mirror of
https://github.com/jdx/mise-action.git
synced 2026-05-15 14:20:32 +00:00
651 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
mise-en-dev
|
a48b320d87 | chore: release v4.1.0 | ||
|
renovate[bot]
|
43db152e9b
|
chore(deps): update dependency aube to v1.9.1 (#478)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.6.2` → `v1.9.1` | `v1.14.1` (+10) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.9.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.1): : Cold install overhaul, HTTP prefetch, and workspace fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.0...v1.9.1) A performance- and correctness-focused patch release. Cold installs get a streaming tarball pipeline, Linux gets an `O_TMPFILE`+`linkat` CAS fast path, and the resolver's cold path overlaps DNS, TLS, and packument prefetch with the manifest/workspace/lockfile work that used to serialize them. On the fix side, `aube run` once again finds `node-gyp` for package scripts, and `aube update` / `aube outdated` stop trying to fetch unpublished `workspace:` deps from the registry. #### Added - **Pre-resolver packument prefetch + shared HTTP utilities** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) — a new `aube-util::http` module consolidates client-side primitives (`prewarm`, `priority`, `race`, `resolve`, `ticket_cache`) so leaf crates share one warm-pool surface with consistent killswitch semantics. On install entry, aube now reads `package.json` and fires fire-and-forget packument GETs for every registry-shaped direct dep before workspace yaml load, settings resolve, lockfile parse, and resolver construction — by the time the resolver pops its first task, the packument cache and reqwest pool are warm. `RegistryClient::prewarm_connection` now covers the default registry **plus** every scoped (`@org:registry=...`) and per-uri auth registry, with parallel DNS preresolve so DNS RTT hides behind the TLS handshake. Abbreviated packument GETs also send `Priority: u=0` (RFC 9218 Critical) so H2 schedulers prioritize resolver-blocking metadata over pending tarball frames. New killswitches: `AUBE_DISABLE_DNS_PRERESOLVE`, `AUBE_DISABLE_REQUEST_RACING`, `AUBE_DISABLE_PREFETCH`, `AUBE_DISABLE_TLS_TICKET_CACHE`. Prefetch is a no-op when offline or when any lockfile is present. - **Cold install pipeline overhaul** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — several overlapping wins on the cold-cache path: - **Streaming tarball pipeline** (opt-in via `AUBE_TARBALL_STREAM=1`, killswitch `AUBE_DISABLE_TARBALL_STREAM`) — HTTP body chunks pipe through SHA-512 + gz + tar + CAS via an mpsc bridge instead of buffering the whole tarball; non-SHA-512 SRI falls back to buffered. Bounded by the registry's `tarball_max_bytes` cap. - **Linux `O_TMPFILE` + `linkat` CAS publish** with `EOPNOTSUPP` fallback to the tempfile path, `posix_fallocate` to avoid ext4 fragmentation, and `posix_fadvise(DONTNEED)` to free page cache after publish. Killswitch: `AUBE_DISABLE_O_TMPFILE`. - **Materialize-stream into the lockfile fast path** — both lockfile and no-lockfile branches now share the GVS prewarm materializer, hiding 30-200ms of GVS reflinks behind the in-flight download tail. - **Resolver tuning** — foldhash on `graph_hash` hot maps, pre-sized resolver caches, thread-local `node_semver::Version` parse cache, `PARALLEL_IMPORT_THRESHOLD` lowered from 256 to 16 (median npm tarball is 7 files), and pinned tokio `worker_threads` (`cpu.min(8)`) / `max_blocking_threads(64)` (tunable via `AUBE_TOKIO_WORKERS` / `AUBE_TOKIO_BLOCKING`). - **Windows** gets `FILE_ATTRIBUTE_NOT_CONTENT_INDEXED` on the store root; cross-volume detection (drive letters on Windows, `dev` id on Unix) is gated per-platform. Reported same-volume Windows cold-install ratios: 1.80x-8.75x faster than Bun across svelte/vite/next/babylon. - **Per-project materialize pipelined into fetch** ([#​527](https://redirect.github.com/endevco/aube/pull/527) by [@​imjustprism](https://redirect.github.com/imjustprism)) — when GVS is off, each fetched `(canonical_key, PackageIndex)` triggers `materialize_into` against `.aube/<dep_path>/` immediately, so by the time fetch finishes the dedicated link phase only has to create top-level `node_modules/<name>` symlinks. The driver now uses `JoinSet` instead of `Vec<JoinHandle>`, so on early-return all in-flight tasks abort instead of detaching and racing install cleanup. \~10% improvement on warm fresh installs in the local benchmark matrix. #### Fixed - **`aube run` / `aube test` find `node-gyp`** ([#​518](https://redirect.github.com/endevco/aube/pull/518) by [@​jdx](https://redirect.github.com/jdx)) — package scripts only had `node_modules/.bin` prepended to `PATH`, so `aube test` would fail with `node-gyp: not found` on hosts that didn't already ship it. Script execution now reuses aube's existing node-gyp bootstrap (via a lazy shim bin dir + `AUBE_NODE_GYP_EXE` / `AUBE_NODE_GYP_PROJECT_DIR`), matching pnpm/npm behavior. Ports pnpm's `lifecycleScripts.ts:128` coverage into the offline node-gyp bootstrap bats suite. - **`workspace:` deps in `aube update` / `aube outdated`** ([#​523](https://redirect.github.com/endevco/aube/pull/523) by [@​jdx](https://redirect.github.com/jdx), fixes [#​520](https://redirect.github.com/endevco/aube/discussions/520)) — `aube update` now discovers workspace package `name`/`version` pairs and passes them into resolver workspace resolution so `workspace:` deps from `package.json#workspaces` resolve locally instead of triggering registry packument fetches. `aube outdated` filters out direct deps with `workspace:` specifiers and reports "no matching dependencies" rather than attempting a packument fetch. Adds a new `WARN_AUBE_WORKSPACE_PACKAGE_MISSING_NAME` warning code for workspace packages without a `name` field. - **Resolver peer-context divergence is fatal** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — `apply_peer_contexts` hitting `MAX_ITERATIONS` used to log a warning and ship a broken graph; it now returns a fatal `Error::PeerContextDivergence(usize)`. `state::remove_state` errors at `--force` and GVS-transition sites also propagate instead of being silently swallowed, so permission-denied or Windows-locked sidecars no longer defeat the freshness check. - **Tarball hardening** ([#​522](https://redirect.github.com/endevco/aube/pull/522) by [@​imjustprism](https://redirect.github.com/imjustprism)) — entries declared as 0 bytes with non-zero stream payload are now rejected (synthetic-entry injection guard), and GNU `LongName` / `LongLink` metadata records are correctly accepted. - **Patches loaded once per cwd** ([#​529](https://redirect.github.com/endevco/aube/pull/529) by [@​imjustprism](https://redirect.github.com/imjustprism)) — `load_patches_for_linker` walked `patches/` from disk 2-3 times per install (lockfile-prewarm, no-lockfile-prewarm, and link-phase sites). Now cached per cwd via `OnceLock<Mutex<HashMap<PathBuf, ...>>>`. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.9.0...v1.9.1> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.9.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.9.0): : Comment-preserving workspace edits, deploy bundling, and node --inspect [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.8.0...v1.9.0) A focused release: `aube deploy` learns to bundle workspace siblings and local-path deps into the deploy artifact, workspace-yaml writers stop eating user comments, aube-owned settings move out of `.npmrc`, and `aube run` forwards Node debugger flags. #### Added - **Aube settings move out of `.npmrc`** ([#​517](https://redirect.github.com/endevco/aube/pull/517) by [@​jdx](https://redirect.github.com/jdx)) — known aube-owned settings now live in `~/.config/aube/config.toml` (XDG-aware), while registry, auth, and unknown keys keep using `.npmrc`. `aube config get/set/list/delete` reads and writes the right file automatically, and migrating a known setting cleans up the stale `.npmrc` entry. `.npmrc` writes are also atomic against the **symlink target** now, so dotfile setups that symlink `~/.npmrc` into a managed config repo stop having the symlink replaced by a regular file. - **`aube run --inspect` / `--inspect-brk`** ([#​515](https://redirect.github.com/endevco/aube/pull/515) by [@​jdx](https://redirect.github.com/jdx)) — both flags accept an optional `[host:]port` (e.g. `--inspect=9229`, `--inspect-brk=0.0.0.0:9230`) and are forwarded as explicit Node argv when aube can identify a Node-backed target — direct `node ...