
gateway: add astral-sh/setup-uv #299

Merged
raboof merged 2 commits into apache:main from junrushao:add-uv
Sep 19, 2025

@junrushao
Member

@junrushao junrushao commented Sep 17, 2025

Request for adding a new GitHub Action to the allow list

Overview

Add astral-sh/setup-uv, the official action to install and cache the uv Python package/project manager, to the org-wide allow list. uv provides fast, reproducible Python environment management, lockfiles, and a pip-compatible interface and can also install Python itself; the action installs uv on the runner and (optionally) persists uv’s cache to speed up subsequent runs. This is broadly useful for ASF projects with Python components (builds, tests, docs).

Name of action: astral-sh/setup-uv

URL of action: https://github.com/astral-sh/setup-uv

Version to pin to (hash only): b75a909f75acd358c2196fb9a5f1299a9a8868a4

Permissions

The action downloads uv release artifacts from the astral-sh/uv GitHub Releases API and adds the binary to PATH. No repository write operations are performed by the action itself.

Related Actions

  • actions/setup-python (already allowed via actions/*) installs Python versions and integrates with runner caches. astral-sh/setup-uv is complementary: it installs uv (and uv can then install Python and manage environments), adds optional uv cache persistence, and supports lockfile-driven workflows for determinism and speed.

Checklist

You should be able to check most of these boxes for an action to be considered for review.
Please check all boxes that currently apply:

  • The action is listed in the GitHub Actions Marketplace
  • The action is not already on the list of approved actions
  • The action has a sufficient number of contributors or has contributors within the ASF community
  • The action has a clearly defined license (MIT license in repo)
  • The action is actively developed or maintained (recent releases incl. v6.7.0 on 2025-09-14)
  • The action has CI/unit tests configured (repo shows CI workflows incl. test)

- Adds astral-sh/setup-uv to the org-wide allow list;
- Rationale, alternatives, and security assessment are included in the PR body.
@dave2wave
Member

Please note that the tooling team is making use of this in one of our sample workflows here: https://github.com/apache/tooling-asf-example/blob/main/.github/workflows/build-dists.yaml#L44-L45

@junrushao junrushao changed the title from "allowlist: add astral-sh/setup-uv" to "gateway: add astral-sh/setup-uv" Sep 18, 2025
Member

@raboof raboof left a comment

  • please allow a specific hash instead of a wildcard and add a tag field
  • please remove keep (#252)
  • it would be nice to keep the order somewhat alphabetical, though that might be something for later (#203)

Signed-off-by: Junru Shao <junrushao@apache.org>
@junrushao
Member Author

@raboof Thanks for responding to the request! I've updated the PR accordingly and please review again.

@raboof raboof merged commit 6387862 into apache:main Sep 19, 2025
5 checks passed
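
The review above asked for a specific hash instead of a wildcard. As an added example (not code from this PR or from the ASF gateway tooling), the sketch below checks a workflow's `uses:` lines against an allow list and flags references that are unlisted, pinned to a movable tag, or pinned to an unapproved commit. The allow-list shape, the function name `check_workflow`, the sample workflow and the `example-org/unlisted-action` entry are assumptions made for illustration.

```python
import re

# Assumed allow-list shape for this example: "owner/repo" -> approved commit SHAs.
ALLOWLIST = {
    "astral-sh/setup-uv": {"b75a909f75acd358c2196fb9a5f1299a9a8868a4"},
}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow (not taken from any real repository).
SAMPLE = """\
jobs:
  build:
    steps:
      - uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4
      - uses: astral-sh/setup-uv@v6
      - name: other
        uses: example-org/unlisted-action@0123456789abcdef0123456789abcdef01234567
"""


def check_workflow(text, allowlist=ALLOWLIST):
    """Return (line_no, reference, problem) for each `uses:` that is not an approved pin."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue  # local actions and container images are out of scope here
        action, _, version = ref.partition("@")
        repo = "/".join(action.split("/")[:2])  # owner/repo/subpath -> owner/repo
        approved = allowlist.get(repo)
        if approved is None:
            findings.append((no, ref, "action not on allow list"))
        elif not FULL_SHA_RE.match(version):
            # A tag or branch can be repointed; only a full commit SHA is immutable.
            findings.append((no, ref, "not pinned to a full commit SHA"))
        elif version not in approved:
            findings.append((no, ref, "SHA not approved"))
    return findings


if __name__ == "__main__":
    for no, ref, problem in check_workflow(SAMPLE):
        print(f"line {no}: {ref}: {problem}")
```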
3 participants