, by bypassing an effective review, branch, or release control. |
-| Version, manifest, proxy, and network selection | Project files may select an official version by documented precedence. Custom manifests may select URLs, hashes, variants, and platforms and may reach arbitrary network locations. Parsing should reject malformed, ambiguous, unsupported, or incorrectly typed records; verify HTTPS, time/size bounds, proxy behavior, and selected-ref defaults. | Lower-authority event/project data violates a promised fixed version, escapes the selected manifest, probes runner-only services, causes material resource use, selects attacker bytes, or redirects later credentials. Operator selection of a custom authority is not itself a finding. |
-| Artifact URL, token, checksum, extraction, and tool cache | Mirror fallback must preserve identity and checksum policy. Origin gating should restrict tokens; redirect handling should strip authorization across unauthorized hosts and reject downgrade. Verify checksum precedence and reject missing/empty hashes when policy requires validation. Independent hashes must precede extraction. Native helpers come from `PATH`; tool-cache hits skip network/hash validation. | An attacker receives a usable token outside delegated authority, bypasses an independent pin, exploits archive/link traversal, substitutes the cached executable, or poisons shared tool state later executed with higher authority. Same-authority manifest hashes and same-user cache changes do not establish the boundary. |
-| Interpreter, PATH, virtual environment, and action channels | Checkout-selected interpreters, virtual environments, paths, symlinks, and helpers are delegated project authority. Explicit workflow choices must bind; the action also changes later-step paths/environment, emits state/outputs, invokes native helpers, and consumes cache/runner state. | Independent cache, runner, or remote content substitutes an executable; an explicit workflow choice is bypassed; or action channels cross an authority boundary. Same-checkout interpreter, path, and helper effects are not findings. |
-| GitHub uv/Python caches and post action | Cache keys should partition platform, interpreter, dependency, and policy state and restore without unsafe fallback. Determine cache defaults, visibility, and the exact hit/miss path from the selected ref and GitHub policy; an exact hit may suppress post save/prune. Post processing re-reads inputs/config/environment and may save re-resolved uv or Python paths. | A lower producer supplies executable content to a higher consumer; a higher producer exposes private data to a lower cache reader; or a later successful step retargets a cache miss toward sensitive files, destructive pruning, or cross-job persistence. Existing equal-authority code with the same secrets often gains no new confidentiality. |
-| CI, updater, dynamic automation, and release workflows | PR workflows intentionally execute contributor code. Verify effective permissions, fork behavior, credential persistence, mutable tooling, security-upload authority, and whether checks are required. Updaters convert remote data into source under write authority. Distinguish ruleset-required deployment from human review present only in a workflow DAG. | Unreviewed code gains write/secret/OIDC/artifact authority; remote metadata becomes executable generated source; a dynamic workflow has unexpected authority; or an actor satisfies a deployment/tag rule without the intended review and publishes a malicious ref. |
-| Availability and logging | Manifests, version enumeration, archives, globs, hashing, caches, and remote strings can consume resources or influence logs. Verify size/count/expansion bounds, timeouts, retries, top-level error handling, and that parsing never executes data. | Independently controlled input causes reliable material workflow cost, disk/memory exhaustion, or meaningful log/output manipulation. A bounded one-job failure or operator-selected broad input is usually Low or correctness. |
-| Lower-priority classes | Shell injection is constrained where child execution uses argv, but workflow shell blocks still require quoting review. Prototype pollution requires a dangerous merge/sink. Secret-shaped strings require proof of a genuine usable secret. Documentation drift, range surprises, malformed trusted config, and test-only code normally lack a security boundary. | Report only when a concrete lower-authority value reaches an execution, credential, persistent-state, publication, or material-availability sink. |
-
-## Severity Calibration (Critical, High, Medium, Low)
-
-Severity follows the complete attack graph and incremental capability, not the presence of words such as token, checksum, cache, manifest, archive, Python, PATH, release, or OIDC.
-
-| Severity | Threshold | Representative examples |
-|---|---|---|
-| **Critical** | A low-prerequisite remote/lower-authority attacker compromises default distribution or installation across many consumers, publishes trusted malicious action artifacts, or gains broad credentials/runner control under safe defaults without first compromising a declared trust root. | Bypass an effective hash/origin control to distribute an automatically executed malicious binary at scale; reach publication authority to ship malicious bundles or move trusted refs without required approval; exploit default-accepted archive content for host overwrite or cross-job execution across hosted runners. |
-| **High** | A demonstrated lower-authority input crosses an execution, confidentiality, integrity, or persistence boundary in a privileged job and gains substantial capability. | Independent shared-state interpreter substitution in a write/OIDC release job; shared cache poisoning later executed with secrets; high-value cache disclosure to an untrusted ref; usable write-token disclosure; independent-pin bypass; archive/cache escape into sensitive state. |
-| **Medium** | A real but constrained crossing causes limited credential/filesystem impact, reliable remote denial of service, scoped persistence, or premature execution in a realistic uncommon configuration. | Limited executable substitution from independent cache/runner state in a read-only job; same-repository cache confusion or disclosure; reliable hosted-runner exhaustion; disclosure of a usable read-only private token; output manipulation without publication or high-value credentials. |
-| **Low** | A genuine weak boundary causes narrow disclosure, log/annotation spoofing, defense-in-depth weakness, exotic cache aliasing without a privileged consumer, or limited waste. | Confusing logs with no execution effect; bounded job failure; limited overwrite of nonexecuted cache data; disclosure of a path/URL without private data or follow-on capability. |
-
-Trust-root compromise may have Critical impact but is not a repository Critical without a lower-authority path into that root or an independent control that should have survived. High requires exact trigger, refs, effective authority, sink, and committed runtime; it cannot rely only on a trusted operator choosing malicious inputs, same-user state changes, or code already intentionally executed with equal authority. A separate privileged consumer, broad secret, persistent trusted state, publication path, or cross-repository boundary can raise Medium to High.
-
-Normally non-reportable without additional evidence: expected mutability of ranges, `latest`, official/custom sources, or unprotected refs; documented project version selection; checkout-selected interpreters, paths, virtual environments, symlinks, and helpers; deliberate operator selection of manifests, proxies, checksums, or paths; same-principal cache/path changes; requested `uv` or dependency execution; trusted-runner `PATH` lookup; test/developer-only code without a shipped or privileged-workflow path; behavior fixed in the scanned ref; and correctness/compatibility/documentation issues without incremental confidentiality, integrity, persistence, or availability impact.

