Skip to content

chore(deps): Bump jdx/mise-action from 4.0.1 to 4.2.1#315

Open
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/github_actions/jdx/mise-action-4.1.0
Open

chore(deps): Bump jdx/mise-action from 4.0.1 to 4.2.1#315
dependabot[bot] wants to merge 2 commits into
mainfrom
dependabot/github_actions/jdx/mise-action-4.1.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 8, 2026

Copy link
Copy Markdown
Contributor

Bumps jdx/mise-action from 4.0.1 to 4.2.1.

Release notes

Sourced from jdx/mise-action's releases.

v4.2.1: Signed checksums and PATH export fix

A small patch release with two user-facing fixes: mise downloads are now verified against minisign-signed release checksums by default, and the env input no longer leaks the runner's PATH into subsequent steps.

Fixed

Verify mise downloads with signed checksums (#548) by @​jdx

The action now embeds mise's minisign public key and verifies SHASUMS256.txt.minisig before trusting any release checksums, then checks the downloaded mise binary's SHA256 against the verified list. This applies to both GitHub release archives (verified before extraction) and the default mise.jdx.dev CDN path (verified against the signed checksum for the matching release asset). If a CDN download fails verification, the action warns and falls back to the signed GitHub release asset instead of installing an unverified binary.

  • The existing sha256 input still works as an explicit override.
  • Pinned mise versions older than 2024.12.24 (which predate minisign checksums) get a warning and skip signed verification rather than failing.
  • Because tar installs now extract from a verified file on disk, the previous streaming download | tar fast path is replaced with a download-then-verify-then-extract flow.

Thanks to @​potiuk for the detailed threat-model writeup in #547.

Exclude PATH from environment export (#556) by @​jdx

The env input has always documented that "PATH modifications are not part of this", but since the switch to mise env --json in #252 (needed for redaction support), the action was exporting every string value returned by mise — including the computed PATH — into GITHUB_ENV. That effectively snapshotted the runner's entire PATH into subsequent steps and let [env] _.path entries in mise.toml leak past the action's own PATH management.

exportMiseEnv now skips PATH (case-insensitive) when exporting JSON env vars, restoring the documented behavior. Normal mise env vars are still exported, and PATH continues to be managed by the action's own setup (e.g. add_shims_to_path). Fixes #555.

Full Changelog: jdx/mise-action@v4.2.0...v4.2.1

v4.2.0: Bootstrap mode & wget fallback

This release adds an opt-in bootstrap mode for projects that use mise bootstrap, and makes the action work on runner images that ship wget but not curl.

Added

Bootstrap mode (#522) by @​jdx

Three new inputs let the action drive mise bootstrap instead of mise install:

- uses: jdx/mise-action@v4
  with:
    bootstrap: true
    bootstrap_skip: "tools,task"   # comma-separated parts to skip
    bootstrap_args: "--yes"        # extra args forwarded to mise bootstrap
  • When bootstrap: true, the action runs mise bootstrap under the existing install gate and sets MISE_EXPERIMENTAL=1 automatically.
  • If a repo mise lock file is present, it runs mise --locked bootstrap, matching the auto-lock behavior introduced for mise install in v4.1.0.
  • install_args cannot be combined with bootstrap: true — the action fails fast and tells you to use bootstrap_skip / bootstrap_args instead, because full bootstrap doesn't support partial tool install args.
  • A new {{bootstrap_hash}} template variable is included in the default cache key (and available in custom cache_key templates) so bootstrap and non-bootstrap configurations don't share caches.

bootstrap_skip relies on mise bootstrap --skip from jdx/mise#10497, so make sure you're on a recent mise version if you use it.

Fixed

  • Fall back to wget when curl is unavailable (#521) by @​risu729 — The action used to hard-code curl for fetching the mise binary, tar/zip archives, and the latest VERSION lookup, which broke on minimal runner images that only ship wget. It now prefers curl and transparently falls back to wget, preserving the streaming download | tar fast path for .tar.gz and .tar.zst installs on Linux/macOS. Proxy support is unchanged — both tools honor HTTP_PROXY/HTTPS_PROXY. Addresses jdx/mise#10488.

