Skip to content

chore(deps): update jdx/mise-action action to v4#195

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/jdx-mise-action-4.x
Open

chore(deps): update jdx/mise-action action to v4#195
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/jdx-mise-action-4.x

Conversation

@renovate

@renovate renovate Bot commented Mar 13, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
jdx/mise-action action major v3v4

Release Notes

jdx/mise-action (jdx/mise-action)

v4.2.1: : Signed checksums and PATH export fix

Compare Source

A small patch release with two user-facing fixes: mise downloads are now verified against minisign-signed release checksums by default, and the env input no longer leaks the runner's PATH into subsequent steps.

Fixed
Verify mise downloads with signed checksums (#​548) by @​jdx

The action now embeds mise's minisign public key and verifies SHASUMS256.txt.minisig before trusting any release checksums, then checks the downloaded mise binary's SHA256 against the verified list. This applies to both GitHub release archives (verified before extraction) and the default mise.jdx.dev CDN path (verified against the signed checksum for the matching release asset). If a CDN download fails verification, the action warns and falls back to the signed GitHub release asset instead of installing an unverified binary.

  • The existing sha256 input still works as an explicit override.
  • Pinned mise versions older than 2024.12.24 (which predate minisign checksums) get a warning and skip signed verification rather than failing.
  • Because tar installs now extract from a verified file on disk, the previous streaming download | tar fast path is replaced with a download-then-verify-then-extract flow.

Thanks to @​potiuk for the detailed threat-model writeup in #​547.

Exclude PATH from environment export (#​556) by @​jdx

The env input has always documented that "PATH modifications are not part of this", but since the switch to mise env --json in #​252 (needed for redaction support), the action was exporting every string value returned by mise — including the computed PATH — into GITHUB_ENV. That effectively snapshotted the runner's entire PATH into subsequent steps and let [env] _.path entries in mise.toml leak past the action's own PATH management.

exportMiseEnv now skips PATH (case-insensitive) when exporting JSON env vars, restoring the documented behavior. Normal mise env vars are still exported, and PATH continues to be managed by the action's own setup (e.g. add_shims_to_path). Fixes #​555.

Full Changelog: jdx/mise-action@v4.2.0...v4.2.1

v4.2.0: : Bootstrap mode & wget fallback

Compare Source

This release adds an opt-in bootstrap mode for projects that use mise bootstrap, and makes the action work on runner images that ship wget but not curl.

Added

Bootstrap mode (#​522) by @​jdx

Three new inputs let the action drive mise bootstrap instead of mise install:

- uses: jdx/mise-action@v4
  with:
    bootstrap: true
    bootstrap_skip: "tools,task"   # comma-separated parts to skip
    bootstrap_args: "--yes"        # extra args forwarded to mise bootstrap
  • When bootstrap: true, the action runs mise bootstrap under the existing install gate and sets MISE_EXPERIMENTAL=1 automatically.
  • If a repo mise lock file is present, it runs mise --locked bootstrap, matching the auto-lock behavior introduced for mise install in v4.1.0.
  • install_args cannot be combined with bootstrap: true — the action fails fast and tells you to use bootstrap_skip / bootstrap_args instead, because full bootstrap doesn't support partial tool install args.
  • A new {{bootstrap_hash}} template variable is included in the default cache key (and available in custom cache_key templates) so bootstrap and non-bootstrap configurations don't share caches.

bootstrap_skip relies on mise bootstrap --skip from jdx/mise#10497, so make sure you're on a recent mise version if you use it.

Fixed

  • Fall back to wget when curl is unavailable (#​521) by @​risu729 — The action used to hard-code curl for fetching the mise binary, tar/zip archives, and the latest VERSION lookup, which broke on minimal runner images that only ship wget. It now prefers curl and transparently falls back to wget, preserving the streaming download | tar fast path for .tar.gz and .tar.zst installs on Linux/macOS. Proxy support is unchanged — both tools honor HTTP_PROXY/HTTPS_PROXY. Addresses jdx/mise#10488.

Documentation

Full Changelog: jdx/mise-action@v4.1.0...v4.2.0

v4.1.0: : automatic --locked installs

Compare Source

This release adds automatic locked installs when a mise.lock is present, and fixes a long-standing cache-key collision that could poison tool installs when workflows migrate between runner providers.

Added
Automatic --locked install when mise.lock exists (#​495) by @​zeitlinger

When a repo contains mise.lock, the action now automatically passes --locked to mise install (on mise versions that support it). This removes the need to manually set install_args: --locked and prevents mise install from silently mutating the lockfile in CI. Explicit install_args and older mise versions are still respected.

