From efebc6b9938ce62d29186efb0f778b474e21ea0a Mon Sep 17 00:00:00 2001
From: Laith Al-Saadoon
Date: Fri, 12 Jun 2026 12:04:19 +0000
Subject: [PATCH 1/2] fix(ci): add uv to root tools so semgrep installs via uvx (#320)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The upgrade-main workflow (and any cold-cache security.yml run) fails at the mise-action Install step because mise 2026.6.2+ enabled a default minimum_release_age for the pipx backend, which triggers a shared-pip venv upgrade that fails on the runner ("Failed to upgrade shared libraries"). mise's pipx.uvx setting defaults to true and routes pipx tools through `uv tool install` when uv is on PATH — but uv was only declared in agent/mise.toml, not the root mise.toml that mise-action provisions at the repo root. Declaring uv here puts it on PATH before semgrep resolves, so semgrep installs via uvx and bypasses the broken classic-pipx path. Verified locally under the exact CI mise 2026.6.3: with uv in [tools], `mise install` runs `uv tool install semgrep==1.165.0` and succeeds. Preserves the 2026.6.2 supply-chain release-age protection. Refs #320
---
mise.toml | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/mise.toml b/mise.toml
index 5b5a0aaa..b893a91a 100644
--- a/mise.toml
+++ b/mise.toml
@@ -18,6 +18,11 @@ experimental = true
 node = "22"
 prek = "latest"
 gitleaks = "latest"
+# uv must be declared so it is on PATH before semgrep installs: mise's
+# `pipx.uvx` default routes pipx tools through `uv tool install` when uv is
+# present, avoiding the classic-pipx "Failed to upgrade shared libraries" path
+# that breaks under the mise 2026.6.x default `minimum_release_age` (see #320).
+uv = "latest"
 semgrep = "latest"
 osv-scanner = "latest"
 "grype" = "latest"

From 996c060ea81821c9d69282abeb3b475891adb2f7 Mon Sep 17 00:00:00 2001
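Review bot: The added `uv = "latest"` line places an unpinned tool on the path that every semgrep install now goes through, so a floating uv version weakens the release-age protection the commit message says it preserves; whether `minimum_release_age` also gates the uv tool itself, rather than only the pipx backend, is not shown here. Since uv is already declared in agent/mise.toml, the root entry should be pinned to the same version so local and CI runs resolve identically, e.g. `uv = "<pinned-version>"  # keep in sync with agent/mise.toml`. The comment's claim that declaration order puts uv "on PATH before semgrep installs" holds only if mise sequences the pipx backend after uv rather than installing `[tools]` entries in parallel; if that ordering comes from a backend dependency instead of key order, the comment should say so once it is confirmed. The `[tools]` table header this hunk belongs to lies outside the hunk.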
From: Laith Al-Saadoon
Date: Fri, 12 Jun 2026 12:33:28 +0000
Subject: [PATCH 2/2] docs(ci): cite upstream mise PR in the uv tool comment

No-op content change to route this branch through the freshly installed prek pre-commit/pre-push hooks, which were missing from the local clone when 16b0ab6 was created. Refs #320
---
mise.toml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mise.toml b/mise.toml
index b893a91a..d61aecc9 100644
--- a/mise.toml
+++ b/mise.toml
@@ -21,7 +21,8 @@ gitleaks = "latest"
 # uv must be declared so it is on PATH before semgrep installs: mise's
 # `pipx.uvx` default routes pipx tools through `uv tool install` when uv is
 # present, avoiding the classic-pipx "Failed to upgrade shared libraries" path
-# that breaks under the mise 2026.6.x default `minimum_release_age` (see #320).
+# that breaks under the mise 2026.6.x default `minimum_release_age`
+# (jdx/mise#10279; see #320).
 uv = "latest"
 semgrep = "latest"
 osv-scanner = "latest"