From 28489b05ca646fed722b6de0bba012df48af6cba Mon Sep 17 00:00:00 2001
From: Max Podkorytov <4273004+tenpercent@users.noreply.github.com>
Date: Tue, 13 Jan 2026 23:23:10 -0600
Subject: [PATCH] Use pipx to install uv instead of piping curl to bash
- Install uv via Ubuntu package manager (pipx) for security
- Avoids piping curl to bash which is a security concern
- More reliable and verifiable installation method
- Auto-installs pipx via apt if not already present
- Update documentation to reflect package-based installation
Co-Authored-By: Claude
---
 .claude/skills/ck-build-analysis | 11 +++++++++--
 .claude/skills/ck-build-analysis.md | 4 +++-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/.claude/skills/ck-build-analysis b/.claude/skills/ck-build-analysis
index a52dd1e3bd..9460f3efac 100755
--- a/.claude/skills/ck-build-analysis
+++ b/.claude/skills/ck-build-analysis
@@ -168,8 +168,15 @@ docker cp "${SCRIPT_DIR}/templates" "${CONTAINER_NAME}:/tmp/ck_build_analysis_te
 # Check if uv is available, install if needed, and use for PEP 723 dependency management
 if ! docker exec "${CONTAINER_NAME}" bash -c "command -v uv >/dev/null 2>&1 || test -x \$HOME/.local/bin/uv"; then
- echo "uv not found, installing..."
- docker exec "${CONTAINER_NAME}" bash -c "curl -LsSf https://astral.sh/uv/install.sh | sh" >/dev/null 2>&1
+ echo "uv not found, installing via pipx..."
+ docker exec "${CONTAINER_NAME}" bash -c "
+ # Install pipx if not available
+ if ! command -v pipx >/dev/null 2>&1; then
+ apt-get update -qq && apt-get install -y -qq pipx >/dev/null 2>&1
+ fi
+ # Install uv via pipx
+ pipx install uv >/dev/null 2>&1
+ "
 echo "uv installed successfully"
 fi
diff --git a/.claude/skills/ck-build-analysis.md b/.claude/skills/ck-build-analysis.md
index 83ff89144d..15744c9fe8 100644
--- a/.claude/skills/ck-build-analysis.md
+++ b/.claude/skills/ck-build-analysis.md
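Review bot: In the `.claude/skills/ck-build-analysis` hunk, the added `pipx install uv` still downloads an unpinned uv release from PyPI at run time, so only pipx itself comes from the Ubuntu archive and the package-manager provenance described in the commit message does not extend to the uv binary that ends up running. Pinning the release, for example `pipx install 'uv==<PINNED_VERSION>' >/dev/null` (placeholder for a version the project has vetted), would make the install reproducible and reviewable. Separately, both install commands discard stderr and `echo "uv installed successfully"` runs without checking the `docker exec` status, so a failed apt or PyPI fetch is either reported as success or aborts with no diagnostics, depending on shell options set outside this hunk; appending `|| { echo "uv installation failed" >&2; exit 1; }` after the closing `"` and dropping the `2>&1` would surface it. The documentation hunk in `ck-build-analysis.md` repeats the "through Ubuntu's package manager" wording and should state that uv is fetched from PyPI via pipx.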
@@ -134,11 +134,13 @@ The analysis script (`analyze_build_trace.py`) is PEP 723 compliant with inline **No manual setup required!** The first time you run the skill, it will: 1. Detect if `uv` is installed in the container -2. If not, automatically install it (takes ~5 seconds) +2. If not, automatically install it via Ubuntu packages (pipx install uv) 3. Use `uv run` to execute the analysis with auto-managed dependencies On subsequent runs, `uv` will already be available and dependencies will be cached. +Installation is done through Ubuntu's package manager for security and reliability. + ### Components - **ck-build-analysis** - Main bash script that orchestrates Docker, CMake, and analysis