Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: astral-sh/setup-uv
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v7.3.1
Choose a base ref
...
head repository: astral-sh/setup-uv
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v7.4.0
Choose a head ref
  • 11 commits
  • 10 files changed
  • 6 contributors

Commits on Feb 28, 2026

  1. chore: update known checksums for 0.10.7 (#775) 

    chore: update known checksums for 0.10.7

Co-authored-by: eifinger <[email protected]>
    @github-actions @eifinger
    github-actions[bot] and eifinger authored Feb 28, 2026
    Configuration menu
    Copy the full SHA
    f8858e6 View commit details
    Browse the repository at this point in the history

Commits on Mar 2, 2026

  1. Bump eifinger/actionlint-action from 1.10.0 to 1.10.1 (#778) 

    Bumps
[eifinger/actionlint-action](https://github.com/eifinger/actionlint-action)
from 1.10.0 to 1.10.1.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/eifinger/actionlint-action/commit/7802e0cc3ab3f81cbffb36fb0bf1a3621d994b89"><code>7802e0c</code></a>
Remove oracle-aarch64 from workflows (<a
href="https://redirect.github.com/eifinger/actionlint-action/issues/36">#36</a>)</li>
<li><a
href="https://github.com/eifinger/actionlint-action/commit/8d9ad94ef799fdd386147ebbed32e940280f3dcd"><code>8d9ad94</code></a>
set default actionlint version to 1.7.11 (<a
href="https://redirect.github.com/eifinger/actionlint-action/issues/35">#35</a>)</li>
<li><a
href="https://github.com/eifinger/actionlint-action/commit/4863b27ac4c7ab9e9c69405b36b49b7b4d97ead9"><code>4863b27</code></a>
build(deps): bump release-drafter/release-drafter from 6.1.0 to 6.2.0
(<a
href="https://redirect.github.com/eifinger/actionlint-action/issues/33">#33</a>)</li>
<li>See full diff in <a
href="https://github.com/eifinger/actionlint-action/compare/447fbfe7533062b7a9ea55f790f2396fba6d052a...7802e0cc3ab3f81cbffb36fb0bf1a3621d994b89">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=eifinger/actionlint-action&package-manager=github_actions&previous-version=1.10.0&new-version=1.10.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 2, 2026
    Configuration menu
    Copy the full SHA
    bd87019 View commit details
    Browse the repository at this point in the history

Commits on Mar 4, 2026

  1. chore: update known checksums for 0.10.8 (#779) 

    chore: update known checksums for 0.10.8

Co-authored-by: eifinger <[email protected]>
    @github-actions @eifinger
    github-actions[bot] and eifinger authored Mar 4, 2026
    Configuration menu
    Copy the full SHA
    09ff6fe View commit details
    Browse the repository at this point in the history

Commits on Mar 6, 2026

  1. Add workflow to auto-build dist on Dependabot PRs (#782) 

    When Dependabot bumps dependencies in package.json, this workflow
automatically runs `npm run all` to rebuild the dist folder and commits
the changes back to the PR.

This ensures the compiled JavaScript in `dist/` stays in sync with
dependency updates.

**How it works:**
1. Triggers on PRs opened by `dependabot[bot]`
2. Runs `npm ci` and `npm run all` (build, check, package, test)
3. Commits any changes to `dist/` back to the PR branch

Uses `stefanzweifel/git-auto-commit-action` for the commit step.
    @eifinger-bot
    eifinger-bot authored Mar 6, 2026
    Configuration menu
    Copy the full SHA
    950b623 View commit details
    Browse the repository at this point in the history

Commits on Mar 7, 2026

  1. chore: update known checksums for 0.10.9 (#783) 

    chore: update known checksums for 0.10.9

Co-authored-by: eifinger <[email protected]>
    @github-actions @eifinger
    github-actions[bot] and eifinger authored Mar 7, 2026
    Configuration menu
    Copy the full SHA
    4bc8fab View commit details
    Browse the repository at this point in the history

  2. Fix: check PR author instead of event sender for Dependabot detection ( 

    …#787)

The previous implementation checked `github.event.sender.login`, which
is whoever triggered the event (e.g., someone closing/reopening the PR).

This fixes it to check `github.event.pull_request.user.login` instead —
the PR author — so the workflow runs correctly whenever a
Dependabot-created PR is opened, synchronized, or reopened.
    @eifinger-bot
    eifinger-bot authored Mar 7, 2026
    Configuration menu
    Copy the full SHA
    5ba8a7e View commit details
    Browse the repository at this point in the history

  3. Harden Dependabot build workflow (#788) 

    ## Summary
- keep the Dependabot build workflow single-job, but harden it a bit
- replace `git-auto-commit-action` with explicit `git` commands and
step-scoped push auth
- add concurrency, a timeout, stricter Dependabot gating, and a guard
for moved PR heads

## Why
The workflow currently fails in the commit step because
`actions/checkout` uses `persist-credentials: false`, but
`git-auto-commit-action` later tries to push via `origin` without any
credentials:

```
fatal: could not read Username for 'https://github.com': No such device or address
```

This change fixes that failure while keeping credentials scoped to the
push step instead of persisting them for the whole job.

## Details
- require `github.event.pull_request.user.login == 'dependabot[bot]'`
- also require the PR head repo to match `github.repository`
- also require the head ref to start with `dependabot/`
- check out the exact PR head SHA
- run `npm ci --ignore-scripts`
- disable git hooks before commit
- skip the dist commit if the PR head moved during the run

## Validation
- `actionlint .github/workflows/dependabot-build.yml`
    @eifinger
    eifinger authored Mar 7, 2026
    Configuration menu
    Copy the full SHA
    2ff70ee View commit details
    Browse the repository at this point in the history

  4. Delete .github/workflows/dependabot-build.yml (#789) 

    Too many security issues and complex setup. Using a Skill instead
    @eifinger
    eifinger authored Mar 7, 2026
    Configuration menu
    Copy the full SHA
    fe3617d View commit details
    Browse the repository at this point in the history