package.json

@@ -35,19 +35,19 @@
     "@actions/io": "^3.0.2",
     "@actions/tool-cache": "^4.0.0",
     "@renovatebot/pep440": "^4.2.2",
-    "smol-toml": "^1.6.0",
-    "undici": "^7.24.2"
+    "smol-toml": "^1.6.1",
+    "undici": "^8.3.0"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.7",
+    "@biomejs/biome": "^2.4.15",
     "@types/js-yaml": "^4.0.9",
     "@types/node": "^25.5.0",
     "@types/semver": "^7.7.1",
     "@vercel/ncc": "^0.38.4",
-    "esbuild": "^0.27.4",
-    "jest": "^30.3.0",
+    "esbuild": "^0.28.0",
+    "jest": "^30.4.2",
     "js-yaml": "^4.1.1",
-    "ts-jest": "^29.4.6",
+    "ts-jest": "^29.4.11",
     "typescript": "^5.9.3"
   }
 }

src/cache/restore-cache.ts

@@ -2,6 +2,7 @@ import * as cache from "@actions/cache";
 import * as core from "@actions/core";
 import { hashFiles } from "../hash/hash-files";
 import type { SetupInputs } from "../utils/inputs";
+import * as log from "../utils/logging";
 import { getArch, getOSNameVersion, getPlatform } from "../utils/platforms";
 
 export const STATE_CACHE_KEY = "cache-key";
@@ -19,7 +20,7 @@ export async function restoreCache(
   core.setOutput("cache-key", cacheKey);
 
   if (!inputs.restoreCache) {
-    core.info("restore-cache is false. Skipping restore cache step.");
+    log.info("restore-cache is false. Skipping restore cache step.");
     core.setOutput("python-cache-hit", false);
     return;
   }
@@ -55,7 +56,7 @@ async function restoreCacheFromKey(
   stateKey: string,
   outputKey: string,
 ): Promise<void> {
-  core.info(
+  log.info(
     `Trying to restore cache from GitHub Actions cache with key: ${cacheKey}`,
   );
   let matchedKey: string | undefined;
@@ -63,7 +64,7 @@ async function restoreCacheFromKey(
     matchedKey = await cache.restoreCache([cachePath], cacheKey);
   } catch (err) {
     const message = (err as Error).message;
-    core.warning(message);
+    log.warning(message);
     core.setOutput(outputKey, false);
     return;
   }
@@ -77,7 +78,7 @@ async function computeKeys(
 ): Promise<string> {
   let cacheDependencyPathHash = "-";
   if (inputs.cacheDependencyGlob !== "") {
-    core.info(
+    log.info(
       `Searching files using cache dependency glob: ${inputs.cacheDependencyGlob.split("\n").join(",")}`,
     );
     cacheDependencyPathHash += await hashFiles(
@@ -85,7 +86,7 @@ async function computeKeys(
       true,
     );
     if (cacheDependencyPathHash === "-") {
-      core.warning(
+      log.warning(
         `No file matched to [${inputs.cacheDependencyGlob.split("\n").join(",")}]. The cache will never get invalidated. Make sure you have checked out the target repository and configured the cache-dependency-glob input correctly.`,
       );
     }
@@ -109,12 +110,12 @@ function handleMatchResult(
   outputKey: string,
 ): void {
   if (!matchedKey) {
-    core.info(`No GitHub Actions cache found for key: ${primaryKey}`);
+    log.info(`No GitHub Actions cache found for key: ${primaryKey}`);
     core.setOutput(outputKey, false);
     return;
   }
 
   core.saveState(stateKey, matchedKey);
-  core.info(`cache restored from GitHub Actions cache with key: ${matchedKey}`);
+  log.info(`cache restored from GitHub Actions cache with key: ${matchedKey}`);
   core.setOutput(outputKey, true);
 }

src/download/checksum/known-checksums.ts

@@ -1,5 +1,185 @@
 // AUTOGENERATED_DO_NOT_EDIT
 export const KNOWN_CHECKSUMS: { [key: string]: string } = {
+  "aarch64-apple-darwin-0.11.18":
+    "1a7adf8dadae3b55853115d13a8bf564d219597ad13824b93b213706933863e5",
+  "aarch64-pc-windows-msvc-0.11.18":
+    "0689e1a40d36b387522d2b1b865cd98a15ddd4a7507e256ad93be6f6a335fec1",
+  "aarch64-unknown-linux-gnu-0.11.18":
+    "0f03c6648df1c159557f4222c0f37250f84733fb88d6fc3c16770e17c177a8c9",
+  "aarch64-unknown-linux-musl-0.11.18":
+    "6d895725333680bf7633ad635baff8e49dc45d3b52e00b2b3adf6ced41f2ebe2",
+  "arm-unknown-linux-musleabihf-0.11.18":
+    "c4fe354b28c489fa6649531808076c43eb3a34122df49b0a3005bb75dbf101c3",
+  "armv7-unknown-linux-gnueabihf-0.11.18":
+    "a70a8b1124dc1fabcce9f2bbe6591c72a05d49df74125d1c327b5745f2becbb6",
+  "armv7-unknown-linux-musleabihf-0.11.18":
+    "f8b6f4df3ff9d142a25892be575ade438672a8353ad71997f7db88e9b9a1062d",
+  "i686-pc-windows-msvc-0.11.18":
+    "7505112a7bf72f50391c50f2aa07950b95b3c43c7d9fd4da5626876407d15dda",
+  "i686-unknown-linux-gnu-0.11.18":
+    "5f3df0d62af1d174a06b82a6faf1a5e9a1f729b87d11c7d9cd87d4241e04f23d",
+  "i686-unknown-linux-musl-0.11.18":
+    "4237cfcd03fb8767a7ec713ab3db14381d83bbd0bf5ccc88cd6f28ac8c2c616f",
+  "powerpc64le-unknown-linux-gnu-0.11.18":
+    "fc8f46a198e540ca2d89fd9480da0648d673ff3e25b4048c82ca5c292a478052",
+  "riscv64gc-unknown-linux-gnu-0.11.18":
+    "cdb0555db7828bbd1dc24e55171b8ac3dbbc24fe17b6a7387783cd4d543a1538",
+  "riscv64gc-unknown-linux-musl-0.11.18":
+    "3d5b533080bb593c82b281b8d289e29d51b97c0994655099845752e948181fe2",
+  "s390x-unknown-linux-gnu-0.11.18":
+    "7a91aa963680f2fe14ebf89291cf8eafcff634eccdeb6d301e0252b282171818",
+  "x86_64-apple-darwin-0.11.18":
+    "00a61e3db99b53c927a7e6c4ccdccb898aa3253d07928822211e9dc570a25661",
+  "x86_64-pc-windows-msvc-0.11.18":
+    "bf8e0021336b7c77bd80a078b612125f385b08f541437edaea8c8ca9e574db0d",
+  "x86_64-unknown-linux-gnu-0.11.18":
+    "588f3e360f69ce02b6982aa99f2240e803933a6b7e176ac01617830adf955add",
+  "x86_64-unknown-linux-musl-0.11.18":
+    "a095a969fc8357f42e35652e0554525a47a29010ddb814bd82650c2ffa7d6d62",
+  "aarch64-apple-darwin-0.11.17":
+    "2a162f6b90ff3691a2f9cae1622e066a3ce592e110f66670cdcc841324b28226",
+  "aarch64-pc-windows-msvc-0.11.17":
+    "f4463aa9671c6d153d32f2a9b272389675a711a9bca806c4ab4a3c7559b045c2",
+  "aarch64-unknown-linux-gnu-0.11.17":
+    "de008880a903ac2c5654647dc19a75c0d6652313c977a2bc5ce05e1e3a93429e",
+  "aarch64-unknown-linux-musl-0.11.17":
+    "9e5eaf16ffad968fc689f18c2733ace914ed417d4e5572e92d807fd51a90228c",
+  "arm-unknown-linux-musleabihf-0.11.17":
+    "201c7d727423095aa4ba39cc79b16cac2465720d4348270a3977824009526179",
+  "armv7-unknown-linux-gnueabihf-0.11.17":
+    "c941377b20fdd4b101376a9c8ce37c209d36655697815a32658a7cbcb3212409",
+  "armv7-unknown-linux-musleabihf-0.11.17":
+    "12606cc40d15c5ab5fd06e434c8ee1b0ef7e3ca3cd4d5b2b135a16dd1a45fed2",
+  "i686-pc-windows-msvc-0.11.17":
+    "be48cd9aa35c8615eff3dba6a24e214edf00885150eacde032a258399131c59d",
+  "i686-unknown-linux-gnu-0.11.17":
+    "89f859f3bfaf3a74733aef671e6a4ade36173623d4539d3559e11caa2c722718",
+  "i686-unknown-linux-musl-0.11.17":
+    "8d2ecb44951b80861570f4a7f732c9f16f3b342450eeb0bd2eef876b10395400",
+  "powerpc64le-unknown-linux-gnu-0.11.17":
+    "714c7b292c805231edbfc77ca14b29e6e469342236ef1cfb58fe7d6f8fed48a4",
+  "riscv64gc-unknown-linux-gnu-0.11.17":
+    "f8bece740520b35f69c82653da77912b38a29a5634a6e0ce7d83122a485c6a6f",
+  "riscv64gc-unknown-linux-musl-0.11.17":
+    "ae07b4e9c2bea3dcba2e3267e9e4229e45de63c15e74eee7fac7ccf9df6e04cd",
+  "s390x-unknown-linux-gnu-0.11.17":
+    "10ec2070644dda19ab9c8dcc3d6f3bbf4b09ad6665b8a8be067d7fdb5a58b56c",
+  "x86_64-apple-darwin-0.11.17":
+    "6c66e41eaf4d15abeda58d3f268161b6e3f742d98390341b174a7cfc1b48841d",
+  "x86_64-pc-windows-msvc-0.11.17":
+    "35fc29e03e62f3cda769bc12773f3cb70ce305d0d36c0d8bd0c117dd0b3fcd14",
+  "x86_64-unknown-linux-gnu-0.11.17":
+    "0017ccecaeb4d431d7f93b583ebff0c5c38e00eb734fcf13d05f72ca419125fe",
+  "x86_64-unknown-linux-musl-0.11.17":
+    "4231a429d4e0f7c1937d8916658c08a7706cd7872afebeb87203a18c2e0dc28e",
+  "aarch64-apple-darwin-0.11.16":
+    "2b25be1af546be330b340b0a76b99f989daa6d92678fdffb87438e661e9d88fb",
+  "aarch64-pc-windows-msvc-0.11.16":
+    "e4f8e70eb21f0f4efd2eeb159ab289f9a16057d59881a4475758be4ce39bc8c5",
+  "aarch64-unknown-linux-gnu-0.11.16":
+    "8c9d0f0ee98166ae6ab198747519ba6f25db29d185bd2ae5960ecebc91a5c22a",
+  "aarch64-unknown-linux-musl-0.11.16":
+    "ac022d96411143b9a2dd75ea711fa8dd4cd14538bf248f2e5df3c10a80f7f6a4",
+  "arm-unknown-linux-musleabihf-0.11.16":
+    "cdd60c84597690139e3696461d1278bf4dcd598cd44e3896a98aa75aa59965bf",
+  "armv7-unknown-linux-gnueabihf-0.11.16":
+    "71cf33cb511c9fe28ae261c0b4789e1fd9bb84d1bc68828db647b77305a15185",
+  "armv7-unknown-linux-musleabihf-0.11.16":
+    "f24fca34326c5b8f7ddc0001a40e5454bc8091ca67f9ce931ffdaef4ea4815e8",
+  "i686-pc-windows-msvc-0.11.16":
+    "7417090298bf202395b9b3d6eefb9230332d8d6c94a5616e531148a0b041c8e2",
+  "i686-unknown-linux-gnu-0.11.16":
+    "0d1e427cd3fcc042e85dfc75f6d95e076dff9b930241686969d6706afda21375",
+  "i686-unknown-linux-musl-0.11.16":
+    "d5e611deffd3f5fd637b2dc89dbe252342ce4a38c8970e63add8029afe2b5629",
+  "powerpc64le-unknown-linux-gnu-0.11.16":
+    "8a3b09ce14d14a75dbbf051cdb78a314fb579e78fb3a02e1ee833c4cb5f6e81e",
+  "riscv64gc-unknown-linux-gnu-0.11.16":
+    "0314895f159ce97bcedac00a4b97fa7e53c16fee911a6a2d9f0b69ee6461b7d5",
+  "riscv64gc-unknown-linux-musl-0.11.16":
+    "8a1aef4261011143f56c964eeaed5e06fa0cb95ff3005386381c610c91784feb",
+  "s390x-unknown-linux-gnu-0.11.16":
+    "d161e914ad552aed83478fe9766061844297dadfa77a43e56285a147bde0021e",
+  "x86_64-apple-darwin-0.11.16":
+    "6b91ae3de155f51bd1f5b74814821c79f016a176561f252cd9ddfb976939af2e",
+  "x86_64-pc-windows-msvc-0.11.16":
+    "dd9d6d6554bfab265bfa98aa8e8a406c5c3a7b97582f93de1f4d48d9154a0395",
+  "x86_64-unknown-linux-gnu-0.11.16":
+    "74947fe2c03315cf07e82ab3acc703eddef01aba4d5232a98e4c6825ec116131",
+  "x86_64-unknown-linux-musl-0.11.16":
+    "1bc4be1be0a000f893b0d1db97906cf392b63fa22fda9a0ecf33d0d4bbb4bc9a",
+  "aarch64-apple-darwin-0.11.15":
+    "7e5b336108f8576eda1939920ca0a805b4a9a3c3d3eb2f6140e38b7092fbe4f3",
+  "aarch64-pc-windows-msvc-0.11.15":
+    "9eac2d68f3a66326c3e1fc97ef28bd54f1d13136ec092c2f0a8173ae12aaaf1e",
+  "aarch64-unknown-linux-gnu-0.11.15":
+    "21a7dd1a03ea17ac0366887455dab15d215b31dba0870dcd65d3714e22f46c81",
+  "aarch64-unknown-linux-musl-0.11.15":
+    "6505075cec3f551fad4fe9026922967ff9c895c9f513c97682b24e7a1c9becd3",
+  "arm-unknown-linux-musleabihf-0.11.15":
+    "f9206848d617b7beec37c346624ad961d8d4110606990653ebbfc4c62b1f1741",
+  "armv7-unknown-linux-gnueabihf-0.11.15":
+    "eb6a12e3e80e1474c1018edc9541bbe71cdf2248fa17b583dcbcc7bb391ad0c0",
+  "armv7-unknown-linux-musleabihf-0.11.15":
+    "a40ee3c41443341846137afc5c7f29be766a9a677bd70c7ff91cbb4273e5383c",
+  "i686-pc-windows-msvc-0.11.15":
+    "6a9431f0044a1ff59fd6920f6f982b691acf336b6e26ac8cd40a02b5ab839cd1",
+  "i686-unknown-linux-gnu-0.11.15":
+    "557e329e76072b513e47bcd8b50ca4bad07ec87cb325cbfc05e6069847af06c4",
+  "i686-unknown-linux-musl-0.11.15":
+    "69490ca5580958cdee3353b54357925913ec0540dc8e09819294b9e5b6d48556",
+  "powerpc64le-unknown-linux-gnu-0.11.15":
+    "6be3637ef86cdee3f5fcfbc66681ecbf6d57c6a123398a1bdd09786d65a06016",
+  "riscv64gc-unknown-linux-gnu-0.11.15":
+    "a43e22243e3f3b1fb136a0998b730367fe2589ea98ce6cd4f0d7d20b9f77fb5b",
+  "riscv64gc-unknown-linux-musl-0.11.15":
+    "2256c9b625d67a55986adda62b09782b5547e28a79fba472e7e93ac3ec0af258",
+  "s390x-unknown-linux-gnu-0.11.15":
+    "df2b69ed893ce00e242d8cfe5b9fdc7b7a42d578df487d09aa624563a9801578",
+  "x86_64-apple-darwin-0.11.15":
+    "42bca7cc879d117ed7139a0e26de8cab0b6f033ad439a32144f324d1f8580d8c",
+  "x86_64-pc-windows-msvc-0.11.15":
+    "04b98d414a9000e25e5e0e7c9f53749e66b790cdaffc582829e6f58c544ee11c",
+  "x86_64-unknown-linux-gnu-0.11.15":
+    "b03e572f010bea94a4a52d42671ba72981e12894f71576181a1d26ff68546da7",
+  "x86_64-unknown-linux-musl-0.11.15":
+    "200ccf2f351849c5d6698714e7e7eb9ead1e8c097dbdbb43730e1a4e059ceb87",
+  "aarch64-apple-darwin-0.11.14":
+    "4333af5c0730d94323a7819bbdf87ce92dd07fc857d67fff0059e0fca31b5c02",
+  "aarch64-pc-windows-msvc-0.11.14":
+    "d66c76ba912ba66fed011e0189dfbc4527dd9e620a2b5d5d5ecd2ad8936601b8",
+  "aarch64-unknown-linux-gnu-0.11.14":
+    "c4958f729e216f1610632574ed927b8cf0af1bd02cb88cb30d948571727aee43",
+  "aarch64-unknown-linux-musl-0.11.14":
+    "d7d3966e46915c5f6932692aaf152a2473eecb1d2517ca4f8e88a07484b380b6",
+  "arm-unknown-linux-musleabihf-0.11.14":
+    "31b07fa8bc5bbc8f22064fc1d4238b53c663bdb4812cbfead0b43719571aec03",
+  "armv7-unknown-linux-gnueabihf-0.11.14":
+    "2aca3925d7ad91d2e02a0f9cf75974ebd077ec5cb939a5eb66aba096d5666819",
+  "armv7-unknown-linux-musleabihf-0.11.14":
+    "988d79544bbf55ebeaf6521d3cbf46957bcfbab998d22092ea860580639e2f30",
+  "i686-pc-windows-msvc-0.11.14":
+    "579408a1134ec3c45dd7b94187978b98b15df4e0c49ebf05c52565e3858d9f2a",
+  "i686-unknown-linux-gnu-0.11.14":
+    "8c93880c54dc7a632f602b7627d4338d80011ecf32e340fd2f67129df5325dc7",
+  "i686-unknown-linux-musl-0.11.14":
+    "c84acf1036767797a7be97a3315122b9565a78bf90b5733741b1abeefa58387f",
+  "powerpc64le-unknown-linux-gnu-0.11.14":
+    "d2da5ba5911b86dfec96f0737b7d1053ed78c0c65e51585db03fb4969b2a3825",
+  "riscv64gc-unknown-linux-gnu-0.11.14":
+    "55731359293842826cd82d5fbd826a6bce542c3fec458214604e308b352560ed",
+  "riscv64gc-unknown-linux-musl-0.11.14":
+    "86b053903d29a2d04441e4cbd05a8f690b8ec56f8959d27f15df13efffb5879b",
+  "s390x-unknown-linux-gnu-0.11.14":
+    "cc7b233541a76dd484516a39c06d9d14100d1048708483e6f49ee20b6cc5761b",
+  "x86_64-apple-darwin-0.11.14":
+    "9836c1440b0bd6aa5f81793648a339bd01d593b7b8f575de3b855dae4ab64654",
+  "x86_64-pc-windows-msvc-0.11.14":
+    "52ba5d19409aaa688a8a1a6ec8dfb6a4817230d20186e75f4006105c3e39a846",
+  "x86_64-unknown-linux-gnu-0.11.14":
+    "f3b623eb0e6141a7053d571d59a0bdc341e0f238ea8f5f0b4815ddbec9a2a296",
+  "x86_64-unknown-linux-musl-0.11.14":
+    "077d36f45a0cc6d440b653b2d5c53e7731121e99e54b0221267eec5d1cae76ce",
   "aarch64-apple-darwin-0.11.13":
     "196a58aa24da89144187670df7c407358028984537fbc2f8f2d8f7a2604980df",
   "aarch64-pc-windows-msvc-0.11.13":

