mirror of
https://github.com/jdx/mise-action.git
synced 2026-05-14 13:50:33 +00:00
645 commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
autofix-ci[bot]
|
d8a46eeb85
|
[autofix.ci] apply automated fixes | ||
|
renovate[bot]
|
a3e96fd0c3
|
chore(deps): lock file maintenance | ||
|
renovate[bot]
|
590bfd78fa
|
chore(deps): update dependency aube to v1.6.2 (#466)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `v1.5.1` β `v1.6.2` | `v1.9.1` (+3) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.6.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.2): : Engines coverage catches up to pnpm [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.1...v1.6.2) A small patch release that closes engine-validation gaps with pnpm. #### Fixed - **Broader engines coverage** ([#​458](https://redirect.github.com/endevco/aube/pull/458) by [@​jdx](https://redirect.github.com/jdx)) β aube now honors engine constraints it previously skipped: - `engines.aube` and `engines.pnpm` on root and workspace project manifests are checked against the running aube version (aube positions itself as a pnpm-compatible drop-in, so `engines.pnpm` is honored as if aube were that pnpm). - `engines.node` is now enforced on workspace project manifests, not just the root. - Warning output labels which engine triggered the mismatch (e.g. `wanted node >=20`, `wanted aube >=99999`, `wanted pnpm >=8`), and the `engine-strict` error message stays compatible with existing assertions. - `engines.{aube,pnpm}` on transitive deps remain skipped on purpose, since wild packages routinely pin author toolchains. **Full Changelog**: <https://github.com/endevco/aube/compare/v1.6.1...v1.6.2> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.6.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.1) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.6.0...v1.6.1) ##### Fixed - Unblocked the `v1.6.0` publishing path so missing Linux release assets and downstream package publishes could be backfilled ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Made the resolver build script tolerate environments where the primer generator exists but `node` is not installed, falling back to an empty primer with a Cargo warning instead of panicking ([#​460](https://redirect.github.com/endevco/aube/pull/460)). - Moved npm publishing and PPA upload jobs back to GitHub-hosted runners where npm provenance and Launchpad FTP uploads work correctly ([#​460](https://redirect.github.com/endevco/aube/pull/460)). ##### Other - Refreshed benchmarks for the 1.5.2 baseline ([#​459](https://redirect.github.com/endevco/aube/pull/459)). ### [`v1.6.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.6.0) [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.1...v1.6.0) ##### Highlights - Added broader pnpm compatibility for `aube add`, `aube update`, pnpmfile hooks, catalog saves, workspace protocol parsing, and lockfile directory configuration. - Added generic `--config.<key>=<value>` overrides plus fetch timeout, retry, backoff, `--pnpmfile`, and `--global-pnpmfile` flags. - Improved install, resolver, registry, linker, manifest, settings, and state hot paths with shared caches, cheaper hashes, fewer repeated filesystem probes, and compressed packument fetches. - Expanded pnpm parity coverage across update, hooks, allow-build review, monorepo filter, prefer-offline, and misc install behavior. ##### Added - `aube update` now parses `<pkg>@​<spec>` arguments and can update indirect dependencies ([#​446](https://redirect.github.com/endevco/aube/pull/446)). - `aube add` can bootstrap a missing `package.json`, matching pnpm behavior covered by newly ported misc tests ([#​417](https://redirect.github.com/endevco/aube/pull/417)). - `--config.<key>=<value>` flags provide generic CLI config overrides ([#​447](https://redirect.github.com/endevco/aube/pull/447)). - `--lockfile-dir` / `lockfileDir` support allows commands to target a foreign lockfile directory when valid ([#​431](https://redirect.github.com/endevco/aube/pull/431)). - Fetch controls were added for timeout, retry count, and retry backoff behavior ([#​436](https://redirect.github.com/endevco/aube/pull/436)). - `--pnpmfile` and `--global-pnpmfile` flags were added, with pnpmfile hooks wired into update and `preResolution` support ([#​439](https://redirect.github.com/endevco/aube/pull/439), [#​423](https://redirect.github.com/endevco/aube/pull/423)). - pnpmfile `ctx.log` records now emit as `pnpm:hook` NDJSON on stdout ([#​440](https://redirect.github.com/endevco/aube/pull/440)). - `--save-catalog`, `workspace:*` parsing, and `sharedWorkspaceLockfile=false` support landed together ([#​418](https://redirect.github.com/endevco/aube/pull/418)). - Empty `--allow-build` values now use pnpm's verbatim error wording ([#​444](https://redirect.github.com/endevco/aube/pull/444)). ##### Fixed - `AUBE_VIRTUAL_STORE_DIR` is honored from the environment, with additional pnpm misc parity coverage ([#​456](https://redirect.github.com/endevco/aube/pull/456)). - `aube update --latest` preserves prerelease pins that are already higher than the latest stable version ([#​445](https://redirect.github.com/endevco/aube/pull/445)). - `.` is rejected as a foreign `--lockfile-dir` importer and the related docs were corrected ([#​442](https://redirect.github.com/endevco/aube/pull/442)). - npm `package-lock.json` workspace importers are preserved when parsing and writing lockfiles ([#​443](https://redirect.github.com/endevco/aube/pull/443)). - Lifecycle script behavior closed three pnpm parity gaps ([#​421](https://redirect.github.com/endevco/aube/pull/421)). - The resolver now ships an empty bundled metadata primer when the generator script cannot run, instead of failing the build ([#​425](https://redirect.github.com/endevco/aube/pull/425)). ##### Performance - Cached hot-path work across install, resolver, registry, linker, manifest parsing, settings lookup, and install state freshness checks ([#​453](https://redirect.github.com/endevco/aube/pull/453)). - Deduplicated and cached repeated install/resolver work, including graph hashing, patch fingerprints, lockfile parsing, env capture, script policy lookup, workspace-root scans, and registry auth token matching ([#​449](https://redirect.github.com/endevco/aube/pull/449)). - Refreshed benchmark results for the 1.5.2 baseline ([#​448](https://redirect.github.com/endevco/aube/pull/448), [#​452](https://redirect.github.com/endevco/aube/pull/452)). ##### Testing and Parity - Ported pnpm monorepo filter tests and wired `--fail-if-no-match` ([#​457](https://redirect.github.com/endevco/aube/pull/457)). - Ported additional pnpm hook, allowBuilds review, update, prefer-offline, circular peer, trust-policy, peer warning, top-level plugin, and registry fixture coverage ([#​455](https://redirect.github.com/endevco/aube/pull/455), [#​441](https://redirect.github.com/endevco/aube/pull/441), [#​438](https://redirect.github.com/endevco/aube/pull/438), [#​454](https://redirect.github.com/endevco/aube/pull/454), [#​434](https://redirect.github.com/endevco/aube/pull/434), [#​433](https://redirect.github.com/endevco/aube/pull/433), [#​424](https://redirect.github.com/endevco/aube/pull/424)). </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
