This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [jdx/mise-action](https://redirect.github.com/jdx/mise-action) | action | minor | `v4.1.0` → `v4.2.0` |
---
### Release Notes
<details>
<summary>jdx/mise-action (jdx/mise-action)</summary>
### [`v4.2.0`](https://redirect.github.com/jdx/mise-action/releases/tag/v4.2.0): Bootstrap mode & wget fallback
[Compare Source](https://redirect.github.com/jdx/mise-action/compare/v4.1.0...v4.2.0)
This release adds an opt-in **bootstrap mode** for projects that use
`mise bootstrap`, and makes the action work on runner images that ship
`wget` but not `curl`.
#### Added
##### Bootstrap mode ([#522](https://redirect.github.com/jdx/mise-action/pull/522)) by [@jdx](https://redirect.github.com/jdx)
Three new inputs let the action drive `mise bootstrap` instead of `mise
install`:
```yaml
- uses: jdx/mise-action@v4
  with:
    bootstrap: true
    bootstrap_skip: "tools,task" # comma-separated parts to skip
    bootstrap_args: "--yes" # extra args forwarded to mise bootstrap
```
- When `bootstrap: true`, the action runs `mise bootstrap` under the
existing `install` gate and sets `MISE_EXPERIMENTAL=1` automatically.
- If a repo mise lock file is present, it runs `mise --locked
bootstrap`, matching the auto-lock behavior introduced for `mise
install` in v4.1.0.
- `install_args` cannot be combined with `bootstrap: true` — the action
fails fast and tells you to use `bootstrap_skip` / `bootstrap_args`
instead, because full bootstrap doesn't support partial tool install
args.
- A new `{{bootstrap_hash}}` template variable is included in the
default cache key (and available in custom `cache_key` templates) so
bootstrap and non-bootstrap configurations don't share caches.
`bootstrap_skip` relies on `mise bootstrap --skip` from
[jdx/mise#10497](https://redirect.github.com/jdx/mise/pull/10497), so
make sure you're on a recent mise version if you use it.
#### Fixed
- **Fall back to `wget` when `curl` is unavailable**
([#​521](https://redirect.github.com/jdx/mise-action/pull/521)) by
[@​risu729](https://redirect.github.com/risu729) — The action used
to hard-code `curl` for fetching the mise binary, tar/zip archives, and
the latest `VERSION` lookup, which broke on minimal runner images that
only ship `wget`. It now prefers `curl` and transparently falls back to
`wget`, preserving the streaming `download | tar` fast path for
`.tar.gz` and `.tar.zst` installs on Linux/macOS. Proxy support is
unchanged — both tools honor `HTTP_PROXY`/`HTTPS_PROXY`. Addresses
[jdx/mise#10488](https://redirect.github.com/jdx/mise/issues/10488).
#### Documentation
- Link the known Rust cache interaction note from the README
([#​496](https://redirect.github.com/jdx/mise-action/pull/496)) by
[@​risu729](https://redirect.github.com/risu729).
**Full Changelog**:
<https://github.com/jdx/mise-action/compare/v4.1.0...v4.2.0>
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [jdx/mise-action](https://redirect.github.com/jdx/mise-action) | action | minor | `v4.0.1` → `v4.1.0` |
---
### Release Notes
<details>
<summary>jdx/mise-action (jdx/mise-action)</summary>
### [`v4.1.0`](https://redirect.github.com/jdx/mise-action/releases/tag/v4.1.0): automatic --locked installs
[Compare Source](https://redirect.github.com/jdx/mise-action/compare/v4.0.1...v4.1.0)
This release adds automatic locked installs when a `mise.lock` is
present, and fixes a long-standing cache-key collision that could poison
tool installs when workflows migrate between runner providers.
#### Added
##### Automatic `--locked` install when `mise.lock` exists ([#495](https://redirect.github.com/jdx/mise-action/pull/495)) by [@zeitlinger](https://redirect.github.com/zeitlinger)
When a repo contains `mise.lock`, the action now automatically passes
`--locked` to `mise install` (on mise versions that support it). This
removes the need to manually set `install_args: --locked` and prevents
`mise install` from silently mutating the lockfile in CI. Explicit
`install_args` and older mise versions are still respected.
Note: workflows with a stale lockfile may now fail earlier and more
explicitly instead of silently updating `mise.lock` mid-run — this
surfaces lockfile drift rather than hiding it.
#### Fixed
- **Cache key collisions across runner providers**
([#​456](https://redirect.github.com/jdx/mise-action/pull/456)) —
the default cache key now includes the runner image (e.g. `macos15`,
`ubuntu24` for GitHub-hosted runners; `self-hosted` otherwise).
Previously, repos migrating between providers like github-hosted,
namespace.so, BuildJet, and self-hosted runners with the same OS/arch
could restore a peer provider's `~/.local/share/mise/installs/*`,
causing failures like `does not have an executable named '…'` or SIGILL
crashes from binaries built against a different glibc/CPU featureset.
Expect a one-time cache miss after upgrading; thereafter the cache stays
scoped per image.
- **`mise-shim.exe` missing on Windows**
([#​476](https://redirect.github.com/jdx/mise-action/pull/476)) by
[@​risu729](https://redirect.github.com/risu729) — the action now
installs `mise-shim.exe` alongside `mise.exe` and repairs restored
caches that lack the shim. Fixes
[#​475](https://redirect.github.com/jdx/mise-action/issues/475).
#### Changed
- Migrated the bundled action build from ncc (CommonJS) to Rollup (ESM)
([#​436](https://redirect.github.com/jdx/mise-action/pull/436)).
No user-facing behavior change.
**Full Changelog**:
<https://github.com/jdx/mise-action/compare/v4.0.1...v4.1.0>
</details>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | patch | `v6.0.2` → `v6.0.3` |
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
### [`v6.0.3`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v603)
[Compare Source](https://redirect.github.com/actions/checkout/compare/v6.0.2...v6.0.3)
- Fix checkout init for SHA-256 repositories by
[@​yaananth](https://redirect.github.com/yaananth) in
[#​2439](https://redirect.github.com/actions/checkout/pull/2439)
- fix: expand merge commit SHA regex and add SHA-256 test cases by
[@​yaananth](https://redirect.github.com/yaananth) in
[#​2414](https://redirect.github.com/actions/checkout/pull/2414)
</details>
## Summary by CodeRabbit
* **Chores**
* Updated GitHub Actions checkout dependencies across multiple CI/CD
workflows to the latest version for improved stability and
compatibility.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
>
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
>
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
d878aee510. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
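
The hardening patterns named in the summary above (least-privilege `permissions`, `persist-credentials: false`, and passing `steps.bad.outcome` through `env` instead of interpolating it into the script), shown as an added example that is not taken from this repository's workflows. The workflow name, job name, the `BAD_OUTCOME` variable and the failing command are constructed; only the step id `bad` and the settings themselves come from the commit description.

```yaml
# Added illustration; names and the failing command are constructed.
name: test
on:
  pull_request:

# Least privilege by default: every job gets a read-only token
# unless it explicitly requests more.
permissions:
  contents: read

jobs:
  expect-failure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6.0.3
        with:
          # Keep the token out of .git/config so later steps cannot read it.
          persist-credentials: false

      - id: bad
        continue-on-error: true
        run: exit 1 # constructed stand-in for a step that is expected to fail

      # Before: the expression is expanded into the script text before the
      # shell parses it, so the value becomes part of the program.
      #   run: |
      #     if [ "${{ steps.bad.outcome }}" != "failure" ]; then exit 1; fi

      # After: the value reaches the script as data in an environment variable.
      - name: Assert the previous step failed
        env:
          BAD_OUTCOME: ${{ steps.bad.outcome }}
        run: |
          if [ "$BAD_OUTCOME" != "failure" ]; then
            echo "expected failure, got $BAD_OUTCOME"
            exit 1
          fi
```

With `persist-credentials: false`, any later `git push` in the job needs credentials supplied explicitly, which is why the commit has `scripts/postversion.sh` run `gh auth setup-git`.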
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) ([changelog](8e8c483db8..de0fac2e45)) | action | digest | `8e8c483` → `de0fac2` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | digest | `08eba0b` -> `34e1148` |
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | digest | `08c6903` -> `93cb6ef` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) | action | digest | `11bd719` -> `08eba0b` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on Friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>