This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | patch | `v4.36.0` → `v4.36.2` |
---
### Release Notes
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v4.36.2`](https://redirect.github.com/github/codeql-action/compare/v4.36.1...v4.36.2)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.36.1...v4.36.2)
###
[`v4.36.1`](https://redirect.github.com/github/codeql-action/compare/v4.36.0...v4.36.1)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.36.0...v4.36.1)
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated CodeQL analysis workflow dependencies to the latest patch
versions for enhanced security scanning capabilities.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | patch | `v6.0.2` → `v6.0.3` |
---
### Release Notes
<details>
<summary>actions/checkout (actions/checkout)</summary>
###
[`v6.0.3`](https://redirect.github.com/actions/checkout/blob/HEAD/CHANGELOG.md#v603)
[Compare
Source](https://redirect.github.com/actions/checkout/compare/v6.0.2...v6.0.3)
- Fix checkout init for SHA-256 repositories by
[@​yaananth](https://redirect.github.com/yaananth) in
[#​2439](https://redirect.github.com/actions/checkout/pull/2439)
- fix: expand merge commit SHA regex and add SHA-256 test cases by
[@​yaananth](https://redirect.github.com/yaananth) in
[#​2414](https://redirect.github.com/actions/checkout/pull/2414)
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMTkuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIxOS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
* **Chores**
* Updated GitHub Actions checkout dependencies across multiple CI/CD
workflows to the latest version for improved stability and
compatibility.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change | Pending |
|---|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | patch | `v4.35.4` → `v4.35.5` | `v4.36.0` |
---
### Release Notes
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v4.35.5`](https://redirect.github.com/github/codeql-action/releases/tag/v4.35.5)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v4.35.4...v4.35.5)
- We have improved how the JavaScript bundles for the CodeQL Action are
generated to avoid duplication across bundles and reduce the size of the
repository by around 70%. This should have no effect on the runtime
behaviour of the CodeQL Action.
[#​3899](https://redirect.github.com/github/codeql-action/pull/3899)
- For performance and accuracy reasons, [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158) will
now only be enabled on a pull request when diff-informed analysis is
also enabled for that run. If diff-informed analysis is unavailable (for
example, because the PR diff ranges could not be computed), the action
will fall back to a full analysis.
[#​3791](https://redirect.github.com/github/codeql-action/pull/3791)
- If multiple inputs are provided for the GitHub-internal
`analysis-kinds` input, only `code-scanning` will be enabled. The
`analysis-kinds` input is experimental, for GitHub-internal use only,
and may change without notice at any time.
[#​3892](https://redirect.github.com/github/codeql-action/pull/3892)
- Added an experimental change which, when running a Code Scanning
analysis for a PR with [improved incremental
analysis](https://redirect.github.com/github/roadmap/issues/1158)
enabled, prefers CodeQL CLI versions that have a cached overlay-base
database for the configured languages. This speeds up analysis for a
repository when there is not yet a cached overlay-base database for the
latest CLI version. We expect to roll this change out to everyone in
May.
[#​3880](https://redirect.github.com/github/codeql-action/pull/3880)
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE4NS4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
## Summary
- close inactive PRs after 7 days only when they have failing checks or
merge conflicts
- include merge state in the PR closer query and close with the specific
reason
- keep existing exclusions for @jdx-authored and keep-open PRs
## Validation
- actionlint .github/workflows/pr-closer.yml
- git diff --check
- jq filter sample validation
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Automates PR closure based on CI/merge-state signals; a bug in the
query or jq logic could incorrectly close active or recoverable PRs.
Limited to GitHub Actions workflow changes but impacts contributor
workflow.
>
> **Overview**
> Updates the `pr-closer` GitHub Actions workflow to **close PRs much
sooner (7 days inactivity)**, but only when they have *failing checks
and/or merge conflicts*.
>
> The workflow now queries `mergeStateStatus` and expanded check
conclusions to generate a specific closure reason, skips “warn-only”
states (e.g., cancelled checks/unknown merge state), increases the
listing limit to 500, and adds `concurrency` plus additional read
permissions (`checks`, `statuses`) to support the new filtering.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
34aded28f6. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
>
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
>
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
d878aee510. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Removes the autofix.ci workflow.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: deletes a standalone CI workflow with no runtime code
changes, but it will stop automatic fix commits on PRs and could
increase manual formatting churn.
