test(e2e): pin uv to 0.11.8 around astral-sh/uv#19278#9618
Merged
Conversation
uv 0.11.9 was manually published due to a crates.io timeout, which skipped GitHub Artifact Attestations generation (astral-sh/uv#19278). Tests that install uv via the aqua backend now fail because mise correctly rejects the unattested release. Pin uv@0.11.8 in the four affected tests to keep CI green without weakening attestation coverage. Revert the pins once 0.11.10 ships with attestations restored. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
Greptile SummaryThis PR pins Confidence Score: 5/5Safe to merge — minimal, well-scoped workaround with clear revert instructions in every modified file. All four changes are identical in pattern, pin to a known-good version, include explanatory comments, and align exactly with the stated goal. No logic changes, no new dependencies, no security implications. No files require special attention. Reviews (1): Last reviewed commit: "test(e2e): pin uv to 0.11.8 in attestati..." | Re-trigger Greptile |
Contributor
There was a problem hiding this comment.
Code Review
This pull request pins the uv tool to version 0.11.8 across several end-to-end test files, including Xonsh activation and Python sync tests. This change is a temporary measure because uv version 0.11.9 was manually published and lacks SLSA attestations. I have no feedback to provide.
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.5.0 x -- echo |
20.2 ± 1.1 | 18.0 | 26.4 | 1.00 |
mise x -- echo |
22.9 ± 2.7 | 18.8 | 34.4 | 1.14 ± 0.15 |
x -- echo is 14% |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.5.0 env |
21.8 ± 1.3 | 19.2 | 27.8 | 1.00 |
mise env |
22.7 ± 1.2 | 19.9 | 28.3 | 1.04 ± 0.08 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.5.0 hook-env |
23.0 ± 1.2 | 20.2 | 31.1 | 1.00 |
mise hook-env |
25.4 ± 2.4 | 20.9 | 35.1 | 1.10 ± 0.12 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.5.0 ls |
24.7 ± 1.9 | 20.7 | 32.4 | 1.01 ± 0.12 |
mise ls |
24.6 ± 2.3 | 19.0 | 35.4 | 1.00 |
xtasks/test/perf
| Command | mise-2026.5.0 | mise | Variance |
|---|---|---|---|
| install (cached) | 142ms | 148ms | -4% |
| ls (cached) | 80ms | 79ms | +1% |
| bin-paths (cached) | 79ms | 80ms | -1% |
| task-ls (cached) | 612ms | 615ms | +0% |
mise-en-dev
added a commit
that referenced
this pull request
May 7, 2026
### 🚀 Features - **(aqua)** support registry libc variants by @jdx in [#9652](#9652) - **(bin-paths)** add executable names output by @risu729 in [#9617](#9617) ### 🐛 Bug Fixes - **(aqua)** preserve configured file extensions by @risu729 in [#9611](#9611) - **(aqua)** support registry file links by @risu729 in [#9610](#9610) - **(backend)** reject bare package backend names by @risu729 in [#9608](#9608) - **(backend)** apply inline tool option overrides by @risu729 in [#9306](#9306) - **(backend)** skip versions host for local tool opts by @risu729 in [#9568](#9568) - **(github)** chmod explicit archive bin by @risu729 in [#9609](#9609) - **(install)** skip remote-versions refresh in prefer-offline mode by @jdx in [#9627](#9627) - **(lock)** scope targets to active project root by @risu729 in [#9319](#9319) - **(lockfile)** respect existing platforms during auto-lock by @jdx in [#9621](#9621) - **(pipx)** filter yanked pypi releases by @risu729 in [#9607](#9607) - **(pipx)** declare python as a backend dependency by @jdx in [#9678](#9678) - **(schema)** update refs to $defs in mise-registry-tool.json by @risu729 in [#9671](#9671) - **(task)** terminate parallel siblings on failure via process groups by @jdx in [#9655](#9655) - **(task)** stable MISE_PROJECT_ROOT for monorepo tasks, add MISE_MONOREPO_ROOT by @jdx in [#9657](#9657) - **(trust)** run enter hooks after trusting config by @risu729 in [#9634](#9634) - **(ui)** stop clearing screen for prompts by @jdx in [#9619](#9619) - use /bin/cp on macos by @pdehlke in [#9656](#9656) ### 🚜 Refactor - **(aqua)** store aqua var defaults as strings by @risu729 in [#9645](#9645) - **(config)** support structured TOML values in registry backend options by @risu729 in [#9584](#9584) - **(deps)** remove serde_derive dependency by @risu729 in [#9670](#9670) - **(deps)** remove anyhow dependency by @risu729 in [#9661](#9661) - **(deps)** use