Commit 1faa5c3

fix(ci): add uv to root tools so semgrep installs via uvx (aws-samples#320) (aws-samples#321)
* fix(ci): add uv to root tools so semgrep installs via uvx (aws-samples#320)

  The upgrade-main workflow (and any cold-cache security.yml run) fails at the mise-action Install step because mise 2026.6.2+ enabled a default minimum_release_age for the pipx backend, which triggers a shared-pip venv upgrade that fails on the runner ("Failed to upgrade shared libraries").

  mise's pipx.uvx setting defaults to true and routes pipx tools through `uv tool install` when uv is on PATH — but uv was only declared in agent/mise.toml, not the root mise.toml that mise-action provisions at the repo root. Declaring uv here puts it on PATH before semgrep resolves, so semgrep installs via uvx and bypasses the broken classic-pipx path.

  Verified locally under the exact CI mise 2026.6.3: with uv in [tools], `mise install` runs `uv tool install semgrep==1.165.0` and succeeds. Preserves the 2026.6.2 supply-chain release-age protection.

  Refs aws-samples#320

* docs(ci): cite upstream mise PR in the uv tool comment

  No-op content change to route this branch through the freshly installed prek pre-commit/pre-push hooks, which were missing from the local clone when 16b0ab6 was created.

  Refs aws-samples#320
1 parent d6b00df commit 1faa5c3

1 file changed

Lines changed: 6 additions & 0 deletions

mise.toml

@@ -18,6 +18,12 @@ experimental = true
1818
node = "22"
1919
prek = "latest"
2020
gitleaks = "latest"
21+
# uv must be declared so it is on PATH before semgrep installs: mise's
22+
# `pipx.uvx` default routes pipx tools through `uv tool install` when uv is
23+
# present, avoiding the classic-pipx "Failed to upgrade shared libraries" path
24+
# that breaks under the mise 2026.6.x default `minimum_release_age`
25+
# (jdx/mise#10279; see #320).
26+
uv = "latest"
2127
semgrep = "latest"
2228
osv-scanner = "latest"
2329
"grype" = "latest"
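
Review bot: the added `uv = "latest"` line makes the semgrep install depend on two things this file does not fix in place: an unpinned uv release, and the `pipx.uvx` default that the new comment relies on. The breakage being worked around came from a changed mise default (`minimum_release_age`), so consider setting `pipx.uvx = true` explicitly in this file instead of depending on its default, and pinning uv to a specific version so the tool that now installs semgrep does not change between runs. The comment could also state whether uv has to appear ahead of `semgrep` in this table or only has to be present, so a later reorder does not quietly bring back the "Failed to upgrade shared libraries" path.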