>
> **Overview**
> Removes the `.github/workflows/autofix.yml` GitHub Actions workflow
that previously ran on `pull_request`/`main` pushes to install deps,
build/package, and invoke `autofix-ci/action` to push automated fixes
back to branches.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
1c2c416618. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
## Summary
- Deletes the only workflow in this repo triggered by
`pull_request_target`.
- `pull_request_target` runs in the context of the base repo (with
secrets / write tokens) on PRs from forks, which is risky. The workflow
only validated PR titles; not worth the trust footprint.
## Test plan
- [ ] None — workflow file removal only.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: deletes a GitHub Actions workflow only; no application code
or runtime behavior changes, and it reduces exposure from
`pull_request_target` workflows.
>
> **Overview**
> Removes the `semantic-pr-lint` GitHub Actions workflow that ran on
`pull_request_target` to validate PR titles.
>
> This eliminates the repo’s only `pull_request_target` workflow,
reducing the trust/secrets footprint for PRs (especially from forks).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
907019cdfa. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](e46ed2cbd0..68bde559de))
| action | digest | `e46ed2c` → `68bde55` |
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
## Summary
- Combined with the workflow's `cancel-in-progress` group, `if:
always()` overrides cancellation and runs the `final` aggregator even on
superseded commits.
- `!cancelled()` still runs on upstream success or failure but skips
when the workflow is cancelled — saves a runner and avoids confusing
error annotations on already-superseded shas.
- Caught by Cursor Bugbot on a sibling repo (endevco/pitchfork#413).
Same `final`-aggregator pattern + `cancel-in-progress: true` here, so
the same fix applies.
## Test plan
- [ ] CI passes on this PR
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk CI-only change that just adjusts when the `final` job runs;
main risk is slightly different status reporting when runs are
cancelled.
>
> **Overview**
> Updates the GitHub Actions `final` aggregator job to use `if: ${{
!cancelled() }}` instead of `always()`, so it still runs for upstream
success/failure but **does not** run for cancelled workflows (e.g.,
superseded runs under `cancel-in-progress`).
>
> Adds clarifying comments to document why cancellation should skip the
aggregator to avoid wasting runners and producing noise on cancelled
commits.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
4c62d5f2f1. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](95e58e9a2c..e46ed2cbd0))
| action | digest | `95e58e9` → `e46ed2c` |
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNTkuMiIsInVwZGF0ZWRJblZlciI6IjQzLjE1OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
## Summary
Switches the project's package-manager surface from a mix of `npm` /
`pnpm` / `bun` (different commands in different files) to a single tool:
[aube](https://aube.en.dev), en.dev's pnpm-compat package manager
(native Rust, fast, drops cleanly into pnpm/npm-compatible workflows).
| | Before | After |
|---|---|---|
| Workflows install step | `npm ci` | `aube ci` |
| Workflows run scripts | `npm run X` | `aubr X` (`aubr` is the `aube
run` shorthand) |
| `mise.toml` tasks | mixed `npm run` / `bun run` | `aubr X` |
| Lockfile | `package-lock.json` | `package-lock.json` (unchanged — aube
reads it directly) |
The `aubr` binary ships alongside `aube` in the same install — it's the
script-runner shorthand (`aubr <script>` ≡ `aube run <script>`). Saves a
word in every workflow / mise.toml line.
## What didn't change
- **`package-lock.json`** stays as the canonical lockfile. aube reads it
directly; no `aube-lock.yaml` is generated. Running `npm install` still
works for any dev who hasn't switched to aube yet.
- **`package.json` scripts** still use `npm run X` for nested
invocations (e.g. `"all": "npm run format:write && …"`). The literal
`npm` works for both callers — aube's shell exec finds `npm` in PATH,
the inner invocation re-runs the same package.json script. Keeping these
PM-agnostic avoids a forced cutover for downstream contributors.
- **`dist/`** is byte-identical after `aubr all` — parity with the
npm-built bundle verified locally.
## New project files
- **`.npmrc`** — single line: `node-linker=hoisted`. Forces a flat,
npm-style `node_modules` layout instead of aube's default
symlink/virtual-store. Required because `rollup --configPlugin
@rollup/plugin-typescript` resolves the plugin from cwd's node_modules,
and the isolated layout puts rollup under `node_modules/.aube/...` where
standard module resolution can't reach back to the project root for the
plugin. npm reads `.npmrc` but ignores `node-linker` (npm always
installs flat), so the file is safe for both PMs.
- **`pnpm-workspace.yaml`** — generated by aube 1.4 to record
build-script approvals (`unrs-resolver: false`). Project-level config;
commits like a `package.json` companion.
