fix: roll back setup-uv action bump #746

Merged: andreatgretel merged 1 commit into main from andreatgretel/fix/setup-uv-timeout on Jun 8, 2026


@andreatgretel

Contributor

Summary

Root Cause

After #739 merged, the Publish Fern devnotes push workflow failed in the Install uv step. setup-uv@v8.2.0 added a hard 5-second fetch timeout around manifest requests; the main run timed out while fetching https://raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson before installing pinned uv 0.9.5.

Rolling back the action pin removes that new timeout behavior while preserving the existing uv versions used by the workflows.

Validation

  • make install-dev
  • git diff --check
  • Parsed all .github/workflows/*.yml with PyYAML
  • Commit pre-commit hooks passed: whitespace, EOF, YAML, merge conflicts, line endings

Note: repo-wide .venv/bin/ruff check --fix . && .venv/bin/ruff format . was attempted, but Ruff failed on an unrelated existing notebook error in docs/colab_notebooks/7-nemotron-personas.ipynb (from __future__ import not at the beginning of the cell). No Python files are changed in this PR.

@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

MkDocs preview: https://44a79abd.dd-docs-preview.pages.dev

Fern preview: https://nvidia-preview-pr-746.docs.buildwithfern.com/nemo/datadesigner

Fern previews include the docs-website version archive with PR changes synced into latest. Notebook tutorials are rendered without execution outputs in previews.

@andreatgretel andreatgretel marked this pull request as ready for review June 8, 2026 18:21
@andreatgretel andreatgretel requested a review from a team as a code owner June 8, 2026 18:21
@greptile-apps

greptile-apps Bot commented Jun 8, 2026

Contributor

Greptile Summary

Rolls back astral-sh/setup-uv from v8.2.0 to v8.1.0 across all nine workflow files to fix an Install uv step failure introduced by a 5-second fetch timeout added in v8.2.0. The actions/checkout and FW-CI template bumps from #739 are preserved.

  • All 13 occurrences of the v8.2.0 commit pin (fac544c0…) have been replaced with the v8.1.0 pin (08807647…) consistently; no instance was missed and no unrelated workflow logic was touched.
  • The root-cause analysis in the PR description (new hard timeout in v8.2.0 breaking the manifest fetch for pinned uv 0.9.5) is plausible and the rollback is the correct minimal fix.

Confidence Score: 5/5

The change is a straightforward, fully consistent rollback of a single action pin across every workflow file — safe to merge.

Every instance of the v8.2.0 commit hash has been replaced with the v8.1.0 hash; no workflow logic, script, or unrelated step was modified. The rollback is mechanical and complete.

No files require special attention — all nine workflow files received the same one-line change.

Important Files Changed

| Filename | Overview |
| --- | --- |
| .github/workflows/build-docs.yml | Rolls back setup-uv from v8.2.0 to v8.1.0 — single mechanical pin change, no logic affected. |
| .github/workflows/build-fern-docs.yml | Rolls back setup-uv on two job steps from v8.2.0 to v8.1.0 — both hunks updated consistently. |
| .github/workflows/build-notebooks.yml | Single setup-uv pin rolled back to v8.1.0; no other changes. |
| .github/workflows/check-colab-notebooks.yml | Single setup-uv pin rolled back to v8.1.0; no other changes. |
| .github/workflows/ci.yml | Seven setup-uv pin occurrences all rolled back to v8.1.0 consistently across every job. |
| .github/workflows/docs-preview.yml | Single setup-uv pin rolled back to v8.1.0; no other changes. |
| .github/workflows/health-checks.yml | Single setup-uv pin rolled back to v8.1.0; no other changes. |
| .github/workflows/publish-devnotes.yml | Single setup-uv pin rolled back to v8.1.0; no other changes. |
| .github/workflows/publish-fern-devnotes.yml | Single setup-uv pin rolled back to v8.1.0; the failing workflow that motivated this PR — change looks correct. |

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["PR #739 merged\nBumped setup-uv v8.1.0 → v8.2.0"] --> B["v8.2.0 adds 5s fetch timeout\nfor manifest requests"]
    B --> C["publish-fern-devnotes workflow fails\n'Install uv' step times out\nfetching uv.ndjson"]
    C --> D["This PR: roll back\nsetup-uv v8.2.0 → v8.1.0\nacross all 9 workflows"]
    D --> E["Pin: fac544c0… → 08807647…\n13 occurrences updated"]
    E --> F["Workflows restored\nactions/checkout & FW-CI\nbumps from #739 preserved"]

Reviews (1): Last reviewed commit: "fix: roll back setup-uv action bump"

@github-actions

github-actions Bot commented Jun 8, 2026

Contributor

Summary

PR #746 rolls back astral-sh/setup-uv from v8.2.0 (SHA fac544c0...) to v8.1.0 (SHA 08807647...) across all 9 workflow files (16 occurrences total). The bump came in via dependabot PR #739. After #739 merged, the Publish Fern devnotes push workflow began failing in the Install uv step because setup-uv@v8.2.0 introduced a hard 5-second fetch timeout on its manifest request to raw.githubusercontent.com/astral-sh/versions/main/v1/uv.ndjson, which timed out before the pinned uv 0.9.5 could be installed.

The PR keeps the actions/checkout and FW-CI template bumps from #739 intact and only reverts the problematic setup-uv pin.

Findings

Correctness

  • Consistent rollback. Verified all 16 setup-uv@ references in .github/workflows/ are now pinned to the v8.1.0 SHA 08807647e7069bb48b6ef5acd8ec9567f424441b. No stale v8.2.0 references remain.
  • SHA + tag both updated. Each line correctly updates both the immutable SHA pin and the # v8.1.0 comment, preserving the project's pinning convention.
  • uv versions unchanged. The with: version: values ("0.9.5" and "latest") are preserved per workflow, which is the right scope for a fix targeting the action wrapper rather than the tool itself.

Code Quality / Style

  • Mechanical, minimal diff — exactly what a revert-style fix should look like. No drive-by changes.
  • Commit message and PR body clearly document the root cause (5s manifest fetch timeout in v8.2.0) and explicitly call out what is not being reverted (checkout + FW-CI template bumps from #739, "ci: bump the all-actions group across 1 directory with 3 updates"). This is excellent context for future readers searching for why v8.1.0 is pinned.

Risk / Operational

  • Reverts a security-relevant pin. v8.1.0 is older than v8.2.0; if v8.2.0 contained any security-relevant fixes beyond the timeout change, this rollback regresses them. Worth a quick follow-up: track astral-sh/setup-uv releases and re-bump once the timeout behavior is configurable or removed (filing an upstream issue would be ideal).
  • No expiration / TODO. Consider adding a tracking issue or a brief code comment near one of the pins (or in dependabot.yml) to prevent dependabot from re-bumping to v8.2.0 again on the next run. Otherwise this fix may need to be reapplied. A dependabot.yml ignore rule for astral-sh/setup-uv versions >= 8.2.0 would be the cleanest forward-looking guard, but is optional for this PR.
  • Validation is appropriate for the change. YAML parsing + pre-commit + make install-dev are reasonable smoke checks for a workflow-only change. The Ruff failure noted in the PR body is unrelated (pre-existing notebook issue) and correctly out of scope.

Test Coverage

  • N/A — workflow YAML changes are validated by the workflows themselves running on this PR. The original failing job (Publish Fern devnotes) only triggers on push to default branch, so the fix's effectiveness can't be verified pre-merge; landing this and watching the next push is the only practical confirmation.

Security

  • Both old and new versions remain pinned by full commit SHA, preserving supply-chain integrity. SHAs match the published v8.2.0 / v8.1.0 tags in astral-sh/setup-uv.
  • No secrets, tokens, or credentials touched.

Suggestions

  1. (Recommended) Open a tracking issue or add a dependabot.yml rule to prevent the same v8.2.0 bump from re-landing automatically. Without it, the next dependabot run will reopen this exact problem.
  2. (Optional) File an upstream issue at astral-sh/setup-uv describing the 5s timeout regression so the project can re-pin to a fixed version.

Verdict

Approve. This is a clean, minimal, well-documented rollback that directly addresses an observed CI failure. Internal consistency verified (all 16 references updated). The only follow-up worth noting is preventing dependabot from immediately re-bumping the same pin.
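
The consistency check the reviews above describe (every setup-uv reference on the v8.1.0 commit SHA, with a matching tag comment), written out as an added example; it is not part of the PR or the project's tooling. The function name `audit_pins`, the sample workflow text and the all-zero placeholder SHA are constructed for illustration.

```python
import re

# "uses: owner/repo@ref  # tag" as written in a workflow step; the tag comment is optional.
USES_RE = re.compile(
    r"^[ \t]*(?:-[ \t]*)?uses:[ \t]*([\w./-]+)@(\S+)(?:[ \t]+#[ \t]*(\S+))?", re.M)
FULL_SHA_RE = re.compile(r"[0-9a-f]{40}")

def audit_pins(workflows, action, expected_sha, expected_tag):
    """Check every `uses: <action>@...` line in {file name: YAML text}.

    Returns (number of correct pins, list of "file:line: problem" findings).
    """
    ok, findings = 0, []
    for name in sorted(workflows):
        text = workflows[name]
        for m in USES_RE.finditer(text):
            repo, ref, tag = m.groups()
            if repo != action:
                continue
            line = text.count("\n", 0, m.start(1)) + 1
            where = f"{name}:{line}"
            if not FULL_SHA_RE.fullmatch(ref):
                findings.append(f"{where}: ref '{ref}' is a mutable tag or branch, not a full commit SHA")
            elif ref != expected_sha:
                findings.append(f"{where}: pinned to unexpected commit {ref[:8]}")
            elif tag != expected_tag:
                findings.append(f"{where}: SHA is correct but the tag comment says {tag}")
            else:
                ok += 1
    return ok, findings

V810 = "08807647e7069bb48b6ef5acd8ec9567f424441b"  # v8.1.0 SHA quoted in the review above
OTHER = "0" * 40  # constructed placeholder standing in for any other commit

# Constructed workflow snippets: one correct pin and three kinds of drift.
SAMPLE = {
    "ci.yml": "jobs:\n  test:\n    steps:\n"
              f"      - uses: actions/checkout@{OTHER} # v0\n"
              f"      - uses: astral-sh/setup-uv@{V810} # v8.1.0\n",
    "build-docs.yml": "    steps:\n      - name: Install uv\n"
                      f"        uses: astral-sh/setup-uv@{OTHER} # v8.2.0\n",
    "docs-preview.yml": "    steps:\n      - uses: astral-sh/setup-uv@v8.2.0\n",
    "health-checks.yml": f"    steps:\n      - uses: astral-sh/setup-uv@{V810} # v8.2.0\n",
}

if __name__ == "__main__":
    count, problems = audit_pins(SAMPLE, "astral-sh/setup-uv", V810, "v8.1.0")
    print(f"{count} correct pin(s)")
    print("\n".join(problems))
```

To run it against a checkout, build the `workflows` mapping from the files under `.github/workflows/` and fail the job when the findings list is non-empty.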

@andreatgretel andreatgretel merged commit 564ca1a into main Jun 8, 2026
66 checks passed