
⬆️(dependencies) update GitHub Actions dependencies #42

Merged
jmaupetit merged 1 commit into main from renovate/github-actions-dependencies, Jun 22, 2026

renovate Bot commented Jun 22, 2026

This PR contains the following updates:

| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
| actions/checkout | action | patch | v6.0.2 → v6.0.3 | v7.0.0 (+1) |
| astral-sh/setup-uv | action | minor | v8.1.0 → v8.2.0 | |
| astral-sh/uv | uses-with | patch | 0.11.7 → 0.11.21 | 0.11.23 (+1) |
| postgres | service | major | 16 → 18 | |
| zizmorcore/zizmor-action | action | patch | v0.5.3 → v0.5.6 | v0.5.7 |

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

astral-sh/setup-uv (astral-sh/setup-uv)

v8.2.0: 🌈 New inputs quiet and download-from-astral-mirror

Compare Source

Changes

This release brings two new inputs and a few bug fixes.

New inputs

Let's talk about the new inputs first.

quiet

Pretty simple. It turns off all info logging. Useful if you use this in a composite action and are not interested in all the details.
In the upcoming releases we will add log groups to fully implement support for "less noise".

Note: Warnings and errors are always logged.

download-from-astral-mirror

In some cases you may want to directly use the fallback of checking for available versions and downloading releases from GitHub instead of using the astral.sh mirror. Setting download-from-astral-mirror: false allows you to do that.

Bugfixes

When using the astral.sh mirror to query available versions and download releases (done by default) we now stop sending the GitHub token in the header. The mirror never looked at it but we shouldn't be handing out that data even if it is just a short-lived token.
All other bugfixes try to limit the impact of failed GitHub queries due to retries and other faults.

We couldn't pinpoint all root causes yet but added more logging for error cases to track them down.

🐛 Bug fixes
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

astral-sh/uv (astral-sh/uv)

v0.11.21

Compare Source

Released on 2026-06-11.

Python
Preview features
  • Add environment.root to uv workspace metadata --sync (#​19760)
  • Allow uv upgrade to update a single dependency constraint (#​19738)
  • Compute and pass uv workspace metadata payload in ty check (#​19763)
  • Make packaged applications the default for uv init (#​17841)
Performance
  • Add parallel discovery of Python versions for uv python list (#​18684)
  • Avoid normalizing source distribution names twice (#​19784)
Bug fixes
  • Improve cache robustness and pruning behavior
    • Allow CI cache pruning without an sdist bucket (#​19802)
    • Avoid overflow when reading malformed cache entries (#​19799)
    • Preserve cached Python downloads during cache pruning (#​19795)
    • Reject running inside the cache (#​19659)
  • Fix Python discovery and version request edge cases
    • Avoid panics for Unicode Python version requests (#​19797)
    • Fix handling of non-critical errors in uv python list with path requests (#​19774)
    • Fix stop-discovery-at regression (#​19769)
  • Harden parsing and validation for package metadata, requirements, markers, URLs, and conflict sets
    • Allow trailing commas in version specifiers (#​19806)
    • Avoid panics for invalid UTF-8 URL credentials (#​19800)
    • Avoid panics for malformed source distribution filenames (#​19776)
    • Avoid panics for trailing extra separators (#​19779)
    • Avoid stack overflow for recursive requirements path aliases (#​19777)
    • Ignore reversed string compatible-release markers (#​19782)
    • Reject duplicate entries in conflict sets (#​19801)
    • Reject malformed hash options in requirements files (#​19783)
    • Reject source distribution filenames without a separator (#​19803)
    • Use UTF-8 lengths for requirement errors (#​19781)
    • Use UTF-8 lengths for trailing marker errors (#​19796)
    • Use byte offsets when peeking over requirements (#​19780)
    • Validate GraalPy ABI suffixes (#​19805)
  • Improve wheel entry-point error handling and virtual environment activation quoting
    • Propagate errors when reading wheel entry points (#​19794)
    • Quote virtual environment activation paths with shell metacharacters (#​19798)

v0.11.20

Compare Source

Released on 2026-06-10.

Enhancements
  • Add --emit-index-url and --emit-find-links to uv export (#​18370)
  • Add --find-links support for uv pip list (#​16103)
  • Group executable install errors during uv python install (#​19691)
  • Use ICF in macOS release builds to reduce binary sizes (#​19615)
Preview features
  • Add initial hidden uv upgrade command (#​19678)
  • Reject Git revisions in uv upgrade (#​19742)
Configuration
  • Recognize UV_NO_INSTALL_PROJECT, UV_NO_INSTALL_WORKSPACE, UV_NO_INSTALL_LOCAL (#​19323)
Performance
  • Speed up discovery of large workspaces (#​18311)
Bug fixes
  • Allow unknown preview flags with a warning again (#​19669)
  • Apply dependency exclusions to direct requirements (#​19699)
  • Avoid following external symlinks during cache clean (#​19682)
  • Avoid following symlinks during cache prune (#​19543)
  • Fix Git cache keys for worktrees and packed refs (#​19706)
  • Make resolver error handling iterative to avoid stack overflows (#​19695)
  • Pass VIRTUAL_ENV through cygpath inside fish on Windows (#​19703)
  • Rebuild explicit local directory tool installs (#​19591)
  • Validate egg top-level entries as identifiers (#​19679)
Documentation
  • Document --find-links caching behavior (#​19585)
  • Add a small section for malware checks (#​19680)

v0.11.19

Compare Source

Released on 2026-06-03.

Python
Enhancements
  • Always compute SHA256 for remote distributions (#​19662)
  • Add PyEmscripten platform (PEP 783) (#​19629)
  • Add Pyodide 2025 target triple (#​19653)
Preview features
  • Make preview features for commands have names that aren't ambiguous with the command (#​19645)
  • Respect --isolated in uv check (#​19666)
Bug fixes
  • Continue tool uninstall after dangling receipts (#​19623)
  • Skip Unix-specific installation steps when cross-installing Windows Python distributions (#​19424)

v0.11.18

Compare Source

Released on 2026-06-01.

Performance
  • Fix performance regression in unzip of local wheels (#​19637)
Preview
Bug fixes
  • Update activation scripts with upstream fixes (#​19628)
Other changes

v0.11.17

Compare Source

Released on 2026-05-28.

Enhancements
  • Add a diagnostic for uv add with standard library modules (#​19572)
  • Expose uv workspace and its list subcommand in help output (#​19533)
  • Improve the "403 forbidden" hint to suggest ignore-error-codes when applicable (#​19521)
  • Skip direct URL lock freshness checks while offline (#​19596)
  • Add import-names and import-namespaces support to uv-build (PEP 794) (#​19380)
  • Add a --no-editable-package flag to various commands (#​19584)
  • Infer Python version requests from source trees in uv tool invocations (#​19577)
Preview features
  • Add module owners to uv workspace metadata (#​19122)
  • Do not allow uv venv --clear to remove non-virtual environments (#​19595)
Bug fixes
  • Improve the performance of large entries in tool.uv.conflicts (#​19538)
  • Avoid modifying the parent process' env with --env-file in uv run (#​19567)
  • Fix script environment creation for scripts with long filenames (#​19539)
  • Fix transitive Git archive dependencies in lockfiles (#​19589)
  • Preserve Git repository URLs in direct URL metadata (#​19590)
  • Support redirects in --check-url (#​19594)
  • Accept case-insensitive HTML tags in --find-links parsing (#​19537)
  • Reject duplicate script metadata blocks (#​19544)
  • Ban names like "python3" as script entry points (#​19535, #​19536)
  • Validate Git LFS artifacts for Git archives (#​19592)
  • Use a relative path when creating symlinks in cache to improve relocatability (#​19033)
Documentation
  • Fix malformed positional anchors in the CLI reference (#​19575)

v0.11.16

Compare Source

Released on 2026-05-21.

