This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [jdx/mise-action](https://redirect.github.com/jdx/mise-action) | action | minor | `v4.0.1` → `v4.1.0` |
---
### Release Notes
<details>
<summary>jdx/mise-action (jdx/mise-action)</summary>
### [`v4.1.0`](https://redirect.github.com/jdx/mise-action/releases/tag/v4.1.0): automatic --locked installs
[Compare Source](https://redirect.github.com/jdx/mise-action/compare/v4.0.1...v4.1.0)
This release adds automatic locked installs when a `mise.lock` is
present, and fixes a long-standing cache-key collision that could poison
tool installs when workflows migrate between runner providers.
#### Added
##### Automatic `--locked` install when `mise.lock` exists ([#495](https://redirect.github.com/jdx/mise-action/pull/495)) by [@zeitlinger](https://redirect.github.com/zeitlinger)
When a repo contains `mise.lock`, the action now automatically passes
`--locked` to `mise install` (on mise versions that support it). This
removes the need to manually set `install_args: --locked` and prevents
`mise install` from silently mutating the lockfile in CI. Explicit
`install_args` and older mise versions are still respected.
Note: workflows with a stale lockfile may now fail earlier and more
explicitly instead of silently updating `mise.lock` mid-run — this
surfaces lockfile drift rather than hiding it.
#### Fixed
- **Cache key collisions across runner providers**
([#​456](https://redirect.github.com/jdx/mise-action/pull/456)) —
the default cache key now includes the runner image (e.g. `macos15`,
`ubuntu24` for GitHub-hosted runners; `self-hosted` otherwise).
Previously, repos migrating between providers like github-hosted,
namespace.so, BuildJet, and self-hosted runners with the same OS/arch
could restore a peer provider's `~/.local/share/mise/installs/*`,
causing failures like `does not have an executable named '…'` or SIGILL
crashes from binaries built against a different glibc/CPU featureset.
Expect a one-time cache miss after upgrading; thereafter the cache stays
scoped per image.
- **`mise-shim.exe` missing on Windows**
([#​476](https://redirect.github.com/jdx/mise-action/pull/476)) by
[@​risu729](https://redirect.github.com/risu729) — the action now
installs `mise-shim.exe` alongside `mise.exe` and repairs restored
caches that lack the shim. Fixes
[#​475](https://redirect.github.com/jdx/mise-action/issues/475).
#### Changed
- Migrated the bundled action build from ncc (CommonJS) to Rollup (ESM)
([#​436](https://redirect.github.com/jdx/mise-action/pull/436)).
No user-facing behavior change.
**Full Changelog**:
<https://github.com/jdx/mise-action/compare/v4.0.1...v4.1.0>
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | patch | `v6.0.2` → `v6.0.3` |
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
### [`v6.0.3`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v603)
[Compare Source](https://redirect.github.com/actions/checkout/compare/v6.0.2...v6.0.3)
- Fix checkout init for SHA-256 repositories by
[@​yaananth](https://redirect.github.com/yaananth) in
[#​2439](https://redirect.github.com/actions/checkout/pull/2439)
- fix: expand merge commit SHA regex and add SHA-256 test cases by
[@​yaananth](https://redirect.github.com/yaananth) in
[#​2414](https://redirect.github.com/actions/checkout/pull/2414)
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated GitHub Actions checkout dependencies across multiple CI/CD
workflows to the latest version for improved stability and
compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
>
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
>
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
d878aee510. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
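The hardening steps this commit describes, shown together as an added example (constructed here, not taken from the repository's workflows): least-privilege `permissions`, `persist-credentials: false` on checkout, and passing `steps.bad.outcome` through `env` instead of interpolating it into the script. The workflow name, job name, the contents of the `bad` step and the variable `BAD_OUTCOME` are assumptions.

```yaml
# Constructed workflow for illustration only; not the project's test.yml.
name: hardening-example          # hypothetical name
on:
  pull_request:
    paths:
      - ".github/workflows/**"

# Least privilege by default: the job token can only read repository contents.
# A job that must write (tagging, publishing) widens this at job level.
permissions:
  contents: read

jobs:
  test:                          # hypothetical job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.3
        with:
          # Do not store the token in the checked-out repo's git config,
          # where every later step in the job could read it. A script that
          # still needs `git push` configures credentials explicitly, as the
          # commit does with `gh auth setup-git` in scripts/postversion.sh.
          persist-credentials: false

      - id: bad
        continue-on-error: true
        run: exit 1              # stand-in for a step that is expected to fail

      # Before: the expression is expanded into the script text before the
      # shell parses it, so the value becomes part of the code.
      # - run: |
      #     if [ "${{ steps.bad.outcome }}" != "failure" ]; then exit 1; fi

      # After: the value reaches the shell as data in an environment variable
      # and is only ever read through a quoted expansion.
      - env:
          BAD_OUTCOME: ${{ steps.bad.outcome }}
        run: |
          if [ "$BAD_OUTCOME" != "failure" ]; then
            echo "expected the 'bad' step to fail, got: $BAD_OUTCOME"
            exit 1
          fi
```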
## Summary
- Add communique tool to mise.toml
- Add `enhance-release` job to release workflow that runs after release
creation to generate AI-enhanced release notes
## Test plan
- [ ] Verify next release triggers the enhance-release job
- [ ] Confirm ANTHROPIC_API_KEY secret is configured in repo settings
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new post-release GitHub Actions job that uses an external AI
API and an elevated token to modify GitHub release notes; failures or
misconfigured secrets can break the release workflow and token scope
matters.
>
> **Overview**
> After the `release` job completes, the workflow now runs a new
`enhance-release` job that computes the tag from `package.json` and
calls `communique generate ... --github-release` to update the GitHub
release notes.
>
> The PR also adds `communique` to `mise.toml` so the tool is available
in CI, and wires in `ANTHROPIC_API_KEY` plus a dedicated
`RELEASE_PLZ_GITHUB_TOKEN` for the release-note update step.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d2335f661c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) ([changelog](8e8c483db8..de0fac2e45)) | action | digest | `8e8c483` → `de0fac2` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | digest | `08eba0b` -> `34e1148` |
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | digest | `08c6903` -> `93cb6ef` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | digest | `11bd719` -> `08eba0b` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on Friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>