diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index 695c4d80e23..10644af1e48 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
@@ -136,17 +136,6 @@ jobs:
 # `continue-on-error` so an OIDC / uv / connect hiccup never breaks the v3
 # pipeline. post-ingest.py mints the RDS IAM token internally (boto3) from
 # the assumed GitHubBenchmarkIngestRole; sslmode=verify-full validates the cert.
- #
- # ORDER MATTERS: "Install uv" runs BEFORE "Configure AWS credentials".
- # configure-aws-credentials persists the assumed ingest-role (rds-db:connect
- # only) as the job's ambient AWS creds; the uv setup compiles via sccache
- # (S3-backed), so running it after the role switch fails with S3 AccessDenied.
- # Installing uv first keeps sccache on the original S3-capable creds; the role
- # is assumed immediately before the ingest, which needs only rds-db:connect.
- - name: Install uv for v4 ingest
- if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
- continue-on-error: true
- uses: spiraldb/actions/.github/actions/setup-uv@a746510eafaa926484c354541cfc49b2ec06cc63 # 0.18.6
 - name: Configure AWS credentials for v4 ingest (OIDC)
 if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
@@ -154,6 +143,15 @@ jobs:
 with:
 role-to-assume: ${{ vars.GH_BENCH_INGEST_ROLE_ARN }}
 aws-region: ${{ vars.RDS_BENCH_REGION }}
+ # Install ONLY the uv binary (no `uv sync`): the ingest runs
+ # `uv run --no-project --with`, which needs just the binary, not a workspace
+ # build. spiraldb's setup-uv ran a full `uv sync` that built vortex-python via
+ # sccache->S3 and failed under the ingest-role creds (which lack S3) -- pure
+ # waste, since the ingest never used the synced workspace.
+ - name: Install uv for v4 ingest
+ if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
+ continue-on-error: true
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Ingest results to v4 Postgres (best-effort)
 if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
diff --git a/.github/workflows/commit-metadata.yml b/.github/workflows/commit-metadata.yml
index 1cd2601736c..8f2816c24fe 100644
--- a/.github/workflows/commit-metadata.yml
+++ b/.github/workflows/commit-metadata.yml
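Review bot: The re-added `Install uv for v4 ingest` step in bench.yml now sits after `Configure AWS credentials for v4 ingest (OIDC)`, so a third-party action runs with the assumed ingest-role credentials already in the job environment even though a binary-only install needs no AWS access. With the sccache/S3 dependency gone, nothing forces this order; moving the step back above the credentials step keeps the removed comment's invariant that the role is assumed immediately before the ingest, and a one-line comment such as `# Runs before the role is assumed: the installer needs no AWS access.` would record why. The same applies to the matching second hunks in commit-metadata.yml and sql-benchmarks.yml. Separately, the action is pinned by commit SHA but no `version:` input is passed, so unless the repository declares a uv `required-version` the installed binary follows upstream releases; consider adding `with:` and `version: "<pinned uv version>"`. The credentials step's `uses:` line falls between the two hunks and is not visible here.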
@@ -41,17 +41,6 @@ jobs:
 # a v4 failure never fails the job (promoted to required at cutover, PR-5.1).
 # Gated on the ingest-role ARN var (the assume-role input that MUST exist) so
 # it no-ops until v4 infra is wired.
- #
- # ORDER MATTERS: "Install uv" runs BEFORE "Configure AWS credentials".
- # configure-aws-credentials persists the assumed ingest-role (rds-db:connect
- # only) as the job's ambient AWS creds; the uv setup compiles via sccache
- # (S3-backed), so running it after the role switch fails with S3 AccessDenied.
- # Installing uv first keeps sccache on the original S3-capable creds; the role
- # is assumed immediately before the ingest, which needs only rds-db:connect.
- - name: Install uv for v4 ingest
- if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
- continue-on-error: true
- uses: spiraldb/actions/.github/actions/setup-uv@a746510eafaa926484c354541cfc49b2ec06cc63 # 0.18.6
 - name: Configure AWS credentials for v4 ingest (OIDC)
 if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
@@ -59,6 +48,15 @@ jobs:
 with:
 role-to-assume: ${{ vars.GH_BENCH_INGEST_ROLE_ARN }}
 aws-region: ${{ vars.RDS_BENCH_REGION }}
+ # Install ONLY the uv binary (no `uv sync`): the ingest runs
+ # `uv run --no-project --with`, which needs just the binary, not a workspace
+ # build. spiraldb's setup-uv ran a full `uv sync` that built vortex-python via
+ # sccache->S3 and failed under the ingest-role creds (which lack S3) -- pure
+ # waste, since the ingest never used the synced workspace.
+ - name: Install uv for v4 ingest
+ if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
+ continue-on-error: true
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Ingest commit metadata to v4 Postgres (best-effort)
 if: vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
diff --git a/.github/workflows/sql-benchmarks.yml b/.github/workflows/sql-benchmarks.yml
index 092b3548510..add44ab5cb6 100644
--- a/.github/workflows/sql-benchmarks.yml
+++ b/.github/workflows/sql-benchmarks.yml
@@ -689,17 +689,6 @@ jobs:
 # input that MUST exist for OIDC to succeed; it no-ops until v4 infra is wired), and
 # every step is continue-on-error. post-ingest.py mints the RDS IAM token (boto3) from
 # the assumed GitHubBenchmarkIngestRole; sslmode=verify-full validates the cert.
- #
- # ORDER MATTERS: "Install uv" runs BEFORE "Configure AWS credentials".
- # configure-aws-credentials persists the assumed ingest-role (rds-db:connect
- # only) as the job's ambient AWS creds; the uv setup compiles via sccache
- # (S3-backed), so running it after the role switch fails with S3 AccessDenied.
- # Installing uv first keeps sccache on the original S3-capable creds; the role
- # is assumed immediately before the ingest, which needs only rds-db:connect.
- - name: Install uv for v4 ingest
- if: inputs.mode == 'develop' && vars.GH_BENCH_INGEST_ROLE_ARN != ''
- continue-on-error: true
- uses: spiraldb/actions/.github/actions/setup-uv@a746510eafaa926484c354541cfc49b2ec06cc63 # 0.18.6
 - name: Configure AWS credentials for v4 ingest (OIDC)
 if: inputs.mode == 'develop' && vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true
@@ -707,6 +696,15 @@ jobs:
 with:
 role-to-assume: ${{ vars.GH_BENCH_INGEST_ROLE_ARN }}
 aws-region: ${{ vars.RDS_BENCH_REGION }}
+ # Install ONLY the uv binary (no `uv sync`): the ingest runs
+ # `uv run --no-project --with`, which needs just the binary, not a workspace
+ # build. spiraldb's setup-uv ran a full `uv sync` that built vortex-python via
+ # sccache->S3 and failed under the ingest-role creds (which lack S3) -- pure
+ # waste, since the ingest never used the synced workspace.
+ - name: Install uv for v4 ingest
+ if: inputs.mode == 'develop' && vars.GH_BENCH_INGEST_ROLE_ARN != ''
+ continue-on-error: true
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
 - name: Ingest results to v4 Postgres (best-effort)
 if: inputs.mode == 'develop' && vars.GH_BENCH_INGEST_ROLE_ARN != ''
 continue-on-error: true