fix(ci): add uv to root tools so semgrep installs via uvx (#320)#321
Draft
theagenticguy wants to merge 2 commits into
Draft
fix(ci): add uv to root tools so semgrep installs via uvx (#320)#321theagenticguy wants to merge 2 commits into
theagenticguy wants to merge 2 commits into
Conversation
The upgrade-main workflow (and any cold-cache security.yml run) fails at
the mise-action Install step because mise 2026.6.2+ enabled a default
minimum_release_age for the pipx backend, which triggers a shared-pip
venv upgrade that fails on the runner ("Failed to upgrade shared libraries").
mise's pipx.uvx setting defaults to true and routes pipx tools through
`uv tool install` when uv is on PATH — but uv was only declared in
agent/mise.toml, not the root mise.toml that mise-action provisions at
the repo root. Declaring uv here puts it on PATH before semgrep resolves,
so semgrep installs via uvx and bypasses the broken classic-pipx path.
Verified locally under the exact CI mise 2026.6.3: with uv in [tools],
`mise install` runs `uv tool install semgrep==1.165.0` and succeeds.
Preserves the 2026.6.2 supply-chain release-age protection.
Refs #320
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
uv = "latest"to the rootmise.toml [tools]sosemgrepinstalls via the uvx backend instead of classic pipx.Fixes the persistently-red
upgrade-mainworkflow (3/3 runs, see #320) and pre-empts the same break insecurity.yml.Why
mise 2026.6.2 (jdx/mise#10279) turned on a built-in default
minimum_release_age = "24h"for timestamp-capable backends including pipx. Withsemgrep = "latest", that activates a date-cutoff install path that first upgrades the tool's shared pip venv — the step that fails on the GitHub runner:mise's
pipx.uvxsetting defaults totrueand routes pipx tools throughuv tool installwhen uv is on PATH — butuvwas only declared inagent/mise.toml, not the rootmise.tomlthatjdx/mise-actionprovisions at the repo root. So root-level semgrep fell back to classic pipx → the failing path.build.ymldodges this today by skipping semgrep viaMISE_DISABLE_TOOLS;upgrade-main(new in #309) andsecurity.ymldon't, so they hit the break on a cold mise-action cache.This is a mise backend regression, not a semgrep version issue — pinning semgrep would not help. Declaring
uvis the root-cause fix and keeps the 2026.6.2 supply-chain release-age protection intact.Verification
Reproduced under the exact CI mise binary (
2026.6.3), isolated HOME, withuv+semgrepboth in[tools]:mise resolves
uvbeforesemgrepautomatically when both are declared, so no explicit ordering step is needed.Test plan
upgrade-mainscheduled/dispatched run goes green (mise install →mise run upgrade→ patch/PR).security.ymlprovisions semgrep without "Failed to upgrade shared libraries" on a cold cache.Closes #320
Drafted by Bonk during the ABCA nightly review; opened via Laith's account.