Skip to content

chore(deps): update github actions (major)#5558

Merged
davidzhao merged 1 commit intomainfrom
renovate/major-github-actions
Apr 27, 2026
Merged

chore(deps): update github actions (major)#5558
davidzhao merged 1 commit intomainfrom
renovate/major-github-actions

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Apr 27, 2026

This PR contains the following updates:

Package Type Update Change Pending
actions/github-script action major v8v9
actions/upload-artifact action major v6v7
astral-sh/setup-uv action major v7v8.0.0 v8.1.0

Release Notes

actions/github-script (actions/github-script)

v9

Compare Source

v9.0.0

Compare Source

New features:

  • getOctokit factory function — Available directly in the script context. Create additional authenticated Octokit clients with different tokens for multi-token workflows, GitHub App tokens, and cross-org access. See Creating additional clients with getOctokit for details and examples.
  • Orchestration ID in user-agent — The ACTIONS_ORCHESTRATION_ID environment variable is automatically appended to the user-agent string for request tracing.

Breaking changes:

  • require('@​actions/github') no longer works in scripts. The upgrade to @actions/github v9 (ESM-only) means require('@​actions/github') will fail at runtime. If you previously used patterns like const { getOctokit } = require('@​actions/github') to create secondary clients, use the new injected getOctokit function instead — it's available directly in the script context with no imports needed.
  • getOctokit is now an injected function parameter. Scripts that declare const getOctokit = ... or let getOctokit = ... will get a SyntaxError because JavaScript does not allow const/let redeclaration of function parameters. Use the injected getOctokit directly, or use var getOctokit = ... if you need to redeclare it.
  • If your script accesses other @actions/github internals beyond the standard github/octokit client, you may need to update those references for v9 compatibility.
What's Changed
New Contributors

Full Changelog: actions/github-script@v8.0.0...v9.0.0

actions/upload-artifact (actions/upload-artifact)

v7.0.1

Compare Source

What's Changed

Full Changelog: actions/upload-artifact@v7...v7.0.1

v7.0.0

Compare Source

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

New Contributors

Full Changelog: actions/upload-artifact@v6...v7.0.0

v7

Compare Source

astral-sh/setup-uv (astral-sh/setup-uv)

v8.0.0: 🌈 Immutable releases and secure tags

Compare Source

This is the first immutable release of setup-uv 🥳

All future releases are also immutable, if you want to know more about what this means checkout the docs.

This release also has two breaking changes

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP]
Use the immutable tag as a version astral-sh/setup-uv@v8.0.0
Or even better the githash astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes
🧰 Maintenance

v7.6

Compare Source

v7.6.0: 🌈 Fetch uv from Astral's mirror by default

Compare Source

Changes

We now default to download uv from releases.astral.sh.
This means by default we don't hit the GitHub API at all and shouldn't see any rate limits and timeouts any more.

🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.5

Compare Source

v7.5.0: 🌈 Use astral-sh/versions as version provider

Compare Source

No more rate-limits

This release addresses a long-standing source of timeouts and rate-limit failures in setup-uv.

Previously, the action resolved version identifiers like 0.5.x by iterating over available uv releases via the GitHub API to find the best match. In contrast, latest and exact versions such as 0.5.0 skipped version resolution entirely and downloaded uv directly.

The manifest-file input was an earlier attempt to improve this. It allows providing an url to a file that lists available versions, checksums, and even custom download URLs. The action also shipped with such a manifest.
However, because that bundled file could become outdated whenever new uv releases were published, the action still had to fall back to the GitHub API in many cases.

This release solves the problem by sourcing version data from Astral’s versions repository via the raw content endpoint:

https://raw.githubusercontent.com/astral-sh/versions/refs/heads/main/v1/uv.ndjson

By using the raw endpoint instead of the GitHub API, version resolution no longer depends on API authentication and is much less likely to run into rate limits or timeouts.

[!TIP]
The next section is only interesting for users of the manifest-file input

The manifest-file input lets you override that source with your own URL, for example to test custom uv builds or alternate download locations.

