
Bump astral-sh/setup-uv from 7.6.0 to 8.0.0#75

Merged
amrit110 merged 3 commits into main from dependabot/github_actions/astral-sh/setup-uv-8.0.0
Mar 31, 2026

Conversation


@dependabot dependabot bot commented on behalf of github Mar 30, 2026

Bumps astral-sh/setup-uv from 7.6.0 to 8.0.0.

Release notes

Sourced from astral-sh/setup-uv's releases.

v8.0.0 🌈 Immutable releases and secure tags

This is the first immutable release of setup-uv 🥳

All future releases are also immutable; if you want to know more about what this means, check out the docs.

This release also has two breaking changes:

New format for manifest-file

The previously deprecated way of defining a custom version manifest to control which uv versions are available and where to download them from got removed. The functionality is still there but you have to use the new format.

No more major and minor tags

To increase security even more, we will stop publishing minor tags. You won't be able to use @v8 or @v8.0 any longer. We do this because pinning to major releases opens up users to supply chain attacks like what happened to tj-actions.

[!TIP] Use the immutable tag as a version: astral-sh/setup-uv@8.0.0. Or, even better, the git hash: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57

🚨 Breaking changes

🧰 Maintenance

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
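As an added example (not part of this PR, of Dependabot, or of the setup-uv project), a small Python check that scans a workflow for `uses:` references and reports every remote action that is not pinned to a full commit SHA or image digest, the practice the release notes above recommend. The workflow text is constructed; `classify_ref` and `unpinned_uses` are hypothetical names.

```python
import re
from typing import List, Tuple

# Constructed workflow fragment (not from this repository): one step pinned to a
# full commit SHA with a version comment, the others to mutable or weaker refs.
SAMPLE_WORKFLOW = """
jobs:
  checks:
    steps:
      - uses: actions/checkout@v4
      - uses: astral-sh/setup-uv@v8
      - uses: astral-sh/setup-uv@8.0.0
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57  # 8.0.0
      - uses: ./.github/actions/local-step
      - uses: docker://python:3.12
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def classify_ref(uses: str) -> str:
    """Name the kind of ref a `uses:` value points at (hypothetical helper)."""
    if uses.startswith("./"):
        return "local"                      # same-repo action, nothing to pin
    if uses.startswith("docker://"):
        return "docker-digest" if "@sha256:" in uses else "docker-tag"
    if "@" not in uses:
        return "no-ref"                     # default branch, fully mutable
    ref = uses.rsplit("@", 1)[1]
    if FULL_SHA_RE.match(ref):
        return "sha"                        # immutable commit hash
    if re.fullmatch(r"v?\d+", ref):
        return "major-tag"                  # e.g. @v8: re-pointable by the publisher
    if re.fullmatch(r"v?\d+\.\d+", ref):
        return "minor-tag"
    if re.fullmatch(r"v?\d+\.\d+\.\d+", ref):
        return "full-version-tag"           # immutable only if the publisher makes it so
    return "branch-or-other"

def unpinned_uses(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (uses value, kind) for every remote action not pinned to a commit or digest."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        uses = match.group(1)
        kind = classify_ref(uses)
        if kind not in ("local", "sha", "docker-digest"):
            findings.append((uses, kind))
    return findings
```

Run it over each file under `.github/workflows/` in CI and fail the job when the list is non-empty; a version comment next to the SHA keeps Dependabot able to propose bumps.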

@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Mar 30, 2026
@amrit110 (Member)

Security Vulnerabilities — Partial Fix Applied

aieng-bot has fixed 2 of 3 security vulnerabilities reported by pip-audit:

| Package | Version | Vulnerability | Status |
| --- | --- | --- | --- |
| cryptography | 46.0.5 → 46.0.6 | GHSA-m959-cc7f-wv43 | ✅ Fixed |
| requests | 2.32.5 → 2.33.0 | GHSA-gc5v-m9x4-r6x2 | ✅ Fixed |
| pygments | 2.19.2 | GHSA-5239-wwwm-4pmq | ❌ Cannot auto-fix (see below) |

pygments GHSA-5239-wwwm-4pmq — No Safe Fix Available Yet

Why this cannot be auto-fixed:

The only available upgrade is pygments 2.20.0 (released 2026-03-29), which is listed as the fix for GHSA-5239-wwwm-4pmq. However, pygments 2.20.0 introduces a regression that breaks the docs build:

```
ERROR - Error reading page 'dev_guide.md': 'NoneType' object has no attribute 'replace'
AttributeError in pygments/formatters/html.py:434
    self.filename = html.escape(self._decodeifneeded(options.get('filename', '')))
```

Root cause: In pygments 2.20.0, HtmlFormatter.__init__ now calls html.escape() on the filename option. When pymdownx.highlight processes code blocks without an explicit filename (which is the common case), it passes filename=None to the formatter. The new html.escape(None) call crashes.

Confirmed: pymdownx-extensions 10.21.2 (also released yesterday) still passes filename=None, so upgrading pymdownx does not resolve the issue.

pygments<2.20.0 is temporarily pinned in the docs dependency group to prevent the regression while preserving a working docs build.

Recommended Next Steps

  1. Monitor pygments for a patch release (2.20.1 or later) that handles None filenames gracefully
  2. Once a patched pygments is available, remove the pygments<2.20.0 pin and re-run aieng-bot
  3. Alternatively, a human can add GHSA-5239-wwwm-4pmq to ignore-vulns in .github/workflows/code_checks.yml with explicit justification pending the upstream fix

This PR will not be auto-merged until the pygments vulnerability is resolved.

@amrit110 (Member)

Security Vulnerability — No Safe Patch Available Yet

aieng-bot found the following security vulnerability reported by pip-audit, but cannot fix it automatically because no patched version without a known regression has been released to PyPI:

| Package | Version | Vulnerability | Status |
| --- | --- | --- | --- |
| pygments | 2.19.2 | GHSA-5239-wwwm-4pmq | No safe fix available on PyPI |

Why this cannot be auto-fixed

While pygments 2.20.0 is technically available on PyPI and patches GHSA-5239-wwwm-4pmq, it introduces a regression (NoneType filename crash) that breaks the docs build. The current pyproject.toml already documents this with the constraint "pygments<2.20.0":

Pinning version to <2.20.0 due to regression (NoneType filename crash) introduced in 2.20.0 that breaks docs build; GHSA-5239-wwwm-4pmq fix awaiting upstream patch

There is no newer pygments release (e.g., 2.20.1+) that resolves both the vulnerability and the regression. The latest available version on PyPI is 2.20.0.

Recommended next steps

  1. Monitor the pygments releases for a follow-up patch (e.g., 2.20.1) that fixes the regression introduced in 2.20.0
  2. Once a clean release is available, remove the <2.20.0 upper bound and bump to the new version
  3. Consider whether GHSA-5239-wwwm-4pmq can be temporarily added to the ignore-vulns list in .github/workflows/code_checks.yml with a justification comment (requires human review/approval)

This PR will not be auto-merged until the vulnerability is resolved.
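As an added example that is not part of this PR or of aieng-bot, a Python triage of pip-audit JSON findings that reproduces the decision described in the two bot comments above: a fix version excluded by a project pin is reported as blocked rather than silently skipped, an ignore entry only counts when it carries a written justification, and the merge gate fails while anything is blocked or unpatched. The JSON sample is constructed to mirror the page's three findings; the field names `name`, `version`, `vulns`, `id` and `fix_versions` are assumed to match pip-audit's JSON output, and `triage`, `merge_allowed` and `_ver` are hypothetical names.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of `pip-audit -f json` output, carrying the
# three findings this PR reports (versions and GHSA ids as stated in the thread).
AUDIT_JSON = """[
 {"name": "cryptography", "version": "46.0.5",
  "vulns": [{"id": "GHSA-m959-cc7f-wv43", "fix_versions": ["46.0.6"]}]},
 {"name": "requests", "version": "2.32.5",
  "vulns": [{"id": "GHSA-gc5v-m9x4-r6x2", "fix_versions": ["2.33.0"]}]},
 {"name": "pygments", "version": "2.19.2",
  "vulns": [{"id": "GHSA-5239-wwwm-4pmq", "fix_versions": ["2.20.0"]}]}
]"""

# Exclusive upper bounds the project keeps, as in the "pygments<2.20.0" pin above.
UPPER_BOUNDS = {"pygments": "2.20.0"}

def _ver(s: str) -> Tuple[int, ...]:
    """Turn a dotted release version into a comparable tuple (hypothetical helper)."""
    return tuple(int(p) for p in s.split("."))

def triage(audit_json: str, upper_bounds: Dict[str, str],
           ignore_vulns: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket each finding: fixable (bump), blocked (fix excluded by a pin),
    ignored (accepted with a justification) or unpatched (no fix released).
    An ignore entry with an empty justification is not honoured."""
    buckets: Dict[str, List[str]] = {"fixable": [], "blocked": [], "ignored": [], "unpatched": []}
    for dep in json.loads(audit_json):
        bound = upper_bounds.get(dep["name"])
        for vuln in dep["vulns"]:
            reason = ignore_vulns.get(vuln["id"], "").strip()
            if reason:
                buckets["ignored"].append(f"{vuln['id']}: {reason}")
                continue
            fixes = vuln.get("fix_versions", [])
            allowed = [f for f in fixes if bound is None or _ver(f) < _ver(bound)]
            if allowed:
                buckets["fixable"].append(f"{dep['name']}>={max(allowed, key=_ver)}")
            elif fixes:
                buckets["blocked"].append(f"{dep['name']} {vuln['id']} (fix {fixes[0]} excluded by <{bound})")
            else:
                buckets["unpatched"].append(f"{dep['name']} {vuln['id']}")
    return buckets

def merge_allowed(buckets: Dict[str, List[str]]) -> bool:
    """The gate the bot applies: nothing blocked or unpatched may remain."""
    return not buckets["blocked"] and not buckets["unpatched"]
```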

dependabot bot and others added 3 commits March 31, 2026 17:24
Bumps [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) from 7.6.0 to 8.0.0.
- [Release notes](https://github.com/astral-sh/setup-uv/releases)
- [Commits](astral-sh/setup-uv@v7.6...v8.0.0)

---
updated-dependencies:
- dependency-name: astral-sh/setup-uv
  dependency-version: 8.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
…ilities

- cryptography>=46.0.6 to address GHSA-m959-cc7f-wv43
- requests>=2.33.0 to address GHSA-gc5v-m9x4-r6x2
- pygments>=2.20.0 to address GHSA-5239-wwwm-4pmq

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
…ests

- cryptography>=46.0.6 to address GHSA-m959-cc7f-wv43
- requests>=2.33.0 to address GHSA-gc5v-m9x4-r6x2
- pygments pinned <2.20.0 due to regression in 2.20.0 that breaks docs build;
  GHSA-5239-wwwm-4pmq cannot be auto-fixed until upstream patches the regression

Co-authored-by: aieng-bot <aieng-bot@vectorinstitute.ai>
@amrit110 amrit110 force-pushed the dependabot/github_actions/astral-sh/setup-uv-8.0.0 branch from 299670e to 0db8787 on March 31, 2026 17:26
@amrit110 amrit110 merged commit f39968f into main Mar 31, 2026
11 checks passed
@amrit110 amrit110 deleted the dependabot/github_actions/astral-sh/setup-uv-8.0.0 branch March 31, 2026 17:38
