ci: fix astral-sh/setup-uv version comment tags to match v8.0.0 SHA by dependabot[bot] · Pull Request #59 · developmentseed/action-python-security-auditing

dependabot · 2026-04-09T00:47:34Z

The astral-sh/setup-uv SHA cec208311dfd045dd5311c1add060b2062131d57 was pinned correctly to v8.0.0 but the inline version comments still read # v5.3.1, triggering zizmor alerts for mismatched SHA/tag annotations.

Updated all three occurrences to # v8.0.0:
- .github/workflows/ci.yml (pre-commit and test jobs)
- .github/workflows/integration-tests.yml (uv setup step)

.github/workflows/ci.yml

.github/workflows/integration-tests.yml

github-actions · 2026-04-09T00:48:53Z

✅ All test workflows behaved as expected

13 passed, 0 failed

Test	Name	Expected	Actual	Bandit	pip-audit	Result
01	requirements · flat · clean	success	success	—	—	✅
02	requirements · src/ · bandit HIGH	failure	failure	B105, B404, B602	—	✅
03	requirements · src/+scripts/ · bandit HIGH + pip-audit	failure	failure	B105, B404, B602	cryptography, idna, requests, urllib3	✅
04	uv · flat · clean	success	success	—	—	✅
05	uv · src/ · pip-audit vuln	failure	failure	—	idna, requests, urllib3	✅
06	uv · src/+scripts/ · bandit MEDIUM	failure	failure	B324, B506	—	✅
07	poetry · flat · clean	success	success	—	—	✅
08	poetry · src/ · bandit MEDIUM + pip-audit	failure	failure	B105, B324	cryptography, idna, requests, urllib3	✅
09	pipenv · flat · clean	success	success	—	—	✅
10	pipenv · src/+scripts/ · bandit HIGH	failure	failure	B404, B602	—	✅
11	requirements · flat · clean (root working dir)	success	success	—	—	✅
12	uv · flat · bandit-only (no pip-audit)	failure	failure	B404, B602	disabled	✅
14	uv · flat · low threshold (B101 assert)	failure	failure	B101	disabled	✅

lhoupert · 2026-04-09T09:07:10Z

@dependabot rebase

lhoupert · 2026-04-09T09:15:31Z

@copilot fix the version comment tags so they match version associated with the sha-commit

Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 5.4.2 to 8.0.0. - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@v5.4.2...cec2083) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

Agent-Logs-Url: https://github.com/developmentseed/action-python-security-auditing/sessions/06aab771-50dc-4269-81cf-84d7e08df002 Co-authored-by: lhoupert <10154151+lhoupert@users.noreply.github.com>

Copilot · 2026-04-09T10:09:13Z

@copilot fix the version comment tags so they match version associated with the sha-commit

Fixed in 90fcf65. All three astral-sh/setup-uv references now have # v8.0.0 comments that correctly match the SHA cec208311dfd045dd5311c1add060b2062131d57.

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Apr 9, 2026

github-advanced-security bot found potential problems Apr 9, 2026

View reviewed changes

.github/workflows/ci.yml Fixed Show fixed Hide fixed

.github/workflows/ci.yml Fixed Show fixed Hide fixed

.github/workflows/integration-tests.yml Fixed Show fixed Hide fixed

dependabot bot force-pushed the dependabot/github_actions/astral-sh/setup-uv-8.0.0 branch from 49aa2ee to a9ef015 Compare April 9, 2026 09:08

lhoupert self-requested a review April 9, 2026 09:13

dependabot bot force-pushed the dependabot/github_actions/astral-sh/setup-uv-8.0.0 branch from a9ef015 to d7f9697 Compare April 9, 2026 09:17

Copilot started work on behalf of lhoupert April 9, 2026 10:07 View session

ci: fix setup-uv version comment tags to match v8.0.0

90fcf65

Agent-Logs-Url: https://github.com/developmentseed/action-python-security-auditing/sessions/06aab771-50dc-4269-81cf-84d7e08df002 Co-authored-by: lhoupert <10154151+lhoupert@users.noreply.github.com>

Copilot AI changed the title ~~ci: bump astral-sh/setup-uv from 5.4.2 to 8.0.0~~ ci: fix astral-sh/setup-uv version comment tags to match v8.0.0 SHA Apr 9, 2026

Copilot finished work on behalf of lhoupert April 9, 2026 10:11

lhoupert approved these changes Apr 9, 2026

View reviewed changes

lhoupert merged commit 9853eeb into main Apr 9, 2026
20 checks passed

lhoupert deleted the dependabot/github_actions/astral-sh/setup-uv-8.0.0 branch April 9, 2026 19:39

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ci: fix astral-sh/setup-uv version comment tags to match v8.0.0 SHA#59

ci: fix astral-sh/setup-uv version comment tags to match v8.0.0 SHA#59
lhoupert merged 2 commits intomainfrom
dependabot/github_actions/astral-sh/setup-uv-8.0.0

dependabot bot commented on behalf of github Apr 9, 2026 •

edited by Copilot AI

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Apr 9, 2026 •

edited

Loading

Uh oh!

lhoupert commented Apr 9, 2026

Uh oh!

lhoupert commented Apr 9, 2026

Uh oh!

Copilot AI commented Apr 9, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

dependabot bot commented on behalf of github Apr 9, 2026 • edited by Copilot AI Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Apr 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ All test workflows behaved as expected

Uh oh!

lhoupert commented Apr 9, 2026

Uh oh!

lhoupert commented Apr 9, 2026

Uh oh!

Copilot AI commented Apr 9, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

dependabot bot commented on behalf of github Apr 9, 2026 •

edited by Copilot AI

Loading

github-actions bot commented Apr 9, 2026 •

edited

Loading