13
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-07-02 17:49:30 +00:00

feat: download mise without requiring curl

Replace curl with @actions/tool-cache downloadTool/extractTar/extractZip
for the mise binary, and use @actions/http-client for the latest-version
check. This drops the curl (and explicit unzip) runtime requirement, so
the action works on clean runners such as bare alpine.

Also includes a pre-existing mise.lock provenance update.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Carlos Precioso 2026-06-17 14:56:52 +02:00
parent 5f61b63aff
commit 2db43f9848
No known key found for this signature in database
8 changed files with 627 additions and 240 deletions

View file

@ -39,7 +39,7 @@ jobs:
- name: alpine
runs-on: ubuntu-latest
container: alpine:3.22@sha256:310c62b5e7ca5b08167e4384c68db0fd2905dd9c7493756d356e893909057601
requirements: apk add --no-cache curl bash
requirements: apk add --no-cache bash
name: ${{ matrix.name }}
runs-on: ${{ matrix.runs-on }}
container: ${{ matrix.container }}

774
dist/index.js generated vendored

File diff suppressed because it is too large Load diff

2
dist/index.js.map generated vendored

File diff suppressed because one or more lines are too long

22
dist/licenses.txt generated vendored
View file

@ -1582,6 +1582,28 @@ License Text:
---
Name: @actions/tool-cache
Version: 4.0.0
License: MIT
Private: false
Description: Actions tool-cache lib
Repository: git+https://github.com/actions/toolkit.git
Homepage: https://github.com/actions/toolkit/tree/main/packages/tool-cache
License Text:
===
The MIT License (MIT)
Copyright 2019 GitHub
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
---
Name: handlebars
Version: 4.7.9
License: MIT

View file

@ -69,6 +69,7 @@ url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964691
checksum = "sha256:459993e31a6c4ccbd09882f5679a2bc1ea5d9068701ecefc411a00fb69ce82e6"
url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-apple-darwin.tar.gz"
url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964098"
provenance = "github-attestations"
[tools.communique."platforms.windows-x64"]
checksum = "sha256:3cc0e880ac2168aed3163223627bbd1eee62e07a9901cb85cb507c6c8927bc93"

15
package-lock.json generated
View file

@ -13,7 +13,9 @@
"@actions/core": "^3.0.0",
"@actions/exec": "^3.0.0",
"@actions/glob": "^0.7.0",
"@actions/http-client": "^4.0.0",
"@actions/io": "^3.0.0",
"@actions/tool-cache": "^4.0.0",
"@types/handlebars": "^4.0.40",
"handlebars": "^4.7.8"
},
@ -139,6 +141,19 @@
"integrity": "sha512-nRBchcMM+QK1pdjO7/idu86rbJI5YHUKCvKs0KxnSYbVe3F51UfGxuZX4Qy/fWlp6l7gWFwIkrOzN+oUK03kfw==",
"license": "MIT"
},
"node_modules/@actions/tool-cache": {
"version": "4.0.0",
"resolved": "https://registry.npmjs.org/@actions/tool-cache/-/tool-cache-4.0.0.tgz",
"integrity": "sha512-L8P9HbXvpvqjZDveb/fdsa55IVC0trfPgQ4ZwGo6r5af6YDVdM9vMGPZ7rgY2fAT9gGj4PSYd6bYlg3p3jD78A==",
"license": "MIT",
"dependencies": {
"@actions/core": "^3.0.0",
"@actions/exec": "^3.0.0",
"@actions/http-client": "^4.0.0",
"@actions/io": "^3.0.0",
"semver": "^7.7.3"
}
},
"node_modules/@azure/abort-controller": {
"version": "2.1.2",
"resolved": "https://registry.npmjs.org/@azure/abort-controller/-/abort-controller-2.1.2.tgz",

View file

@ -34,7 +34,9 @@
"@actions/core": "^3.0.0",
"@actions/exec": "^3.0.0",
"@actions/glob": "^0.7.0",
"@actions/http-client": "^4.0.0",
"@actions/io": "^3.0.0",
"@actions/tool-cache": "^4.0.0",
"@types/handlebars": "^4.0.40",
"handlebars": "^4.7.8"
},

View file

@ -3,6 +3,8 @@ import * as io from '@actions/io'
import * as core from '@actions/core'
import * as exec from '@actions/exec'
import * as glob from '@actions/glob'
import * as tc from '@actions/tool-cache'
import * as httpm from '@actions/http-client'
import * as crypto from 'crypto'
import * as fs from 'fs'
import * as os from 'os'
@ -67,8 +69,9 @@ async function run(): Promise<void> {
// etc.) don't silently send the runner's OIDC token to
// a third-party cache without explicit consent.
//
// Note: `setupMise` fetches the mise binary itself with
// `curl`, which doesn't go through mise's HTTP layer —
// Note: `setupMise` downloads the mise binary itself over
// HTTP (via `@actions/tool-cache`), which doesn't go
// through mise's HTTP layer —
// the wings rewriter only kicks in once the resulting
// mise binary runs `mise install` and friends. Ordering
// here is irrelevant for binary acceleration; we just
@ -340,20 +343,23 @@ async function setupMise(
})
break
}
case '.tar.zst':
await exec.exec('sh', [
'-c',
`curl -fsSL ${url} | tar --zstd -xf - -C ${os.tmpdir()} && mv ${os.tmpdir()}/mise/bin/mise ${miseBinPath}`
case '.tar.zst': {
const archivePath = await tc.downloadTool(url)
const extractDir = await tc.extractTar(archivePath, undefined, [
'--zstd',
'-x'
])
await io.mv(path.join(extractDir, 'mise', 'bin', 'mise'), miseBinPath)
break
case '.tar.gz':
await exec.exec('sh', [
'-c',
`curl -fsSL ${url} | tar -xzf - -C ${os.tmpdir()} && mv ${os.tmpdir()}/mise/bin/mise ${miseBinPath}`
])
}
case '.tar.gz': {
const archivePath = await tc.downloadTool(url)
const extractDir = await tc.extractTar(archivePath)
await io.mv(path.join(extractDir, 'mise', 'bin', 'mise'), miseBinPath)
break
}
default:
await exec.exec('sh', ['-c', `curl -fsSL ${url} > ${miseBinPath}`])
await tc.downloadTool(url, miseBinPath)
await exec.exec('chmod', ['+x', miseBinPath])
break
}
@ -402,9 +408,9 @@ async function withExtractedZip(
const archivePath = path.join(tempDir, archiveName)
const extractDir = path.join(tempDir, 'extract')
await exec.exec('curl', ['-fsSL', url, '--output', archivePath])
await exec.exec('unzip', [archivePath, '-d', extractDir])
await fn(extractDir)
await tc.downloadTool(url, archivePath)
const extracted = await tc.extractZip(archivePath, extractDir)
await fn(extracted)
} finally {
await io.rmRF(tempDir)
}
@ -480,11 +486,14 @@ async function zstdInstalled(): Promise<boolean> {
}
async function latestMiseVersion(): Promise<string> {
const rsp = await exec.getExecOutput('curl', [
'-fsSL',
'https://mise.jdx.dev/VERSION'
])
return rsp.stdout.trim()
const http = new httpm.HttpClient('mise-action')
const rsp = await http.get('https://mise.jdx.dev/VERSION')
if (rsp.message.statusCode !== 200) {
throw new Error(
`Failed to fetch latest mise version: ${rsp.message.statusCode} ${rsp.message.statusMessage}`
)
}
return (await rsp.readBody()).trim()
}
async function setToolVersions(): Promise<void> {