std::sync::LazyLock instead of once_cell::Lazy by @risu729 in [#9668](#9668) - **(schema)** generate task schema from mise schema by @risu729 in [#9581](#9581) - **(schema)** reuse task props with unevaluatedProperties by @risu729 in [#9582](#9582) - **(schema)** reuse registry common types by @risu729 in [#9648](#9648) - **(schema)** reuse plugin script config by @risu729 in [#9647](#9647) - **(schema)** use $defs in schema files by @risu729 in [#9646](#9646) ### 📚 Documentation - **(node)** add tips for enabling node idiomatic by @fu050409 in [#9675](#9675) ### 🧪 Testing - **(cli)** remove nondeterministic tool depends assertion by @risu729 in [#9633](#9633) - **(e2e)** pin uv to 0.11.8 around astral-sh/uv#19278 by @jdx in [#9618](#9618) - **(e2e)** wait for docker env cleanup by @risu729 in [#9631](#9631) - **(zig)** use official zig instead of mach mirror by @jdx in [#9659](#9659) ### 📦️ Dependency Updates - fall through to hash check when providers have no outputs by @jdx in [#9622](#9622) - bump Cargo.lock by @jdx in [#9625](#9625) ### 📦 Registry - remove registry depends by @risu729 in [#9571](#9571) - add code-review-graph (pipx:code-review-graph) by @chautruonglong in [#9673](#9673) ### Chore - **(ci)** split large registry test-tool changes by @risu729 in [#9628](#9628) - **(ci)** make perf script robust to runner noise by @jdx in [#9635](#9635) - **(ci)** skip hyperfine comments without permission by @risu729 in [#9629](#9629) ### New Contributors - @chautruonglong made their first contribution in [#9673](#9673) - @pdehlke made their first contribution in [#9656](#9656) ## 📦 Aqua Registry Updates ### New Packages (5) - [`anthropics/anthropic-cli`](https://github.com/anthropics/anthropic-cli) - [`crates.io/wasmi_cli`](https://github.com/wasmi-labs/wasmi) - [`openclaw/gogcli`](https://github.com/openclaw/gogcli) - `racket-lang.org/racket-minimal` - [`runs-on/cli`](https://github.com/runs-on/cli) ### Updated Packages (13) - [`UpCloudLtd/upcloud-cli`](https://github.com/UpCloudLtd/upcloud-cli) - [`aristocratos/btop`](https://github.com/aristocratos/btop) - [`dprint/dprint`](https://github.com/dprint/dprint) - [`j178/prek`](https://github.com/j178/prek) - [`jdx/hk`](https://github.com/jdx/hk) - [`jdx/mise`](https://github.com/jdx/mise) - [`jdx/usage`](https://github.com/jdx/usage) - [`jreleaser/jreleaser`](https://github.com/jreleaser/jreleaser) - [`jreleaser/jreleaser/standalone`](https://github.com/jreleaser/jreleaser) - [`pnpm/pnpm`](https://github.com/pnpm/pnpm) - [`suzuki-shunsuke/cmdx`](https://github.com/suzuki-shunsuke/cmdx) - [`suzuki-shunsuke/ghir`](https://github.com/suzuki-shunsuke/ghir) - [`twpayne/chezmoi`](https://github.com/twpayne/chezmoi)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
uvto0.11.8in the four e2e tests that install it via the aqua backend (shell/test_xonsh,cli/test_activate_multiple_xonsh,cli/test_deactivate_xonsh,sync/test_sync_python_uv).uv 0.11.9was manually published due to a crates.io timeout, which skipped GitHub Artifact Attestations generation. mise's aqua backend correctly rejects the unattested release withWorkflow verification failed: ... found certificate: None, provenance: None, breaking these tests onmainand on every open PR.uv 0.11.10ships with attestations restored.Why pinning instead of disabling attestations
Disabling
MISE_AQUA_GITHUB_ATTESTATIONSin the tests would silently mask the same class of regression in the future. Pinning the only known-bad version keeps attestation coverage intact and is trivially reverted once upstream is fixed.Test plan
shell/test_xonsh,cli/test_activate_multiple_xonsh,cli/test_deactivate_xonsh,sync/test_sync_python_uvnow pass.🤖 Generated with Claude Code
Note
Low Risk
Test-only change that pins a tool version to avoid a known-bad upstream release; no production code paths are affected.
Overview
Pins
uvto0.11.8in four e2e scripts so tests don’t pulluv 0.11.9, which was published without SLSA/GitHub attestations and is rejected by the aqua backend.Adds inline comments referencing
astral-sh/uv#19278and noting the pin should be removed once0.11.10restores attestations.Reviewed by Cursor Bugbot for commit 5e332ef. Bugbot is set up for automated code reviews on this repo. Configure here.