The manifest file must be in NDJSON format, where each line is a JSON object representing a version and its artifacts. For example:

{"version":"0.10.7","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}
{"version":"0.10.6","artifacts":[{"platform":"x86_64-unknown-linux-gnu","variant":"default","url":"https://example.com/uv-x86_64-unknown-linux-gnu.tar.gz","archive_format":"tar.gz","sha256":"..."}]}

[!WARNING]
The old format still works but is deprecated. A warning will be logged when you use it.

Changes
🚀 Enhancements
📚 Documentation

v7.4

Compare Source

v7.4.0: 🌈 Add riscv64 architecture support to platform detection

Compare Source

Changes

Thank you @​luhenry for adding support for riscv64 arch

🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.3.1: 🌈 fall back to VERSION_CODENAME when VERSION_ID is not available

Compare Source

Changes

This release adds support for running in containers like debian:testing or debian:unstable

🐛 Bug fixes
🧰 Maintenance
⬆️ Dependency updates

v7.3.0: 🌈 New features and bug fixes for activate-environment

Compare Source

Changes

This release contains a few bug fixes and a new feature for the activate-environment functionality.

🐛 Bug fixes

🚀 Enhancements

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v7.3

Compare Source

v7.2.1: 🌈 update known checksums up to 0.9.28

Compare Source

Changes
🧰 Maintenance
📚 Documentation
⬆️ Dependency updates

v7.2.0: 🌈 add outputs python-version and python-cache-hit

Compare Source

Changes

Among some minor typo fixes and quality of life features for developers of actions the main feature of this release are new outputs:

  • python-version: The Python version that was set (same content as existing UV_PYTHON)
  • python-cache-hit: A boolean value to indicate the Python cache entry was found

While implementing this it became clear, that it is easier to handle the Python binaries in a separate cache entry. The added benefit for users is that the "normal" cache containing the dependencies can be used in all runs no matter if these cache the Python binaries or not.

[!NOTE]
This release will invalidate caches that contain the Python binaries. This happens a single time.

🐛 Bug fixes
  • chore: remove stray space from UV_PYTHON_INSTALL_DIR message @​akx (#​720)
🚀 Enhancements
🧰 Maintenance
⬆️ Dependency updates

v7.2

Compare Source

v7.1.6: 🌈 add OS version to cache key to prevent binary incompatibility

Compare Source

Changes

This release will invalidate your cache existing keys!

The os version e.g. ubuntu-22.04 is now part of the cache key. This prevents failing builds when a cache got populated with wheels built with different tools (e.g. glibc) than are present on the runner where the cache got restored.

🐛 Bug fixes
🧰 Maintenance
⬆️ Dependency updates

v7.1.5: 🌈 allow setting cache-local-path without enable-cache: true

Compare Source

Changes

#​612 fixed a faulty behavior where this action set UV_CACHE_DIR even though enable-cache was false. It also fixed the cases were the cache dir is already configured in a settings file like pyproject.toml or UV_CACHE_DIR was already set. Here the action shouldn't overwrite or set UV_CACHE_DIR.

These fixes introduced an unwanted behavior: You can still set cache-local-path but this action didn't do anything. This release fixes that.

You can now use cache-local-path to automatically set UV_CACHE_DIR even when enable-cache is false (or gets set to false by default e.g. on self-hosted runners)

- name: This is now possible
  uses: astral-sh/setup-uv@v7
  with:
    enable-cache: false
    cache-local-path: "/path/to/cache"
🐛 Bug fixes
🧰 Maintenance
⬆️ Dependency updates

v7.1.4: 🌈 Fix libuv closing bug on Windows

Compare Source

Changes

This release fixes the bug Assertion failed: !(handle->flags & UV_HANDLE_CLOSING) on Windows runners

🐛 Bug fixes
🧰 Maintenance

v7.1.3: 🌈 Support act

Compare Source

Changes

This bug fix release adds support for https://github.com/nektos/act
It was previously broken because of a too new undici version and TS transpilation target.

Compatibility with act is now automatically tested.

🐛 Bug fixes
🧰 Maintenance
📚 Documentation

v7.1.2: 🌈 Speed up extraction on Windows

Compare Source

Changes

@​lazka fixed a bug that caused extracting uv to take up to 30s. Thank you!

🐛 Bug fixes

🧰 Maintenance

⬆️ Dependency updates

v7.1.1: 🌈 Fix empty workdir detection and lowest resolution strategy

Compare Source

Changes

This release fixes a bug where the working-directory input was not used to detect an empty work dir. It also fixes the lowest resolution strategy resolving to latest when only a lower bound was specified.

Special thanks to @​tpgillam for the first contribution!

🐛 Bug fixes
🧰 Maintenance
📚 Documentation
⬆️ Dependency updates

v7.1.0: 🌈 Support all the use cases

Compare Source

Changes

Support all the use cases!!!
... well, that we know of.

This release adds support for some use cases that most users don't encounter but are useful for e.g. people running Gitea.

The input resolution-strategy lets you use the lowest possible version of uv from a version range. Useful if you want to test your tool with different versions of uv.

If you use activate-environment the path to the activated venv is now also exposed under the output venv.

Downloaded python installations can now also be uploaded to the GitHub Actions cache backend. Useful if you are running in act and have configured your own backend and don't want to download python again, and again over a slow internet connection.

Finally the path to installed python interpreters is now added to the PATH on Windows.

🚀 Enhancements

🧰 Maintenance

📚 Documentation

⬆️ Dependency updates

v7.1

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • "before 9am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
chore(deps): update github actions
ffe1cd7 
Generated by renovateBot
@chenghao-mou chenghao-mou requested a review from a team April 27, 2026 01:58
devin-ai-integration[bot]
devin-ai-integration Bot reviewed Apr 27, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@devin-ai-integration devin-ai-integration Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.

Open in Devin Review

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Apr 27, 2026

STT Test Results

Status: ✗ Some tests failed

Metric Count
✓ Passed 21
✗ Failed 2
× Errors 1
→ Skipped 15
▣ Total 39
⏱ Duration 194.8s
Failed Tests
  • tests.test_stt::test_stream[livekit.plugins.speechmatics] 
    def finalizer() -> None:
        """Yield again, to finalize."""
  
        async def async_finalizer() -> None:
            try:
                await gen_obj.__anext__()
            except StopAsyncIteration:
                pass
            else:
                msg = "Async generator fixture didn't stop."
                msg += "Yield only once."
                raise ValueError(msg)
  
>       runner.run(async_finalizer(), context=context)

.venv/lib/python3.12/site-packages/pytest_asyncio/plugin.py:330: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <asyncio.runners.Runner object at 0x7fac1e3db290>
coro = <coroutine object _wrap_asyncgen_fixture.<locals>._asyncgen_fixture_wrapper.<locals>.finalizer.<locals>.async_finalizer at 0x7fac1e3ebed0>

    def run(self, coro, *, context=None):
        """Run a coroutine inside the embedded event loop."""
        if not coroutines.iscoroutine(coro):
            raise ValueError("a coroutine was expected, got {!r}".format(coro))
  
        if events._get_running_loop() is not None:
            # fail fast with short traceback
            raise RuntimeError(
                "Runner.run() cannot be called from a running event loop")
  
        self._lazy_init()
  
        if context is None:
            context = self._context
        task = self._loop.create_task(coro, context=context)
  
        if (threading.current_thread() is threading.main_thread()
            and signal.getsignal(signal.SIGINT) is signal.default_int_handler
        ):
            sigint_handler = functools.partial(self._on_sigint, main_task=task)
            try:
                signal.signal(signal.SIGINT, sigint_handler)
            except ValueError:
                # `signal.signal` may throw if `threading.main_thread` does
                # not support signals (e.g. embedded interpreter with signals
                # not registered - see gh-91880)
                sigint_handler = None
  • tests.test_stt::test_stream[livekit.plugins.nvidia] 
    stt_factory = <function parameter_factory.<locals>.<lambda> at 0x7fac110b74c0>
request = <FixtureRequest for <Coroutine test_stream[livekit.plugins.nvidia]>>

    @pytest.mark.usefixtures("job_process")
    @pytest.mark.parametrize("stt_factory", STTs)
    async def test_stream(stt_factory: Callable[[], STT], request):
        sample_rate = SAMPLE_RATE
        plugin_id = request.node.callspec.id.split("-")[0]
        frames, transcript, _ = await make_test_speech(chunk_duration_ms=10, sample_rate=sample_rate)
  