` scripts in `package.json` and local `node_modules/.bin` fallbacks resolved through shims/symlinks. The flags are passed as argv rather than via `NODE_OPTIONS`, so the debugger doesn't attach to nested Node processes spawned by the script. - **`aube deploy --no-prod`** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) — opt out of the default `--prod` filter for deploys that need devDependencies at runtime (test-harness staging, build-step artifacts). Mutually exclusive with `--prod` / `--dev`; combine with `--no-optional` to keep prod + dev but drop optionals. - **Comment-preserving workspace yaml writes** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) — every workspace-yaml writer (`approve-builds`, `patch-commit`, `patch-remove`, the daily `cleanupUnusedCatalogs` install pass, and `aube config set --location workspace`) now routes through `yamlpatch` instead of round-tripping the file through a serializer. Keys, comments, and whitespace the edit didn't touch land back on disk byte-identical, so user annotations on adjacent entries survive. Empty/missing files still go through the regular serializer since there are no comments to preserve. #### Fixed - **`aube deploy` bundles local dependencies** ([#​507](https://redirect.github.com/endevco/aube/pull/507) by [@​jdx](https://redirect.github.com/jdx)) — fixes two real bugs reported in [#​345](https://redirect.github.com/endevco/aube/discussions/345): - **`workspace:*` siblings tried to fetch from the registry.** Deploy used to rewrite `workspace:*` to a concrete version and ask install to resolve it — fine for published siblings, broken for the (very common) unpublished case. Reachable workspace siblings are now copied into `<target>/.aube-deploy-injected/<id>/` and the manifest spec becomes a relative `file:` pointer. Recursion handles sibling chains where a sibling's own deps are workspace siblings. - **`file:` deps resolved relative to the deploy output dir.** A `file:../local-vendor` spec used to ride along unchanged in the deployed manifest, pointing at `<target>/../local-vendor` instead of the source workspace's `local-vendor`. Local-path deps now go through the same staging pipeline. When bundling occurs the lockfile-subset path is skipped, since the rewritten `file:` pointers don't appear in the source lockfile and would otherwise trip a frozen install. - **`aube remove` preserves dependency order** ([#​511](https://redirect.github.com/endevco/aube/pull/511) by [@​jdx](https://redirect.github.com/jdx)) — dropping one dep used to alphabetize the remaining entries in the affected `package.json` section as a side effect. Surviving entries now stay in their original on-disk order, matching pnpm/npm. (`aube add` is unaffected — sorted inserts there are intentional.) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.8.0...v1.9.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.8.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.8.0): : Stable error codes, smarter run/dlx, and a new install progress UI [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.7.0...v1.8.0) A polish-and-plumbing release: install progress gets a from-scratch redesign, errors and warnings now carry stable identifiers (with bespoke exit codes and dep-chain context), `aube run` / `aube dlx` prefer locally-installed binaries, and a handful of workspace-from-subpackage and `aube add` ergonomics get fixed. #### Added - **Redesigned install progress UI** ([#​501](https://redirect.github.com/endevco/aube/pull/501) by [@​jdx](https://redirect.github.com/jdx)) — fixed 15-char bar on the left, stats on the right, phase-aware label (`resolving` / `fetching` / `linking`), ETA, transfer rate, and an estimated install size derived from the resolve stream: ``` aube 1.8.0 by en.dev █████░░░░░░░░░░ 23/142 pkgs · 4.2 MB / ~13.8 MB · 1.4 MB/s · ETA 5s ███████████████ 1230/1230 pkgs · linking ✓ resolved 1230 · reused 98 · downloaded 1132 (54.6 MB) in 6.8s ``` Installs that finish before the first 2s heartbeat now print a single self-identifying summary line (`✓ installed 5 packages in 423ms`) instead of a partial bar. Also fixes two real bookkeeping bugs (a `2/1 packages` overflow on platform-mismatched non-optional deps, and the "stuck at 90%" undercount caused by `filter_graph` dropping packages after the denominator was inflated). - **Local bins for `aube run` and `aube dlx`** ([#​502](https://redirect.github.com/endevco/aube/pull/502) by [@​jdx](https://redirect.github.com/jdx)) — `aube run <name>` falls back to `node_modules/.bin/<name>` when no `package.json` script matches, and `aube dlx` / `aubx` will execute an already-installed local binary instead of doing a throwaway install. Pass `-p` / `--package` (or a versioned spec) to force the install path. - **Stable error and warning codes** ([#​492](https://redirect.github.com/endevco/aube/pull/492) by [@​jdx](https://redirect.github.com/jdx)) — every error and warning aube emits now carries an `ERR_AUBE_*` or `WARN_AUBE_*` identifier in a structured field, so CI scripts and ndjson consumers can branch on the code instead of substring-matching English messages. A curated subset maps to bespoke Unix exit codes (10–99 in 10-wide ranges by category) so shells can react to specific failures without parsing stderr — e.g. `aube install --frozen-lockfile` in an empty dir exits with `10` (`ERR_AUBE_NO_LOCKFILE`). Post-resolver errors that mention a specific package now also include the dependency chain back to the importer (`chain: a@1 > b@2 > leaf@3`) so a tarball-integrity or fetch failure tells you *why* your install pulled that transitive dep. The full code list lives at `docs/error-codes.md`. #### Fixed - **`aube why` / `list` / `query` from a workspace subpackage** ([#​504](https://redirect.github.com/endevco/aube/pull/504) by [@​jdx](https://redirect.github.com/jdx)) — these commands resolved cwd via the nearest `package.json`, so running them inside `packages/foo/` errored with `No lockfile found. Run aube install first.` even though the workspace lockfile sat one level up. They now walk up to the workspace root when one is present. - **Workspace lifecycle scripts and pnpm-lock npm aliases** ([#​500](https://redirect.github.com/endevco/aube/pull/500) by [@​jdx](https://redirect.github.com/jdx)) — recursive workspace installs now run `preinstall`/`install`/`postinstall`/`prepare` for each linked workspace importer in dependency order (not just the root), and the build-script policy merges `pnpm.allowBuilds` / `onlyBuiltDependencies` / `neverBuiltDependencies` across all participating manifests so a member can approve its own dep's builds. `pnpm-lock.yaml` now writes npm aliases in pnpm's native `<real>@​<version>` encoding instead of leaking aube's internal `aliasOf` field. - **`aube add` auto-detects local paths** ([#​499](https://redirect.github.com/endevco/aube/pull/499) by [@​jdx](https://redirect.github.com/jdx)) — `aube add /path/to/lib`, `./lib`, `~/lib`, `file:./lib`, and `link:./lib` no longer fall through to the registry path with a confusing `HTTP 405 Method Not Allowed`. Bare paths default to `link:` for directories and `file:` for tarballs (pnpm parity); explicit prefixes are preserved. Tarball-suffix paths emit a clear "not yet supported in `aube add`" hint instead of a 405. #### Changed - **Per-command `--help` is bucketed** ([#​505](https://redirect.github.com/endevco/aube/pull/505) by [@​jdx](https://redirect.github.com/jdx)) — `--frozen-lockfile` / `--prefer-frozen-lockfile`, `--registry` + `--fetch-*`, and `--disable/--enable-global-virtual-store` moved off the global flag set into per-command groups under `Lockfile` / `Network` / `Virtual store` headings, and now appear only on commands that consume them. Seven pnpm-compat no-op flags (`--workspace-packages`, `--ignore-workspace`, `--include-workspace-root`, `--aggregate-output`, `--stream`, `--use-stderr`, `--yes`) are still parsed but hidden from `--help`. Pre-subcommand placement still works (`aube --frozen-lockfile install`, `aube --registry=URL install`) via an argv pre-pass. One caveat: implicit-script invocations like `aube --frozen-lockfile dev` (where `dev` is a `package.json` script) no longer apply the flag — write `aube run --frozen-lockfile dev` instead. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.7.0...v1.8.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.7.