... (truncated)

Changelog

Sourced from jdx/mise-action's changelog.

Changelog


4.2.1 - 2026-07-16

🐛 Bug Fixes

🔍 Other Changes

⚙️ Miscellaneous Tasks


4.2.0 - 2026-06-17

🚀 Features

🐛 Bug Fixes

📚 Documentation

⚙️ Miscellaneous Tasks


4.1.0 - 2026-06-04

🚀 Features

🐛 Bug Fixes

... (truncated)

Commits
  • dad1bfd chore: release v4.2.1 (#530)
  • 1e7bfbb chore(ci): automate weekly releases (#557)
  • b107e20 fix: exclude PATH from environment export (#556)
  • d538618 chore(deps): update dependency prettier to v3.9.4 (#553)
  • 99eca4c chore(deps): update github/codeql-action action to v4.36.3 (#552)
  • 43d01e6 chore(deps): update dependency typescript-eslint to v8.62.1 (#551)
  • d44584d chore(deps): update dependency js-yaml to v5.2.1 (#550)
  • 4b4b9b2 chore(release): skip ai reviews for release prs (#549)
  • 0f03c79 fix: verify mise downloads with signed checksums (#548)
  • 6bd511f chore(deps): update dependency js-yaml to v5.2.0 (#546)
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 8, 2026
@dosubot dosubot Bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Jun 8, 2026
mergify[bot]
mergify Bot previously approved these changes Jun 8, 2026

@mergify mergify Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by Mergify

@mergify

mergify Bot commented Jun 8, 2026

Copy link
Copy Markdown
Contributor

Merge Protections

🔴 1 of 3 protections blocking · waiting on 🤖 CI

Protection Waiting on
🔴 Full CI must pass 🤖 CI
🟢 Do not merge outdated PRs
🟢 🚦 Auto-queue

🔴 Full CI must pass

Waiting for

  • check-success = coverage
  • check-success = quality
  • check-success = test
  • check-success = test-cross-platform (macos-latest, macOS)
  • check-success = test-cross-platform (ubuntu-22.04, Linux)
  • check-success = test-cross-platform (ubuntu-latest, Linux)
  • check-success = test-cross-platform (windows-latest, Windows)
This rule is failing.

All CI checks must pass. Release-plz PRs are exempt because they only bump versions and changelogs (code was already tested on main), and GITHUB_TOKEN-triggered force-pushes suppress CI.

  • check-success = coverage
  • check-success = quality
  • check-success = test
  • check-success = test-cross-platform (macos-latest, macOS)
  • check-success = test-cross-platform (ubuntu-22.04, Linux)
  • check-success = test-cross-platform (ubuntu-latest, Linux)
  • check-success = test-cross-platform (windows-latest, Windows)

Show 2 satisfied protections

🟢 Do not merge outdated PRs

Make sure PRs are within 10 commits of the base branch before merging

  • #commits-behind <= 10

🟢 🚦 Auto-queue

When all merge protections are satisfied and these conditions match, this pull request will be queued automatically.

  • any of:
    • all of:
      • author = dependabot[bot]
      • base = main
      • label != do-not-merge
    • all of:
      • author = dosubot[bot]
      • base = main
      • label != do-not-merge
    • all of:
      • author = release-plz[bot]
      • head ~= ^release-plz-
      • base = main
      • label != do-not-merge

@dependabot @github

dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor Author

A newer version of jdx/mise-action exists, but since this PR has been edited by someone other than Dependabot I haven't updated it. You'll get a PR for the updated version as normal once this PR is merged.

unclesp1d3r added a commit that referenced this pull request Jun 24, 2026
Rebased onto main to resolve conflicts from the actions/checkout v7 bump.

Closes #315

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
@unclesp1d3r
unclesp1d3r force-pushed the dependabot/github_actions/jdx/mise-action-4.1.0 branch from 5c86d82 to 79595b8 Compare June 24, 2026 01:23
mergify[bot]
mergify Bot previously approved these changes Jun 24, 2026

@mergify mergify Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by Mergify

@unclesp1d3r

Copy link
Copy Markdown
Member

Rebased onto current main to resolve the conflicts from the actions/checkout v7 bump (the change is now mergeable).