c0cbd12180
|
chore(deps): update dependency globals to v17.6.0 (#465)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [globals](https://redirect.github.com/sindresorhus/globals) | [`17.5.0` β `17.6.0`](https://renovatebot.com/diffs/npm/globals/17.5.0/17.6.0) |  |  | --- ### Release Notes <details> <summary>sindresorhus/globals (globals)</summary> ### [`v17.6.0`](https://redirect.github.com/sindresorhus/globals/compare/v17.5.0...6b15870f1c08b60b5b57afe45a703d9ed0be39bc) [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.5.0...v17.6.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
34cccd8792
|
chore(deps): update dependency eslint to v10.3.0 (#464)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.2.1` β `10.3.0`](https://renovatebot.com/diffs/npm/eslint/10.2.1/10.3.0) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.3.0`](https://redirect.github.com/eslint/eslint/compare/v10.2.1...78892043a36da4aa7640b59c99344b00c181048a) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.2.1...v10.3.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
396ce9daa2
|
chore(deps): update dependency aube to v1.5.1 (#463)
This PR contains the following updates: | Package | Update | Change | Pending | |---|---|---|---| | [aube](https://redirect.github.com/endevco/aube) | minor | `1.4` β `v1.5.1` | `v1.9.1` (+6) | --- ### Release Notes <details> <summary>endevco/aube (aube)</summary> ### [`v1.5.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.1): : POSIX colon tarball filenames [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.5.0...v1.5.1) A small patch release fixing tarball installs that contain `:` in entry filenames on POSIX platforms (e.g. `redos-detector@6.1.4`'s `dist/__mocks__/package-json:version.d.ts`). #### Fixed - **POSIX colon tarball filenames** β the store tarball validator and the linker's `validate_index_key` previously rejected `:` on every platform to defend against Windows drive-prefix and NTFS alternate-data-stream ambiguity. That guard was too broad for POSIX, where colon is a valid filename character, and caused installs of packages like `redos-detector@6.1.4` to fail. Both guards are now platform-gated: `:` is still rejected on Windows, but accepted on Linux and macOS. ([#​386](https://redirect.github.com/endevco/aube/pull/386) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.5.0...v1.5.1> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. ### [`v1.5.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.5.0): : Dependency graph queries and patch/lockfile fixes [Compare Source](https://redirect.github.com/endevco/aube/compare/v1.4.0...v1.5.0) This release adds `aube query` for selector-based dependency graph inspection, fixes patch application against CRLF tarball files, repairs npm-aliased catalog dependencies in pnpm-generated lockfiles, and unifies how aube decides where to write workspace settings. #### Added - **`aube query`** β a vlt-inspired dependency-graph query command. Supply a selector expression (attribute predicates plus pseudo-selectors like `:scripts`, `:bin`, `:peer`, `:type(...)`, `:license(...)`), optionally scope with workspace `--filter`/`--prod`/`--dev` roots, and emit human-readable, `--parseable`, or `--json` output. Reads only the local lockfile. ([#​380](https://redirect.github.com/endevco/aube/pull/380) by [@​jdx](https://redirect.github.com/jdx)) #### Fixed - **Patches against CRLF text files** β tarballs published from Windows editors (e.g. `gifuct-js@2.1.2/index.d.ts`) ship CRLF, but git/pnpm-style patches always emit LF, and diffy refused to match LF hunks against CRLF context. aube now normalizes the original to LF before applying and restores CRLF on write β matching pnpm's approach β with a `\r\r\n` collapse so a literal `\r` byte mid-line doesn't gain a second carriage return. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **`aube patch-commit` destination** β previously wrote unconditionally to `pnpm.patchedDependencies` in `package.json` even on projects already using the pnpm v10+ workspace-yaml home. A single rule now applies to every command that mutates a setting which can live in either the workspace yaml or `package.json#{pnpm,aube}.<key>`: 1. If a workspace yaml exists on disk β write there. 2. Otherwise, if `package.json#pnpm` is already declared β write `pnpm.<key>` (preserve the user's namespace). 3. Otherwise β write `aube.<key>`. `aube patch-remove` now strips entries from every place they could live and reports the files actually rewritten. The same rule covers `aube approve-builds` and install-time auto-deny seeding. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **npm-aliased catalog deps from pnpm lockfiles** β `aube install --frozen-lockfile` previously accepted a pnpm lockfile with `beamcoder: npm:beamcoder-prebuild@β¦` declared via `pnpm-workspace.yaml#catalog` and silently produced an empty `node_modules`, because the importer's specifier was `'catalog:'` and alias detection only fired on `specifier.starts_with("npm:")`. Aliases are now detected purely from the canonical `<real>@​<resolved>` `version:` shape, with a peer-suffix strip so `version: 18.2.0(react@18.2.0)` isn't misclassified. