ci: bump setup-uv to v8.2.0 for Node 24 runtime

[hardbyte]

GitHub forces Node.js 20 actions to run on Node 24 starting June 16th, 2026 and removes Node 20 from runners in September 2026. Everything in this repo is already on node24 majors except astral-sh/setup-uv@v6 (node20) in ci.yml and nightly-chaos.yml.

Two notes:

• Pinned to the exact tag v8.2.0 rather than @v8: setup-uv stopped publishing floating major/minor tags in v8 as supply-chain hardening, so @v8 doesn't resolve.
• The v7/v8 breaking changes (removal of server-url and the old manifest-file format) don't apply — both usages install uv with no inputs.

Same sweep as thepartly/reflectapi#172.

Summary by CodeRabbit

• Chores
  • Updated CI/CD workflow infrastructure with the latest build automation tooling to enhance build reliability and consistency across development environments.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

📝 Walkthrough

Walkthrough

The PR updates the astral-sh/setup-uv GitHub Action version from v6 to v8.2.0 across two CI workflow files: ci.yml and nightly-chaos.yml. This is a straightforward dependency version bump in the workflow configuration.

Changes

CI Workflow Dependencies

Layer / File(s)	Summary
setup-uv action version upgrade .github/workflows/ci.yml, .github/workflows/nightly-chaos.yml	Both the python-build-test job in ci.yml and the python-nightly job in nightly-chaos.yml are updated to use astral-sh/setup-uv@v8.2.0 instead of v6.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A rabbit hops through workflows old,
Updates the uv action, brave and bold,
From v6 to v8.2.0 it goes,
CI runs faster now—as every tester knows! 🚀

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: bumping the setup-uv action from v6 to v8.2.0, which directly corresponds to the actual changes in both workflow files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 144: Replace the mutable GitHub Actions tag "astral-sh/setup-uv@v8.2.0"
with the immutable commit SHA
"astral-sh/setup-uv@fac544c06283516518a20d2d3a778c1837943d2c" wherever it
appears (e.g., the "uses: astral-sh/setup-uv@v8.2.0" entries in the CI and
nightly-chaos workflow files); update both occurrences to ensure the action is
pinned to the provided commit SHA.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2ef7d0f0-df80-490b-9731-8454bdfc16f3

📥 Commits

Reviewing files that changed from the base of the PR and between c40c0e7 and 6e97579.

📒 Files selected for processing (2)

• .github/workflows/ci.yml
• .github/workflows/nightly-chaos.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

rg -n "astral-sh/setup-uv@" .github/workflows || true

echo "---- ci.yml context ----"
nl -ba .github/workflows/ci.yml | sed -n '120,170p'

echo "---- nightly-chaos.yml context ----"
nl -ba .github/workflows/nightly-chaos.yml | sed -n '340,410p'

Repository: hardbyte/awa

Length of output: 291

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== all setup-uv uses =="
rg -n "uses:\s*astral-sh/setup-uv@" .github/workflows

echo
echo "== ci.yml around line 144 =="
sed -n '135,155p' .github/workflows/ci.yml

echo
echo "== nightly-chaos.yml around line 373 =="
sed -n '360,390p' .github/workflows/nightly-chaos.yml

Repository: hardbyte/awa

Length of output: 2249

---

🌐 Web query:

astral-sh/setup-uv v8.2.0 commit sha

💡 Result:

The commit SHA for astral-sh/setup-uv version v8.2.0 is fac544c06283516518a20d2d3a778c1837943d2c [1][2]. This SHA corresponds to the commit titled "chore(deps): roll up dependabot updates" (PR #903), which is the commit associated with the v8.2.0 release [1][2].

Citations:

• 1: https://github.com/astral-sh/setup-uv/releases/tag/v8.2.0
• 2: chore(deps): bump astral-sh/setup-uv from 8.1.0 to 8.2.0 evalops/maestro#776

---

Pin astral-sh/setup-uv to an immutable commit SHA
Both .github/workflows/ci.yml (line 144) and .github/workflows/nightly-chaos.yml (line 373) use the mutable tag astral-sh/setup-uv@v8.2.0. Replace both entries with astral-sh/setup-uv@fac544c06283516518a20d2d3a778c1837943d2c.

🧰 Tools

🪛 zizmor (1.25.2)

[error] 144-144: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 144, Replace the mutable GitHub Actions tag
"astral-sh/setup-uv@v8.2.0" with the immutable commit SHA
"astral-sh/setup-uv@fac544c06283516518a20d2d3a778c1837943d2c" wherever it
appears (e.g., the "uses: astral-sh/setup-uv@v8.2.0" entries in the CI and
nightly-chaos workflow files); update both occurrences to ensure the action is
pinned to the provided commit SHA.

Source: Linters/SAST tools