Heads up: CI here fails at the mise install --locked step because v4.1.0 enforces --locked with the newer mise CLI, and the committed lockfile had no rust@latest entry. Fix is in #342 (regenerated mise.lock). Merge #342 first, then this PR will go green on rebase.

@unclesp1d3r

Copy link
Copy Markdown
Member

@mergify queue

@mergify

mergify Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Merge Queue Status

  • 🟠 Waiting for queue conditions
  • ⏳ Enter queue
  • ⏳ Run checks
  • ⏳ Merge
Waiting for
  • any of: [📌 queue requirement]
    • check-neutral = Mergify Merge Protections
    • check-skipped = Mergify Merge Protections
    • check-success = Mergify Merge Protections
  • any of: [🔀 queue conditions]
    • all of: [📌 queue conditions of queue rule default]
      • check-success = coverage
      • check-success = quality
      • check-success = test
      • check-success = test-cross-platform (macos-latest, macOS)
      • check-success = test-cross-platform (ubuntu-22.04, Linux)
      • check-success = test-cross-platform (ubuntu-latest, Linux)
      • check-success = test-cross-platform (windows-latest, Windows)
      • any of: [🛡 GitHub repository ruleset rule main]
        • check-neutral = @mergify/Mergify Merge Protections
        • check-skipped = @mergify/Mergify Merge Protections
        • check-success = @mergify/Mergify Merge Protections
    • all of: [📌 queue conditions of queue rule dependabot]
      • check-success = coverage
      • check-success = quality
      • check-success = test
      • check-success = test-cross-platform (macos-latest, macOS)
      • check-success = test-cross-platform (ubuntu-22.04, Linux)
      • check-success = test-cross-platform (ubuntu-latest, Linux)
      • check-success = test-cross-platform (windows-latest, Windows)
      • any of: [🛡 GitHub repository ruleset rule main]
        • check-neutral = @mergify/Mergify Merge Protections
        • check-skipped = @mergify/Mergify Merge Protections
        • check-success = @mergify/Mergify Merge Protections
    • all of: [📌 queue conditions of queue rule dosubot]
      • check-success = coverage
      • check-success = quality
      • check-success = test
      • check-success = test-cross-platform (macos-latest, macOS)
      • check-success = test-cross-platform (ubuntu-22.04, Linux)
      • check-success = test-cross-platform (ubuntu-latest, Linux)
      • check-success = test-cross-platform (windows-latest, Windows)
      • any of: [🛡 GitHub repository ruleset rule main]
        • check-neutral = @mergify/Mergify Merge Protections
        • check-skipped = @mergify/Mergify Merge Protections
        • check-success = @mergify/Mergify Merge Protections
    • all of: [📌 queue conditions of queue rule release-plz]
      • check-success = coverage
      • check-success = quality
      • check-success = test
      • check-success = test-cross-platform (macos-latest, macOS)
      • check-success = test-cross-platform (ubuntu-22.04, Linux)
      • check-success = test-cross-platform (ubuntu-latest, Linux)
      • check-success = test-cross-platform (windows-latest, Windows)
      • any of: [🛡 GitHub repository ruleset rule main]
        • check-neutral = @mergify/Mergify Merge Protections
        • check-skipped = @mergify/Mergify Merge Protections
        • check-success = @mergify/Mergify Merge Protections
All conditions
  • any of [📌 queue requirement]:
    • check-neutral = Mergify Merge Protections
    • check-skipped = Mergify Merge Protections
    • check-success = Mergify Merge Protections
  • any of [🔀 queue conditions]:
    • all of [📌 queue conditions of queue rule default]:
      • all of [🛡 Merge Protections rule Full CI must pass]:
        • check-success = coverage
        • check-success = quality
        • check-success = test
        • check-success = test-cross-platform (macos-latest, macOS)
        • check-success = test-cross-platform (ubuntu-22.04, Linux)
        • check-success = test-cross-platform (ubuntu-latest, Linux)
        • check-success = test-cross-platform (windows-latest, Windows)
      • any of [🛡 GitHub repository ruleset rule main]:
        • check-neutral = @mergify/Mergify Merge Protections
        • check-skipped = @mergify/Mergify Merge Protections
        • check-success = @mergify/Mergify Merge Protections
      • github-code-owner-review-satisfied [🛡 GitHub repository ruleset rule main]
      • github-code-owner-review-satisfied [🛡 GitHub repository ruleset rule ossf_best_practices]
      • github-review-approved [🛡 GitHub repository ruleset rule main]
      • github-review-approved [🛡 GitHub repository ruleset rule ossf_best_practices]
      • all of [🛡 Merge Protections rule Do not merge outdated PRs]:
