
ci: make uv action tag explicit#1625

Merged
wochinge merged 1 commit into main from chore/fix-setup-uv-tag
Apr 15, 2026

Conversation

@wochinge
Contributor

@wochinge wochinge commented Apr 15, 2026

Changes

  • make tag explicit

Disclaimer: Experimental PR review

Greptile Summary

This PR pins astral-sh/setup-uv to an explicit commit SHA (cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0) in both ci.yml and release.yml, completing the supply-chain hardening started in #1623 where other actions were similarly pinned but setup-uv was left with a floating reference.

Confidence Score: 5/5

Safe to merge — pure CI hardening with no functional changes.

The change only pins an already-used GitHub Action to its commit SHA, completing supply-chain hardening already applied to every other action in both workflow files. No logic is altered.

No files require special attention.

Important Files Changed

Filename | Overview
.github/workflows/ci.yml | Pins astral-sh/setup-uv to commit SHA cec208311... (v8.0.0) across all four job steps that invoke it; no functional changes.
.github/workflows/release.yml | Pins astral-sh/setup-uv to the same commit SHA as ci.yml; all other actions (actions/checkout, slackapi/slack-github-action) were already pinned.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Push / PR / workflow_dispatch] --> B[ci.yml jobs]
    A --> C[release.yml job]

    B --> D[linting]
    B --> E[type-checking]
    B --> F[unit-tests Python 3.10-3.14]
    B --> G[e2e-tests shards plus live_provider]

    D & E & F & G --> H[all-tests-passed gate]

    C --> I[release-python-sdk]
    I --> J[Build and publish to PyPI via OIDC]
    J --> K[Create GitHub Release and Slack notify]

    subgraph pinned_action [astral-sh/setup-uv pinned to SHA v8.0.0]
        D
        E
        F
        G
        I
    end

Reviews (1): Last reviewed commit: "ci: make uv action tag explicit"

@wochinge wochinge enabled auto-merge (squash) April 15, 2026 08:18
@github-actions

@claude review


@claude claude bot left a comment


LGTM — purely a comment clarification from # v8 to # v8.0.0 with no functional change.

Extended reasoning...

Overview

This PR updates the human-readable version comment on the pinned astral-sh/setup-uv action reference in both .github/workflows/ci.yml and .github/workflows/release.yml. The SHA (cec208311dfd045dd5311c1add060b2062131d57) is unchanged; only the trailing comment changes from # v8 to # v8.0.0.

Security risks

None. The actual action version is controlled by the SHA, which is identical before and after. Making the comment more explicit (major.minor.patch) is a documentation improvement with zero security impact.

Level of scrutiny

Minimal — this is a pure comment-only change in CI config files. No logic, no permissions, no secrets handling, and no production code paths are affected.

Other factors

No bugs were found by the automated review. The change is consistent across all five occurrences in the two workflow files. This fits squarely in the "trivial clarification" category that warrants auto-approval.

@wochinge wochinge disabled auto-merge April 15, 2026 08:22
@wochinge wochinge merged commit be74cbc into main Apr 15, 2026
17 of 18 checks passed
@wochinge wochinge deleted the chore/fix-setup-uv-tag branch April 15, 2026 08:22
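The two bot reviews above turn on one point: GitHub resolves `uses:` by the commit SHA after the `@`, and the trailing `# vX.Y.Z` comment is only documentation that humans and upgrade tooling read. A checker that enforces both halves of that convention (a 40-hex SHA, plus an explicit major.minor.patch comment rather than a bare `# v8`) is the kind of gate that would have caught the floating reference fixed here. The script below is an added example written for this page, not code from the repository or from either review bot. It scans workflow text line by line with a regular expression (no YAML parser needed), and the sample workflow it runs on is constructed: the setup-uv SHA is the one quoted on this page, while the other SHAs, the `slackapi` tag and `some-org/some-action` are placeholders. One caveat the checker cannot cover offline: it verifies the pin is *a* commit SHA, not that the SHA actually corresponds to the tag named in the comment; confirming that requires querying the upstream repository (for example with `git ls-remote`).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# A step line such as:
#   - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
# Captures the action path, the ref after '@', and any trailing '# comment'.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*(?P<action>[^@\s#]+)@(?P<ref>[^\s#]+)"
    r"(?:\s*#\s*(?P<comment>.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit SHA-1
SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")    # explicit major.minor.patch tag


@dataclass
class Finding:
    line: int
    action: str
    ref: str
    comment: str | None
    problem: str


def check_uses_pins(workflow_text: str) -> list[Finding]:
    """Return one Finding per 'uses:' step that is not pinned the way we want.

    Policy enforced (assumption for this example, not a GitHub rule):
      1. the ref after '@' must be a 40-hex commit SHA, never a tag or branch;
      2. a version comment must follow the SHA so reviewers and update bots
         can see which release the SHA is meant to correspond to;
      3. that comment must be an explicit vMAJOR.MINOR.PATCH, not '# v8'.
    """
    findings: list[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        # Local (./path) and docker:// actions are not versioned by SHA; skip them.
        if action.startswith("./") or action.startswith("docker://"):
            continue
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(lineno, action, ref, comment,
                                    "floating ref (tag or branch), not a 40-hex commit SHA"))
            continue
        if not comment:
            findings.append(Finding(lineno, action, ref, comment,
                                    "SHA pin has no version comment"))
            continue
        if not SEMVER_RE.fullmatch(comment.strip()):
            findings.append(Finding(lineno, action, ref, comment,
                                    "version comment is not an explicit major.minor.patch tag"))
    return findings


# Constructed sample workflow. Only the setup-uv SHA is taken from this page;
# every other SHA, tag and action name here is a placeholder.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.1.1
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8
      - uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
      - uses: slackapi/slack-github-action@v1.24.0
      - uses: some-org/some-action@fedcba9876543210fedcba9876543210fedcba98
"""


if __name__ == "__main__":
    for f in check_uses_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}@{f.ref} -> {f.problem}")
```

Run against the sample, the checker flags line 5 (bare `# v8` comment, the pre-PR state), line 7 (tag instead of SHA) and line 8 (SHA with no comment), and passes lines 4 and 6. In CI this would run over `.github/workflows/*.yml` and fail the job on any finding, so a newly added action cannot land unpinned.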