How to upgrade setup-uv from v7 to v8
If a GitHub Actions workflow uses astral-sh/setup-uv@v7, Dependabot will not bump it to v8 automatically, and @v8 no longer resolves. Here is the fix.
What changed in v8.0.0
Version 8.0.0 is the first immutable release of setup-uv, published in March 2026. Moving tags are gone: @v8 and @v8.0 do not exist, and no major or minor tag will ever be published again. Only full-version tags such as @v8.0.0 resolve, and each one is immutable once cut. The change follows GitHub’s supply-chain guidance for actions, limiting the blast radius if a maintainer account is compromised (see the v8.0.0 release notes).
Bump the full-version tag
Find the setup-uv line in every workflow under .github/workflows/ and replace the moving tag with the current release:
# Before
- uses: astral-sh/setup-uv@v7
# After
- uses: astral-sh/setup-uv@v8.0.0 # check the latest release
Dependabot’s GitHub Actions updater bumps tags at the same “version depth” it already sees, so @v7 stays on v7 forever. Once a workflow pins a full tag like @v8.0.0, subsequent patch and minor releases arrive as normal Dependabot PRs. The root-cause bug is tracked in dependabot/dependabot-core#14713.
Tip
Check the releases page for the newest v8.x.y tag before committing. The examples here use v8.0.0, the latest release at the time of writing.
Pin by commit SHA for stronger supply-chain defense
GitHub’s own hardening guidance recommends pinning third-party actions to a full 40-character commit SHA rather than a tag, because even immutable tags can be deleted and reissued in edge cases. The release notes for v8.0.0 echo this recommendation.
- uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
Keep the trailing comment so the human-readable version stays visible in diffs and PR reviews. Dependabot understands this format and will update both the SHA and the comment in place when a new release lands. For the broader pattern across every action in a Python project, see how to pin GitHub Actions by SHA for Python projects.
Check the other breaking change
The v8.0.0 release also removed the deprecated format for the manifest-file and manifest-url inputs. The inputs still exist, but any custom version manifest must follow the new format documented in customization.md. Workflows that do not set manifest-file or manifest-url are unaffected. Review the full release notes before upgrading if a workflow relies on a private mirror or custom manifest.
Fix “unable to find version v8” errors
A workflow that copies @v8 from an older blog post or a cached snippet will fail with:
Error: Unable to resolve action `astral-sh/setup-uv@v8`, unable to find version `v8`
Change the reference to the latest full-version tag (currently @v8.0.0) or to a commit SHA as shown in the pin-by-SHA section. The same error appears for @v8.0, and the fix is identical. Real-world reports of this failure are collected in astral-sh/setup-uv#830.
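To find every setup-uv reference that still needs the changes described above, the following audit script classifies each `uses:` line under .github/workflows/ by how it is pinned. It is an added example, not code from setup-uv or its documentation; the function names and the category labels (`moving-tag`, `unresolvable-tag`, and so on) are assumptions of this sketch, and the sample workflow is constructed.

```python
import re
from pathlib import Path

# A `uses:` step that references setup-uv, with an optional trailing comment.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?astral-sh/setup-uv@(?P<ref>[^\s'\"#]+)"
                     r"['\"]?\s*(?:#\s*(?P<comment>.*))?$")
SHA_RE = re.compile(r"[0-9a-f]{40}")
FULL_TAG_RE = re.compile(r"v\d+\.\d+\.\d+")
MOVING_TAG_RE = re.compile(r"v(\d+)(?:\.\d+)?")

def classify(ref, comment=None):
    """Classify one setup-uv ref by how it is pinned (labels are this example's own)."""
    if SHA_RE.fullmatch(ref):
        # The trailing "# vX.Y.Z" comment keeps the version readable in reviews.
        return "sha" if FULL_TAG_RE.search(comment or "") else "sha-no-version-comment"
    if FULL_TAG_RE.fullmatch(ref):
        return "full-tag"
    moving = MOVING_TAG_RE.fullmatch(ref)
    if moving:
        # From v8 on, no major or minor tags are published, so these never resolve.
        return "unresolvable-tag" if int(moving.group(1)) >= 8 else "moving-tag"
    return "other"  # branch name, short SHA, or anything else

def audit_text(text):
    """Return [(line_number, ref, kind)] for every setup-uv step in one workflow."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            findings.append((number, match["ref"], classify(match["ref"], match["comment"])))
    return findings

def audit_repo(root="."):
    """Audit every *.yml / *.yaml workflow under <root>/.github/workflows/."""
    files = sorted(Path(root, ".github", "workflows").glob("*.y*ml"))
    return {str(p): audit_text(p.read_text(encoding="utf-8")) for p in files}

# Constructed sample workflow fragment (not taken from a real repository).
SAMPLE = """\
steps:
  - uses: astral-sh/setup-uv@v7
  - uses: astral-sh/setup-uv@v8
  - uses: astral-sh/setup-uv@v8.0.0
  - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
"""

if __name__ == "__main__":
    for number, ref, kind in audit_text(SAMPLE):
        print(f"line {number}: {ref} -> {kind}")
```

In CI, calling `audit_repo()` and failing the job on any result other than `sha` or `full-tag` catches a copied `@v8` before the runner does.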