        • #commits-behind <= 10
      • any of [🛡 GitHub repository ruleset rule main]:
        • check-success = @dco/DCO
        • check-neutral = @dco/DCO
        • check-skipped = @dco/DCO
    • all of [📌 queue conditions of queue rule dependabot]:
      • all of [🛡 Merge Protections rule Full CI must pass]:
        • check-success = coverage
        • check-success = quality
        • check-success = test
        • check-success = test-cross-platform (macos-latest, macOS)
        • check-success = test-cross-platform (ubuntu-22.04, Linux)
        • check-success = test-cross-platform (ubuntu-latest, Linux)
        • check-success = test-cross-platform (windows-latest, Windows)
      • any of [🛡 GitHub repository ruleset rule main]:
        • check-neutral = @mergify/Mergify Merge Protections
        • check-skipped = @mergify/Mergify Merge Protections
        • check-success = @mergify/Mergify Merge Protections
      • author = dependabot[bot]
      • base = main
      • github-code-owner-review-satisfied [🛡 GitHub repository ruleset rule main]
      • github-code-owner-review-satisfied [🛡 GitHub repository ruleset rule ossf_best_practices]
      • github-review-approved [🛡 GitHub repository ruleset rule main]
      • github-review-approved [🛡 GitHub repository ruleset rule ossf_best_practices]
      • label != do-not-merge
      • all of [🛡 Merge Protections rule Do not merge outdated PRs]:
        • #commits-behind <= 10
      • any of [🛡 GitHub repository ruleset rule main]:
        • check-success = @dco/DCO
        • check-neutral = @dco/DCO
        • check-skipped = @dco/DCO
    • all of [📌 queue conditions of queue rule dosubot]:
      • author = dosubot[bot]
      • all of [🛡 Merge Protections rule Full CI must pass]:
        • check-success = coverage
        • check-success = quality
        • check-success = test
        • check-success = test-cross-platform (macos-latest, macOS)
        • check-success = test-cross-platform (ubuntu-22.04, Linux)
        • check-success = test-cross-platform (ubuntu-latest, Linux)
        • check-success = test-cross-platform (windows-latest, Windows)
      • any of [🛡 GitHub repository ruleset rule main]:
        • check-neutral = @mergify/Mergify Merge Protections
        • check-skipped = @mergify/Mergify Merge Protections
        • check-success = @mergify/Mergify Merge Protections
      • base = main
      • github-code-owner-review-satisfied [🛡 GitHub repository ruleset rule main]
      • github-code-owner-review-satisfied [🛡 GitHub repository ruleset rule ossf_best_practices]
      • github-review-approved [🛡 GitHub repository ruleset rule main]
      • github-review-approved [🛡 GitHub repository ruleset rule ossf_best_practices]
      • label != do-not-merge
      • all of [🛡 Merge Protections rule Do not merge outdated PRs]:
        • #commits-behind <= 10
      • any of [🛡 GitHub repository ruleset rule main]:
        • check-success = @dco/DCO
        • check-neutral = @dco/DCO
        • check-skipped = @dco/DCO
    • all of [📌 queue conditions of queue rule release-plz]:
      • author = release-plz[bot]
      • head ~= ^release-plz-
      • all of [🛡 Merge Protections rule Full CI must pass]:
        • check-success = coverage
        • check-success = quality
        • check-success = test
        • check-success = test-cross-platform (macos-latest, macOS)
        • check-success = test-cross-platform (ubuntu-22.04, Linux)
        • check-success = test-cross-platform (ubuntu-latest, Linux)
        • check-success = test-cross-platform (windows-latest, Windows)
      • any of [🛡 GitHub repository ruleset rule main]:
        • check-neutral = @mergify/Mergify Merge Protections
        • check-skipped = @mergify/Mergify Merge Protections
        • check-success = @mergify/Mergify Merge Protections
      • base = main
      • github-code-owner-review-satisfied [🛡 GitHub repository ruleset rule main]
      • github-code-owner-review-satisfied [🛡 GitHub repository ruleset rule ossf_best_practices]
      • github-review-approved [🛡 GitHub repository ruleset rule main]
      • github-review-approved [🛡 GitHub repository ruleset rule ossf_best_practices]
      • label != do-not-merge
      • all of [🛡 Merge Protections rule Do not merge outdated PRs]:
        • #commits-behind <= 10
      • any of [🛡 GitHub repository ruleset rule main]:
        • check-success = @dco/DCO
        • check-neutral = @dco/DCO
        • check-skipped = @dco/DCO
  • -closed [📌 queue requirement]
  • -conflict [📌 queue requirement]
  • -draft [📌 queue requirement]
  • any of [📌 queue -> configuration change requirements]:
    • -mergify-configuration-changed
    • check-success = Configuration changed