src/download/download-version.ts

@@ -8,6 +8,7 @@ import {
   TOOL_CACHE_NAME,
   VERSIONS_MANIFEST_URL,
 } from "../utils/constants";
+import * as log from "../utils/logging";
 import type { Architecture, Platform } from "../utils/platforms";
 import { validateChecksum } from "./checksum/checksum";
 import { getArtifact } from "./manifest";
@@ -36,6 +37,7 @@ export async function downloadVersion(
   checksum: string | undefined,
   githubToken: string,
   manifestUrl?: string,
+  downloadFromAstralMirror = true,
 ): Promise<{ version: string; cachedToolDir: string }> {
   const artifact = await getArtifact(version, arch, platform, manifestUrl);
 
@@ -52,10 +54,10 @@ export async function downloadVersion(
       ? checksum
       : resolveChecksum(checksum, artifact.checksum);
 
-  const mirrorUrl = rewriteToMirror(artifact.downloadUrl);
+  const mirrorUrl = downloadFromAstralMirror
+    ? rewriteToMirror(artifact.downloadUrl)
+    : undefined;
   const downloadUrl = mirrorUrl ?? artifact.downloadUrl;
-  // Don't send the GitHub token to the Astral mirror.
-  const downloadToken = mirrorUrl !== undefined ? undefined : githubToken;
 
   try {
     return await downloadArtifact(
@@ -65,14 +67,14 @@ export async function downloadVersion(
       arch,
       version,
       resolvedChecksum,
-      downloadToken,
+      githubTokenForUrl(downloadUrl, githubToken),
     );
   } catch (err) {
     if (mirrorUrl === undefined) {
       throw err;
     }
 
-    core.warning(
+    log.warning(
       `Failed to download from mirror, falling back to GitHub Releases: ${(err as Error).message}`,
     );
 
@@ -83,7 +85,7 @@ export async function downloadVersion(
       arch,
       version,
       resolvedChecksum,
-      githubToken,
+      githubTokenForUrl(artifact.downloadUrl, githubToken),
     );
   }
 }
@@ -100,6 +102,19 @@ export function rewriteToMirror(url: string): string | undefined {
   return ASTRAL_MIRROR_PREFIX + url.slice(GITHUB_RELEASES_PREFIX.length);
 }
 
+function githubTokenForUrl(
+  downloadUrl: string,
+  githubToken: string,
+): string | undefined {
+  try {
+    return new URL(downloadUrl).origin === "https://github.com"
+      ? githubToken
+      : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
 async function downloadArtifact(
   downloadUrl: string,
   artifactName: string,
@@ -109,7 +124,7 @@ async function downloadArtifact(
   checksum: string | undefined,
   githubToken: string | undefined,
 ): Promise<{ version: string; cachedToolDir: string }> {
-  core.info(`Downloading uv from "${downloadUrl}" ...`);
+  log.info(`Downloading uv from "${downloadUrl}" ...`);
   const downloadPath = await tc.downloadTool(
     downloadUrl,
     undefined,
@@ -125,7 +140,7 @@ async function downloadArtifact(
       // so this may fail if another tar, like gnu tar, ends up being used.
       uvDir = await tc.extractTar(downloadPath, undefined, "x");
     } catch (err) {
-      core.info(
+      log.info(
         `Extracting with tar failed, falling back to zip extraction: ${(err as Error).message}`,
       );
       const extension = getExtension(platform);

src/download/manifest.ts

@@ -1,6 +1,7 @@
 import * as core from "@actions/core";
 import { VERSIONS_MANIFEST_URL } from "../utils/constants";
 import { fetch } from "../utils/fetch";
+import * as log from "../utils/logging";
 import { selectDefaultVariant } from "./variant-selection";
 
 export interface ManifestArtifact {
@@ -33,7 +34,7 @@ export async function fetchManifest(
     return cachedVersions;
   }
 
-  core.info(`Fetching manifest data from ${manifestUrl} ...`);
+  log.info(`Fetching manifest data from ${manifestUrl} ...`);
   const response = await fetch(manifestUrl, {});
   if (!response.ok) {
     throw new Error(
@@ -111,7 +112,7 @@ export async function getLatestVersion(
 export async function getAllVersions(
   manifestUrl: string = VERSIONS_MANIFEST_URL,
 ): Promise<string[]> {
-  core.info(
+  log.info(
     `Getting available versions from ${manifestSource(manifestUrl)} ...`,
   );
   const versions = await fetchManifest(manifestUrl);

src/hash/hash-files.ts

@@ -2,8 +2,8 @@ import * as crypto from "node:crypto";
 import * as fs from "node:fs";
 import * as stream from "node:stream";
 import * as util from "node:util";
-import * as core from "@actions/core";
 import { create } from "@actions/glob";
+import * as log from "../utils/logging";
 
 /**
  * Hashes files matching the given glob pattern.
@@ -19,7 +19,7 @@ export async function hashFiles(
 ): Promise<string> {
   const globber = await create(pattern);
   let hasMatch = false;
-  const writeDelegate = verbose ? core.info : core.debug;
+  const writeDelegate = verbose ? log.info : log.debug;
   const result = crypto.createHash("sha256");
   let count = 0;
   for await (const file of globber.globGenerator()) {

src/save-cache.ts

@@ -10,6 +10,27 @@ import {
 } from "./cache/restore-cache";
 import { STATE_UV_PATH, STATE_UV_VERSION } from "./utils/constants";
 import { loadInputs, type SetupInputs } from "./utils/inputs";
+import * as log from "./utils/logging";
+
+function formatUnexpectedFailure(error: unknown): string {
+  if (error instanceof Error) {
+    return error.stack ?? error.message;
+  }
+  return String(error);
+}
+
+function failUnexpectedly(event: string, error: unknown): never {
+  core.setFailed(`${event}: ${formatUnexpectedFailure(error)}`);
+  process.exit(1);
+}
+
+process.on("uncaughtException", (error) => {
+  failUnexpectedly("Uncaught exception", error);
+});
+
+process.on("unhandledRejection", (reason) => {
+  failUnexpectedly("Unhandled promise rejection", reason);
+});
 
 export async function run(): Promise<void> {
   try {
@@ -18,10 +39,10 @@ export async function run(): Promise<void> {
       if (inputs.saveCache) {
         await saveCache(inputs);
       } else {
-        core.info("save-cache is false. Skipping save cache step.");
+        log.info("save-cache is false. Skipping save cache step.");
       }
-      // https://github.com/nodejs/node/issues/56645#issuecomment-3077594952
-      await new Promise((resolve) => setTimeout(resolve, 50));
+      // https://github.com/nodejs/node/issues/56645#issuecomment-3924958861
+      await new Promise((resolve) => setTimeout(resolve, 100));
 
