From 25e9ed054ea06dc6099a348a18d3129011424f55 Mon Sep 17 00:00:00 2001
From: Jordan Ritter <jpr5@darkridge.com>
Date: Fri, 15 May 2026 16:31:30 -0700
Subject: [PATCH] Harden CI: replace curl-pipe-shell with setup-uv action

Replace `curl -LsSf https://astral.sh/uv/install.sh | sh` with the
official astral-sh/setup-uv GitHub Action, SHA-pinned to v4. This
eliminates a curl-pipe-shell pattern in a public repo where workflow
files are readable by anyone.
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0623f1a4f..c17f4c9de 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -244,7 +244,7 @@ jobs:
           git config --local user.email "github-actions[bot]@users.noreply.github.com"
 
       - name: Install uv for Python tests
-        run: curl -LsSf https://astral.sh/uv/install.sh | sh
+        uses: astral-sh/setup-uv@38f3f104447c67c051c4a08e39b64a148898af3a # v4
 
       - name: Run linter
         run: npm run lint