From f6ce517a69bcda887664916df418e2c881800222 Mon Sep 17 00:00:00 2001
From: Jared Vititoe <jjvititoe1@gmail.com>
Date: Tue, 21 Apr 2026 14:03:19 -0400
Subject: [PATCH] ci: use pip-audit --local to avoid internal venv ensurepip
 failure

The standalone Python 3.10 binary's venv ensurepip step exits 127.
Workaround: install requirements + pip-audit into the same env,
then audit with --local (no internal venv creation).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/lint.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/lint.yml b/.gitea/workflows/lint.yml
index 56c7777..5796c62 100644
--- a/.gitea/workflows/lint.yml
+++ b/.gitea/workflows/lint.yml
@@ -60,10 +60,13 @@ jobs:
           # Debian Bullseye only ships Python 3.9; use a prebuilt standalone binary
           curl -sSL "https://github.com/indygreg/python-build-standalone/releases/download/20241002/cpython-3.10.15+20241002-x86_64-unknown-linux-gnu-install_only.tar.gz" \
             | tar -xz -C /opt
-          /opt/python/bin/pip install pip-audit
+          # Install pip-audit + the bot's requirements into the same env.
+          # Using --local avoids pip-audit creating an internal venv (which fails
+          # with ensurepip exit 127 on this standalone build).
+          /opt/python/bin/pip install pip-audit -r matrixbot/requirements.txt
 
       - name: Audit matrixbot dependencies
-        run: /opt/python/bin/pip-audit -r matrixbot/requirements.txt
+        run: /opt/python/bin/pip-audit --local
 
   secret-scan:
     name: Secret scan (gitleaks)