Enhancements
  • Add support for direct archive dependencies in Git (#​10072)
  • Adjust hint rendering (#​18090)
Preview features
  • uv audit: specialize malformed OSV error (#​19515)
  • Reject locked malware installations (#​18936)
Configuration
  • Allow disabling reading the system config with UV_NO_SYSTEM_CONFIG (#​19476)
Bug fixes
  • Allow environment variables that take a list to be empty (#​19503)
  • Ensure that incompatible wheel hints do not leak secrets (#​19504)
  • Reject unsafe entry points in uv-build (#​19495)
  • Restrict delimiters in entry point parsing (#​19471)
  • uv-netrc: fix multi-word no-space comment lines causing parse errors (#​19494)
Documentation
  • Document and test relative exclude-newer support for uv pip (#​19475)

v0.11.15

Compare Source

Released on 2026-05-18.

Security
Enhancements
  • Add TOML v1.1 -> v1.0 backwards compatibility for source distributions (#​18741)
  • Add support for Azure request signing (#​19421)
  • Apply stricter validation to all wheel filename segments (#​19364)
  • Reject empty strings as an invalid package name (#​19435)
  • Use structured errors for signing authentication failures (#​19422)
Preview
Configuration
  • Respect required-environments in uv pip compile (#​19378)
Performance
  • Avoid parsing JSON manifest when local Python is available (#​19398)
  • Avoid walking nested directories in linker conflict registration (#​19382)
  • Optimize async wheel ZIP writing (#​19383)
  • Fix dead "already trimmed" fast-path in Version::only_release_trimmed (#​19425)
Bug fixes
  • Apply workspace-member [tool.uv.sources] credentials under uv sync --frozen (#​19423)
  • Skip empty directories in uv build outputs (#​19437)
  • Fix Git submodule handling when using relative paths (#​12156)
  • Fix line number reporting in netrc parsing (#​19452)
Documentation
  • Move Bazel auth helper setup into integration guide (#​19392)

v0.11.14

Compare Source

Released on 2026-05-12.

Enhancements
  • Add Astral mirror URL override (#​19206)
  • Ignore top_level.txt entries in uninstall that are not valid Python identifiers (#​19340)
Bug fixes
  • Avoid applying .env files in parent process (#​19343)
  • Filter ANSI codes in logging output (#​19311)
  • Fix uv tree showing extra-conditional deps for packages required without extras (#​19332)
  • Respect build options (e.g., --no-build) during lock validation (#​19366)

v0.11.13

Compare Source

Released on 2026-05-10.

Bug fixes
  • Include data files in editable builds (#​19312)
  • Respect --require-hashes when installing from pylock.toml files (#​19334)
Python
  • Add CPython 3.14.5

v0.11.12

Compare Source

Released on 2026-05-08.

Python
  • Add CPython 3.15.0b1
Enhancements
  • Add --no-editable support to uv pip install (#​19306)
  • Require git refs in URLs to be percent-encoded (#​19320)
Bug fixes
Documentation
  • Fix bug from inconsistent workflow name in GHA-PyPI guide example (#​19309)

v0.11.11

Compare Source

Released on 2026-05-06.

Bug fixes
  • Accept legacy ID format from pre-0.11.9 cache entries (#​19301)

v0.11.10

Compare Source

Released on 2026-05-05.

Bug fixes
  • Allow pre-release Python requests with non-zero patch versions (#​19286)

v0.11.9

Compare Source

Released on 2026-05-04.

This release includes a special release candidate for the next Python 3.14 patch release. Python 3.14 included a new garbage collection implementation, which reduced pause times but caused significant unexpected memory pressure in production environments. In 3.14.5 and 3.15, the previous garbage collection implementation will be restored.

We would greatly appreciate it if you tested the 3.14.5rc1 version included in this release. The stable version is expected to be released soon and any feedback on potential issues would be helpful to the Python development team.

For more context, see the announcement, issue, and pull request.

Issues with the new release can be reported in the uv or CPython issue trackers.