Pinned `aube = '1.4'` in `mise.toml`'s tools so `mise install`
provisions the right binary locally.
## Why aube
Single tool replacing three. Less context-switching for contributors,
fewer places to run `npm audit` / `bun upgrade` / `pnpm dedupe`. aube's
cold-cache install for this repo's deps is ~3s vs `npm ci` at ~10s.
## Test plan
- [x] `aube install` from clean — succeeds, all 441 packages link
cleanly
- [x] `aubr all` (format + lint + package) — succeeds, `dist/`
byte-identical to checked-in version
- [x] `aubr format:check` — clean
- [x] `aubr lint` — clean
- [x] `aubr package` — produces `dist/index.js`, `dist/index.js.map`,
`dist/licenses.txt` matching what's checked in
- [ ] Workflows: `Continuous Integration` / `autofix.ci` / `Check dist/`
/ `test` all pass on this PR
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Mostly CI/build-system plumbing; risk is workflow or packaging
breakage (dependency install layout, rollup config) that could prevent
`dist/` from rebuilding or CI from running, but it doesn’t change
runtime action logic.
>
> **Overview**
> Switches GitHub Actions workflows to install tooling via
`jdx/mise-action` and run installs/scripts with `aube`/`aubr` instead of
`actions/setup-node` + `npm ci`/`npm run`.
>
> Pins `aube` (`1.4`) in `mise.toml`, updates `mise` tasks and developer
docs (`CLAUDE.md`) to use `aube`/`aubr`, and adds `.npmrc`
(`node-linker=hoisted`) plus a `.gitignore` entry to avoid committing
`aube`’s generated `pnpm-workspace.yaml`.
>
> Adjusts the packaging script to use `rollup.config.mjs` (replacing the
previous TS config invocation).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
fd6530d89f. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [autofix-ci/action](https://redirect.github.com/autofix-ci/action)
([changelog](7a166d7532..c5b2d67aa2))
| action | digest | `7a166d7` → `c5b2d67` |
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzkuNyIsInVwZGF0ZWRJblZlciI6IjQzLjEzOS43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node)
([changelog](53b83947a5..48b55a011b))
| action | digest | `53b8394` → `48b55a0` |
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzkuNyIsInVwZGF0ZWRJblZlciI6IjQzLjEzOS43IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](c10b8064de..95e58e9a2c))
| action | digest | `c10b806` → `95e58e9` |
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMjMuOCIsInVwZGF0ZWRJblZlciI6IjQzLjEyMy44IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
## Summary
- Add a `final` job to the build-test workflow that depends on all other
jobs
- Fails if any upstream job failed or was skipped
- Provides a single required status check for branch protection
## Test plan
- [ ] `final` job passes when all other jobs pass
- [ ] `final` job fails when any upstream job fails
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: workflow-only change that adds a single aggregator job and
doesn’t affect production code paths. Main risk is misconfiguring branch
protection expectations if the `final` job logic/conditions are wrong.
>
> **Overview**
> Adds a `final` GitHub Actions job to the `build-test` workflow that
depends on all other jobs and runs with `if: always()`.
>
> The `final` job fails the workflow if any upstream job result is
`failure`, `cancelled`, or `skipped`, enabling a single required status
check for branch protection.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
45ecee53a1. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[amannn/action-semantic-pull-request](https://redirect.github.com/amannn/action-semantic-pull-request)
| action | major | `v5` → `v6` |
---
### Release Notes
<details>
<summary>amannn/action-semantic-pull-request
(amannn/action-semantic-pull-request)</summary>
###
[`v6`](https://redirect.github.com/amannn/action-semantic-pull-request/compare/v5...v6)
[Compare
Source](https://redirect.github.com/amannn/action-semantic-pull-request/compare/v5...v6)
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | major | `v3` → `v4` |
---
### Release Notes
<details>
<summary>github/codeql-action (github/codeql-action)</summary>
###
[`v4`](https://redirect.github.com/github/codeql-action/compare/v3...v4)
[Compare
Source](https://redirect.github.com/github/codeql-action/compare/v3...v4)
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
([changelog](bbbca2ddaa..043fb46d1a))
| action | digest | `bbbca2d` → `043fb46` |
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[actions/upload-artifact](https://redirect.github.com/actions/upload-artifact)
| action | major | `v6` → `v7` |
---
### Release Notes
<details>
<summary>actions/upload-artifact (actions/upload-artifact)</summary>
###
[`v7`](https://redirect.github.com/actions/upload-artifact/compare/v6...v7)
[Compare
Source](https://redirect.github.com/actions/upload-artifact/compare/v6...v7)
</details>
---
### Configuration
📅 **Schedule**: (in timezone America/Chicago)
- Branch creation
- Only on Friday (`* * * * 5`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMTAuMiIsInVwZGF0ZWRJblZlciI6IjQzLjExMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](603b797f8b..5c8a8a642e))
| action | digest | `603b797` → `5c8a8a6` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ1cGRhdGVkSW5WZXIiOiI0My4xMDIuMTEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
## Summary
- Add communique tool to mise.toml
- Add `enhance-release` job to release workflow that runs after release
creation to generate AI-enhanced release notes
## Test plan
- [ ] Verify next release triggers the enhance-release job
- [ ] Confirm ANTHROPIC_API_KEY secret is configured in repo settings
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Medium Risk**
> Adds a new post-release GitHub Actions job that uses an external AI
API and an elevated token to modify GitHub release notes; failures or
misconfigured secrets can break the release workflow and token scope
matters.
