From a6253d1e0fc7c669dca814098f5cabfc8d071a17 Mon Sep 17 00:00:00 2001
From: abhicris <175058189+abhicris@users.noreply.github.com>
Date: Wed, 22 Apr 2026 10:30:13 +0530
Subject: [PATCH] ci: fix uv sync flag and bandit install so CI actually runs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The lint/type-check/test jobs call `uv sync --dev`, but polybot declares
dev tooling under `[project.optional-dependencies]` (not
`[dependency-groups]`), so `--dev` is a no-op and `ruff`/`pytest` never
land in the venv. Result: every lint run fails with
`error: Failed to spawn: 'ruff'` before a single check executes.

Switch those three jobs to `uv sync --extra dev`, matching the pattern
already used by `docs.yml` (`uv sync --extra docs`).

The security job separately fails with `No virtual environment found;
run 'uv venv' to create an environment, or pass '--system'` because
`uv pip install bandit` runs before any venv exists. Replace the
two-step install+run with `uvx --from bandit bandit ...`, which is
purpose-built for one-shot tool invocations and drops the step entirely.

Verified locally:

    uv sync --extra dev          # installs ruff 0.14.10, pytest, mypy
    uv run ruff --version        # ruff 0.14.10 (was: failed to spawn)
    uvx --from bandit bandit     # writes bandit-report.json, exit 0

After this PR the jobs will surface their real signal (ruff lint errors,
pytest results) rather than masking them behind env setup failures.

— [kcolbchain](https://kcolbchain.com) / [Abhishek Krishna](https://abhishekkrishna.com)

Co-Authored-By: Claude
---
 .github/workflows/ci.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1c39b4c..e6d41bc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -25,7 +25,7 @@ jobs: run: uv python install ${{ env.PYTHON_VERSION }} - name: Install dependencies - run: uv sync --dev + run: uv sync --extra dev - name: Run ruff check run: uv run ruff check src/ tests/ @@ -48,7 +48,7 @@ jobs: run: uv python install ${{ env.PYTHON_VERSION }} - name: Install dependencies - run: uv sync --dev + run: uv sync --extra dev - name: Run mypy run: uv run mypy src/polybot/ --ignore-missing-imports @@ -70,7 +70,7 @@ jobs: run: uv python install ${{ env.PYTHON_VERSION }} - name: Install dependencies - run: uv sync --dev + run: uv sync --extra dev - name: Create data directory run: mkdir -p data @@ -111,11 +111,8 @@ jobs: - name: Set up Python run: uv python install ${{ env.PYTHON_VERSION }} - - name: Install bandit - run: uv pip install bandit - - name: Run bandit security check - run: uv run bandit -r src/polybot/ -ll -x tests/ -f json -o bandit-report.json + run: uvx --from bandit bandit -r src/polybot/ -ll -x tests/ -f json -o bandit-report.json continue-on-error: true - name: Upload security report
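Review bot: the three `Install dependencies` steps (hunks at -25, -48 and -70) run `uv sync --extra dev` without `--locked`, so if a committed uv.lock is out of date with pyproject.toml the runner re-resolves and the jobs test a dependency set that is not the one in the repository. If the project commits a uv.lock, use `uv sync --locked --extra dev` in all three steps so a stale lockfile fails the job instead of being silently updated on the runner. Since the same install line now appears three times, a short comment next to one of them noting that dev tooling lives under `[project.optional-dependencies]` would keep the next editor from switching it back to `--dev`.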
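Review bot: in the security job (hunk at -111,11) the new `run: uvx --from bandit bandit -r src/polybot/ ...` line installs whichever bandit release is newest at run time, so the scanner version, and with it the set of findings, can change between runs with no commit, and the job executes an unpinned package straight from the index. Pin the tool, for example `uvx --from 'bandit==<version>' bandit ...` (placeholder: use the version that was verified locally). Also note that the unchanged `continue-on-error: true` under this step still swallows a non-zero bandit exit and `-ll` limits the report to medium severity and above, so findings only show up in the uploaded bandit-report.json; if the goal stated in the commit message is for jobs to surface their real signal, consider dropping `continue-on-error` once the baseline is clean.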