       // node will stay alive if any promises are not resolved,
       // which is a possibility if HTTP requests are dangling
@@ -41,11 +62,11 @@ async function saveCache(inputs: SetupInputs): Promise<void> {
   const matchedKey = core.getState(STATE_CACHE_MATCHED_KEY);
 
   if (!cacheKey) {
-    core.warning("Error retrieving cache key from state.");
+    log.warning("Error retrieving cache key from state.");
     return;
   }
   if (matchedKey === cacheKey) {
-    core.info(`Cache hit occurred on key ${cacheKey}, not saving cache.`);
+    log.info(`Cache hit occurred on key ${cacheKey}, not saving cache.`);
   } else {
     if (inputs.pruneCache) {
       await pruneCache();
@@ -54,7 +75,7 @@ async function saveCache(inputs: SetupInputs): Promise<void> {
     const actualCachePath = getUvCachePath(inputs);
     if (!fs.existsSync(actualCachePath)) {
       if (inputs.ignoreNothingToCache) {
-        core.info(
+        log.info(
           "No cacheable uv cache paths were found. Ignoring because ignore-nothing-to-cache is enabled.",
         );
       } else {
@@ -74,7 +95,7 @@ async function saveCache(inputs: SetupInputs): Promise<void> {
 
   if (inputs.cachePython) {
     if (!fs.existsSync(inputs.pythonDir)) {
-      core.warning(
+      log.warning(
         `Python cache path ${inputs.pythonDir} does not exist on disk. Skipping Python cache save because no managed Python installation was found. If you want uv to install managed Python instead of using a system interpreter, set UV_PYTHON_PREFERENCE=only-managed.`,
       );
       return;
@@ -101,7 +122,7 @@ async function pruneCache(): Promise<void> {
     execArgs.push("--force");
   }
 
-  core.info("Pruning cache...");
+  log.info("Pruning cache...");
   const uvPath = core.getState(STATE_UV_PATH);
   await exec.exec(uvPath, execArgs, options);
 }
@@ -116,7 +137,7 @@ function getUvCachePath(inputs: SetupInputs): string {
     process.env.UV_CACHE_DIR &&
     process.env.UV_CACHE_DIR !== inputs.cacheLocalPath.path
   ) {
-    core.warning(
+    log.warning(
       `The environment variable UV_CACHE_DIR has been changed to "${process.env.UV_CACHE_DIR}", by an action or step running after astral-sh/setup-uv. This can lead to unexpected behavior. If you expected this to happen set the cache-local-path input to "${process.env.UV_CACHE_DIR}" instead of "${inputs.cacheLocalPath.path}".`,
     );
     return process.env.UV_CACHE_DIR;
@@ -133,15 +154,13 @@ async function saveCacheToKey(
   const matchedKey = core.getState(stateKey);
 
   if (matchedKey === cacheKey) {
-    core.info(
-      `${cacheName} hit occurred on key ${cacheKey}, not saving cache.`,
-    );
+    log.info(`${cacheName} hit occurred on key ${cacheKey}, not saving cache.`);
     return;
   }
 
-  core.info(`Including ${cacheName} path: ${cachePath}`);
+  log.info(`Including ${cacheName} path: ${cachePath}`);
   await cache.saveCache([cachePath], cacheKey);
-  core.info(`${cacheName} saved with key: ${cacheKey}`);
+  log.info(`${cacheName} saved with key: ${cacheKey}`);
 }
 
 run();

src/setup-uv.ts

@@ -9,6 +9,7 @@ import {
 } from "./download/download-version";
 import { STATE_UV_PATH, STATE_UV_VERSION } from "./utils/constants";
 import { CacheLocalSource, loadInputs, type SetupInputs } from "./utils/inputs";
+import * as log from "./utils/logging";
 import {
   type Architecture,
   getArch,
@@ -19,6 +20,26 @@ import { resolveUvVersion } from "./version/resolve";
 
 const sourceDir = __dirname;
 
+function formatUnexpectedFailure(error: unknown): string {
+  if (error instanceof Error) {
+    return error.stack ?? error.message;
+  }
+  return String(error);
+}
+
+function failUnexpectedly(event: string, error: unknown): never {
+  core.setFailed(`${event}: ${formatUnexpectedFailure(error)}`);
+  process.exit(1);
+}
+
+process.on("uncaughtException", (error) => {
+  failUnexpectedly("Uncaught exception", error);
+});
+
+process.on("unhandledRejection", (reason) => {
+  failUnexpectedly("Unhandled promise rejection", reason);
+});
+
 async function getPythonVersion(inputs: SetupInputs): Promise<string> {
   if (inputs.pythonVersion !== "") {
     return inputs.pythonVersion;
@@ -76,7 +97,7 @@ async function run(): Promise<void> {
 
     core.setOutput("uv-version", setupResult.version);
     core.saveState(STATE_UV_VERSION, setupResult.version);
-    core.info(`Successfully installed uv version ${setupResult.version}`);
+    log.info(`Successfully installed uv version ${setupResult.version}`);
 
     const detectedPythonVersion = await getPythonVersion(inputs);
     core.setOutput("python-version", detectedPythonVersion);
@@ -84,8 +105,8 @@ async function run(): Promise<void> {
     if (inputs.enableCache) {
       await restoreCache(inputs, detectedPythonVersion);
     }
-    // https://github.com/nodejs/node/issues/56645#issuecomment-3077594952
-    await new Promise((resolve) => setTimeout(resolve, 50));
+    // https://github.com/nodejs/node/issues/56645#issuecomment-3924958861
+    await new Promise((resolve) => setTimeout(resolve, 100));
     process.exit(0);
   } catch (err) {
     core.setFailed((err as Error).message);
@@ -95,11 +116,11 @@ async function run(): Promise<void> {
 function detectEmptyWorkdir(inputs: SetupInputs): void {
   if (fs.readdirSync(inputs.workingDirectory).length === 0) {
     if (inputs.ignoreEmptyWorkdir) {
-      core.info(
+      log.info(
         "Empty workdir detected. Ignoring because ignore-empty-workdir is enabled",
       );
     } else {
-      core.warning(
+      log.warning(
         "Empty workdir detected. This may cause unexpected behavior. You can enable ignore-empty-workdir to mute this warning.",
       );
     }
@@ -120,7 +141,7 @@ async function setupUv(
   });
   const toolCacheResult = tryGetFromToolCache(arch, resolvedVersion);
   if (toolCacheResult.installedPath) {
-    core.info(`Found uv in tool-cache for ${toolCacheResult.version}`);
+    log.info(`Found uv in tool-cache for ${toolCacheResult.version}`);
     return {
       uvDir: toolCacheResult.installedPath,
       version: toolCacheResult.version,
@@ -134,6 +155,7 @@ async function setupUv(
     inputs.checksum,
     inputs.githubToken,
     inputs.manifestFile,
+    inputs.downloadFromAstralMirror,
   );
 
   return {
@@ -147,39 +169,39 @@ function addUvToPathAndOutput(cachedPath: string): void {
   core.saveState(STATE_UV_PATH, `${cachedPath}${path.sep}uv`);
   core.setOutput("uvx-path", `${cachedPath}${path.sep}uvx`);
   if (process.env.UV_NO_MODIFY_PATH !== undefined) {
-    core.info("UV_NO_MODIFY_PATH is set, not modifying PATH");
+    log.info("UV_NO_MODIFY_PATH is set, not modifying PATH");
   } else {
     core.addPath(cachedPath);
-    core.info(`Added ${cachedPath} to the path`);
+    log.info(`Added ${cachedPath} to the path`);
   }
 }
 