>
> **Overview**
> After the `release` job completes, the workflow now runs a new
`enhance-release` job that computes the tag from `package.json` and
calls `communique generate ... --github-release` to update the GitHub
release notes.
>
> The PR also adds `communique` to `mise.toml` so the tool is available
in CI, and wires in `ANTHROPIC_API_KEY` plus a dedicated
`RELEASE_PLZ_GITHUB_TOKEN` for the release-note update step.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
d2335f661c. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
## Summary
- Adds a daily workflow that auto-closes PRs inactive for 30+ days
- Skips PRs authored by jdx or labeled `keep-open`
- Includes different close messages depending on CI status (failing vs
passing)
Ported from jdx/mise.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> **Low Risk**
> Low risk: adds a standalone GitHub Actions workflow that only closes
eligible open PRs and does not affect application/runtime code.
>
> **Overview**
> Adds a new GitHub Actions workflow (`.github/workflows/pr-closer.yml`)
that runs daily (and manually) to close PRs with no activity for 30+
days.
>
> The job filters out PRs authored by `jdx` or labeled `keep-open`, and
posts a different close comment when CI checks are failing vs passing.
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
959b5b27b2. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](820e3160e2..603b797f8b))
| action | digest | `820e316` → `603b797` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My42Ni40IiwidXBkYXRlZEluVmVyIjoiNDMuNjYuNCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](45580472a5..820e3160e2))
| action | digest | `4558047` → `820e316` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: jdx <216188+jdx@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node)
([changelog](6044e13b5d..53b83947a5))
| action | digest | `6044e13` → `53b8394` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My41OS4wIiwidXBkYXRlZEluVmVyIjoiNDMuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](f5c2471be7..45580472a5))
| action | digest | `f5c2471` → `4558047` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4zNi4yIiwidXBkYXRlZEluVmVyIjoiNDMuMzYuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](b5ebac6f4c..f5c2471be7))
| action | digest | `b5ebac6` → `f5c2471` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNS4xMSIsInVwZGF0ZWRJblZlciI6IjQzLjI1LjExIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](439137e1b5..b5ebac6f4c))
| action | digest | `439137e` → `b5ebac6` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My44LjUiLCJ1cGRhdGVkSW5WZXIiOiI0My44LjUiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout)
([changelog](8e8c483db8..de0fac2e45))
| action | digest | `8e8c483` → `de0fac2` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [autofix-ci/action](https://redirect.github.com/autofix-ci/action)
([changelog](635ffb0c97..7a166d7532))
| action | digest | `635ffb0` → `7a166d7` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45NS4yIiwidXBkYXRlZEluVmVyIjoiNDIuOTUuMiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](4bdb89f480..439137e1b5))
| action | digest | `4bdb89f` → `439137e` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi45Mi4xIiwidXBkYXRlZEluVmVyIjoiNDIuOTIuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Reverts jdx/mise-action#360https://github.com/jdx/mise-action/issues/363
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> Reverts the monorepo cache isolation change and simplifies caching to
a single cache for the entire `mise` directory.