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Bounded resolver stream** β the resolved-package stream is now a bounded Tokio channel sized from the same network concurrency used by fetch workers, with awaited sends so resolver/fetch overlap applies backpressure instead of accumulating an unbounded queue. ([#​377](https://redirect.github.com/endevco/aube/pull/377) by [@​jdx](https://redirect.github.com/jdx)) #### Changed - **`aube-workspace.yaml` is the default-write filename** β when neither `aube-workspace.yaml` nor `pnpm-workspace.yaml` exists, `aube approve-builds` (and the install-time auto-seed of unreviewed build scripts) now creates `aube-workspace.yaml` so it pairs with `aube-lock.yaml` instead of leaving mixed vendor namespaces side by side. Existing `pnpm-workspace.yaml` files keep being mutated in place. ([#​382](https://redirect.github.com/endevco/aube/pull/382) by [@​jdx](https://redirect.github.com/jdx)) - **Comment-preserving workspace-yaml writes** β yaml writes now skip the rewrite when the closure produces no structural change, so user comments survive every no-op update to `allowBuilds`, `patchedDependencies`, and catalog cleanup. ([#​384](https://redirect.github.com/endevco/aube/pull/384) by [@​jdx](https://redirect.github.com/jdx)) - **Install phase timing sink** β set `AUBE_BENCH_PHASES_FILE` to append per-phase install timings (resolve/fetch/link/scripts/state/sweep) as JSONL, optionally tagged with `AUBE_BENCH_SCENARIO`. The benchmark harness samples aube install-shaped scenarios and `benchmarks/generate-phase-results.mjs` turns the JSONL into a Markdown table plus a structured JSON artifact. ([#​381](https://redirect.github.com/endevco/aube/pull/381) by [@​jdx](https://redirect.github.com/jdx)) **Full Changelog**: <https://github.com/endevco/aube/compare/v1.4.0...v1.5.0> #### π Sponsor aube aube is part of [**en.dev**](https://en.dev) β an independent developer-tooling studio run by [@​jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
8720daa86c
|
chore(deps): update github/codeql-action digest to 68bde55 (#462)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
jdx
|
c6a35e2d7d
|
chore(ci): use !cancelled() instead of always() for final job (#460)
## Summary
- Combined with the workflow's `cancel-in-progress` group, `if:
always()` overrides cancellation and runs the `final` aggregator even on
superseded commits.
- `!cancelled()` still runs on upstream success or failure but skips
when the workflow is cancelled β saves a runner and avoids confusing
error annotations on already-superseded shas.
- Caught by Cursor Bugbot on a sibling repo (endevco/pitchfork#413).
Same `final`-aggregator pattern + `cancel-in-progress: true` here, so
the same fix applies.
## Test plan
- [ ] CI passes on this PR
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that just adjusts when the `final` job runs;
main risk is slightly different status reporting when runs are
cancelled.
>
> **Overview**
> Updates the GitHub Actions `final` aggregator job to use `if: ${{
!cancelled() }}` instead of `always()`, so it still runs for upstream
success/failure but **does not** run for cancelled workflows (e.g.,
superseded runs under `cancel-in-progress`).
>
> Adds clarifying comments to document why cancellation should skip the
aggregator to avoid wasting runners and producing noise on cancelled
commits.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
b9e293457e
|
chore(deps): update github/codeql-action digest to e46ed2c (#459)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
renovate[bot]
|
9839807d80
|
chore(deps): update dependency @types/handlebars to v4.1.0 (#457)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/handlebars](https://redirect.github.com/wycats/handlebars.js) | [`4.0.40` β `4.1.0`](https://renovatebot.com/diffs/npm/@types%2fhandlebars/4.0.40/4.1.0) |  |  | --- ### Release Notes <details> <summary>wycats/handlebars.js (@​types/handlebars)</summary> ### [`v4.1.0`](https://redirect.github.com/wycats/handlebars.js/blob/HEAD/release-notes.md#v410---February-7th-2019) New Features - import TypeScript typings - [`27ac1ee`]( |
||
|
renovate[bot]
|
1a7cfe9372
|
fix(deps): update dependency @actions/glob to ^0.7.0 (#458)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@actions/glob](https://redirect.github.com/actions/toolkit/tree/main/packages/glob) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/glob)) | [`^0.6.0` β `^0.7.0`](https://renovatebot.com/diffs/npm/@actions%2fglob/0.6.1/0.7.0) |  |  | --- ### Release Notes <details> <summary>actions/toolkit (@​actions/glob)</summary> ### [`v0.7.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/glob/RELEASES.md#070) - Bump `minimatch` from `^3.0.4` to `^10.2.5` [#​2355](https://redirect.github.com/actions/toolkit/pull/2355) - Bump `undici` from `6.23.0` to `6.24.0` [#​2345](https://redirect.github.com/actions/toolkit/pull/2345) - Bump `brace-expansion` in `/packages/glob` [#​2369](https://redirect.github.com/actions/toolkit/pull/2369) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
b287efda3d
|
fix: include runner image in cache key to prevent cross-provider collisions (#456)
## Problem
The default cache key was `mise-v1-{os}-{arch}-{file_hash}` β no
runner-image discriminator. Any repo whose CI runs on multiple runner
providers with the same os/arch shares one cache slot:
- github-hosted `macos-latest`
- namespace.so `nscloud-macos-sequoia-arm64-*` /
`namespace-profile-*-macos-arm64`
- self-hosted M-series macs
- BuildJet, blacksmith, etc.
When a repo migrates from one provider to another, the new run restores
the previous provider's tool installs (~200 MB of
`~/.local/share/mise/installs/*`), and tools that loaded fine in the
original image break in the new one.
### Concrete failures observed
Discovered while migrating [jdx/hk](https://github.com/jdx/hk/pull/891)
from github-hosted to namespace.so. Same `mise-v1-macos-arm64-<hash>`
cache hit on namespace; tool resolution fails everywhere:
```
mise ERROR Tool 'ubi:koalaman/shellcheck' does not have an executable named 'shellcheck'
mise ERROR Tool 'gem:asciidoctor' does not have an executable named 'asciidoctor'
mise ERROR Tool 'aqua:betterleaks/betterleaks' does not have an executable named 'betterleaks'
mise ERROR Tool 'biome' does not have an executable named 'biome'
mise ERROR Tool 'buf' does not have an executable named 'buf'
mise ERROR Tool 'github:google/google-java-format' does not have an executable named 'google-java-format'
```
β installs are present (cache restored 185 MB) but the executable layout
from the github-hosted macOS-15 image doesn't match what mise expects on
namespace's macOS arm64 image.