        # TODO: differentiate missing key vs other errors
        try:
            stt_instance: STT = stt_factory()
        except ValueError as e:
            pytest.skip(f"{plugin_id}: {e}")
  
        async with stt_instance as stt:
            label = f"{stt.model}@{stt.provider}"
            if not stt.capabilities.streaming:
                pytest.skip(f"{label} does not support streaming")
  
            for attempt in range(MAX_RETRIES):
                try:
                    state = {"closing": False}
  
                    async def _stream_input(
                        frames: list[rtc.AudioFrame], stream: RecognizeStream, state: dict = state
                    ):
                        for frame in frames:
                            stream.push_frame(frame)
                            await asyncio.sleep(0.005)
  
                        stream.end_input()
                        state["closing"] = True
  
                    async def _stream_output(stream: RecognizeStream, state: dict = state):
                        text = ""
                        # make sure the events are sent in the right order
                        recv_start, recv_end = False, True
                        start_time = time.time()
                        got_final_transcript = False
  
                        async for event in stream:
                            if event.type == agents.stt.SpeechEventType.START_OF_SPEECH:
  • tests.test_stt::test_stream[livekit.agents.inference] 
    stt_factory = <function parameter_factory.<locals>.<lambda> at 0x7f47b436cea0>
request = <FixtureRequest for <Coroutine test_stream[livekit.agents.inference]>>

    @pytest.mark.usefixtures("job_process")
    @pytest.mark.parametrize("stt_factory", STTs)
    async def test_stream(stt_factory: Callable[[], STT], request):
        sample_rate = SAMPLE_RATE
        plugin_id = request.node.callspec.id.split("-")[0]
        frames, transcript, _ = await make_test_speech(chunk_duration_ms=10, sample_rate=sample_rate)
  
        # TODO: differentiate missing key vs other errors
        try:
            stt_instance: STT = stt_factory()
        except ValueError as e:
            pytest.skip(f"{plugin_id}: {e}")
  
        async with stt_instance as stt:
            label = f"{stt.model}@{stt.provider}"
            if not stt.capabilities.streaming:
                pytest.skip(f"{label} does not support streaming")
  
            for attempt in range(MAX_RETRIES):
                try:
                    state = {"closing": False}
  
                    async def _stream_input(
                        frames: list[rtc.AudioFrame], stream: RecognizeStream, state: dict = state
                    ):
                        for frame in frames:
                            stream.push_frame(frame)
                            await asyncio.sleep(0.005)
  
                        stream.end_input()
                        state["closing"] = True
  
                    async def _stream_output(stream: RecognizeStream, state: dict = state):
                        text = ""
                        # make sure the events are sent in the right order
                        recv_start, recv_end = False, True
                        start_time = time.time()
                        got_final_transcript = False
  
                        async for event in stream:
                            if event.type == agents.stt.SpeechEventType.START_OF_SPEECH:
Skipped Tests
Test Reason
tests.test_stt::test_recognize[livekit.plugins.assemblyai] universal-streaming-english@AssemblyAI does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.speechmatics] enhanced@Speechmatics does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.fireworksai] unknown@FireworksAI does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.cartesia] ink-whisper@Cartesia does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.soniox] stt-rt-v4@Soniox does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.aws] unknown@Amazon Transcribe does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.nvidia] unknown@unknown does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.deepgram.STTv2] flux-general-en@Deepgram does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.gradium.STT] unknown@Gradium does not support batch recognition
tests.test_stt::test_recognize[livekit.agents.inference] unknown@livekit does not support batch recognition
tests.test_stt::test_recognize[livekit.plugins.azure] unknown@Azure STT does not support batch recognition
tests.test_stt::test_stream[livekit.plugins.elevenlabs] scribe_v1@ElevenLabs does not support streaming
tests.test_stt::test_stream[livekit.plugins.mistralai] voxtral-mini-latest@MistralAI does not support streaming
tests.test_stt::test_stream[livekit.plugins.fal] Wizper@Fal does not support streaming
tests.test_stt::test_stream[livekit.plugins.openai] gpt-4o-mini-transcribe@api.openai.com does not support streaming

Triggered by workflow run #1820

@davidzhao davidzhao merged commit af4eb74 into main Apr 27, 2026
30 checks passed
@davidzhao davidzhao deleted the renovate/major-github-actions branch April 27, 2026 05:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

@davidzhao davidzhao davidzhao approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@davidzhao