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.7.0): : Local & git specs in aube add, faster cold installs [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.2...v1.7.0) A feature-heavy release: `aube add` learns git and local-path specs, workspace commands gain support for yaml-only "coordinator" monorepos, `aube update` and `aube rebuild` get pnpm-parity polish, and a deep performance pass speeds up cold installs by up to \~1.9×. #### Highlights - **`aube add` is now a one-stop shop** for git, GitHub-shorthand, and `link:` / `file:` local-path dependencies — not just registry packages. - **Performance pass on the install hot path** ([#​469](https://redirect.github.com/endevco/aube/pull/469)) lands streaming SHA-512, parallel CAS imports, TLS prewarm, fetch reordering, and a long tail of cold-path cleanups, with measured cold-install speedups up to \~1.9× vs v1.6.2. - **Workspace and pnpm parity polish** across `update`, `rebuild`, yaml-only roots, unversioned members, and nested `link:` / `file:` resolution. #### Added - **`aube add file:./pkg` / `link:../sibling`** ([#​487](https://redirect.github.com/endevco/aube/pull/487) by [@​jdx](https://redirect.github.com/jdx)) — local-path specs are routed through a non-registry branch, with the manifest key derived from the path basename (with `.tgz` / `.tar.gz` stripped) or from an explicit alias. `aube add my-bundle@file:./bundle.tgz` works too. - **`aube add` supports git specs** ([#​483](https://redirect.github.com/endevco/aube/pull/483) by [@​jdx](https://redirect.github.com/jdx)) — bare GitHub shorthand, `github:` / `gitlab:` / `bitbucket:` prefixes, full `git+ssh` / `git+https` URLs, and aliases. The verbatim spec is written to `package.json` and the resolver handles the rest: ```bash aube add kevva/is-negative aube add github:kevva/is-positive aube add my-alias@git+https://github.com/kevva/is-negative.git ``` - **Yaml-only workspace roots** ([#​486](https://redirect.github.com/endevco/aube/pull/486) by [@​jdx](https://redirect.github.com/jdx)) — `install`, `list`, `run -r`, `query`, and `why` now work in pure-coordinator monorepos that have `pnpm-workspace.yaml` / `aube-workspace.yaml` at the root but no root `package.json` (Turborepo-style layouts). Single-project commands like `add` / `remove` still hard-error without a manifest. - **`aube update <pkg>` rewrites manifest ranges by default** ([#​479](https://redirect.github.com/endevco/aube/pull/479) by [@​jdx](https://redirect.github.com/jdx)) — caret/tilde ranges (`^1.2.0`, `~1.2.0`) are rewritten to track the resolved in-range max, matching pnpm. Other shapes (`>=`, exact pins, dist-tags, git, `workspace:`) stay frozen. Set `update-rewrites-specifier=false` to keep the previous behavior. - **`aube rebuild <pkg>...`** ([#​477](https://redirect.github.com/endevco/aube/pull/477) by [@​jdx](https://redirect.github.com/jdx)) — runs lifecycle scripts only for the named deps, bypasses the `allowBuilds` / `onlyBuiltDependencies` policy, and skips root hooks. Composes with `--filter`. Bare `aube rebuild` continues to do a full policy-respecting rebuild. - **Persistent unreviewed-builds warning** ([#​476](https://redirect.github.com/endevco/aube/pull/476) by [@​jdx](https://redirect.github.com/jdx)) — repeat warm-path installs no longer swallow the "ignored build scripts for N package(s)" nudge; the spec keys are persisted in `.aube-state` and re-emitted on every install. - **`aube update --depth` no longer silently ignored** ([#​473](https://redirect.github.com/endevco/aube/pull/473) by [@​jdx](https://redirect.github.com/jdx)) — emits a one-line warning pointing at `rm aube-lock.yaml && aube install` for the only useful semantic case. #### Fixed - **Faster cold installs** ([#​469](https://redirect.github.com/endevco/aube/pull/469) by [@​imjustprism](https://redirect.github.com/imjustprism)) — a wide hot-path pass with measurable wins on real registries: | Project | v1.6.2 | v1.7.0 | Speedup | | ----------------- | --------: | ------: | ------: | | svelte (56 pkg) | 1393 ms | 1386 ms | 1.01× | | vue (117 pkg) | 1590 ms | 1360 ms | 1.17× | | next.js (336 pkg) | 14071 ms | 9160 ms | 1.54× | | babylon (21 pkg) | \~6000 ms | 3186 ms | \~1.9× | Highlights: streaming SHA-512 over the wire (no second buffered hash pass), two-phase parallel CAS tar import, speculative TLS/HTTP/2 prewarm behind manifest parse, native-build packages floated to the front of the fetch queue, `Accept-Encoding: gzip, br, zstd` on packuments, in-process DNS cache via `hickory-dns`, mmap+rayon BLAKE3 over 4 MiB, network concurrency default raised 64 → 128, and zero-copy packument parsing. Every change ships with an `AUBE_DISABLE_*` killswitch (`AUBE_DISABLE_STREAMING_SHA512`, `AUBE_DISABLE_SPECULATIVE_TLS`, `AUBE_DISABLE_CRITICAL_PATH`, `AUBE_DISABLE_PARALLEL_IMPORT`, `AUBE_DISABLE_MMAP_BLAKE3`, `AUBE_DISABLE_SNAPSHOTS`) plus an `AUBE_CONCURRENCY=N` clamp. - **Nested `link:` / `file:` resolution** ([#​470](https://redirect.github.com/endevco/aube/pull/470) by [@​jdx](https://redirect.github.com/jdx)) — fixes the `transitive local specifier link:./libs/foo cannot be resolved without the parent package source root` install error in two cases: a `file:` / `link:` parent declaring a transitive `link:`, and a root `pnpm.overrides` rewriting a registry dep to a local path. Override paths now anchor at the project root like pnpm does. - **Workspace members without `version`** ([#​480](https://redirect.github.com/endevco/aube/pull/480) by [@​jdx](https://redirect.github.com/jdx)) — fall back to `0.0.0` instead of hard-erroring. `workspace:*` / `^` / `~` siblings still link locally; specific ranges like `workspace:^2.0.0` still correctly fail to satisfy. Unblocks repos like [tuist/tuist#10584](https://redirect.github.com/tuist/tuist/pull/10584). - **Bare `user/repo` parsed as GitHub shorthand** ([#​472](https://redirect.github.com/endevco/aube/pull/472) by [@​jdx](https://redirect.github.com/jdx)) in lockfile/spec parsing, with `update --latest` now skipping git-spec deps so they can't be silently rewritten into registry pins. - **CLI short help wraps cleanly** ([#​478](https://redirect.github.com/endevco/aube/pull/478) by [@​jdx](https://redirect.github.com/jdx)) — many flags across `add`, `install`, `publish`, `update`, `view`, etc. had multi-line doc comments that clap merged into 120+ char paragraphs for `-h`. Now each flag has a one-line summary followed by the longer prose, restoring readable short help on standard terminals. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.2...v1.7.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzkuMyIsInVwZGF0ZWRJblZlciI6IjQzLjE3OS4zIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
Taku Kodama
|
93ca8a4cef
|
fix: install mise-shim.exe on Windows (#476)
Some checks are pending
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Waiting to run
|
||
|
jdx
|
a0eaf7aa03
|
fix(ci): add gh auth setup-git to release-plz.sh (#473)
Some checks failed
release-plz / release-plz (push) Has been cancelled
build-test / build (push) Has been cancelled
zizmor / zizmor (push) Has been cancelled
Continuous Integration / TypeScript Tests (push) Has been cancelled
Check dist/ / Check dist/ (push) Has been cancelled
CodeQL / Analyze (push) Has been cancelled
Test Redacted Environment Variables / test-redacted-env (push) Has been cancelled
build-test / alpine (push) Has been cancelled
build-test / macos (push) Has been cancelled
build-test / ubuntu (push) Has been cancelled
build-test / windows (push) Has been cancelled
build-test / specific_version (push) Has been cancelled
build-test / checksum_failure (push) Has been cancelled
build-test / custom_cache_key (push) Has been cancelled
build-test / fetch_from_github (push) Has been cancelled
build-test / final (push) Has been cancelled
## Summary
- Follow-up to [#471](https://github.com/jdx/mise-action/pull/471): the
release-plz checkout now uses `persist-credentials: false`, so the token
isn't written to `.git/config` and `git push origin release --force` in
[scripts/release-plz.sh](scripts/release-plz.sh) would 403.
- Mirror the workaround already applied to
[scripts/postversion.sh:9](scripts/postversion.sh:9) by calling `gh auth
setup-git` after the `git config user.{name,email}` block, before any
`git push`.
Flagged by Cursor Bugbot on
https://github.com/jdx/mise-action/pull/471#pullrequestreview-4275760577.
## Test plan
- [ ] Next scheduled release-plz run (or manual `workflow_dispatch`)
successfully pushes the `release` branch without a 403.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that affects the release automation path; main
impact is whether the workflow can successfully push the `release`
branch.