On Linux, cached binaries built against the github-hosted ubuntu
glibc/CPU featureset SIGILL on namespace's image (e.g. `swiftlint` exit
code 132).
## Fix
Append the GitHub Actions hosted-runner `ImageOS` env var (e.g.
`macos15`, `ubuntu24`) to the platform segment of the default cache key.
Other runners pool under `self-hosted`.
```ts
const imageOS = process.env.ImageOS || 'self-hosted'
return `${base}-${imageOS}`
```
After this change:
- `mise-v1-macos-arm64-macos15-<hash>` (github-hosted)
- `mise-v1-macos-arm64-self-hosted-<hash>` (namespace, self-hosted,
etc.)
Users with multiple self-hosted profiles that need finer scoping can set
`cache_key_prefix` per workflow. The README's docs for `{{platform}}`
are updated to reflect the new format.
## Trade-offs
- One-time cache miss for everyone on the next run after upgrade. Cache
rebuilds and stays scoped per-image after that.
- Hosted-runner image rolls (e.g. `macos15` β `macos16`) will invalidate
cache, which is desirable β that's exactly when stale binaries cause
problems.
- Self-hosted users with mixed runner pools all share one `self-hosted`
slot. They'd need `cache_key_prefix` per pool, same as before. This PR
doesn't make that worse.
## Test plan
- [ ] Verify `dist/index.js` rebuilt cleanly (yes, `npm run package`
succeeded with the change visible at `getTarget()` callsite).
- [ ] Run on a github-hosted runner β confirm `ImageOS` is read from env
(e.g. `macos15`) and shows up in the `mise cache restored from key:` log
line.
- [ ] Run on a non-hosted runner β confirm fallback to `-self-hosted`.
- [ ] Verify a workflow that switched providers no longer pulls a
poisoned cache.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Changes cache-key generation and will cause a one-time cache miss plus
different cache partitioning, which can affect build times and cache
reuse across runners.
>
> **Overview**
> Updates the default cache-key `{{platform}}` value to append a runner
image discriminator (`process.env.ImageOS` on GitHub-hosted runners,
otherwise `self-hosted`), reducing cross-provider/image cache collisions
that can restore incompatible tool installs.
>
> Implements this via a new `getRunnerImageId()` helper used during
cache-key template processing, and documents the new `{{platform}}`
format in the README; `dist/index.js` is rebuilt accordingly.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
ac8a6414ec
|
feat: add wings_enabled input (mise-wings cache integration) (#454)
## Summary
Adds two new inputs that gate the mise-wings asset cache for tool
installs. Existing workflows are unaffected: default `wings_enabled:
false` is a no-op.
| Input | Default | Description |
|---|---|---|
| `wings_enabled` | `false` | Route tool-install URLs through the wings
cache when `true` |
## How it works
When `wings_enabled: true`, the action exports `MISE_WINGS_ENABLED=1`.
Authentication is **fully automatic** β mise itself owns the GHA OIDC β
wings session exchange. No `mise wings login` step in workflow YAML, no
long-lived secrets to rotate.
When mise (built with wings support β see
[jdx/mise#9458](https://github.com/jdx/mise/pull/9458)) sees
`MISE_WINGS_ENABLED=1` and detects the GHA OIDC env vars
(`ACTIONS_ID_TOKEN_REQUEST_URL` + `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it:
1. Fetches the runner's OIDC token, scoped to the wings deployment
audience
2. POSTs it to `https://api.<host>/auth` to mint a wings CI session JWT
3. Caches the JWT in-process for the rest of the workflow run
4. Transparently rewrites `registry.npmjs.org` / `github.com` /
`api.github.com` URLs to the corresponding wings cache subdomains and
attaches the JWT as a Bearer header
## Why opt-in (not opt-out)
The default-off posture is deliberate. Many workflows already declare
`permissions: id-token: write` for unrelated reasons (SLSA provenance,
AWS OIDC, Sigstore, npm provenance, etc.). If `wings_enabled` defaulted
to `true`, those workflows would silently send the runner's OIDC
identity claims to a third-party cache without explicit consent. Cursor
Bugbot HIGH + Greptile P1+security correctly flagged the previous
"default true" iteration of this PR as a privacy regression.
Explicit opt-in keeps the gate visible in the workflow YAML.
## Workflow requirements
```yaml
permissions:
id-token: write # required for OIDC
jobs:
build:
steps:
- uses: jdx/mise-action@<sha>
with:
wings_enabled: true
```
The action emits a clear warning when `wings_enabled: true` but
`id-token: write` is missing β without that hint, the user would see
"wings configured but doing nothing" and have no clue why.
## Test plan
- [x] `npm run all` β format + lint + package, clean
- [x] `dist/index.js` rebuilt and contains the wings hook (greppable:
`MISE_WINGS_ENABLED`, `setupWings`)
- [ ] End-to-end: a workflow with `wings_enabled: true`, `permissions:
id-token: write`, an active wings subscription, and a recent enough
`mise` binary. The mise repo's own `docs.yml` will exercise this path
once [jdx/mise#9458](https://github.com/jdx/mise/pull/9458) is merged.
- [ ] Default-off path: a workflow without the `wings_enabled` input
behaves identically to today.
## Out of scope
- Older mise binaries will see `MISE_WINGS_ENABLED` and silently ignore
it (no wings client code) β that's intended; the action doesn't gate on
mise version.
- Self-hosted runners: `permissions: id-token: write` only does anything
on GitHub-hosted runners by default. Self-hosted runners need extra
config; the warning above is conservative enough for both cases.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Introduces an opt-in path that can cause OIDC-based authentication to
a third-party cache and alters tool download routing when enabled.
Default-off behavior limits impact, but misconfiguration could create
confusing cache bypass or unexpected network/token exchange behavior.
>
> **Overview**
> Adds a new **experimental** `wings_enabled` action input (default
`false`) to opt workflows into the mise-wings asset cache by exporting
`MISE_WINGS_ENABLED=1`.
