[CI] Update astral-sh/setup-uv to allowed ref v8.2.0#624
Merged
Conversation
The ASF infrastructure-actions allowlist removed the previously pinned astral-sh/setup-uv ref (5a095e7, v7.3.1). Bump to the latest allowed ref fac544c (v8.2.0), which is currently the newest approved ref and carries no expiry in the allowlist.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates the astral-sh/setup-uv GitHub Action to a newer commit hash. The review feedback correctly identifies that the version comment is incorrect for the specified commit hash and suggests updating it to # v0.8.2.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
yzh119
approved these changes
Jun 17, 2026
tqchen
pushed a commit
that referenced
this pull request
Jun 18, 2026
## Motivation The ASF `infrastructure-actions` allowlist was updated and the `Jimver/cuda-toolkit` ref currently pinned in our CI was removed: - Removed: `Jimver/cuda-toolkit@6008063726ffe3309d1b22e413d9e88fed91a2f2` Since this ref is no longer on the approved list, the ASF action-allowlist check fails for `torch_c_dlpack.yml`. ## Change Bump `Jimver/cuda-toolkit` to the latest allowed ref: - New: `Jimver/cuda-toolkit@3d45d157f327c09c04b50ee6ccdea2d9d017ec76` (v0.2.35) This is the newest `cuda-toolkit` ref on the allowlist and the only one without an `expires_at`, so it is the most durable choice. The step only consumes the stable `CUDA_PATH` output (no `with:` inputs), so the bump needs no other changes. ## Notes This is a follow-up to the action-ref hygiene sweep. The previously-expired `astral-sh/setup-uv` (#624) and `pypa/cibuildwheel` (#626) refs have already been bumped on `main`; `Jimver/cuda-toolkit` was the only remaining ref flagged by the ASF allowlist checker. Verified with the official `apache/infrastructure-actions` `check_asf_allowlist.py` against the current `approved_patterns.yml`: 0 violations after this change.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
The ASF
infrastructure-actionsallowlist was updated and the previously pinnedastral-sh/setup-uvref was removed:astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098(v7.3.1)Since this ref is no longer on the approved list, the action allowlist check will reject our workflows until it is bumped to a currently allowed ref.
Change
Bump all usages of
astral-sh/setup-uvto the latest allowed ref:astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39(v8.2.0)This is the newest ref currently on the allowlist and the only
setup-uventry without anexpires_at, so it is the most durable choice. The v7.x allowed refs expire on 2026-06-27.The change is a straightforward pin update — the workflows only use the stable
python-versionandactivate-environmentinputs, which are unchanged across the v7 → v8 major bump.Files updated (10 occurrences)
.github/actions/build-wheel-for-publish/action.yml.github/workflows/ci_mainline_only.yml.github/workflows/ci_test.yml.github/workflows/torch_c_dlpack.yml