# How to upgrade setup-uv from v7 to v8


If a GitHub Actions workflow uses [`astral-sh/setup-uv`](https://pydevtools.com/handbook/tutorial/setting-up-github-actions-with-uv.md)`@v7`, Dependabot will not bump it to v8 automatically, and `@v8` does not resolve. Here is the fix.

## What changed in v8.0.0

Version 8.0.0 is the first immutable release of `setup-uv`, published in March 2026. Moving tags are gone: `@v8` and `@v8.0` do not exist, and no major or minor tag will ever be published again. Only full-version tags such as `@v8.0.0` resolve, and each one is immutable once cut. The change follows GitHub's supply-chain guidance for actions, limiting the blast radius if a maintainer account is compromised (see the [v8.0.0 release notes](https://github.com/astral-sh/setup-uv/releases/tag/v8.0.0)).

## Bump the full-version tag

Find the `setup-uv` line in every workflow under `.github/workflows/` and replace the moving tag with the current release:

```yaml
# Before
- uses: astral-sh/setup-uv@v7

# After
- uses: astral-sh/setup-uv@v8.1.0  # check the latest release
```

Dependabot's GitHub Actions updater bumps tags at the same "version depth" it already sees, so `@v7` stays on v7 forever. Once a workflow pins a full tag like `@v8.1.0`, subsequent patch and minor releases arrive as normal Dependabot PRs. The root-cause bug is tracked in [dependabot/dependabot-core#14713](https://github.com/dependabot/dependabot-core/issues/14713).

> [!TIP]
> Check the [releases page](https://github.com/astral-sh/setup-uv/releases) for the newest v8.x.y tag before committing. The examples here use `v8.1.0` (April 2026), the latest release at the time of writing.

## Pin by commit SHA for stronger supply-chain defense

GitHub's own hardening guidance recommends pinning third-party actions to a full 40-character commit SHA rather than a tag, because even immutable tags can be deleted and reissued in edge cases. The release notes for v8.0.0 echo this recommendation.

```yaml
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
```

Keep the trailing comment so the human-readable version stays visible in diffs and PR reviews. Dependabot understands this format and will update both the SHA and the comment in place when a new release lands. For the broader pattern across every action in a Python project, see [how to pin GitHub Actions by SHA for Python projects](https://pydevtools.com/handbook/how-to/how-to-pin-github-actions-by-sha-for-python-projects.md).
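To see where a repository stands before editing, the following added example (not code from setup-uv or from this handbook) reports every `setup-uv` reference in a workflow as a moving ref, a full-version tag, or a SHA pin, and flags the `@v8`-style refs that cannot resolve. The names `classify` and `audit` are assumptions made for illustration, and the matching is a line-based regex rather than a YAML parser.

```python
import re
import sys
from pathlib import Path

# "uses: owner/repo[/path]@ref", optionally followed by "# comment".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?(?P<action>[\w.-]+/[\w./-]+)@"
                     r"(?P<ref>[^\s'\"#]+)['\"]?(?:\s*#\s*(?P<comment>.*?))?\s*$")
# Constructed sample workflow lines; the SHA is the v8.1.0 pin quoted above.
SAMPLE = """\
  - uses: actions/checkout@v4
  - uses: astral-sh/setup-uv@v7
  - uses: astral-sh/setup-uv@v8
  - uses: astral-sh/setup-uv@v8.1.0  # check the latest release
  - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b  # v8.1.0
  - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b
"""

def classify(ref):
    """Return 'sha', 'full-tag' or 'moving' for the text after '@'."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha"
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "full-tag"
    return "moving"  # v7, v8, v8.0, a branch name, ...

def audit(text, action="astral-sh/setup-uv"):
    """Return [(line_no, ref, kind, note)] for every reference to `action`."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m["action"].lower() != action:
            continue
        ref, kind, note = m["ref"], classify(m["ref"]), ""
        short = re.fullmatch(r"v(\d+)(\.\d+)?", ref)
        if short and int(short[1]) >= 8:
            note = "does not resolve: no major/minor tags from v8 on"
        elif kind == "moving":
            note = "moving ref: pin a full vX.Y.Z tag or a commit SHA"
        elif kind == "sha" and not m["comment"]:
            note = "add a trailing '# vX.Y.Z' comment for reviewers"
        findings.append((no, ref, kind, note))
    return findings

if __name__ == "__main__":
    # Pass workflow files as arguments; with none, the sample is audited.
    for name in sys.argv[1:] or ["SAMPLE"]:
        text = SAMPLE if name == "SAMPLE" else Path(name).read_text(encoding="utf-8")
        for no, ref, kind, note in audit(text):
            print(f"{name}:{no}: @{ref} [{kind}] {note}")
```

Run it with the workflow files as arguments, for example every file under `.github/workflows/`; a SHA pin reported without a version comment is still valid, just harder to review.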

## Check the other breaking change

The v8.0.0 release also removed the deprecated format for the `manifest-file` and `manifest-url` inputs. The inputs still exist, but any custom version manifest must follow the [new format documented in `customization.md`](https://github.com/astral-sh/setup-uv/blob/main/docs/customization.md#format). Workflows that do not set `manifest-file` or `manifest-url` are unaffected. Review the [full release notes](https://github.com/astral-sh/setup-uv/releases/tag/v8.0.0) before upgrading if a workflow relies on a private mirror or custom manifest.

## Fix "unable to find version v8" errors

A workflow that copies `@v8` from an older blog post or a cached snippet will fail with:

```console
Error: Unable to resolve action `astral-sh/setup-uv@v8`, unable to find version `v8`
```

Change the reference to the latest full-version tag (currently `@v8.1.0`) or to a commit SHA as shown in the pin-by-SHA section. The same error appears for `@v8.0`, and the fix is identical. Real-world reports of this failure are collected in [astral-sh/setup-uv#830](https://github.com/astral-sh/setup-uv/issues/830).

## Learn More

- [setup-uv v8.0.0 release notes](https://github.com/astral-sh/setup-uv/releases/tag/v8.0.0)
- [Report on the v8 upgrade friction](https://github.com/astral-sh/setup-uv/issues/830)
- [Dependabot tracking issue for moving-tag bumps](https://github.com/dependabot/dependabot-core/issues/14713)
- [GitHub docs: security hardening for GitHub Actions](https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions)
- [Set up GitHub Actions with uv](https://pydevtools.com/handbook/tutorial/setting-up-github-actions-with-uv.md)
- [Pin GitHub Actions by SHA for Python projects](https://pydevtools.com/handbook/how-to/how-to-pin-github-actions-by-sha-for-python-projects.md)
- [Protect against Python supply-chain attacks with uv](https://pydevtools.com/handbook/how-to/how-to-protect-against-python-supply-chain-attacks-with-uv.md)