Python
  • Upgrade PyPy to v7.3.22
  • Add CPython 3.14.5rc1
  • On macOS, CPython statically links libpython to match Linux
Enhancements
  • Omit compatible release desugaring for pre-release hints (#​19267)
  • Fix file locks on Android (#​18323)
Preview
  • uv audit add reporting for adverse project statuses (#​19128)
Bug fixes
  • Discover versioned Python executables when requires-python pins a version (#​18700)
  • Fix URL prefix matching to require path boundaries (#​19154)
  • Fix transitive Git path dependencies in lockfiles (#​19269)
  • Handle incorrect unlock error in LockedFile::drop on Wine (#​19229)
  • Prevent uninstalling site-packages for empty top_level.txt in .egg-info (#​19114)
  • Use symlinks instead of junctions on Wine (#​19213)
  • Fix floating-point environment handling on ARMv7 (#​19157)
  • Redact credentials from remote requirements URL in offline errors (#​19216)
  • Windows trampolines no longer set PYTHONHOME and only set __PYVENV_LAUNCHER__ for virtual environments (#​19199)
Documentation
  • Mark --native-tls and UV_NATIVE_TLS as deprecated (#​18705)
  • Re-add pytorch-triton-rocm to PyTorch ROCm docs (#​19241)
  • Tweak changelog entries for 0.11.8 (#​19188)
  • Add 'Exporting lockfiles' to the Concepts->Projects index (#​19209)
  • Clarify that uv init creates git files / folders in the projects guide (#​19183)

v0.11.8

Compare Source

Released on 2026-04-27.

Enhancements
  • Add --python-downloads-json-url to python pin (#​19092)
  • Fetch uv from Astral mirror during self-update (#​18682)
  • Support pip uninstall -y (#​19082)
  • Allow exclude-newer to be missing from the lockfile when exclude-newer-span is present (#​19024)
  • Only show the version number in uv self version --short (#​19019)
  • Silence warnings on empty SSL_CERT_DIR directory (#​19018)
  • Use a sentinel timestamp for relative exclude-newer and exclude-newer-package values in lockfiles (#​19022, #​19101)
Configuration
  • Add UV_PYTHON_NO_REGISTRY (#​19035)
  • Add an environment variable for UV_NO_PROJECT (#​19052)
  • Expose UV_PYTHON_SEARCH_PATH for Python discovery PATH overrides (#​19034)
Bug fixes
  • Add rust-toolchain.toml to uv-build sdist (#​19131)
  • Ensure uv invocations of git do not inherit repository location environment variables (#​19088)
  • Redact pre-signed upload URLs in verbose output (#​19146)
  • Handle transitive URL dependencies in PEP 517 build requirements (#​19076, #​19086)
  • Support uv lock on a pyproject.toml that only contains dependency-groups (#​19087)
  • Disable transparent Python upgrades in projects when a patch version is requested via .python-version (#​19102)
  • Fix Python variant tagging in the Windows registry (#​19012)
  • Ban external symlinks in .tar.zst wheels (#​19144)
Distributions
  • Remove deprecated license classifiers from uv-build and add Python 3.14 classifier (#​19130)
Documentation
  • Bump astral-sh/setup-uv version in docs (#​19030)
  • Update PyTorch documentation for PyTorch 2.11 (#​19095)

zizmorcore/zizmor-action (zizmorcore/zizmor-action)

v0.5.6

Compare Source

  • 1.25.2 is now available via the action
  • 1.25.2 is now the default version of zizmor used by the action

v0.5.5

Compare Source

This is a no-op release.

v0.5.4

Compare Source

  • 1.25.0 is now available via the action
  • 1.25.0 is now the default version of zizmor used by the action

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 7am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot added the automated, dependencies and noChangeLog labels Jun 22, 2026
jmaupetit force-pushed the renovate/github-actions-dependencies branch from 28301a1 to 2de83f0, June 22, 2026 20:30

renovate Bot commented Jun 22, 2026

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

jmaupetit force-pushed the renovate/github-actions-dependencies branch from 2de83f0 to 965ce32, June 22, 2026 20:36
jmaupetit merged commit 965ce32 into main, Jun 22, 2026
8 checks passed
jmaupetit deleted the renovate/github-actions-dependencies branch, June 22, 2026 20:38