 function addToolBinToPath(inputs: SetupInputs): void {
   if (inputs.toolBinDir !== undefined) {
     core.exportVariable("UV_TOOL_BIN_DIR", inputs.toolBinDir);
-    core.info(`Set UV_TOOL_BIN_DIR to ${inputs.toolBinDir}`);
+    log.info(`Set UV_TOOL_BIN_DIR to ${inputs.toolBinDir}`);
     if (process.env.UV_NO_MODIFY_PATH !== undefined) {
-      core.info(
+      log.info(
         `UV_NO_MODIFY_PATH is set, not adding ${inputs.toolBinDir} to path`,
       );
     } else {
       core.addPath(inputs.toolBinDir);
-      core.info(`Added ${inputs.toolBinDir} to the path`);
+      log.info(`Added ${inputs.toolBinDir} to the path`);
     }
   } else {
     if (process.env.UV_NO_MODIFY_PATH !== undefined) {
-      core.info("UV_NO_MODIFY_PATH is set, not adding user local bin to path");
+      log.info("UV_NO_MODIFY_PATH is set, not adding user local bin to path");
       return;
     }
     if (process.env.XDG_BIN_HOME !== undefined) {
       core.addPath(process.env.XDG_BIN_HOME);
-      core.info(`Added ${process.env.XDG_BIN_HOME} to the path`);
+      log.info(`Added ${process.env.XDG_BIN_HOME} to the path`);
     } else if (process.env.XDG_DATA_HOME !== undefined) {
       core.addPath(`${process.env.XDG_DATA_HOME}/../bin`);
-      core.info(`Added ${process.env.XDG_DATA_HOME}/../bin to the path`);
+      log.info(`Added ${process.env.XDG_DATA_HOME}/../bin to the path`);
     } else {
       core.addPath(`${process.env.HOME}/.local/bin`);
-      core.info(`Added ${process.env.HOME}/.local/bin to the path`);
+      log.info(`Added ${process.env.HOME}/.local/bin to the path`);
     }
   }
 }
@@ -187,25 +209,25 @@ function addToolBinToPath(inputs: SetupInputs): void {
 function setToolDir(inputs: SetupInputs): void {
   if (inputs.toolDir !== undefined) {
     core.exportVariable("UV_TOOL_DIR", inputs.toolDir);
-    core.info(`Set UV_TOOL_DIR to ${inputs.toolDir}`);
+    log.info(`Set UV_TOOL_DIR to ${inputs.toolDir}`);
   }
 }
 
 function addPythonDirToPath(inputs: SetupInputs): void {
   core.exportVariable("UV_PYTHON_INSTALL_DIR", inputs.pythonDir);
-  core.info(`Set UV_PYTHON_INSTALL_DIR to ${inputs.pythonDir}`);
+  log.info(`Set UV_PYTHON_INSTALL_DIR to ${inputs.pythonDir}`);
   if (process.env.UV_NO_MODIFY_PATH !== undefined) {
-    core.info("UV_NO_MODIFY_PATH is set, not adding python dir to path");
+    log.info("UV_NO_MODIFY_PATH is set, not adding python dir to path");
   } else {
     core.addPath(inputs.pythonDir);
-    core.info(`Added ${inputs.pythonDir} to the path`);
+    log.info(`Added ${inputs.pythonDir} to the path`);
   }
 }
 
 function setupPython(inputs: SetupInputs): void {
   if (inputs.pythonVersion !== "") {
     core.exportVariable("UV_PYTHON", inputs.pythonVersion);
-    core.info(`Set UV_PYTHON to ${inputs.pythonVersion}`);
+    log.info(`Set UV_PYTHON to ${inputs.pythonVersion}`);
   }
 }
 
@@ -217,7 +239,7 @@ async function activateEnvironment(inputs: SetupInputs): Promise<void> {
       );
     }
 
-    core.info(`Creating and activating python venv at ${inputs.venvPath}...`);
+    log.info(`Creating and activating python venv at ${inputs.venvPath}...`);
     const venvArgs = [
       "venv",
       inputs.venvPath,
@@ -243,13 +265,13 @@ async function activateEnvironment(inputs: SetupInputs): Promise<void> {
 function setCacheDir(inputs: SetupInputs): void {
   if (inputs.cacheLocalPath !== undefined) {
     if (inputs.cacheLocalPath.source === CacheLocalSource.Config) {
-      core.info(
+      log.info(
         "Using cache-dir from uv config file, not modifying UV_CACHE_DIR",
       );
       return;
     }
     core.exportVariable("UV_CACHE_DIR", inputs.cacheLocalPath.path);
-    core.info(`Set UV_CACHE_DIR to ${inputs.cacheLocalPath.path}`);
+    log.info(`Set UV_CACHE_DIR to ${inputs.cacheLocalPath.path}`);
   }
 }
 

src/update-known-checksums.ts

@@ -10,6 +10,7 @@ import {
   getLatestVersion,
   type ManifestVersion,
 } from "./download/manifest";
+import * as log from "./utils/logging";
 
 const VERSION_IN_CHECKSUM_KEY_PATTERN =
   /-(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)$/;
@@ -26,7 +27,7 @@ async function run(): Promise<void> {
   const latestKnownVersion = getLatestKnownVersionFromChecksums();
 
   if (semver.lte(latestVersion, latestKnownVersion)) {
-    core.info(
+    log.info(
       `Latest release (${latestVersion}) is not newer than the latest known version (${latestKnownVersion}). Skipping update.`,
     );
     return;

src/utils/fetch.ts

@@ -14,8 +14,17 @@ export function getProxyAgent() {
   return undefined;
 }
 
-export const fetch = async (url: string, opts: RequestInit) =>
-  await undiciFetch(url, {
+export const fetch = async (url: string, opts: RequestInit) => {
+  // Merge timeout signal with any existing signal from opts
+  const timeoutSignal = AbortSignal.timeout(5_000);
+  const existingSignal = opts.signal;
+  const mergedSignal = existingSignal
+    ? AbortSignal.any([timeoutSignal, existingSignal])
+    : timeoutSignal;
+
+  return await undiciFetch(url, {
     dispatcher: getProxyAgent(),
     ...opts,
+    signal: mergedSignal,
   });
+};

src/utils/inputs.ts

@@ -1,6 +1,7 @@
 import path from "node:path";
 import * as core from "@actions/core";
 import { getConfigValueFromTomlFile } from "./config-file";
+import * as log from "./logging";
 
 export enum CacheLocalSource {
   Input,
@@ -40,7 +41,9 @@ export interface SetupInputs {
   pythonDir: string;
   githubToken: string;
   manifestFile?: string;
+  downloadFromAstralMirror: boolean;
   addProblemMatchers: boolean;
+  quiet: boolean;
   resolutionStrategy: ResolutionStrategy;
 }
 
@@ -73,7 +76,10 @@ export function loadInputs(): SetupInputs {
   const pythonDir = getUvPythonDir();
   const githubToken = core.getInput("github-token");
   const manifestFile = getManifestFile();
+  const downloadFromAstralMirror =
+    core.getInput("download-from-astral-mirror") === "true";
   const addProblemMatchers = core.getInput("add-problem-matchers") === "true";
+  const quiet = core.getInput("quiet") === "true";
   const resolutionStrategy = getResolutionStrategy();
 
   return {
@@ -84,6 +90,7 @@ export function loadInputs(): SetupInputs {
     cachePython,
     cacheSuffix,
     checksum,
+    downloadFromAstralMirror,
     enableCache,
     githubToken,
     ignoreEmptyWorkdir,
@@ -93,6 +100,7 @@ export function loadInputs(): SetupInputs {
     pruneCache,
     pythonDir,
     pythonVersion,
+    quiet,
     resolutionStrategy,
     restoreCache,
     saveCache,
@@ -121,7 +129,7 @@ function getVenvPath(
   const venvPathInput = core.getInput("venv-path");
   if (venvPathInput !== "") {
     if (!activateEnvironment) {
-      core.warning("venv-path is only used when activate-environment is true");
+      log.warning("venv-path is only used when activate-environment is true");
     }
     const tildeExpanded = expandTilde(venvPathInput);
     return normalizePath(resolveRelativePath(workingDirectory, tildeExpanded));
@@ -192,7 +200,7 @@ function getCacheLocalPath(
     return { path: cacheDirFromConfig, source: CacheLocalSource.Config };
   }
   if (process.env.UV_CACHE_DIR !== undefined) {
-    core.info(`UV_CACHE_DIR is already set to ${process.env.UV_CACHE_DIR}`);
+    log.info(`UV_CACHE_DIR is already set to ${process.env.UV_CACHE_DIR}`);
     return { path: process.env.UV_CACHE_DIR, source: CacheLocalSource.Env };
   }
   if (enableCache) {
@@ -229,12 +237,12 @@ function getCacheDirFromConfig(
     try {
       const cacheDir = getConfigValueFromTomlFile(resolvedPath, "cache-dir");
       if (cacheDir !== undefined) {
-        core.info(`Found cache-dir in ${resolvedPath}: ${cacheDir}`);
+        log.info(`Found cache-dir in ${resolvedPath}: ${cacheDir}`);
         return cacheDir;
       }
     } catch (err) {
       const message = (err as Error).message;
-      core.warning(`Error while parsing ${filePath}: ${message}`);
+      log.warning(`Error while parsing ${filePath}: ${message}`);
       return undefined;
     }
   }
@@ -243,7 +251,7 @@ function getCacheDirFromConfig(
 
 export function getUvPythonDir(): string {
   if (process.env.UV_PYTHON_INSTALL_DIR !== undefined) {
-    core.info(
+    log.info(
       `UV_PYTHON_INSTALL_DIR is already set to ${process.env.UV_PYTHON_INSTALL_DIR}`,
     );
     return process.env.UV_PYTHON_INSTALL_DIR;

src/utils/logging.ts

@@ -0,0 +1,21 @@
+import * as core from "@actions/core";
+
+let quiet: boolean | undefined;
+
+function isQuiet(): boolean {
+  if (quiet === undefined) {
+    quiet =
+      typeof core.getInput === "function" && core.getInput("quiet") === "true";
+  }
+  return quiet;
+}
+
+export function info(msg: string): void {
+  if (!isQuiet()) {
+    core.info(msg);
+  }
+}
+
+export const warning = core.warning;
+export const error = core.error;
+export const debug = core.debug;

src/version/file-parser.ts

@@ -1,6 +1,6 @@
 import fs from "node:fs";
-import * as core from "@actions/core";
 import { getConfigValueFromTomlContent } from "../utils/config-file";
+import * as log from "../utils/logging";
 import {
   getUvVersionFromParsedPyproject,
   getUvVersionFromRequirementsText,
@@ -62,10 +62,10 @@ const VERSION_FILE_PARSERS: VersionFileParser[] = [
 export function getParsedVersionFile(
   filePath: string,
 ): ParsedVersionFile | undefined {
-  core.info(`Trying to find version for uv in: ${filePath}`);
+  log.info(`Trying to find version for uv in: ${filePath}`);
 
   if (!fs.existsSync(filePath)) {
-    core.info(`Could not find file: ${filePath}`);
+    log.info(`Could not find file: ${filePath}`);
     return undefined;
   }
 
@@ -81,15 +81,13 @@ export function getParsedVersionFile(
     }
 
     const normalizedSpecifier = normalizeVersionSpecifier(specifier);
-    core.info(`Found version for uv in ${filePath}: ${normalizedSpecifier}`);
+    log.info(`Found version for uv in ${filePath}: ${normalizedSpecifier}`);
     return {
       format: parser.format,
       specifier: normalizedSpecifier,
     };
   } catch (error) {
-    core.warning(
-      `Error while parsing ${filePath}: ${(error as Error).message}`,
-    );
+    log.warning(`Error while parsing ${filePath}: ${(error as Error).message}`);
     return undefined;
   }
 }

src/version/resolve.ts

@@ -4,6 +4,7 @@ import * as pep440 from "@renovatebot/pep440";
 import * as semver from "semver";
 import { getAllVersions, getLatestVersion } from "../download/manifest";
 import type { ResolutionStrategy } from "../utils/inputs";
+import * as log from "../utils/logging";
 import {
   type ParsedVersionSpecifier,
   parseVersionSpecifier,
@@ -56,7 +57,7 @@ class LatestVersionResolver implements ConcreteVersionResolver {
       context.parsedSpecifier.kind === "range" &&
       context.parsedSpecifier.isSimpleMinimumVersionSpecifier
     ) {
-      core.info("Found minimum version specifier, using latest version");
+      log.info("Found minimum version specifier, using latest version");
     }
 
     const latestVersion = await getLatestVersion(context.manifestUrl);

src/version/version-request-resolver.ts

@@ -1,5 +1,5 @@
 import * as path from "node:path";
-import * as core from "@actions/core";
+import * as log from "../utils/logging";
 import { getParsedVersionFile } from "./file-parser";
 import { normalizeVersionSpecifier } from "./specifier";
 import type {
@@ -111,7 +111,7 @@ export class WorkspaceVersionResolver implements VersionRequestResolver {
       };
     }
 
-    core.info(
+    log.info(
       "Could not determine uv version from uv.toml or pyproject.toml. Falling back to latest.",
     );
     return undefined;