>
> **Overview**
> Fixes the `scripts/release-plz.sh` release automation to run `gh auth
setup-git` after setting the git author, ensuring `git push` works when
`actions/checkout` uses `persist-credentials: false`.
>
> This prevents 403 failures when pushing the forced `release` branch
during automated version bump PR creation.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
46bb674500
|
chore(ci): add zizmor workflow for github actions security analysis (#471)
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
>
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
>
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
ff58e14023
|
chore(ci): remove autofix.ci workflow (#470)
Removes the autofix.ci workflow.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: deletes a standalone CI workflow with no runtime code
changes, but it will stop automatic fix commits on PRs and could
increase manual formatting churn.
>
> **Overview**
> Removes the `.github/workflows/autofix.yml` GitHub Actions workflow
that previously ran on `pull_request`/`main` pushes to install deps,
build/package, and invoke `autofix-ci/action` to push automated fixes
back to branches.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
3b3c8bb538
|
ci: remove pull_request_target workflow (#469)
## Summary
- Deletes the only workflow in this repo triggered by
`pull_request_target`.
- `pull_request_target` runs in the context of the base repo (with
secrets / write tokens) on PRs from forks, which is risky. The workflow
only validated PR titles; not worth the trust footprint.
## Test plan
- [ ] None — workflow file removal only.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: deletes a GitHub Actions workflow only; no application code
or runtime behavior changes, and it reduces exposure from
`pull_request_target` workflows.
>
> **Overview**
> Removes the `semantic-pr-lint` GitHub Actions workflow that ran on
`pull_request_target` to validate PR titles.
>
> This eliminates the repo’s only `pull_request_target` workflow,
reducing the trust/secrets footprint for PRs (especially from forks).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
8d3b0ba20a
|
chore(deps): lock file maintenance (#468)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | 🔧 This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - "before 4am on monday" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
590bfd78fa
|
chore(deps): update dependency aube to v1.6.2 (#466)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.5.1` → `v1.6.2` | `v1.9.1` (+3) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.6.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.2): : Engines coverage catches up to pnpm [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.1...v1.6.2) A small patch release that closes engine-validation gaps with pnpm. #### Fixed - **Broader engines coverage** ([#​458](https://redirect.github.com/endevco/aube/pull/458) by [@​jdx](https://redirect.github.com/jdx)) — aube now honors engine constraints it previously skipped: - `engines.aube` and `engines.pnpm` on root and workspace project manifests are checked against the running aube version (aube positions itself as a pnpm-compatible drop-in, so `engines.pnpm` is honored as if aube were that pnpm). - `engines.node` is now enforced on workspace project manifests, not just the root. - Warning output labels which engine triggered the mismatch (e.g. `wanted node >=20`, `wanted aube >=99999`, `wanted pnpm >=8`), and the `engine-strict` error message stays compatible with existing assertions. - `engines.{aube,pnpm}` on transitive deps remain skipped on purpose, since wild packages routinely pin author toolchains. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.1...v1.6.2> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.6.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.0...v1.6.1) ##### Fixed - Unblocked the `v1.6.0` publishing path so missing Linux release assets and downstream package publishes could be backfilled ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Made the resolver build script tolerate environments where the primer generator exists but `node` is not installed, falling back to an empty primer with a Cargo warning instead of panicking ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Moved npm publishing and PPA upload jobs back to GitHub-hosted runners where npm provenance and Launchpad FTP uploads work correctly ([#​460](https://redirect.github.com/endevco/aube/pull/460)). ##### Other - Refreshed benchmarks for the 1.5.2 baseline ([#​459](https://redirect.github.com/endevco/aube/pull/459)). ### [`v1.6.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.0) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.1...v1.6.0) ##### Highlights - Added broader pnpm compatibility for `aube add`, `aube update`, pnpmfile hooks, catalog saves, workspace protocol parsing, and lockfile directory configuration. - Added generic `--config.<key>=<value>` overrides plus fetch timeout, retry, backoff, `--pnpmfile`, and `--global-pnpmfile` flags. - Improved install, resolver, registry, linker, manifest, settings, and state hot paths with shared caches, cheaper hashes, fewer repeated filesystem probes, and compressed packument fetches. - Expanded pnpm parity coverage across update, hooks, allow-build review, monorepo filter, prefer-offline, and misc install behavior. ##### Added - `aube update` now parses `<pkg>@​<spec>` arguments and can update indirect dependencies ([#​446](https://redirect.github.com/endevco/aube/pull/446)). - `aube add` can bootstrap a missing `package.json`, matching pnpm behavior covered by newly ported misc tests ([#​417](https://redirect.github.com/endevco/aube/pull/417)). - `--config.<key>=<value>` flags provide generic CLI config overrides ([#​447](https://redirect.github.com/endevco/aube/pull/447)). - `--lockfile-dir` / `lockfileDir` support allows commands to target a foreign lockfile directory when valid ([#​431](https://redirect.github.com/endevco/aube/pull/431)). - Fetch controls were added for timeout, retry count, and retry backoff behavior ([#​436](https://redirect.github.com/endevco/aube/pull/436)). - `--pnpmfile` and `--global-pnpmfile` flags were added, with pnpmfile hooks wired into update and `preResolution` support ([#​439](https://redirect.github.com/endevco/aube/pull/439), [#​423](https://redirect.github.com/endevco/aube/pull/423)). - pnpmfile `ctx.log` records now emit as `pnpm:hook` NDJSON on stdout ([#​440](https://redirect.github.com/endevco/aube/pull/440)). - `--save-catalog`, `workspace:*` parsing, and `sharedWorkspaceLockfile=false` support landed together ([#​418](https://redirect.github.com/endevco/aube/pull/418)). - Empty `--allow-build` values now use pnpm's verbatim error wording ([#​444](https://redirect.github.com/endevco/aube/pull/444)). ##### Fixed - `AUBE_VIRTUAL_STORE_DIR` is honored from the environment, with additional pnpm misc parity coverage ([#​456](https://redirect.github.com/endevco/aube/pull/456)). - `aube update --latest` preserves prerelease pins that are already higher than the latest stable version ([#​445](https://redirect.github.com/endevco/aube/pull/445)). - `.` is rejected as a foreign `--lockfile-dir` importer and the related docs were corrected ([#​442](https://redirect.github.com/endevco/aube/pull/442)). - npm `package-lock.json` workspace importers are preserved when parsing and writing lockfiles ([#​443](https://redirect.github.com/endevco/aube/pull/443)). - Lifecycle script behavior closed three pnpm parity gaps ([#​421](https://redirect.github.com/endevco/aube/pull/421)). - The resolver now ships an empty bundled metadata primer when the generator script cannot run, instead of failing the build ([#​425](https://redirect.github.com/endevco/aube/pull/425)). ##### Performance - Cached hot-path work across install, resolver, registry, linker, manifest parsing, settings lookup, and install state freshness checks ([#​453](https://redirect.github.com/endevco/aube/pull/453)). - Deduplicated and cached repeated install/resolver work, including graph hashing, patch fingerprints, lockfile parsing, env capture, script policy lookup, workspace-root scans, and registry auth token matching ([#​449](https://redirect.github.com/endevco/aube/pull/449)). - Refreshed benchmark results for the 1.5.2 baseline ([#​448](https://redirect.github.com/endevco/aube/pull/448), [#​452](https://redirect.github.com/endevco/aube/pull/452)). ##### Testing and Parity - Ported pnpm monorepo filter tests and wired `--fail-if-no-match` ([#​457](https://redirect.github.com/endevco/aube/pull/457)). - Ported additional pnpm hook, allowBuilds review, update, prefer-offline, circular peer, trust-policy, peer warning, top-level plugin, and registry fixture coverage ([#​455](https://redirect.github.com/endevco/aube/pull/455), [#​441](https://redirect.github.com/endevco/aube/pull/441), [#​438](https://redirect.github.com/endevco/aube/pull/438), [#​454](https://redirect.github.com/endevco/aube/pull/454), [#​434](https://redirect.github.com/endevco/aube/pull/434), [#​433](https://redirect.github.com/endevco/aube/pull/433), [#​424](https://redirect.github.com/endevco/aube/pull/424)). </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
c0cbd12180
|
chore(deps): update dependency globals to v17.6.0 (#465)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [globals](https://redirect.github.com/sindresorhus/globals) | [`17.5.0` → `17.6.0`](https://renovatebot.com/diffs/npm/globals/17.5.0/17.6.0) |  |  | --- ### Release Notes <details> <summary>sindresorhus/globals (globals)</summary> ### [`v17.6.0`](https://redirect.github.com/sindresorhus/globals/compare/v17.5.0...6b15870f1c08b60b5b57afe45a703d9ed0be39bc) [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.5.0...v17.6.0) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
