
ci(deps): bump astral-sh/setup-uv from 4 to 6 #62

Merged
jeremyeder merged 1 commit into main from dependabot-github_actions-astral-sh-setup-uv-6
Sep 11, 2025


@dependabot dependabot bot commented on behalf of github Sep 11, 2025

Bumps astral-sh/setup-uv from 4 to 6.

Release notes

Sourced from astral-sh/setup-uv's releases.

v6.6.0 🌈 Support for .tools-versions

Changes

This release adds support for asdf .tool-versions in the version-file input

🐛 Bug fixes

🚀 Enhancements

🧰 Maintenance

v6.2.1 🌈 Fix "No such file or directory version-manifest.json"

Changes

Release v6.2.0 contained a bug that slipped through the automated test. The action tried to look for the default version-manifest.json in the root of the repository using this action instead of relative to the action itself.

🐛 Bug fixes

v6.0.0 🌈 activate-environment and working-directory

Changes

This version contains some breaking changes which have been gathering up for a while. Let's dive into them:

Activate environment

In previous versions using the input python-version automatically activated a venv at the repository root. This led to some unwanted side-effects, was sometimes unexpected and not flexible enough.

The venv activation is now explicitly controlled with the new input activate-environment (false by default):

- name: Install the latest version of uv and activate the environment
  uses: astral-sh/setup-uv@v6
  with:

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 4 to 6.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@v4...v6)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and github_actions (Pull requests that update GitHub Actions code) labels Sep 11, 2025

claude bot commented Sep 11, 2025

🔍 Pull Request Review

Overview

This is a Dependabot-generated PR that bumps astral-sh/setup-uv from v4 to v6. The change affects only the RFE Builder test workflow.

Code Quality & Best Practices

  • Clean dependency update: Single-line change with clear purpose
  • Automated approach: Dependabot ensures consistent version tracking
  • Semantic versioning: Major version bump from v4 to v6 is correctly handled

⚠️ Potential Issues & Breaking Changes

IMPORTANT: This is a major version bump (v4 → v6) with significant breaking changes according to the release notes:

  1. Environment Activation Changes:

    • Previous versions automatically activated venv when using python-version
    • v6 requires explicit activate-environment: true input
    • Current workflow may be affected as it relies on venv activation in steps 42-46
  2. Recommended Action:
    Add activate-environment: true to the setup-uv step:

    - name: Install uv
      uses: astral-sh/setup-uv@v6
      with:
        enable-cache: true
        cache-dependency-glob: "demos/rfe-builder/uv.lock"
        activate-environment: true  # Add this line

🚀 Performance Considerations

  • Positive: v6 includes performance improvements and better caching
  • New features: Support for .tool-versions files and improved dependency globbing
  • Cache efficiency: Enhanced cache-dependency-glob functionality

🔒 Security Considerations

  • Low risk: This is a well-maintained GitHub Action from Astral (uv maintainers)
  • Dependency chain: No additional security concerns introduced
  • Provenance: Dependabot provides full change transparency

🧪 Test Coverage

  • Current: Existing CI will validate the change
  • Recommendation: Monitor first run carefully due to potential environment activation issues
  • Fallback: Easy rollback if issues occur

📋 Action Items

  1. Before merging: Add activate-environment: true to prevent workflow failures
  2. Test: Verify CI passes after the addition
  3. Monitor: Watch first few runs for any unexpected behaviors

Overall Assessment: ✅ Approve with modifications

Safe dependency update that brings valuable improvements, but requires the small configuration addition noted above to prevent workflow breakage.


Generated with feedback following vTeam repository conventions from CLAUDE.md


claude bot commented Sep 11, 2025

Code Review: Dependency Update - astral-sh/setup-uv v4 → v6

✅ Overall Assessment

This is a straightforward and safe dependency update from Dependabot. The change is minimal and low-risk.

📋 Review Details

Code Quality & Best Practices

  • ✅ Good: Single-line change updating the GitHub Action version
  • ✅ Good: Follows semantic versioning and uses pinned major version (@v6)
  • ✅ Good: Change aligns with the project's use of uv for Python dependency management

Compatibility Analysis

  • ✅ Compatible: Current workflow configuration remains valid with v6
  • ✅ Compatible: All existing inputs (enable-cache, cache-dependency-glob) are still supported
  • ⚠️ Note: v6 introduces breaking changes but they don't affect this workflow:
    • activate-environment now defaults to false (not used here)
    • cache-dependency-glob behavior unchanged for this use case

Security & Performance

  • ✅ Security: Updates to latest version include security patches and bug fixes
  • ✅ Performance: v6.6.0 adds optimizations like API call logging and .tools-versions support
  • ✅ Performance: Caching configuration remains optimal with specific lock file targeting

Workflow Impact Assessment

  • ✅ No Breaking Changes: Current workflow steps will continue working as expected
  • ✅ Environment: Manual venv creation and activation approach remains unaffected
  • ✅ Dependencies: uv commands and pip installation workflow unchanged

Testing Considerations

  • ✅ Low Risk: This is an infrastructure change that doesn't modify application logic
  • ✅ Validation: The existing CI pipeline will validate that the update works correctly
  • 📝 Recommendation: Monitor the first few CI runs after merge to ensure no regressions

🚀 Recommendation

APPROVE - This is a routine maintenance update that brings security improvements and bug fixes without breaking existing functionality.

📚 Reference

@jeremyeder jeremyeder merged commit 52f9902 into main Sep 11, 2025
3 checks passed
@dependabot dependabot bot deleted the dependabot-github_actions-astral-sh-setup-uv-6 branch September 11, 2025 19:11
sallyom pushed a commit that referenced this pull request Oct 15, 2025
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 4 to 6.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@v4...v6)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
@bobbravo2 bobbravo2 added this to the v0.0.1 milestone Jan 30, 2026
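
Whether the v6 change to venv activation touches a given workflow, the point both reviews above turn on, can be checked mechanically. The following is an added example, not part of the PR, the action, or either review: a stdlib-only Python audit that classifies each setup-uv step by the rule in the quoted release notes (python-version used to activate a venv implicitly; v6 needs activate-environment: true). The `audit` function, the verdict names and the sample workflow are constructed for illustration, and the line-based parsing assumes every `- ` line opens a new step (no `- ` lines inside `run:` blocks).

```python
import re

USES = re.compile(r"uses:\s*astral-sh/setup-uv@(\S+)")
KEY = re.compile(r"^\s*(?:-\s+)?([\w-]+):\s*(.*?)\s*(?:#.*)?$")

def audit(workflow_text):
    """Return (ref, verdict) for every setup-uv step in a workflow file."""
    steps, findings = [[]], []
    for line in workflow_text.splitlines():
        if re.match(r"\s*-\s", line):      # a "- " item opens a new step
            steps.append([])
        steps[-1].append(line)
    for step in steps:
        used = USES.search("\n".join(step))
        if not used:
            continue
        ref = used.group(1)
        tag = re.fullmatch(r"v?(\d+)(?:\.\d+)*", ref)
        inputs = {m[1]: m[2].strip("'\"") for m in map(KEY.match, step) if m}
        wants_python = "python-version" in inputs
        if tag is None:                    # branch or SHA: major not visible
            verdict = "unknown-major"
        elif int(tag.group(1)) < 6:        # pre-v6: python-version activates
            verdict = "implicit-activation" if wants_python else "unchanged"
        elif inputs.get("activate-environment", "").lower() == "true":
            verdict = "explicit-activation"
        else:                              # v6+: nothing is activated
            verdict = "lost-activation" if wants_python else "unchanged"
        findings.append((ref, verdict))
    return findings

# Constructed steps; only the first mirrors inputs quoted on this page.
SAMPLE = """\
  - name: Install uv
    uses: astral-sh/setup-uv@v6
    with:
      enable-cache: true
      cache-dependency-glob: "demos/rfe-builder/uv.lock"
  - uses: astral-sh/setup-uv@v6.6.0
    with:
      python-version: "3.12"
  - uses: astral-sh/setup-uv@v6
    with:
      python-version: "3.12"
      activate-environment: true  # explicit opt-in
  - uses: astral-sh/setup-uv@main
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A `lost-activation` verdict only means the implicit venv is gone; whether the job breaks depends on whether later steps create and activate their own environment.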