Commits on Mar 10, 2026

  1. Bump actions/setup-node from 6.2.0 to 6.3.0 (#790) 

    Bumps [actions/setup-node](https://github.com/actions/setup-node) from
6.2.0 to 6.3.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/setup-node/releases">actions/setup-node's
releases</a>.</em></p>
<blockquote>
<h2>v6.3.0</h2>
<h2>What's Changed</h2>
<h3>Enhancements:</h3>
<ul>
<li>Support parsing <code>devEngines</code> field by <a
href="https://github.com/susnux"><code>@​susnux</code></a> in <a
href="https://redirect.github.com/actions/setup-node/pull/1283">actions/setup-node#1283</a></li>
</ul>
<blockquote>
<p>When using node-version-file: package.json, setup-node now
prefers devEngines.runtime over engines.node.</p>
</blockquote>
<h3>Dependency updates:</h3>
<ul>
<li>Fix npm audit issues by <a
href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in
<a
href="https://redirect.github.com/actions/setup-node/pull/1491">actions/setup-node#1491</a></li>
<li>Replace uuid with crypto.randomUUID() by <a
href="https://github.com/trivikr"><code>@​trivikr</code></a> in <a
href="https://redirect.github.com/actions/setup-node/pull/1378">actions/setup-node#1378</a></li>
<li>Upgrade minimatch from 3.1.2 to 3.1.5 by <a
href="https://github.com/dependabot"><code>@​dependabot</code></a> in <a
href="https://redirect.github.com/actions/setup-node/pull/1498">actions/setup-node#1498</a></li>
</ul>
<h3>Bug fixes:</h3>
<ul>
<li>Remove hardcoded bearer for mirror-url <a
href="https://github.com/marco-ippolito"><code>@​marco-ippolito</code></a>
in <a
href="https://redirect.github.com/actions/setup-node/pull/1467">actions/setup-node#1467</a></li>
<li>Scope test lockfiles by package manager and update cache tests by <a
href="https://github.com/gowridurgad"><code>@​gowridurgad</code></a> in
<a
href="https://redirect.github.com/actions/setup-node/pull/1495">actions/setup-node#1495</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/susnux"><code>@​susnux</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/setup-node/pull/1283">actions/setup-node#1283</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/setup-node/compare/v6...v6.3.0">https://github.com/actions/setup-node/compare/v6...v6.3.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/setup-node/commit/53b83947a5a98c8d113130e565377fae1a50d02f"><code>53b8394</code></a>
Bump minimatch from 3.1.2 to 3.1.5 (<a
href="https://redirect.github.com/actions/setup-node/issues/1498">#1498</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/54045abd5dcd3b0fee9ca02fa24c57545834c9cc"><code>54045ab</code></a>
Scope test lockfiles by package manager and update cache tests (<a
href="https://redirect.github.com/actions/setup-node/issues/1495">#1495</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/c882bffdbd4df51ace6b940023952e8669c9932a"><code>c882bff</code></a>
Replace uuid with crypto.randomUUID() (<a
href="https://redirect.github.com/actions/setup-node/issues/1378">#1378</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/774c1d62961e73038a114d59c8847023c003194d"><code>774c1d6</code></a>
feat(node-version-file): support parsing <code>devEngines</code> field
(<a
href="https://redirect.github.com/actions/setup-node/issues/1283">#1283</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/efcb663fc60e97218a2b2d6d827f7830f164739e"><code>efcb663</code></a>
fix: remove hardcoded bearer (<a
href="https://redirect.github.com/actions/setup-node/issues/1467">#1467</a>)</li>
<li><a
href="https://github.com/actions/setup-node/commit/d02c89dce7e1ba9ef629ce0680989b3a1cc72edb"><code>d02c89d</code></a>
Fix npm audit issues (<a
href="https://redirect.github.com/actions/setup-node/issues/1491">#1491</a>)</li>
<li>See full diff in <a
href="https://github.com/actions/setup-node/compare/6044e13b5dc448c55e2357c09f80417699197238...53b83947a5a98c8d113130e565377fae1a50d02f">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/setup-node&package-manager=github_actions&previous-version=6.2.0&new-version=6.3.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)


</details>

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
    @dependabot
    dependabot[bot] authored Mar 10, 2026
    Configuration menu
    Copy the full SHA
    0acf970 View commit details
    Browse the repository at this point in the history

  2. Add riscv64 architecture support to platform detection (#791) 

    Add `riscv64gc` as a recognized architecture in the `Architecture` type
union and map Node.js's `riscv64` process.arch value to the `riscv64gc`
uv platform identifier.

This allows the action to correctly detect and download the appropriate
uv binary on RISC-V 64-bit systems (e.g., linux/riscv64 runners).
    @luhenry
    luhenry authored Mar 10, 2026
    Configuration menu
    Copy the full SHA
    9f332a1 View commit details
    Browse the repository at this point in the history

  3. chore(deps): bump versions (#792) 

    ## Summary
- replicate the currently open Dependabot dependency updates in a single
branch
- update `smol-toml` to `^1.6.0`
- update `@biomejs/biome` to `2.3.8`
- regenerate `package-lock.json` and bundled `dist` output

## Notes
- `main` already includes the open Octokit Dependabot bumps, so those
PRs required no additional net changes here
- the open `smol-toml` Dependabot PR currently resolves to `^1.6.0`,
which is what this branch mirrors

## Validation
- `npm run all`
    @eifinger
    eifinger authored Mar 10, 2026
    Configuration menu
    Copy the full SHA
    6ee6290 View commit details
    Browse the repository at this point in the history
Loading