mirror of
https://github.com/jdx/mise-action.git
synced 2026-05-21 00:31:54 +00:00
3 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
renovate[bot]
|
396ce9daa2
|
chore(deps): update dependency aube to v1.5.1 (#463)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` β `v1.5.1` | `v1.9.1` (+6) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1): : POSIX colon tarball filenames [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1) A small patch release fixing tarball installs that contain `:` in entry filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s `dist/__mocks__/package-json:version.d.ts`). #### Fixed - **POSIX colon tarball filenames** β the store tarball validator and the linker's `validate_index_key` previously rejected `:` on every platform to defend against Windows drive-prefix and NTFS alternate-data-stream ambiguity. That guard was too broad for POSIX, where colon is a valid filename character, and caused installs of packages like `redos-detector@6.1.4` to fail. Both guards are now platform-gated: `:` is still rejected on Windows, but accepted on Linux and macOS. ([#​386](https://redirect.github.com/endevco/aube/pull/386) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.5.0...v1.5.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0): : Dependency graph queries and patch/lockfile fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0) This release adds `aube query` for selector-based dependency graph inspection, fixes patch application against CRLF tarball files, repairs npm-aliased catalog dependencies in pnpm-generated lockfiles, and unifies how aube decides where to write workspace settings. #### Added - **`aube query`** β a vlt-inspired dependency-graph query command. Supply a selector expression (attribute predicates plus pseudo-selectors like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`), optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and emit human-readable, `--parseable`, or `--json` output. Reads only the local lockfile. ([#​380](https://redirect.github.com/endevco/aube/pull/380) by [@​jdx](https://redirect.github.com/jdx)) #### Fixed - **Patches against CRLF text files** β tarballs published from Windows editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but git/pnpm-style patches always emit LF, and diffy refused to match LF hunks against CRLF context. aube now normalizes the original to LF before applying and restores CRLF on write β matching pnpm's approach β with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a second carriage return. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **`aube patch-commit` destination** β previously wrote unconditionally to `pnpm.patchedDependencies` in `package.json` even on projects already using the pnpm v10+ workspace-yaml home. A single rule now applies to every command that mutates a setting which can live in either the workspace yaml or `package.json#{pnpm,aube}.<key>`: 1. If a workspace yaml exists on disk β write there. 2. Otherwise, if `package.json#pnpm` is already declared β write `pnpm.<key>` (preserve the user's namespace). 3. Otherwise β write `aube.<key>`. `aube patch-remove` now strips entries from every place they could live and reports the files actually rewritten. The same rule covers `aube approve-builds` and install-time auto-deny seeding. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **npm-aliased catalog deps from pnpm lockfiles** β `aube install --frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder: npm:beamcoder-prebuild@β¦` declared via `pnpm-workspace.yaml#catalog` and silently produced an empty `node_modules`, because the importer's specifier was `'catalog:'` and alias detection only fired on `specifier.starts_with("npm:")`. Aliases are now detected purely from the canonical `<real>@​<resolved>` `version:` shape, with a peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't misclassified. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Bounded resolver stream** β the resolved-package stream is now a bounded Tokio channel sized from the same network concurrency used by fetch workers, with awaited sends so resolver/fetch overlap applies backpressure instead of accumulating an unbounded queue. ([#​377](https://redirect.github.com/endevco/aube/pull/377) by [@​jdx](https://redirect.github.com/jdx)) #### Changed - **`aube-workspace.yaml` is the default-write filename** β when neither `aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube approve-builds` (and the install-time auto-seed of unreviewed build scripts) now creates `aube-workspace.yaml` so it pairs with `aube-lock.yaml` instead of leaving mixed vendor namespaces side by side. Existing `pnpm-workspace.yaml` files keep being mutated in place. ([#​382](https://redirect.github.com/endevco/aube/pull/382) by [@​jdx](https://redirect.github.com/jdx)) - **Comment-preserving workspace-yaml writes** β yaml writes now skip the rewrite when the closure produces no structural change, so user comments survive every no-op update to `allowBuilds`, `patchedDependencies`, and catalog cleanup. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Install phase timing sink** β set `AUBE_BENCH_PHASES_FILE` to append per-phase install timings (resolve/fetch/link/scripts/state/sweep) as JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark harness samples aube install-shaped scenarios and `benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown table plus a structured JSON artifact. ([#​381](https://redirect.github.com/endevco/aube/pull/381) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.4.0...v1.5.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
0a780158e1
|
chore: migrate package manager from npm/pnpm/bun to aube (#455)
## Summary
Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).
| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged β aube
reads it directly) |
The `aubr` binary ships alongside `aube` in the same install β it's the
script-runner shorthand (`aubr <script>` β‘ `aube run <script>`). Saves a
word in every workflow / mise.toml line.
## What didn't change
- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && β¦"`). The literal
`npm` works for both callers β aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` β parity with the
npm-built bundle verified locally.
## New project files
- **`.npmrc`** β single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** β generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.
Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.
## Why aube
Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.
## Test plan
- [x] `aube install` from clean β succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) β succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` β clean
- [x] `aubr lint` β clean
- [x] `aubr package` β produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesnβt change
runtime action logic.
>
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
>
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`βs generated `pnpm-workspace.yaml`.
>
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
1c5f70fd40
|
chore(deps): bump communique to 1.1.2 (#453)
## Summary
- add a communique mise lock entry for v1.1.2
- include release asset URLs and checksums, including musl assets
## Validation
- monitored jdx/communique release workflow 24960017639 to success
- `mise install --locked communique`
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: adds an auto-generated tool lockfile entry only, affecting
developer tool installation but not runtime application behavior.
>
> **Overview**
> Pins the `communique` developer tool to **v1.1.2** by adding a
generated `mise.lock` entry.
>
> The lock includes **per-platform download URLs, asset API links, and
SHA-256 checksums**, including *musl* variants for Linux.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|