>
> When enabled, the action now runs `setupWings()` early to set the env
var and warn if GitHub OIDC env vars are missing (i.e., `permissions:
id-token: write` not configured), while leaving existing/default
behavior unchanged.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
jdx
|
0a780158e1
|
chore: migrate package manager from npm/pnpm/bun to aube (#455)
## Summary
Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).
| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged β aube
reads it directly) |
The `aubr` binary ships alongside `aube` in the same install β it's the
script-runner shorthand (`aubr <script>` β‘ `aube run <script>`). Saves a
word in every workflow / mise.toml line.
## What didn't change
- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && β¦"`). The literal
`npm` works for both callers β aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` β parity with the
npm-built bundle verified locally.
## New project files
- **`.npmrc`** β single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** β generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.
Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.
## Why aube
Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.
## Test plan
- [x] `aube install` from clean β succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) β succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` β clean
- [x] `aubr lint` β clean
- [x] `aubr package` β produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesnβt change
runtime action logic.
>
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
>
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`βs generated `pnpm-workspace.yaml`.
>
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
3cd8ad48b8
|
chore(deps): lock file maintenance (#439)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | π§ This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - "before 4am on monday" - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
1c5f70fd40
|
chore(deps): bump communique to 1.1.2 (#453)
## Summary
- add a communique mise lock entry for v1.1.2
- include release asset URLs and checksums, including musl assets
## Validation
- monitored jdx/communique release workflow 24960017639 to success
- `mise install --locked communique`
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: adds an auto-generated tool lockfile entry only, affecting
developer tool installation but not runtime application behavior.
>
> **Overview**
> Pins the `communique` developer tool to **v1.1.2** by adding a
generated `mise.lock` entry.
>
> The lock includes **per-platform download URLs, asset API links, and
SHA-256 checksums**, including *musl* variants for Linux.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
5ad13376e3
|
chore(deps): update autofix-ci/action digest to c5b2d67 (#452)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [autofix-ci/action](https://redirect.github.com/autofix-ci/action)
([changelog](
|
||
|
renovate[bot]
|
6fa7302151
|
chore(deps): update actions/setup-node digest to 48b55a0 (#451)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node)
([changelog](
|
||
|
renovate[bot]
|
db69447ab3
|
chore(deps): update dependency eslint to v10.2.1 (#445)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`10.2.0` β `10.2.1`](https://renovatebot.com/diffs/npm/eslint/10.2.0/10.2.1) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (eslint)</summary> ### [`v10.2.1`](https://redirect.github.com/eslint/eslint/compare/v10.2.0...4d1d8f9737236603f64bbe83d5bb8001627b5611) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.2.0...v10.2.1) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
89d8187abc
|
chore(deps): update dependency typescript to v6.0.3 (#442)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript](https://www.typescriptlang.org/) ([source](https://redirect.github.com/microsoft/TypeScript)) | [`6.0.2` β `6.0.3`](https://renovatebot.com/diffs/npm/typescript/6.0.2/6.0.3) |  |  | --- ### Release Notes <details> <summary>microsoft/TypeScript (typescript)</summary> ### [`v6.0.3`](https://redirect.github.com/microsoft/TypeScript/compare/v6.0.2...050880ce59e30b356b686bd3144efe24f875ebc8) [Compare Source](https://redirect.github.com/microsoft/TypeScript/compare/v6.0.2...v6.0.3) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4513fc1bd4
|
chore(deps): update dependency typescript-eslint to v8.58.2 (#443)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.58.1` β `8.58.2`](https://renovatebot.com/diffs/npm/typescript-eslint/8.58.1/8.58.2) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.58.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8582-2026-04-13) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.58.1...v8.58.2) ##### π©Ή Fixes - remove tsbuildinfo cache file from published packages ([#​12187](https://redirect.github.com/typescript-eslint/typescript-eslint/pull/12187)) ##### β€οΈ Thank You - Abhijeet Singh [@​cseas](https://redirect.github.com/cseas) See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.58.2) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
2f9976bb5b
|
chore(deps): update dependency prettier to v3.8.3 (#441)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [prettier](https://prettier.io) ([source](https://redirect.github.com/prettier/prettier)) | [`3.8.2` β `3.8.3`](https://renovatebot.com/diffs/npm/prettier/3.8.2/3.8.3) |  |  | --- ### Release Notes <details> <summary>prettier/prettier (prettier)</summary> ### [`v3.8.3`](https://redirect.github.com/prettier/prettier/compare/3.8.2...3.8.3) [Compare Source](https://redirect.github.com/prettier/prettier/compare/3.8.2...3.8.3) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
4d6abcf45f
|
chore(deps): update dependency globals to v17.5.0 (#444)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [globals](https://redirect.github.com/sindresorhus/globals) | [`17.4.0` β `17.5.0`](https://renovatebot.com/diffs/npm/globals/17.4.0/17.5.0) |  |  | --- ### Release Notes <details> <summary>sindresorhus/globals (globals)</summary> ### [`v17.5.0`]() [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.4.0...v17.5.0) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
f1b645161c
|
chore(deps): update github/codeql-action digest to 95e58e9 (#440)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
renovate[bot]
|
d6e9fb75ae
|
chore(deps): update dependency typescript-eslint to v8.58.1 (#422)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.58.0` β `8.58.1`](https://renovatebot.com/diffs/npm/typescript-eslint/8.58.0/8.58.1) |  |  | --- ### Release Notes <details> <summary>typescript-eslint/typescript-eslint (typescript-eslint)</summary> ### [`v8.58.1`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8581-2026-04-08) [Compare Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.58.0...v8.58.1) This was a version bump only for typescript-eslint to align it with other projects, there were no code changes. See [GitHub Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.58.1) for more information. You can read about our [versioning strategy](https://typescript-eslint.io/users/versioning) and [releases](https://typescript-eslint.io/users/releases) on our website. </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
a407fefef5
|
ci: add final job to aggregate build-test results (#438)
## Summary
- Add a `final` job to the build-test workflow that depends on all other
jobs
- Fails if any upstream job failed or was skipped
- Provides a single required status check for branch protection
## Test plan
- [ ] `final` job passes when all other jobs pass
- [ ] `final` job fails when any upstream job fails
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: workflow-only change that adds a single aggregator job and
doesnβt affect production code paths. Main risk is misconfiguring branch
protection expectations if the `final` job logic/conditions are wrong.