Note: workflows with a stale lockfile may now fail earlier and more explicitly instead of silently updating mise.lock mid-run — this surfaces lockfile drift rather than hiding it.

Fixed
  • Cache key collisions across runner providers (#​456) — the default cache key now includes the runner image (e.g. macos15, ubuntu24 for GitHub-hosted runners; self-hosted otherwise). Previously, repos migrating between providers like github-hosted, namespace.so, BuildJet, and self-hosted runners with the same OS/arch could restore a peer provider's ~/.local/share/mise/installs/*, causing failures like does not have an executable named '…' or SIGILL crashes from binaries built against a different glibc/CPU featureset. Expect a one-time cache miss after upgrading; thereafter the cache stays scoped per image.
  • mise-shim.exe missing on Windows (#​476) by @​risu729 — the action now installs mise-shim.exe alongside mise.exe and repairs restored caches that lack the shim. Fixes #​475.
Changed
  • Migrated the bundled action build from ncc (CommonJS) to Rollup (ESM) (#​436). No user-facing behavior change.

Full Changelog: jdx/mise-action@v4.0.1...v4.1.0

v4.0.1: : Documentation and Internal Cleanup

Compare Source

A small maintenance release that updates the README documentation to reflect v4 and cleans up internal code. There are no functional changes to the action itself.

Changed
  • Updated all README examples to reference jdx/mise-action@v4, actions/checkout@v6, and current tool versions by @​deining in #​407 and #​408
  • Extracted getCwd() helper to deduplicate working directory resolution logic (internal refactor, no behavior change) by @​altendky in #​403
New Contributors

Full Changelog: jdx/mise-action@v4.0.0...v4.0.1

v4.0.0: : Node.js 24 Runtime

Compare Source

A major version bump that updates the action's runtime from Node.js 20 to Node.js 24. GitHub has deprecated Node.js 20 for Actions and will force Node.js 24 as the default starting June 2, 2026. This release proactively adopts the new runtime to eliminate deprecation warnings and ensure continued compatibility.

Breaking Changes
  • The action now runs on the Node.js 24 runtime instead of Node.js 20. If your workflow pins jdx/mise-action@v3, you will continue to see deprecation warnings. Update to jdx/mise-action@v4 to resolve them:

    - uses: jdx/mise-action@v4

    This should be a seamless upgrade for the vast majority of users — no configuration changes are needed beyond updating the version reference.

Changed
New Contributors

Full Changelog: jdx/mise-action@v3...v4.0.0

v4

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from a team as a code owner March 13, 2026 17:02
@renovate
renovate Bot requested review from ns-vasilev and removed request for a team March 13, 2026 17:02
@spacecode-github-bot

spacecode-github-bot commented Mar 13, 2026

Copy link
Copy Markdown
1 Message
📖 ✅ Great job! All checks passed.

Generated by 🚫 Danger

@codecov

codecov Bot commented Mar 13, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.43%. Comparing base (40abd67) to head (4c29d7c).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #195      +/-   ##
==========================================
+ Coverage   67.19%   68.43%   +1.24%     
==========================================
  Files         319      319              
  Lines        8001     8002       +1     
==========================================
+ Hits         5376     5476     +100     
+ Misses       2625     2526      -99     

see 12 files with indirect coverage changes

@renovate
renovate Bot force-pushed the renovate/jdx-mise-action-4.x branch 2 times, most recently from cadf115 to 374c0c3 Compare April 15, 2026 10:32
@renovate
renovate Bot force-pushed the renovate/jdx-mise-action-4.x branch from 374c0c3 to 50eba01 Compare April 21, 2026 20:00
@renovate
renovate Bot force-pushed the renovate/jdx-mise-action-4.x branch from 50eba01 to 320123b Compare April 29, 2026 19:28
@renovate
renovate Bot force-pushed the renovate/jdx-mise-action-4.x branch from 320123b to c9f03cd Compare May 12, 2026 11:01
@renovate
renovate Bot force-pushed the renovate/jdx-mise-action-4.x branch 2 times, most recently from 6147caa to 7790fb9 Compare May 28, 2026 17:09
@renovate
renovate Bot force-pushed the renovate/jdx-mise-action-4.x branch 2 times, most recently from 9237a4e to b96cf3e Compare June 18, 2026 00:15
@renovate
renovate Bot force-pushed the renovate/jdx-mise-action-4.x branch from b96cf3e to fe70884 Compare July 12, 2026 19:04
@renovate
renovate Bot force-pushed the renovate/jdx-mise-action-4.x branch from fe70884 to 4c29d7c Compare July 17, 2026 01:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant