0.11.9 release missing GitHub Artifact Attestations

[miguelgmcs]

Disclaimer

This summary was created by AI. I validated that the findings were correct.

Summary

The 0.11.9 release artifacts are missing GitHub Artifact Attestations (SLSA provenance). This causes tools that verify attestations before installing (e.g., mise) to fail when attempting to install uv@0.11.9.
The release notes mention:

Note due to a timeout publishing to crates.io, the GitHub portion of this release was published manually by a maintainer using the artifacts built in CI.

This manual publish appears to have skipped the attestation generation step.

Reproduction

Verify 0.11.9 (fails)

$ gh release download 0.11.9 --repo astral-sh/uv --pattern "uv-x86_64-unknown-linux-musl.tar.gz" --dir /tmp/uv-test
$ gh attestation verify /tmp/uv-test/uv-x86_64-unknown-linux-musl.tar.gz --repo astral-sh/uv
Error: HTTP 404: Not Found (https://api.github.com/repos/astral-sh/uv/attestations/sha256:ac3e5051edbf30613b0f90d1c18d4807fea6b246f37490799fee0c1284a658b2?per_page=30&predicate_type=https://slsa.dev/provenance/v1)

Verify 0.11.8 (succeeds)

$ gh release download 0.11.8 --repo astral-sh/uv --pattern "uv-x86_64-unknown-linux-musl.tar.gz" --dir /tmp/uv-test-8
$ gh attestation verify /tmp/uv-test-8/uv-x86_64-unknown-linux-musl.tar.gz --repo astral-sh/uv
# (exits 0, no output — verification successful)

Impact

Tools that rely on GitHub Artifact Attestations for supply-chain verification cannot install uv@0.11.9. For example, mise (which uses the aqua backend to install uv) fails with:

mise ERROR Failed to install aqua:astral-sh/uv@latest: GitHub artifact attestations verification failed:
Verification failed: Workflow verification failed: expected 'astral-sh/uv/.github/workflows/release.yml',
found certificate: None, provenance: None

This breaks CI pipelines that use mise to install uv without pinning to a specific version (i.e., using uv@latest).

Expected behavior

All release artifacts should have GitHub Artifact Attestations attached, as documented in the release notes' "Verifying GitHub Artifact Attestations" section.

Suggested fix

Either:

1. Re-publish the attestations for the existing 0.11.9 artifacts (if possible), or
2. Document this as a known limitation of the 0.11.9 release and recommend pinning to 0.11.8 until 0.11.10 is released through the standard CI pipeline.

[marten-seemann]

I ran into the same issue, and I can confirm that pinning the version to 0.11.8 resolves the issue.

[arromanoff]

https://releases.astral.sh/github/uv/releases/download/0.11.9/uv-x86_64-unknown-linux-gnu.tar.gz 404-s for me as well

[McNull]

Temp fix:

MISE_AQUA_GITHUB_ATTESTATIONS=false mise upgrade --verbose

[PeterBurner]

Temp fix:

MISE_AQUA_GITHUB_ATTESTATIONS=false mise upgrade --verbose

Careful there. This then applies to all mise packages. Not only uv!

To anyone considering using this workaround, please first read up on what artifact attestation is and why it's important. If you do not necessarily need the features and fixes provided by the latest uv release 0.11.9, I would recommend pinning 0.11.8 until we get a proper release with attestation from the uv maintainers. Mise themselves is doing the same: jdx/mise#9618

• GitHub Docs: Artifact attestations
• Mise Docs: GitHub Artifact Attestations

[zsol]

We're planning to make a new release soon that will have attestations, in the meantime feel free to pin to 0.11.8 if lack of these causes issues.

https://releases.astral.sh/github/uv/releases/download/0.11.9/uv-x86_64-unknown-linux-gnu.tar.gz 404-s for me as well

This is covered by #19282 and should be resolved.

[jdx]

just jumping in to say MISE_AQUA_GITHUB_ATTESTATIONS=false is a terrible, terrible idea. NEVER do that especially if a tool just started failing!

In this case uv was not compromised but you better be damn sure that's not the case if it ever happens with other tools in the future. You should pin, not force mise to ignore the issue!

[zanieb]

0.11.10 is out now. We'll probably adjust our partial release policy now that there are consumers of attestations, it doesn't seem worth manually publishing anymore.