34cccd8792
|
chore(deps): update dependency eslint to v10.3.0 (#464)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.2.1` → `10.3.0`](https://renovatebot.com/diffs/npm/eslint/10.2.1/10.3.0) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.3.0`](https://redirect.github.com/eslint/eslint/compare/v10.2.1...78892043a36da4aa7640b59c99344b00c181048a) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.2.1...v10.3.0) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
396ce9daa2
|
chore(deps): update dependency aube to v1.5.1 (#463)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` → `v1.5.1` | `v1.9.1` (+6) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1): : POSIX colon tarball filenames [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1) A small patch release fixing tarball installs that contain `:` in entry filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s `dist/__mocks__/package-json:version.d.ts`). #### Fixed - **POSIX colon tarball filenames** — the store tarball validator and the linker's `validate_index_key` previously rejected `:` on every platform to defend against Windows drive-prefix and NTFS alternate-data-stream ambiguity. That guard was too broad for POSIX, where colon is a valid filename character, and caused installs of packages like `redos-detector@6.1.4` to fail. Both guards are now platform-gated: `:` is still rejected on Windows, but accepted on Linux and macOS. ([#​386](https://redirect.github.com/endevco/aube/pull/386) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.5.0...v1.5.1> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0): : Dependency graph queries and patch/lockfile fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0) This release adds `aube query` for selector-based dependency graph inspection, fixes patch application against CRLF tarball files, repairs npm-aliased catalog dependencies in pnpm-generated lockfiles, and unifies how aube decides where to write workspace settings. #### Added - **`aube query`** — a vlt-inspired dependency-graph query command. Supply a selector expression (attribute predicates plus pseudo-selectors like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`), optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and emit human-readable, `--parseable`, or `--json` output. Reads only the local lockfile. ([#​380](https://redirect.github.com/endevco/aube/pull/380) by [@​jdx](https://redirect.github.com/jdx)) #### Fixed - **Patches against CRLF text files** — tarballs published from Windows editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but git/pnpm-style patches always emit LF, and diffy refused to match LF hunks against CRLF context. aube now normalizes the original to LF before applying and restores CRLF on write — matching pnpm's approach — with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a second carriage return. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **`aube patch-commit` destination** — previously wrote unconditionally to `pnpm.patchedDependencies` in `package.json` even on projects already using the pnpm v10+ workspace-yaml home. A single rule now applies to every command that mutates a setting which can live in either the workspace yaml or `package.json#{pnpm,aube}.<key>`: 1. If a workspace yaml exists on disk → write there. 2. Otherwise, if `package.json#pnpm` is already declared → write `pnpm.<key>` (preserve the user's namespace). 3. Otherwise → write `aube.<key>`. `aube patch-remove` now strips entries from every place they could live and reports the files actually rewritten. The same rule covers `aube approve-builds` and install-time auto-deny seeding. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **npm-aliased catalog deps from pnpm lockfiles** — `aube install --frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder: npm:beamcoder-prebuild@…` declared via `pnpm-workspace.yaml#catalog` and silently produced an empty `node_modules`, because the importer's specifier was `'catalog:'` and alias detection only fired on `specifier.starts_with("npm:")`. Aliases are now detected purely from the canonical `<real>@​<resolved>` `version:` shape, with a peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't misclassified. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Bounded resolver stream** — the resolved-package stream is now a bounded Tokio channel sized from the same network concurrency used by fetch workers, with awaited sends so resolver/fetch overlap applies backpressure instead of accumulating an unbounded queue. ([#​377](https://redirect.github.com/endevco/aube/pull/377) by [@​jdx](https://redirect.github.com/jdx)) #### Changed - **`aube-workspace.yaml` is the default-write filename** — when neither `aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube approve-builds` (and the install-time auto-seed of unreviewed build scripts) now creates `aube-workspace.yaml` so it pairs with `aube-lock.yaml` instead of leaving mixed vendor namespaces side by side. Existing `pnpm-workspace.yaml` files keep being mutated in place. ([#​382](https://redirect.github.com/endevco/aube/pull/382) by [@​jdx](https://redirect.github.com/jdx)) - **Comment-preserving workspace-yaml writes** — yaml writes now skip the rewrite when the closure produces no structural change, so user comments survive every no-op update to `allowBuilds`, `patchedDependencies`, and catalog cleanup. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Install phase timing sink** — set `AUBE_BENCH_PHASES_FILE` to append per-phase install timings (resolve/fetch/link/scripts/state/sweep) as JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark harness samples aube install-shaped scenarios and `benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown table plus a structured JSON artifact. ([#​381](https://redirect.github.com/endevco/aube/pull/381) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.4.0...v1.5.0> #### 💚 Sponsor aube aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
8720daa86c
|
chore(deps): update github/codeql-action digest to 68bde55 (#462)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
jdx
|
c6a35e2d7d
|
chore(ci): use !cancelled() instead of always() for final job (#460)
## Summary
- Combined with the workflow's `cancel-in-progress` group, `if:
always()` overrides cancellation and runs the `final` aggregator even on
superseded commits.
- `!cancelled()` still runs on upstream success or failure but skips
when the workflow is cancelled — saves a runner and avoids confusing
error annotations on already-superseded shas.
- Caught by Cursor Bugbot on a sibling repo (endevco/pitchfork#413).
Same `final`-aggregator pattern + `cancel-in-progress: true` here, so
the same fix applies.
## Test plan
- [ ] CI passes on this PR
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that just adjusts when the `final` job runs;
main risk is slightly different status reporting when runs are
cancelled.
>
> **Overview**
> Updates the GitHub Actions `final` aggregator job to use `if: ${{
!cancelled() }}` instead of `always()`, so it still runs for upstream
success/failure but **does not** run for cancelled workflows (e.g.,
superseded runs under `cancel-in-progress`).
>
> Adds clarifying comments to document why cancellation should skip the
aggregator to avoid wasting runners and producing noise on cancelled
commits.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
b9e293457e
|
chore(deps): update github/codeql-action digest to e46ed2c (#459)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
renovate[bot]
|
9839807d80
|
chore(deps): update dependency @types/handlebars to v4.1.0 (#457)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/handlebars](https://redirect.github.com/wycats/handlebars.js) | [`4.0.40` → `4.1.0`](https://renovatebot.com/diffs/npm/@types%2fhandlebars/4.0.40/4.1.0) |  |  | --- ### Release Notes <details> <summary>wycats/handlebars.js (@​types/handlebars)</summary> ### [`v4.1.0`](https://redirect.github.com/wycats/handlebars.js/blob/HEAD/release-notes.md#v410---February-7th-2019) New Features - import TypeScript typings - [`27ac1ee`]( |
||
|
renovate[bot]
|
1a7cfe9372
|
fix(deps): update dependency @actions/glob to ^0.7.0 (#458)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@actions/glob](https://redirect.github.com/actions/toolkit/tree/main/packages/glob) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/glob)) | [`^0.6.0` → `^0.7.0`](https://renovatebot.com/diffs/npm/@actions%2fglob/0.6.1/0.7.0) |  |  | --- ### Release Notes <details> <summary>actions/toolkit (@​actions/glob)</summary> ### [`v0.7.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/glob/RELEASES.md#070) - Bump `minimatch` from `^3.0.4` to `^10.2.5` [#​2355](https://redirect.github.com/actions/toolkit/pull/2355) - Bump `undici` from `6.23.0` to `6.24.0` [#​2345](https://redirect.github.com/actions/toolkit/pull/2345) - Bump `brace-expansion` in `/packages/glob` [#​2369](https://redirect.github.com/actions/toolkit/pull/2369) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
b287efda3d
|
fix: include runner image in cache key to prevent cross-provider collisions (#456)
## Problem
The default cache key was `mise-v1-{os}-{arch}-{file_hash}` — no
runner-image discriminator. Any repo whose CI runs on multiple runner
providers with the same os/arch shares one cache slot:
- github-hosted `macos-latest`
- namespace.so `nscloud-macos-sequoia-arm64-*` /
`namespace-profile-*-macos-arm64`
- self-hosted M-series macs
- BuildJet, blacksmith, etc.
When a repo migrates from one provider to another, the new run restores
the previous provider's tool installs (~200 MB of
`~/.local/share/mise/installs/*`), and tools that loaded fine in the
original image break in the new one.
### Concrete failures observed
Discovered while migrating [jdx/hk](https://github.com/jdx/hk/pull/891)
from github-hosted to namespace.so. Same `mise-v1-macos-arm64-<hash>`
cache hit on namespace; tool resolution fails everywhere:
```
mise ERROR Tool 'ubi:koalaman/shellcheck' does not have an executable named 'shellcheck'
mise ERROR Tool 'gem:asciidoctor' does not have an executable named 'asciidoctor'
mise ERROR Tool 'aqua:betterleaks/betterleaks' does not have an executable named 'betterleaks'
mise ERROR Tool 'biome' does not have an executable named 'biome'
mise ERROR Tool 'buf' does not have an executable named 'buf'
mise ERROR Tool 'github:google/google-java-format' does not have an executable named 'google-java-format'
```
— installs are present (cache restored 185 MB) but the executable layout
from the github-hosted macOS-15 image doesn't match what mise expects on
namespace's macOS arm64 image.
On Linux, cached binaries built against the github-hosted ubuntu
glibc/CPU featureset SIGILL on namespace's image (e.g. `swiftlint` exit
code 132).
## Fix
Append the GitHub Actions hosted-runner `ImageOS` env var (e.g.
`macos15`, `ubuntu24`) to the platform segment of the default cache key.
Other runners pool under `self-hosted`.
```ts
const imageOS = process.env.ImageOS || 'self-hosted'
return `${base}-${imageOS}`
```
After this change:
- `mise-v1-macos-arm64-macos15-<hash>` (github-hosted)
- `mise-v1-macos-arm64-self-hosted-<hash>` (namespace, self-hosted,
etc.)
Users with multiple self-hosted profiles that need finer scoping can set
`cache_key_prefix` per workflow. The README's docs for `{{platform}}`
are updated to reflect the new format.
## Trade-offs
- One-time cache miss for everyone on the next run after upgrade. Cache
rebuilds and stays scoped per-image after that.
- Hosted-runner image rolls (e.g. `macos15` → `macos16`) will invalidate
cache, which is desirable — that's exactly when stale binaries cause
problems.
- Self-hosted users with mixed runner pools all share one `self-hosted`
slot. They'd need `cache_key_prefix` per pool, same as before. This PR
doesn't make that worse.
## Test plan
- [ ] Verify `dist/index.js` rebuilt cleanly (yes, `npm run package`
succeeded with the change visible at `getTarget()` callsite).
- [ ] Run on a github-hosted runner — confirm `ImageOS` is read from env
(e.g. `macos15`) and shows up in the `mise cache restored from key:` log
line.
- [ ] Run on a non-hosted runner — confirm fallback to `-self-hosted`.
- [ ] Verify a workflow that switched providers no longer pulls a
poisoned cache.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Changes cache-key generation and will cause a one-time cache miss plus
different cache partitioning, which can affect build times and cache
reuse across runners.
>
> **Overview**
> Updates the default cache-key `{{platform}}` value to append a runner
image discriminator (`process.env.ImageOS` on GitHub-hosted runners,
otherwise `self-hosted`), reducing cross-provider/image cache collisions
that can restore incompatible tool installs.
>
> Implements this via a new `getRunnerImageId()` helper used during
cache-key template processing, and documents the new `{{platform}}`
format in the README; `dist/index.js` is rebuilt accordingly.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
ac8a6414ec
|
feat: add wings_enabled input (mise-wings cache integration) (#454)
## Summary
Adds two new inputs that gate the mise-wings asset cache for tool
installs. Existing workflows are unaffected: default `wings_enabled:
false` is a no-op.
| Input | Default | Description |
|---|---|---|
| `wings_enabled` | `false` | Route tool-install URLs through the wings
cache when `true` |
## How it works
When `wings_enabled: true`, the action exports `MISE_WINGS_ENABLED=1`.
Authentication is **fully automatic** — mise itself owns the GHA OIDC →
wings session exchange. No `mise wings login` step in workflow YAML, no
long-lived secrets to rotate.
When mise (built with wings support — see
[jdx/mise#9458](https://github.com/jdx/mise/pull/9458)) sees
`MISE_WINGS_ENABLED=1` and detects the GHA OIDC env vars
(`ACTIONS_ID_TOKEN_REQUEST_URL` + `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it:
1. Fetches the runner's OIDC token, scoped to the wings deployment
audience
2. POSTs it to `https://api.<host>/auth` to mint a wings CI session JWT
3. Caches the JWT in-process for the rest of the workflow run
4. Transparently rewrites `registry.npmjs.org` / `github.com` /
`api.github.com` URLs to the corresponding wings cache subdomains and
attaches the JWT as a Bearer header
## Why opt-in (not opt-out)
The default-off posture is deliberate. Many workflows already declare
`permissions: id-token: write` for unrelated reasons (SLSA provenance,
AWS OIDC, Sigstore, npm provenance, etc.). If `wings_enabled` defaulted
to `true`, those workflows would silently send the runner's OIDC
identity claims to a third-party cache without explicit consent. Cursor
Bugbot HIGH + Greptile P1+security correctly flagged the previous
"default true" iteration of this PR as a privacy regression.
Explicit opt-in keeps the gate visible in the workflow YAML.
## Workflow requirements
```yaml
permissions:
id-token: write # required for OIDC
jobs:
build:
steps:
- uses: jdx/mise-action@<sha>
with:
wings_enabled: true
```
The action emits a clear warning when `wings_enabled: true` but
`id-token: write` is missing — without that hint, the user would see
"wings configured but doing nothing" and have no clue why.
## Test plan
- [x] `npm run all` — format + lint + package, clean
- [x] `dist/index.js` rebuilt and contains the wings hook (greppable:
`MISE_WINGS_ENABLED`, `setupWings`)
- [ ] End-to-end: a workflow with `wings_enabled: true`, `permissions:
id-token: write`, an active wings subscription, and a recent enough
`mise` binary. The mise repo's own `docs.yml` will exercise this path
once [jdx/mise#9458](https://github.com/jdx/mise/pull/9458) is merged.
- [ ] Default-off path: a workflow without the `wings_enabled` input
behaves identically to today.
## Out of scope
- Older mise binaries will see `MISE_WINGS_ENABLED` and silently ignore
it (no wings client code) — that's intended; the action doesn't gate on
mise version.
- Self-hosted runners: `permissions: id-token: write` only does anything
on GitHub-hosted runners by default. Self-hosted runners need extra
config; the warning above is conservative enough for both cases.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Introduces an opt-in path that can cause OIDC-based authentication to
a third-party cache and alters tool download routing when enabled.
Default-off behavior limits impact, but misconfiguration could create
confusing cache bypass or unexpected network/token exchange behavior.
>
> **Overview**
> Adds a new **experimental** `wings_enabled` action input (default
`false`) to opt workflows into the mise-wings asset cache by exporting
`MISE_WINGS_ENABLED=1`.
>
> When enabled, the action now runs `setupWings()` early to set the env
var and warn if GitHub OIDC env vars are missing (i.e., `permissions:
id-token: write` not configured), while leaving existing/default
behavior unchanged.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
0a780158e1
|
chore: migrate package manager from npm/pnpm/bun to aube (#455)
## Summary
Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).
| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged — aube
reads it directly) |
The `aubr` binary ships alongside `aube` in the same install — it's the
script-runner shorthand (`aubr <script>` ≡ `aube run <script>`). Saves a
word in every workflow / mise.toml line.
## What didn't change
- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && …"`). The literal
`npm` works for both callers — aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` — parity with the
npm-built bundle verified locally.
## New project files
- **`.npmrc`** — single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** — generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.
Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.
## Why aube
Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.
## Test plan
- [x] `aube install` from clean — succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) — succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` — clean
- [x] `aubr lint` — clean
- [x] `aubr package` — produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesn’t change
runtime action logic.
>
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
>
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`’s generated `pnpm-workspace.yaml`.
>
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
3cd8ad48b8
|
chore(deps): lock file maintenance (#439)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | 🔧 This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - "before 4am on monday" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
1c5f70fd40
|
chore(deps): bump communique to 1.1.2 (#453)
## Summary
- add a communique mise lock entry for v1.1.2
- include release asset URLs and checksums, including musl assets
## Validation
- monitored jdx/communique release workflow 24960017639 to success
- `mise install --locked communique`
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: adds an auto-generated tool lockfile entry only, affecting
developer tool installation but not runtime application behavior.
