Merged
6 changes: 3 additions & 3 deletions .github/workflows/ci.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.12"
- run: uv sync --extra dev
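Review bot: The `astral-sh/setup-uv` line in this job crosses a major version (v7.6.0 to v8.1.0) while the step still passes `python-version: "3.12"` unchanged, and nothing here shows the v8 release notes were checked for renamed or removed inputs or changed defaults. Please link the upstream v8 release notes in the PR description and confirm `python-version` is still an accepted input; GitHub Actions reports an unexpected input as a warning, not a failed job, so a green run alone does not prove the input was honoured.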
Expand Down Expand Up @@ -43,7 +43,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.12"
- run: uv sync --extra dev
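Review bot: The trailing `# v8.1.0` comment on the new `setup-uv` pin is a label that nothing verifies; only the 40-character SHA is resolved at run time. Before approving, confirm that `08807647e7069bb48b6ef5acd8ec9567f424441b` is the commit the upstream `v8.1.0` tag points to, for example with `git ls-remote --tags https://github.com/astral-sh/setup-uv 'v8.1.0*'`, and that the commit belongs to the upstream repository and not to a fork.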
Expand All @@ -57,7 +57,7 @@ jobs:
python-version: ["3.11", "3.12", "3.13"]
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: ${{ matrix.python-version }}
- run: uv sync --extra dev
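Review bot: This is the third copy of the same `setup-uv` pin in `ci.yml`, and the identical SHA is repeated in `publish.yml`, `test-publish.yml` and `vdsm.yml`, so every bump has to change six lines in step and a missed one leaves two versions of the action in use. Consider moving the `setup-uv` step into one of the local composite actions the changelog describes under `./.github/actions/*`, with `python-version` as an input (this matrix job passes `${{ matrix.python-version }}`), so the SHA is stated once.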
2 changes: 1 addition & 1 deletion .github/workflows/publish.yml
Expand Up @@ -14,7 +14,7 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.12"
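Review bot: In `publish.yml` the new major version of a third-party action runs inside the release job, and the hunk gives no sign that the change was exercised on the publish path before merging. Run `test-publish.yml`, which receives the same pin in this PR, once against the new SHA and record the result in the PR before the next release is cut from this workflow.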

2 changes: 1 addition & 1 deletion .github/workflows/test-publish.yml
Expand Up @@ -12,7 +12,7 @@ jobs:
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.12"

2 changes: 1 addition & 1 deletion .github/workflows/vdsm.yml
Expand Up @@ -35,7 +35,7 @@ jobs:
sudo chmod 666 /dev/kvm
echo "KVM available"

- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
with:
python-version: "3.12"

1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -24,6 +24,7 @@

### Changed

- **Bump github-actions group: astral-sh/setup-uv 7.6.0→8.1.0** (#98)
- **Pin third-party GitHub Actions to commit SHAs** (#94) — closes #46. Every external action in `.github/workflows/*.yml` was previously pinned to a major-version tag (`actions/checkout@v6`, `astral-sh/setup-uv@v7`, etc.) — and `pypa/gh-action-pypi-publish@release/v1` was even pinned to a *branch* ref, which can move under us. A minor release within a major can introduce security or behavior regressions without detection on a tag-only pin. Now every third-party `uses:` line carries an immutable 40-char commit SHA with a trailing `# v<version>` comment for human readability (the GitHub-recommended supply-chain pattern). Eight actions pinned across `ci.yml`, `publish.yml`, `test-publish.yml`, `vdsm.yml`: `actions/checkout` v6.0.2, `astral-sh/setup-uv` v7.6.0, `actions/setup-python` v6.2.0, `actions/upload-artifact` v7.0.1, `actions/download-artifact` v8.0.1, `actions/cache` v5.0.5, `codecov/codecov-action` v6.0.0, `pypa/gh-action-pypi-publish` v1.14.0. Local composite actions under `./.github/actions/*` are deliberately not pinned (in-repo, reviewed on merge — pinning them would produce stale-SHA noise on every internal change). `dependabot-changelog.yml` was already SHA-pinned (PR #60 work) and serves as the template the rest of the workflows now match. Dependabot's existing `github-actions` ecosystem in `.github/dependabot.yml` will propose SHA bump PRs weekly so the pins stay fresh.

- **Restructure debug-logging docs by use case in CLAUDE.md** (#91) — closes #43. The "three ways to enable debug" bullet under `## Key Conventions → Logging` framed activation by *mechanism* (`-v` flag, env var, config) and only acknowledged in a second-bullet parenthetical that `serve` doesn't accept the flag — readers skimmed and walked away thinking they could pass `-v` to `serve`. Bullet is now reframed by *subcommand*: for `serve` (Claude Desktop, no interactive flag) → env var or config; for `setup` / `check` (interactive CLI) → `-v`/`--verbose` or either of the above. `README.md`'s parallel section was already correctly scoped (`--verbose flag on setup/check` + `env var, works for all commands`) — no change needed there. `docs/credentials.md` doesn't reference debug logging.
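Review bot: The new `#98` entry is a bare title, unlike the neighbouring entries, and it does not say that this is a major-version bump or that the pin remains a full commit SHA. Since the `#94` entry directly below still lists `astral-sh/setup-uv` v7.6.0 as the pinned version, add a short clause to the `#98` line stating that it supersedes that pin in `ci.yml`, `publish.yml`, `test-publish.yml` and `vdsm.yml`, and whether any v8 behaviour change affects these workflows.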