>
> **Overview**
> Adds a `final` GitHub Actions job to the `build-test` workflow that
depends on all other jobs and runs with `if: always()`.
>
> The `final` job fails the workflow if any upstream job result is
`failure`, `cancelled`, or `skipped`, enabling a single required status
check for branch protection.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
3b61f05fac
|
fix(deps): update dependency @actions/cache to v6 (#432)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@actions/cache](https://redirect.github.com/actions/toolkit/tree/main/packages/cache) ([source](https://redirect.github.com/actions/toolkit/tree/HEAD/packages/cache)) | [`^4.0.0` β `^6.0.0`](https://renovatebot.com/diffs/npm/@actions%2fcache/4.1.0/6.0.0) |  |  | --- ### Release Notes <details> <summary>actions/toolkit (@​actions/cache)</summary> ### [`v6.0.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#600) - **Breaking change**: Package is now ESM-only - CommonJS consumers must use dynamic `import()` instead of `require()` ### [`v5.0.5`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#505) - Bump `@actions/glob` to `0.5.1` ### [`v5.0.4`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#504) - Bump `@actions/http-client` to `3.0.2` ### [`v5.0.3`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#503) Prevent retries for rate limited cache operations [2243](https://redirect.github.com/actions/toolkit/pull/2243). ### [`v5.0.1`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#501) - Fix Node.js 24 punycode deprecation warning by updating `@azure/storage-blob` from `^12.13.0` to `^12.29.1` [#​2213](https://redirect.github.com/actions/toolkit/pull/2213) - Newer storage-blob uses `@azure/core-rest-pipeline` instead of deprecated `@azure/core-http`, which eliminates the transitive dependency on `node-fetch@2` β `whatwg-url@5` β `tr46@​0.0.3` that used the deprecated punycode module ### [`v5.0.0`](https://redirect.github.com/actions/toolkit/blob/HEAD/packages/cache/RELEASES.md#500) - Remove `@azure/ms-rest-js` dependency [#​2197](https://redirect.github.com/actions/toolkit/pull/2197) - The `TransferProgressEvent` type is now imported from `@azure/core-rest-pipeline` instead of `@azure/ms-rest-js` - Bump `@actions/core` from `^1.11.1` to `^2.0.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Bump `@actions/exec` from `^1.0.1` to `^2.0.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Bump `@actions/glob` from `^0.1.0` to `^0.5.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Bump `@actions/http-client` from `^2.1.1` to `^3.0.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Bump `@actions/io` from `^1.0.1` to `^2.0.0` [#​2198](https://redirect.github.com/actions/toolkit/pull/2198) - Add support for Node.js 24 [#​2110](https://redirect.github.com/actions/toolkit/pull/2110) - Add `node-fetch` override to resolve audit vulnerabilities [#​2110](https://redirect.github.com/actions/toolkit/pull/2110) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
6ffba57a54
|
chore(deps): update dependency typescript to v6 (#428)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [typescript](https://www.typescriptlang.org/) ([source](https://redirect.github.com/microsoft/TypeScript)) | [`^5.7.2` β `^6.0.0`](https://renovatebot.com/diffs/npm/typescript/5.9.3/6.0.2) |  |  | --- ### Release Notes <details> <summary>microsoft/TypeScript (typescript)</summary> ### [`v6.0.2`](https://redirect.github.com/microsoft/TypeScript/compare/v5.9.3...607a22a90d1a5a1b507ce01bb8cd7ec020f954e7) [Compare Source](https://redirect.github.com/microsoft/TypeScript/compare/v5.9.3...v6.0.2) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
jdx
|
2a3eb97a03
|
chore: migrate from ncc (CJS) to rollup (ESM) (#436)
## Summary
- Switch bundler from `@vercel/ncc` to `rollup` with
`@rollup/plugin-commonjs`, `@rollup/plugin-node-resolve`,
`@rollup/plugin-json`, and `@rollup/plugin-typescript`
- Add `"type": "module"` to `package.json` for ESM support
- Upgrade all `@actions/*` dependencies to their latest major versions
(`@actions/core` v3, `@actions/exec` v3, `@actions/cache` v6,
`@actions/glob` v0.6, `@actions/io` v3)
- Remove old ncc artifacts (`dist/licenses.txt`,
`dist/sourcemap-register.js`)
## Why
The `@actions/toolkit` packages v3+ are ESM-only and can't be bundled by
ncc (which uses webpack with CJS `require()`). This is what's blocking
#435 (renovate `@actions/exec` v3 upgrade). The official
`actions/typescript-action` template has already migrated to rollup.
## Test plan
- [ ] CI passes (`npm run all` β format, lint, package)
- [ ] `check-dist` workflow passes (dist/index.js matches build output)
- [ ] Integration tests pass on all platforms (ubuntu, macos, windows,
alpine)
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Moderate risk because it changes the actionβs build/bundling pipeline
and module format (CJSβESM), which can break runtime execution or
dependency resolution if the generated `dist/` output differs across
environments.
>
> **Overview**
> Migrates the GitHub Action build from `@vercel/ncc` (CommonJS) to a
Rollup-based ESM bundle, adding `rollup.config.ts` and updating
TypeScript settings to `NodeNext` to support ESM output.
