Skip to content

build(deps): bump jdx/mise-action from 4.1.0 to 4.2.1#10

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/jdx/mise-action-4.2.0
Open

build(deps): bump jdx/mise-action from 4.1.0 to 4.2.1#10
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/jdx/mise-action-4.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown
Contributor

Bumps jdx/mise-action from 4.1.0 to 4.2.1.

Release notes

Sourced from jdx/mise-action's releases.

v4.2.1: Signed checksums and PATH export fix

A small patch release with two user-facing fixes: mise downloads are now verified against minisign-signed release checksums by default, and the env input no longer leaks the runner's PATH into subsequent steps.

Fixed

Verify mise downloads with signed checksums (#548) by @​jdx

The action now embeds mise's minisign public key and verifies SHASUMS256.txt.minisig before trusting any release checksums, then checks the downloaded mise binary's SHA256 against the verified list. This applies to both GitHub release archives (verified before extraction) and the default mise.jdx.dev CDN path (verified against the signed checksum for the matching release asset). If a CDN download fails verification, the action warns and falls back to the signed GitHub release asset instead of installing an unverified binary.

  • The existing sha256 input still works as an explicit override.
  • Pinned mise versions older than 2024.12.24 (which predate minisign checksums) get a warning and skip signed verification rather than failing.
  • Because tar installs now extract from a verified file on disk, the previous streaming download | tar fast path is replaced with a download-then-verify-then-extract flow.

Thanks to @​potiuk for the detailed threat-model writeup in #547.

Exclude PATH from environment export (#556) by @​jdx

The env input has always documented that "PATH modifications are not part of this", but since the switch to mise env --json in #252 (needed for redaction support), the action was exporting every string value returned by mise — including the computed PATH — into GITHUB_ENV. That effectively snapshotted the runner's entire PATH into subsequent steps and let [env] _.path entries in mise.toml leak past the action's own PATH management.

exportMiseEnv now skips PATH (case-insensitive) when exporting JSON env vars, restoring the documented behavior. Normal mise env vars are still exported, and PATH continues to be managed by the action's own setup (e.g. add_shims_to_path). Fixes #555.

Full Changelog: jdx/mise-action@v4.2.0...v4.2.1

v4.2.0: Bootstrap mode & wget fallback

This release adds an opt-in bootstrap mode for projects that use mise bootstrap, and makes the action work on runner images that ship wget but not curl.

Added

Bootstrap mode (#522) by @​jdx

Three new inputs let the action drive mise bootstrap instead of mise install:

- uses: jdx/mise-action@v4
  with:
    bootstrap: true
    bootstrap_skip: "tools,task"   # comma-separated parts to skip
    bootstrap_args: "--yes"        # extra args forwarded to mise bootstrap
  • When bootstrap: true, the action runs mise bootstrap under the existing install gate and sets MISE_EXPERIMENTAL=1 automatically.
  • If a repo mise lock file is present, it runs mise --locked bootstrap, matching the auto-lock behavior introduced for mise install in v4.1.0.
  • install_args cannot be combined with bootstrap: true — the action fails fast and tells you to use bootstrap_skip / bootstrap_args instead, because full bootstrap doesn't support partial tool install args.
  • A new {{bootstrap_hash}} template variable is included in the default cache key (and available in custom cache_key templates) so bootstrap and non-bootstrap configurations don't share caches.

bootstrap_skip relies on mise bootstrap --skip from jdx/mise#10497, so make sure you're on a recent mise version if you use it.

Fixed

  • Fall back to wget when curl is unavailable (#521) by @​risu729 — The action used to hard-code curl for fetching the mise binary, tar/zip archives, and the latest VERSION lookup, which broke on minimal runner images that only ship wget. It now prefers curl and transparently falls back to wget, preserving the streaming download | tar fast path for .tar.gz and .tar.zst installs on Linux/macOS. Proxy support is unchanged — both tools honor HTTP_PROXY/HTTPS_PROXY. Addresses jdx/mise#10488.

... (truncated)

Changelog

Sourced from jdx/mise-action's changelog.

Changelog


4.2.1 - 2026-07-16

🐛 Bug Fixes

🔍 Other Changes

⚙️ Miscellaneous Tasks


4.2.0 - 2026-06-17

🚀 Features

🐛 Bug Fixes

📚 Documentation

⚙️ Miscellaneous Tasks


4.1.0 - 2026-06-04

🚀 Features

🐛 Bug Fixes

... (truncated)

Commits
  • dad1bfd chore: release v4.2.1 (#530)
  • 1e7bfbb chore(ci): automate weekly releases (#557)
  • b107e20 fix: exclude PATH from environment export (#556)
  • d538618 chore(deps): update dependency prettier to v3.9.4 (#553)
  • 99eca4c chore(deps): update github/codeql-action action to v4.36.3 (#552)
  • 43d01e6 chore(deps): update dependency typescript-eslint to v8.62.1 (#551)
  • d44584d chore(deps): update dependency js-yaml to v5.2.1 (#550)
  • 4b4b9b2 chore(release): skip ai reviews for release prs (#549)
  • 0f03c79 fix: verify mise downloads with signed checksums (#548)
  • 6bd511f chore(deps): update dependency js-yaml to v5.2.0 (#546)
  • Additional commits viewable in compare view


View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jun 24, 2026
rustybret added a commit to rustybret/openai-auth-experimental that referenced this pull request Jul 7, 2026
Pull in relevant upstream dependency updates from cortexkit/openai-auth open PRs:

- @opencode-ai/plugin 1.17.8 -> 1.17.12 (PR cortexkit#24)
- @biomejs/biome 2.4.16 -> 2.5.1 (PR cortexkit#11) + biome.json $schema sync
- @earendil-works/pi-ai + pi-coding-agent + pi-tui 0.79.5 -> 0.80.3 (PRs cortexkit#20/cortexkit#19/cortexkit#21, lockstep)

Adapt packages/pi to pi-ai 0.80.3 breaking change: streamSimpleOpenAICodexResponses
is no longer re-exported from the package root; import streamSimple from the
./api/openai-codex-responses subpath instead.

Skipped: ai v7 (PR cortexkit#25 - major bump beyond intentional v6 pin); @opentui/core|solid
0.4.2 (PRs cortexkit#22/cortexkit#23 - already resolved in lockfile via >=0.4.0 range); GitHub Actions
bumps (PRs cortexkit#9/cortexkit#10 - upstream workflows removed from fork).

Verified: typecheck, 460 tests, lint, format, build all pass.
Bumps [jdx/mise-action](https://github.com/jdx/mise-action) from 4.1.0 to 4.2.1.
- [Release notes](https://github.com/jdx/mise-action/releases)
- [Changelog](https://github.com/jdx/mise-action/blob/main/CHANGELOG.md)
- [Commits](jdx/mise-action@dba1968...dad1bfd)

---
updated-dependencies:
- dependency-name: jdx/mise-action
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title build(deps): bump jdx/mise-action from 4.1.0 to 4.2.0 build(deps): bump jdx/mise-action from 4.1.0 to 4.2.1 Jul 17, 2026
@dependabot
dependabot Bot force-pushed the dependabot/github_actions/jdx/mise-action-4.2.0 branch from 27e77d5 to e4b6566 Compare July 17, 2026 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants