chore: use npm ci --ignore-scripts everywhere (#699)

Like https://github.com/astral-sh/ruff-action/pull/276 🙂 

This also adds cooldown stanzas to the Dependabot updater rules: this
ensures that we only receive dependency bumps once they're at least a
week old, which should reduce the window of opportunity for an attacker
who temporarily compromises popular packages (like with "Shai-Hulud"
last week).

Signed-off-by: William Woodruff <william@astral.sh>
William Woodruff 2025-12-02 02:08:49 -05:00 committed by GitHub
parent 5ae467fbf9
commit 64f7f4e15f
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 8 additions and 4 deletions


@ -4,8 +4,12 @@ updates:
directory: /
schedule:
interval: daily
cooldown:
default-days: 7
- package-ecosystem: npm
directory: /
schedule:
interval: daily
cooldown:
default-days: 7
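Review bot: the rationale for the two `cooldown` stanzas (`default-days: 7` under both ecosystems) lives only in the commit message; put a short YAML comment next to each `default-days: 7` line stating that the week-long hold exists to avoid pulling in a briefly compromised release, so a future edit does not silently shorten or drop it. Note also that the cooldown only delays Dependabot's version-bump PRs: a malicious version that is already more than 7 days old is still eligible, and the `npm ci --ignore-scripts` install from the commit title installs whatever the lockfile already pins, so the two changes complement rather than replace each other. If patch-level bumps should land faster than major or minor ones, Dependabot's cooldown block accepts per-level keys (`semver-patch-days`, `semver-minor-days`, `semver-major-days`) alongside `default-days`.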