>
> Updates `package.json` to `"type": "module"`, switches the packaging
script to Rollup, and upgrades `@actions/*` dependencies to their latest
major (ESM-only) versions. The checked-in `dist/` artifacts are
regenerated accordingly (including license output) and legacy
ncc-specific artifacts are removed.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
|
||
|
renovate[bot]
|
a25e4af358
|
chore(deps): update amannn/action-semantic-pull-request action to v6 (#426)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [amannn/action-semantic-pull-request](https://redirect.github.com/amannn/action-semantic-pull-request) | action | major | `v5` β `v6` | --- ### Release Notes <details> <summary>amannn/action-semantic-pull-request (amannn/action-semantic-pull-request)</summary> ### [`v6`](https://redirect.github.com/amannn/action-semantic-pull-request/compare/v5...v6) [Compare Source](https://redirect.github.com/amannn/action-semantic-pull-request/compare/v5...v6) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
8b65f8f4d4
|
chore(deps): update github/codeql-action action to v4 (#430)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | major | `v3` β `v4` | --- ### Release Notes <details> <summary>github/codeql-action (github/codeql-action)</summary> ### [`v4`](https://redirect.github.com/github/codeql-action/compare/v3...v4) [Compare Source](https://redirect.github.com/github/codeql-action/compare/v3...v4) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
0b79532206
|
chore(deps): update eslint monorepo to v10 (major) (#429)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@eslint/js](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint/tree/HEAD/packages/js)) | [`^9.15.0` β `^10.0.0`](https://renovatebot.com/diffs/npm/@eslint%2fjs/9.39.4/10.0.1) |  |  | | [eslint](https://eslint.org) ([source](https://redirect.github.com/eslint/eslint)) | [`^9.15.0` β `^10.0.0`](https://renovatebot.com/diffs/npm/eslint/9.39.4/10.2.0) |  |  | --- ### Release Notes <details> <summary>eslint/eslint (@​eslint/js)</summary> ### [`v10.0.1`](https://redirect.github.com/eslint/eslint/compare/v10.0.0...84fb885d49ac810e79a9491276b4828b53d913e5) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v10.0.0...v10.0.1) ### [`v10.0.0`](https://redirect.github.com/eslint/eslint/releases/tag/v10.0.0) [Compare Source](https://redirect.github.com/eslint/eslint/compare/v9.39.4...v10.0.0) #### Breaking Changes - [`f9e54f4`]( |
||
|
renovate[bot]
|
5dd08e1290
|
chore(deps): update dependency globals to v17 (#427)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [globals](https://redirect.github.com/sindresorhus/globals) | [`^16.0.0` β `^17.0.0`](https://renovatebot.com/diffs/npm/globals/16.5.0/17.4.0) |  |  | --- ### Release Notes <details> <summary>sindresorhus/globals (globals)</summary> ### [`v17.4.0`](https://redirect.github.com/sindresorhus/globals/compare/v17.3.0...a9cfd7493fb701474d4dc946283c7b9d63d64134) [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.3.0...v17.4.0) ### [`v17.3.0`](https://redirect.github.com/sindresorhus/globals/releases/tag/v17.3.0) [Compare Source](https://redirect.github.com/sindresorhus/globals/compare/v17.2.0...v17.3.0) - Update globals (2026-02-01) ([#​336](https://redirect.github.com/sindresorhus/globals/issues/336)) [`295fba9`]( |
||
|
renovate[bot]
|
ac93c8a0e0
|
chore(deps): update actions/upload-artifact digest to 043fb46 (#434)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
([changelog](
|
||
|
renovate[bot]
|
970e54e062
|
chore(deps): update jdx/mise-action action to v4 (#431)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [jdx/mise-action](https://redirect.github.com/jdx/mise-action) | action | major | `v2` β `v4` | --- ### Release Notes <details> <summary>jdx/mise-action (jdx/mise-action)</summary> ### [`v4`](https://redirect.github.com/jdx/mise-action/compare/v3...v4) [Compare Source](https://redirect.github.com/jdx/mise-action/compare/v3...v4) ### [`v3`](https://redirect.github.com/jdx/mise-action/blob/HEAD/CHANGELOG.md#340---2025-10-31) [Compare Source](https://redirect.github.com/jdx/mise-action/compare/v2...v3) ##### π Features - use autofix.ci to auto-update dist/ on all PRs by [@​jdx](https://redirect.github.com/jdx) in [ |
||
|
renovate[bot]
|
41a529d4f6
|
chore(deps): update actions/upload-artifact action to v7 (#425)
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [actions/upload-artifact](https://redirect.github.com/actions/upload-artifact) | action | major | `v6` β `v7` | --- ### Release Notes <details> <summary>actions/upload-artifact (actions/upload-artifact)</summary> ### [`v7`](https://redirect.github.com/actions/upload-artifact/compare/v6...v7) [Compare Source](https://redirect.github.com/actions/upload-artifact/compare/v6...v7) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
f2530f6d59
|
chore(deps): update dependency @types/handlebars to v4.1.0 (#423)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/handlebars](https://redirect.github.com/wycats/handlebars.js) | [`4.0.40` β `4.1.0`](https://renovatebot.com/diffs/npm/@types%2fhandlebars/4.0.40/4.1.0) |  |  | --- ### Release Notes <details> <summary>wycats/handlebars.js (@​types/handlebars)</summary> ### [`v4.1.0`](https://redirect.github.com/wycats/handlebars.js/blob/HEAD/release-notes.md#v410---February-7th-2019) New Features - import TypeScript typings - [`27ac1ee`]( |
||
|
renovate[bot]
|
05f8e725d3
|
chore(deps): update dependency prettier to v3.8.2 (#421)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [prettier](https://prettier.io) ([source](https://redirect.github.com/prettier/prettier)) | [`3.8.1` β `3.8.2`](https://renovatebot.com/diffs/npm/prettier/3.8.1/3.8.2) |  |  | --- ### Release Notes <details> <summary>prettier/prettier (prettier)</summary> ### [`v3.8.2`](https://redirect.github.com/prettier/prettier/compare/3.8.1...fbf300f9d89820364ddc9b2efa05b92b8c01b692) [Compare Source](https://redirect.github.com/prettier/prettier/compare/3.8.1...3.8.2) </details> --- ### Configuration π **Schedule**: (in timezone America/Chicago) - Branch creation - Only on Friday (`* * * * 5`) - Automerge - At any time (no schedule defined) π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
1c992c2b17
|
chore(deps): lock file maintenance (#420)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | π§ This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration π **Schedule**: Branch creation - "before 4am on monday" in timezone America/Chicago, Automerge - At any time (no schedule defined). π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