>
> **Overview**
> Pins the `communique` developer tool to **v1.1.2** by adding a
generated `mise.lock` entry.
>
> The lock includes **per-platform download URLs, asset API links, and
SHA-256 checksums**, including *musl* variants for Linux.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
5ad13376e3
|
chore(deps): update autofix-ci/action digest to c5b2d67 (#452)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [autofix-ci/action](https://redirect.github.com/autofix-ci/action)
([changelog](
|
||
|
renovate[bot]
|
6fa7302151
|
chore(deps): update actions/setup-node digest to 48b55a0 (#451)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node)
([changelog](
|
||
|
renovate[bot]
|
db69447ab3
|
chore(deps): update dependency eslint to v10.2.1 (#445)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.2.0` → `10.2.1`](https://renovatebot.com/diffs/npm/eslint/10.2.0/10.2.1) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.2.1`](https://redirect.github.com/eslint/eslint/compare/v10.2.0...4d1d8f9737236603f64bbe83d5bb8001627b5611) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.2.0...v10.2.1) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
89d8187abc
|
chore(deps): update dependency typescript to v6.0.3 (#442)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript](https://www.typescriptlang.org/) ([source](https://redirect.github.com/microsoft/TypeScript)) | [`6.0.2` → `6.0.3`](https://renovatebot.com/diffs/npm/typescript/6.0.2/6.0.3) |  |  | --- ### Release Notes <details> <summary>microsoft/TypeScript (typescript)</summary> ### [`v6.0.3`](https://redirect.github.com/microsoft/TypeScript/compare/v6.0.2...050880ce59e30b356b686bd3144efe24f875ebc8) [Compare Source](https://redirect.github.com/microsoft/TypeScript/compare/v6.0.2...v6.0.3) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4513fc1bd4
|
chore(deps): update dependency typescript-eslint to v8.58.2 (#443)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.58.1` → `8.58.2`](https://renovatebot.com/diffs/npm/typescript-eslint/8.58.1/8.58.2) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.58.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8582-2026-04-13) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.58.1...v8.58.2) ##### 🩹 Fixes - remove tsbuildinfo cache file from published packages ([#​12187](https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12187)) ##### ❤️ Thank You - Abhijeet Singh [@​cseas](https://redirect.github.com/cseas) See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.58.2) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
2f9976bb5b
|
chore(deps): update dependency prettier to v3.8.3 (#441)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [prettier](https://prettier.io) ([source](https://redirect.github.com/prettier/prettier)) | [`3.8.2` → `3.8.3`](https://renovatebot.com/diffs/npm/prettier/3.8.2/3.8.3) |  |  | --- ### Release Notes <details> <summary>prettier/prettier (prettier)</summary> ### [`v3.8.3`](https://redirect.github.com/prettier/prettier/compare/3.8.2...3.8.3) [Compare Source](https://redirect.github.com/prettier/prettier/compare/3.8.2...3.8.3) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4d6abcf45f
|
chore(deps): update dependency globals to v17.5.0 (#444)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [globals](https://redirect.github.com/sindresorhus/globals) | [`17.4.0` → `17.5.0`](https://renovatebot.com/diffs/npm/globals/17.4.0/17.5.0) |  |  | --- ### Release Notes <details> <summary>sindresorhus/globals (globals)</summary> ### [`v17.5.0`]() [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.4.0...v17.5.0) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
f1b645161c
|
chore(deps): update github/codeql-action digest to 95e58e9 (#440)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
renovate[bot]
|
d6e9fb75ae
|
chore(deps): update dependency typescript-eslint to v8.58.1 (#422)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.58.0` → `8.58.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.58.0/8.58.1) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.58.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8581-2026-04-08) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.58.0...v8.58.1) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.58.1) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
a407fefef5
|
ci: add final job to aggregate build-test results (#438)
## Summary
- Add a `final` job to the build-test workflow that depends on all other
jobs
- Fails if any upstream job failed or was skipped
- Provides a single required status check for branch protection
## Test plan
- [ ] `final` job passes when all other jobs pass
- [ ] `final` job fails when any upstream job fails
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: workflow-only change that adds a single aggregator job and
doesn’t affect production code paths. Main risk is misconfiguring branch
protection expectations if the `final` job logic/conditions are wrong.
>
> **Overview**
> Adds a `final` GitHub Actions job to the `build-test` workflow that
depends on all other jobs and runs with `if: always()`.
>
> The `final` job fails the workflow if any upstream job result is
`failure`, `cancelled`, or `skipped`, enabling a single required status
check for branch protection.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
3b61f05fac
|
fix(deps): update dependency @actions/cache to v6 (#432)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@actions/cache](https://redirect.github.com/actions/toolkit/tree/main/packages/cache) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/cache)) | [`^4.0.0` → `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fcache/4.1.0/6.0.0) |  |  | --- ### Release Notes <details> <summary>actions/toolkit (@​actions/cache)</summary> ### [`v6.0.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#600) - **Breaking change**: Package is now ESM-only - CommonJS consumers must use dynamic `import()` instead of `require()` ### [`v5.0.5`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#505) - Bump `@actions/glob` to `0.5.1` ### [`v5.0.4`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#504) - Bump `@actions/http-client` to `3.0.2` ### [`v5.0.3`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#503) Prevent retries for rate limited cache operations [2243](https://redirect.github.com/actions/toolkit/pull/2243). ### [`v5.0.1`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#501) - Fix Node.js 24 punycode deprecation warning by updating `@azure/storage-blob` from `^12.13.0` to `^12.29.1` [#​2213](https://redirect.github.com/actions/toolkit/pull/2213) - Newer storage-blob uses `@azure/core-rest-pipeline` instead of deprecated `@azure/core-http`, which eliminates the transitive dependency on `node-fetch@2` → `whatwg-url@5` → `tr46@​0.0.3` that used the deprecated punycode module ### [`v5.0.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#500) - Remove `@azure/ms-rest-js` dependency [#​2197](https://redirect.github.com/actions/toolkit/pull/2197) - The `TransferProgressEvent` type is now imported from `@azure/core-rest-pipeline` instead of `@azure/ms-rest-js` - Bump `@actions/core` from `^1.11.1` to `^2.0.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Bump `@actions/exec` from `^1.0.1` to `^2.0.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Bump `@actions/glob` from `^0.1.0` to `^0.5.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Bump `@actions/http-client` from `^2.1.1` to `^3.0.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Bump `@actions/io` from `^1.0.1` to `^2.0.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Add support for Node.js 24 [#​2110](https://redirect.github.com/actions/toolkit/pull/2110) - Add `node-fetch` override to resolve audit vulnerabilities [#​2110](https://redirect.github.com/actions/toolkit/pull/2110) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
6ffba57a54
|
chore(deps): update dependency typescript to v6 (#428)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript](https://www.typescriptlang.org/) ([source](https://redirect.github.com/microsoft/TypeScript)) | [`^5.7.2` → `^6.0.0`](https://renovatebot.com/diffs/npm/typescript/5.9.3/6.0.2) |  |  | --- ### Release Notes <details> <summary>microsoft/TypeScript (typescript)</summary> ### [`v6.0.2`](https://redirect.github.com/microsoft/TypeScript/compare/v5.9.3...607a22a90d1a5a1b507ce01bb8cd7ec020f954e7) [Compare Source](https://redirect.github.com/microsoft/TypeScript/compare/v5.9.3...v6.0.2) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
2a3eb97a03
|
chore: migrate from ncc (CJS) to rollup (ESM) (#436)
## Summary
- Switch bundler from `@vercel/ncc` to `rollup` with
`@rollup/plugin-commonjs`, `@rollup/plugin-node-resolve`,
`@rollup/plugin-json`, and `@rollup/plugin-typescript`
- Add `"type": "module"` to `package.json` for ESM support
- Upgrade all `@actions/*` dependencies to their latest major versions
(`@actions/core` v3, `@actions/exec` v3, `@actions/cache` v6,
`@actions/glob` v0.6, `@actions/io` v3)
- Remove old ncc artifacts (`dist/licenses.txt`,
`dist/sourcemap-register.js`)
## Why
The `@actions/toolkit` packages v3+ are ESM-only and can't be bundled by
ncc (which uses webpack with CJS `require()`). This is what's blocking
#435 (renovate `@actions/exec` v3 upgrade). The official
`actions/typescript-action` template has already migrated to rollup.