unclesp1d3r added a commit that referenced this pull request Jul 17, 2026
## Summary

Regenerates `mise.lock` with the current mise CLI so `mise install
--locked` succeeds. This **unblocks PR #315** (jdx/mise-action 4.0.1 ->
4.1.0).

### Why

mise-action **v4.1.0** runs `mise install --locked` with the newer mise
CLI (`2026.6.13`, released 2026-06-23). The committed lockfile only
pinned the previously-resolved `rust@1.95.0` and had no entry keyed to
the `latest`/`stable` channels that `mise.toml` (`rust = "latest"`) and
`rust-toolchain.toml` (`channel = "stable"`) declare. Result on #315:

```
core:rust@latest: rust@latest is not in the lockfile
hint: Run `mise install` without --locked to update the lockfile
mise ERROR Version: 2026.6.13
```

v4.0.1 did not enforce `--locked`, so `main` and other open PRs are
unaffected today.

### What

- Ran `mise lock` with mise `2026.6.13` (matching CI)
- `rust` latest now resolves to `1.96.0`; a `stable` entry is derived
from the committed `rust-toolchain.toml`
- Platform entries refreshed for all locked tools (`python` -> 3.14.4,
bun backend, etc.)

### Verification

- `mise install --locked` -> **exit 0** locally (the exact command
failing on #315)
- Lockfile is reproducible from committed config only (no
`mise.local.toml` present)

### Merge order

Merge this first, then PR #315 will rebase onto it and pass.

## Test plan

- [x] `mise install --locked` exits 0 locally
- [ ] CI green on this PR (v4.0.1, unaffected)
- [ ] After merge: #315 CI green

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
@unclesp1d3r

Copy link
Copy Markdown
Member

@dependabot recreate

Bumps [jdx/mise-action](https://github.com/jdx/mise-action) from 4.0.1 to 4.2.1.
- [Release notes](https://github.com/jdx/mise-action/releases)
- [Changelog](https://github.com/jdx/mise-action/blob/main/CHANGELOG.md)
- [Commits](jdx/mise-action@1648a78...dad1bfd)

---
updated-dependencies:
- dependency-name: jdx/mise-action
  dependency-version: 4.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore(deps): Bump jdx/mise-action from 4.0.1 to 4.1.0 chore(deps): Bump jdx/mise-action from 4.0.1 to 4.2.1 Jul 17, 2026
@dependabot
dependabot Bot force-pushed the dependabot/github_actions/jdx/mise-action-4.1.0 branch from 071ed83 to bdf67d4 Compare July 17, 2026 03:38

@mergify mergify Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by Mergify

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code size:XS This PR changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant