Supporting SHA in with.version field

[rdvansloten]

Hi,

We are trying to minimize our risk of supply chain attacks and found this action in our workflows stick out as one that still demands a static version. It seems to derive version from https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson, which already contains SHA checksums. Some concerns here:

• main is a branch, so any contamination in the supply chain would end up in this file.
• If a version is referenced by number, a potential attacker could simple change the URL field and anyone using this action would pull this on the next run.

- name: Set up UV
  uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57
  with:
    version: "0.x.x"

Example of artifact in https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson:

{
  "version": "0.11.6",
  "date": "2026-04-09T12:12:24Z",
  "artifacts": [
    {
      "platform": "aarch64-apple-darwin",
      "variant": "default",
      "url": "https://github.com/astral-sh/uv/releases/download/0.11.6/uv-aarch64-apple-darwin.tar.gz",
      "archive_format": "tar.gz",
      "sha256": "4b69a4e366ec38cd5f305707de95e12951181c448679a00dce2a78868dfc9f5b"
    }
  ]
}

[eifinger]

Hi.
This action has its own copy of known uv binary checksums which are automatically checked.
I update these checksums for each new version of uv that gets released and a new version of this action then "knows" these checksums.
If you use a version of uv that is "not yet known" to this action you can use the checksum input to make sure the version you want is really downloaded and installed.

[YuriiMotov]

So, before upgrading the version, we need to make sure that current version of action knows the checksum for the version of uv you want to upgrade to.
For example, for action version 8.1.0:
https://github.com/astral-sh/setup-uv/blob/v8.1.0/src/download/checksum/known-checksums.ts