From 81166acdac3436639d1dc28ac7f0609e2b426233 Mon Sep 17 00:00:00 2001 From: Do Anh Duy Date: Wed, 13 May 2026 18:55:39 +0700 Subject: [PATCH 1/2] chore(template): pin astral-sh/setup-uv to commit SHA in template MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Pin setup-uv@v6 → SHA of v6.8.0 in the scaffolded action template. Floating major tags are mutable; SHA pins are immutable. Note: upgrade v6→v8 in the template is a separate task. --- .../actions/setup-python-env/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/{% if enable_github_action %}.github{% endif%}/actions/setup-python-env/action.yaml b/template/{% if enable_github_action %}.github{% endif%}/actions/setup-python-env/action.yaml index 8decdbd..2411e87 100644 --- a/template/{% if enable_github_action %}.github{% endif%}/actions/setup-python-env/action.yaml +++ b/template/{% if enable_github_action %}.github{% endif%}/actions/setup-python-env/action.yaml @@ -17,7 +17,7 @@ runs: python-version: ${{ inputs.python-version }} - name: Install uv - uses: astral-sh/setup-uv@v6 + uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 with: version: ${{ inputs.uv-version }} enable-cache: 'true' From 3190393414023b75731ce50db0c12baef7a59ad5 Mon Sep 17 00:00:00 2001 
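Review bot: Nothing on the changed `uses:` line ties the trailing `# v6.8.0` comment to the 40-character SHA, so the two can drift apart on a later hand edit and the comment is only as reliable as the check done at commit time. Confirm once against upstream that `d0cc045d04ccac9d8b7881df0226f9e82c39688e` is the commit the v6.8.0 tag points to in astral-sh/setup-uv itself, since a SHA reference can also resolve to a commit that exists only in a fork; the same check applies to the SHA introduced in PATCH 2/2. A short comment above the step such as `# SHA and version comment must be updated together; verify against the upstream tag` would record that, and an update-bot entry for the `github-actions` ecosystem in the scaffold (if the template does not already ship one) would keep generated projects from sitting on a stale pin. The preceding step, whose `uses:` line lies outside this hunk, presumably needs the same treatment if it still references a tag.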
From: Do Anh Duy Date: Fri, 15 May 2026 14:43:22 +0700 Subject: [PATCH 2/2] chore(template): bump astral-sh/setup-uv to v8.1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit After review on #14, no functional breaking change for the install-uv path between v6 → v8 (inputs `version`, `enable-cache`, `cache-suffix` unchanged). The v8.0.0 floating-tag removal is moot since we pin to commit SHA. Aligns the scaffolded action with the repo's own CI workflow (.github/workflows/pre-commit.yaml), which already uses v8.1.0. Benefits picked up along the way: - v7.5+: uv release metadata served from Astral mirror, avoiding GitHub API rate limits during version resolution. - v8.0.0: immutable releases. --- .../actions/setup-python-env/action.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/template/{% if enable_github_action %}.github{% endif%}/actions/setup-python-env/action.yaml b/template/{% if enable_github_action %}.github{% endif%}/actions/setup-python-env/action.yaml index 2411e87..5cfb3fa 100644 --- a/template/{% if enable_github_action %}.github{% endif%}/actions/setup-python-env/action.yaml +++ b/template/{% if enable_github_action %}.github{% endif%}/actions/setup-python-env/action.yaml @@ -17,7 +17,7 @@ runs: python-version: ${{ inputs.python-version }} - name: Install uv - uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0 + uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0 with: version: ${{ inputs.uv-version }} enable-cache: 'true'
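Review bot: The pinned SHA fixes the action's own code, but the uv binary it downloads is still selected by `version: ${{ inputs.uv-version }}`, and the default of that input is declared outside this hunk. If that default is `latest` or a version range, generated projects keep installing a floating tool version despite the pin, so the template default should presumably be an exact version. The description's statement that this SHA matches what `.github/workflows/pre-commit.yaml` already uses cannot be checked from the diff; comparing the two strings before merge would catch a mismatch. The `with:` block continues past the last line shown.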