d93325ba61
|
chore(deps): update dependency @types/handlebars to v4.1.0 (#417)
This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [@types/handlebars](https://redirect.github.com/wycats/handlebars.js) | [`4.0.40` β `4.1.0`](https://renovatebot.com/diffs/npm/@types%2fhandlebars/4.0.40/4.1.0) |  |  | --- ### Release Notes <details> <summary>wycats/handlebars.js (@​types/handlebars)</summary> ### [`v4.1.0`](https://redirect.github.com/wycats/handlebars.js/blob/HEAD/release-notes.md#v410---February-7th-2019) New Features - import TypeScript typings - [`27ac1ee`]( |
||
|
renovate[bot]
|
641a2bcbed
|
chore(deps): update github/codeql-action digest to 5c8a8a6 (#416)
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](
|
||
|
renovate[bot]
|
ae16675061
|
chore(deps): lock file maintenance (#415)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | π§ This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration π **Schedule**: Branch creation - "before 4am on monday" in timezone America/Chicago, Automerge - At any time (no schedule defined). π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My45NC4xIiwidXBkYXRlZEluVmVyIjoiNDMuOTQuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
renovate[bot]
|
b106a2f3b6
|
chore(deps): lock file maintenance (#413)
This PR contains the following updates: | Update | Change | |---|---| | lockFileMaintenance | All locks refreshed | π§ This Pull Request updates lock files to use the latest dependency versions. --- ### Configuration π **Schedule**: Branch creation - "before 4am on monday" in timezone America/Chicago, Automerge - At any time (no schedule defined). π¦ **Automerge**: Enabled. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π» **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> |
||
|
jdx
|
0b4dcb0c10
|
ci: add communique to enhance release notes (#411)
## Summary
- Add communique tool to mise.toml
- Add `enhance-release` job to release workflow that runs after release
creation to generate AI-enhanced release notes
## Test plan
- [ ] Verify next release triggers the enhance-release job
- [ ] Confirm ANTHROPIC_API_KEY secret is configured in repo settings
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new post-release GitHub Actions job that uses an external AI
API and an elevated token to modify GitHub release notes; failures or
misconfigured secrets can break the release workflow and token scope
matters.
>
> **Overview**
> After the `release` job completes, the workflow now runs a new
`enhance-release` job that computes the tag from `package.json` and
calls `communique generate ... --github-release` to update the GitHub
release notes.
>
> The PR also adds `communique` to `mise.toml` so the tool is available
in CI, and wires in `ANTHROPIC_API_KEY` plus a dedicated
`RELEASE_PLZ_GITHUB_TOKEN` for the release-note update step.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
|
||
|
mise-en-dev
|
1648a7812b
|
chore: release v4.0.1 (#406)
--- ## [4.0.1](https://github.com/jdx/mise-action/compare/v4.0.0..v4.0.1) - 2026-03-22 ### π Bug Fixes - run npm install in pre-commit hook before build (#410) by [@jdx](https://github.com/jdx) in [#410](https://github.com/jdx/mise-action/pull/410) ### π Refactor - extract getCwd() helper to deduplicate working directory resolution (#403) by [@altendky](https://github.com/altendky) in [#403](https://github.com/jdx/mise-action/pull/403) ### π Documentation - bump versions listed im README.md (#407) by [@deining](https://github.com/deining) in [#407](https://github.com/jdx/mise-action/pull/407) - bump more versions listed in README.md (#408) by [@deining](https://github.com/deining) in [#408](https://github.com/jdx/mise-action/pull/408) ### βοΈ Miscellaneous Tasks - add workflow to auto-close stale PRs (#409) by [@jdx](https://github.com/jdx) in [#409](https://github.com/jdx/mise-action/pull/409) ### New Contributors * @deining made their first contribution in [#408](https://github.com/jdx/mise-action/pull/408) <!-- generated by git-cliff --> |
||
|
jdx
|
e2d499cca6
|
ci: add workflow to auto-close stale PRs (#409)
## Summary
- Adds a daily workflow that auto-closes PRs inactive for 30+ days
- Skips PRs authored by jdx or labeled `keep-open`
- Includes different close messages depending on CI status (failing vs
passing)
Ported from jdx/mise.
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: adds a standalone GitHub Actions workflow that only closes
eligible open PRs and does not affect application/runtime code.
>
> **Overview**
> Adds a new GitHub Actions workflow (`.github/workflows/pr-closer.yml`)
that runs daily (and manually) to close PRs with no activity for 30+
days.
>
> The job filters out PRs authored by `jdx` or labeled `keep-open`, and
posts a different close comment when CI checks are failing vs passing.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
|
||
|
jdx
|
0cc0f19036
|
fix: run npm install in pre-commit hook before build (#410)
## Summary
- Adds `npm install` before `npm run all` in the husky pre-commit hook
- Prevents stale `node_modules` from producing unintended `dist/`
changes
π€ Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk change confined to developer tooling; it only affects local
pre-commit behavior and should not impact runtime code.
>
> **Overview**
> Ensures the pre-commit hook runs `npm ci` before `npm run all`, so
builds use a fresh/consistent `node_modules` prior to staging `dist`
changes.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
|
||
|
Andreas Deininger
|
89c67a39ab
|
docs: bump more versions listed in README.md (#408)
This is a continuation of #407: it bumps two more version I overlooked. |
||
|
Andreas Deininger
|
0409dde834
|
docs: bump versions listed im README.md (#407)
This PR bumps the versions mentioned in `README.md` to their latest versions. |
||
|
Kyle Altendorf
|
abadabdb1f
|
refactor: extract getCwd() helper to deduplicate working directory resolution (#403)
## Summary
- Extracts the duplicated working-directory resolution expression
(`core.getInput('working_directory') || core.getInput('install_dir') ||
process.cwd()`) into a `getCwd()` helper function.
- Replaces the 2 identical inline expressions in `exportMiseEnv()` and
`mise()` with calls to `getCwd()`.
## Motivation
Separated from #402 to allow independent review. This is a pure refactor
with no behavioral change, intended to simplify the diff in #402 by
providing a smaller, self-contained improvement.
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
|