
fix(ci): upgrade-main fails — mise 2026.6.x release-age default breaks pipx semgrep install #320

@theagenticguy

Description

Problem

The upgrade-main scheduled workflow (added in #309) has failed 3 consecutive runs and is now persistently red:

| Run | When | mise version | Failing step |
|---|---|---|---|
| 27316192716 | 2026-06-11 00:48Z (schedule) | 2026.6.2 | Install mise |
| 27379167326 | 2026-06-11 21:40Z (manual dispatch) | 2026.6.2 | Install mise |
| 27387178496 | 2026-06-12 00:50Z (schedule) | 2026.6.3 | Install mise |

All three fail at the jdx/mise-action "Install mise" step, before mise run upgrade ever executes, when mise provisions semgrep = "latest" (resolved to 1.165.0) through its pipx backend:

mise semgrep@1.165.0  [1/3] pipx install semgrep==1.165.0
Failed to upgrade shared libraries
'/home/runner/.local/share/mise/installs/semgrep/1.165.0/shared/bin/python -m pip install ... 23.1' failed
mise ERROR pipx failed
mise ERROR Failed to install pipx:semgrep@latest: pipx exited with non-zero status: exit code 1

Root cause

mise 2026.6.2 (jdx/mise#10279, merged 2026-06-09) turned on a built-in default minimum_release_age = "24h" for every timestamp-capable backend — including pipx. With semgrep = "latest", that age filter activates a date-cutoff install path (the --uploaded-prior-to flow from jdx/mise#10138) that first upgrades the tool's shared pip venv (shared/bin/python -m pip install). That upgrade is the step that fails on the GitHub Actions runner ("Failed to upgrade shared libraries").

  • Under mise 2026.5.6, there is no release-age default, so no cutoff path → semgrep@1.165.0 installs cleanly. Verified by local repro.
  • mise 2026.6.3 (release notes) fixed a different facet of the release-age regression but not this pipx shared-pip upgrade — the failure persists.
  • This is a mise backend regression, not a semgrep version problem. Pinning semgrep does not change the broken install path.

Why only this workflow is red: build.yml already skips semgrep via MISE_DISABLE_TOOLS: "aqua:aquasecurity/trivy,grype,semgrep". upgrade-main (new in #309, first run 06-11) sets no such scope and had a cold mise-action cache, so it is the first job to actually run pipx install semgrep under the new mise.

Why mise uses classic pipx instead of uvx: mise's pipx.uvx setting defaults to true, but it only routes through uv tool install when uv is on PATH. uv = "latest" is declared in agent/mise.toml but not in the root mise.toml that mise-action provisions at the repo root. So when root-level semgrep installs, uv is absent → classic-pipx fallback → the failing path.

Blast radius beyond the canary

security.yml (weekly, next fire Mon 2026-06-15 12:00Z) also needs semgrep and sets no MISE_DISABLE_TOOLS. Once its mise-action cache misses (or the runner image rotates), it will hit the same broken install and the weekly security suite goes red — re-triggering the auto-filed "Security suite failed" bug. deploy/integ on main are unaffected (they had warm caches / don't provision semgrep).

Proposed fix (ranked; root-cause first)

  1. Add uv = "latest" to the root mise.toml [tools]. With uv on PATH, mise's already-default pipx.uvx=true routes semgrep through uv tool install, bypassing the broken pip-shared-libs upgrade entirely. Keeps the supply-chain release-age protection. Most robust; addresses root cause.
  2. Targeted release-age exclude: set MISE_MINIMUM_RELEASE_AGE_EXCLUDES=pipx:* (or just semgrep) on the affected workflows. Removes the cutoff path for pipx without giving up the 24h delay globally.
  3. Stopgap — pin mise via jdx/mise-action version: (e.g. version: 2026.5.6); reliable but freezes behind the regression.

Rejected: MISE_DISABLE_TOOLS is only valid where the job genuinely doesn't need semgrep (security.yml does need it); pinning pipx itself doesn't control the tool's shared-pip venv upgrade, which is the step that fails.
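As an added illustration of option 1 (not a file from the repository or text from the issue author), this is what the root mise.toml [tools] change looks like. The "before" state is assumed from the issue's description (semgrep declared at the root, uv declared only in agent/mise.toml); any other root tools (the trivy/grype entries referenced by build.yml's MISE_DISABLE_TOOLS) are omitted here and are assumed to stay unchanged.

```toml
# root mise.toml, the file jdx/mise-action provisions at the repo root.
#
# Before the fix (assumed): semgrep is declared here, uv is not.
# With no uv on PATH, mise's pipx backend falls back to classic pipx and
# the release-age cutoff path upgrades the shared pip venv, which fails.
#
# [tools]
# semgrep = "latest"

# After the fix (proposed option 1):
[tools]
# uv must be declared in THIS file, not only in agent/mise.toml, because
# mise-action only provisions the root config. mise resolves uv before
# semgrep automatically when both are declared, so no ordering step is needed.
uv = "latest"

# Unchanged. With uv on PATH, mise's default pipx.uvx = true routes this
# through `uv tool install semgrep==<resolved version>`, bypassing the
# shared-pip upgrade entirely while keeping the 24h release-age default.
semgrep = "latest"
```

If adding uv to the root config is not acceptable for a given job, the narrower option 2 from the list above (MISE_MINIMUM_RELEASE_AGE_EXCLUDES=pipx:* in that workflow's env) removes only the pipx cutoff path and leaves the release-age protection in place for every other backend; it should be treated as a per-workflow scope, not a repo-wide setting.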

Verification of the proposed fix

Reproduced the fix locally under the exact CI mise binary (2026.6.3), isolated HOME, with uv + semgrep both in [tools]:

mise uv@<version>        ✓ installed
mise semgrep@1.165.0   [1/3] uv tool install semgrep==1.165.0
   Built semgrep==1.165.0
Installed 2 executables: pysemgrep, semgrep
mise semgrep@1.165.0   ✓ installed   (exit 0)

mise resolves uv before semgrep automatically when both are declared, so no explicit ordering step is needed. The uv tool install path replaces the failing classic-pipx path.

Acceptance criteria

  1. upgrade-main scheduled run completes green (mise install + mise run upgrade + patch/PR creation).
  2. The fix survives a mise version newer than 2026.6.3 (removes the broken pipx path, not just pins around it).
  3. security.yml provisions semgrep without hitting "Failed to upgrade shared libraries" on a cold cache.
  4. The supply-chain release-age protection introduced in mise 2026.6.2 is preserved (not globally disabled to 0s).

Drafted by Bonk during the ABCA nightly review; filed via Laith's account.

Labels: bug (Something isn't working), ci-cd (Build pipeline, deploy.yml, CI perf/caching, GitHub Actions workflows), tooling