## Test plan
- [ ] CI passes (`npm run all` — format, lint, package)
- [ ] `check-dist` workflow passes (dist/index.js matches build output)
- [ ] Integration tests pass on all platforms (ubuntu, macos, windows,
alpine)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Moderate risk because it changes the action’s build/bundling pipeline
and module format (CJS→ESM), which can break runtime execution or
dependency resolution if the generated `dist/` output differs across
environments.
>
> **Overview**
> Migrates the GitHub Action build from `@vercel/ncc` (CommonJS) to a
Rollup-based ESM bundle, adding `rollup.config.ts` and updating
TypeScript settings to `NodeNext` to support ESM output.
>
> Updates `package.json` to `"type": "module"`, switches the packaging
script to Rollup, and upgrades `@actions/*` dependencies to their latest
major (ESM-only) versions. The checked-in `dist/` artifacts are
regenerated accordingly (including license output) and legacy
ncc-specific artifacts are removed.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
a25e4af358
|
chore(deps): update amannn/action-semantic-pull-request action to v6 (#426)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [amannn/action-semantic-pull-request](https://redirect.github.com/amannn/action-semantic-pull-request) | action | major | `v5` → `v6` | --- ### Release Notes <details> <summary>amannn/action-semantic-pull-request (amannn/action-semantic-pull-request)</summary> ### [`v6`](https://redirect.github.com/amannn/action-semantic-pull-request/compare/v5...v6) [Compare Source](https://redirect.github.com/amannn/action-semantic-pull-request/compare/v5...v6) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
8b65f8f4d4
|
chore(deps): update github/codeql-action action to v4 (#430)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | major | `v3` → `v4` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v4`](https://redirect.github.com/github/codeql-action/compare/v3...v4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3...v4) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
0b79532206
|
chore(deps): update eslint monorepo to v10 (major) (#429)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@eslint/js](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint/tree/HEAD/packages/js)) | [`^9.15.0` → `^10.0.0`](https://renovatebot.com/diffs/npm/@eslint%2fjs/9.39.4/10.0.1) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`^9.15.0` → `^10.0.0`](https://renovatebot.com/diffs/npm/eslint/9.39.4/10.2.0) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (@​eslint/js)</summary> ### [`v10.0.1`](https://redirect.github.com/eslint/eslint/compare/v10.0.0...84fb885d49ac810e79a9491276b4828b53d913e5) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.0.0...v10.0.1) ### [`v10.0.0`](https://redirect.github.com/eslint/eslint/releases/tag/v10.0.0) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v9.39.4...v10.0.0) #### Breaking Changes - [`f9e54f4`]( |
||
|
renovate[bot]
|
5dd08e1290
|
chore(deps): update dependency globals to v17 (#427)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [globals](https://redirect.github.com/sindresorhus/globals) | [`^16.0.0` → `^17.0.0`](https://renovatebot.com/diffs/npm/globals/16.5.0/17.4.0) |  |  | --- ### Release Notes <details> <summary>sindresorhus/globals (globals)</summary> ### [`v17.4.0`](https://redirect.github.com/sindresorhus/globals/compare/v17.3.0...a9cfd7493fb701474d4dc946283c7b9d63d64134) [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.3.0...v17.4.0) ### [`v17.3.0`](https://redirect.github.com/sindresorhus/globals/releases/tag/v17.3.0) [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.2.0...v17.3.0) - Update globals (2026-02-01) ([#​336](https://redirect.github.com/sindresorhus/globals/issues/336)) [`295fba9`]( |
||
|
renovate[bot]
|
ac93c8a0e0
|
chore(deps): update actions/upload-artifact digest to 043fb46 (#434)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
([changelog](
|
||
|
renovate[bot]
|
970e54e062
|
chore(deps): update jdx/mise-action action to v4 (#431)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [jdx/mise-action](https://redirect.github.com/jdx/mise-action) | action | major | `v2` → `v4` | --- ### Release Notes <details> <summary>jdx/mise-action (jdx/mise-action)</summary> ### [`v4`](https://redirect.github.com/jdx/mise-action/compare/v3...v4) [Compare Source](https://redirect.github.com/jdx/mise-action/compare/v3...v4) ### [`v3`](https://redirect.github.com/jdx/mise-action/blob/HEAD/CHANGELOG.md#340---2025-10-31) [Compare Source](https://redirect.github.com/jdx/mise-action/compare/v2...v3) ##### 🚀 Features - use autofix.ci to auto-update dist/ on all PRs by [@​jdx](https://redirect.github.com/jdx) in [ |
||
|
renovate[bot]
|
41a529d4f6
|
chore(deps): update actions/upload-artifact action to v7 (#425)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v6` → `v7` | --- ### Release Notes <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v7`](https://redirect.github.com/actions/upload-artifact/compare/v6...v7) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v6...v7) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
f2530f6d59
|
chore(deps): update dependency @types/handlebars to v4.1.0 (#423)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/handlebars](https://redirect.github.com/wycats/handlebars.js) | [`4.0.40` → `4.1.0`](https://renovatebot.com/diffs/npm/@types%2fhandlebars/4.0.40/4.1.0) |  |  | --- ### Release Notes <details> <summary>wycats/handlebars.js (@​types/handlebars)</summary> ### [`v4.1.0`](https://redirect.github.com/wycats/handlebars.js/blob/HEAD/release-notes.md#v410---February-7th-2019) New Features - import TypeScript typings - [`27ac1ee`]( |
||
|
renovate[bot]
|
05f8e725d3
|
chore(deps): update dependency prettier to v3.8.2 (#421)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [prettier](https://prettier.io) ([source](https://redirect.github.com/prettier/prettier)) | [`3.8.1` → `3.8.2`](https://renovatebot.com/diffs/npm/prettier/3.8.1/3.8.2) |  |  | --- ### Release Notes <details> <summary>prettier/prettier (prettier)</summary> ### [`v3.8.2`](https://redirect.github.com/prettier/prettier/compare/3.8.1...fbf300f9d89820364ddc9b2efa05b92b8c01b692) [Compare Source](https://redirect.github.com/prettier/prettier/compare/3.8.1...3.8.2) </details> --- ### Configuration 📅 **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
1c992c2b17
|
chore(deps): lock file maintenance (#420)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | 🔧 This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on monday" in timezone America/Chicago, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
d93325ba61
|
chore(deps): update dependency @types/handlebars to v4.1.0 (#417)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/handlebars](https://redirect.github.com/wycats/handlebars.js) | [`4.0.40` → `4.1.0`](https://renovatebot.com/diffs/npm/@types%2fhandlebars/4.0.40/4.1.0) |  |  | --- ### Release Notes <details> <summary>wycats/handlebars.js (@​types/handlebars)</summary> ### [`v4.1.0`](https://redirect.github.com/wycats/handlebars.js/blob/HEAD/release-notes.md#v410---February-7th-2019) New Features - import TypeScript typings - [`27ac1ee`]( |
||
|
renovate[bot]
|
641a2bcbed
|
chore(deps): update github/codeql-action digest to 5c8a8a6 (#416)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
renovate[bot]
|
ae16675061
|
chore(deps): lock file maintenance (#415)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | 🔧 This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on monday" in timezone America/Chicago, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45NC4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
b106a2f3b6
|
chore(deps): lock file maintenance (#413)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | 🔧 This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration 📅 **Schedule**: Branch creation - "before 4am on monday" in timezone America/Chicago, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
0b4dcb0c10
|
ci: add communique to enhance release notes (#411)
## Summary
- Add communique tool to mise.toml
- Add `enhance-release` job to release workflow that runs after release
creation to generate AI-enhanced release notes
## Test plan
- [ ] Verify next release triggers the enhance-release job
- [ ] Confirm ANTHROPIC_API_KEY secret is configured in repo settings
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new post-release GitHub Actions job that uses an external AI
API and an elevated token to modify GitHub release notes; failures or
misconfigured secrets can break the release workflow and token scope
matters.
>
> **Overview**
> After the `release` job completes, the workflow now runs a new
`enhance-release` job that computes the tag from `package.json` and
calls `communique generate ... --github-release` to update the GitHub
release notes.
>
> The PR also adds `communique` to `mise.toml` so the tool is available
in CI, and wires in `ANTHROPIC_API_KEY` plus a dedicated
`RELEASE_PLZ_GITHUB_TOKEN` for the release-note update step.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
|