>
> - Replace binary/tools caches with a single cache via
`restoreMiseCache`/`saveCache`; set `cache-hit` from one restore
> - Default key template drops `dir_hash`; `file_hash` computed from
repo-wide glob patterns (no `working_directory`-specific config walk)
> - Persist `PRIMARY_KEY` and `MISE_DIR` in action state; `miseDir()`
reads from state
> - Remove monorepo cache isolation workflow `test-monorepo-cache.yml`;
minor cleanup in `AGENTS.md`
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
a157c4e176. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](45c373516f..4bdb89f480))
| action | digest | `45c3735` → `4bdb89f` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi43NC41IiwidXBkYXRlZEluVmVyIjoiNDIuNzQuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Problem
-------
mise-action hashes ALL mise config files in the repo to compute a single
default cache key. In a monorepo with multiple projects (e.g.,
apps/frontend, apps/backend), this causes cache pollution:
1. Job A runs for apps/frontend, installs only frontend tools
2. Cache is saved with a key based on ALL configs
3. Job B runs for apps/backend, gets cache HIT (same key)
4. Job B finds frontend tools but not backend tools
5. Job B has to install all tools because they are missing from cache
Additionally, any change to an unrelated project config would bust the
cache for all projects.
Solution
--------
When working_directory is set, compute the default cache key using only
the config files that affect that directory (detected via `mise config
ls --json`) instead of globbing all configs in the repo.
This required separating binary and tools caching:
- Binary cache: restored first so mise is available for `mise config ls`
- Tools cache: default key computed after mise is installed
Key Implementation Details
--------------------------
1. Cache separation:
- restoreMiseBinaryCache/saveMiseBinaryCache for the mise binary
- restoreToolsCache/saveToolsCache for the full mise directory
- Binary cache key: `{prefix}-binary-{platform}-{version}-{dirHash}`
- Tools default cache key: based on config file contents for
working_directory
2. Binary backup during tools cache restore: The tools cache includes
bin/, which could overwrite the binary that setupMise() just installed.
We use withBinaryBackup() to backup the binary before restoring the
tools cache and restore it afterward.
An alternative approach would be to only cache installs/ and shims/
instead of the full miseDir(), but that would change the caching
behavior for existing users. Using withBinaryBackup() retains the
original caching behavior while preventing the binary from being
overwritten.
3. Binary cache key includes mise_dir hash: Prevents cache collision
when users change mise_dir between runs. Without this, a cache hit could
restore the binary to the wrong location.
4. Explicit mise binary path: Uses full path to mise binary instead of
relying on PATH lookup, avoiding potential race conditions with
core.addPath().
5. Lock file handling:
- .toml files: look for corresponding .lock file
- .tool-versions: look for mise.lock in the same directory
6. Graceful degradation: If `mise config ls` fails when
working_directory is set, caching is disabled with a warning rather
than:
- Failing the action entirely, or
- Falling back to glob patterns (which would reintroduce the bug)
Backward Compatibility
----------------------
- working_directory not set: No change, uses existing glob of all
configs
- working_directory set: Default cache key based on `mise config ls`
output
Note on cache_key input: The `cache_key` input now only controls the
tools cache key. The binary cache key is always computed automatically
based on platform, version, and mise_dir. This is generally better since
the binary cache is version-stable and does not need custom key logic.
Test Coverage
-------------
Added test-monorepo-cache.yml with 8 test scenarios:
- install-backend/restore-frontend: Verify cache isolation
- install-frontend/unrelated-change-no-bust: Verify unrelated changes do
not bust cache
- parent-config-change: Verify parent config changes bust child cache
- lock-file-change: Verify lock file changes bust cache
- install-default-mise-dir/restore-custom-mise-dir: Verify mise_dir in
cache key
Final Note
----------
Currently, the default tool cache key includes the mise version. This
was in place prior, so it was left intact. With this change and the
splitting of the mise version cache from the tool cache, we could safely
remove the mise version from the tool cache key. Left this for a
subsequent change if desired.
<!-- CURSOR_SUMMARY -->
---
> [!NOTE]
> Fixes cache key pollution in monorepos by scoping tool cache keys to
the `working_directory`'s config hierarchy and separating binary vs.
tools caching.
>
> - New cache flow: `restoreMiseBinaryCache/saveMiseBinaryCache` (key:
`{prefix}-binary-{platform}-{version}-{dirHash}`) runs before
installation; `restoreToolsCache/saveToolsCache` uses a default key
derived from `mise config ls --json` for the specified
`working_directory`
> - Uses explicit `mise` binary path and preserves it during tools cache
restore via `withBinaryBackup` to avoid overwrites
> - Default tools key still supports template inputs; includes lockfile
handling and guards to disable caching on failures
> - `mise_dir` hash included in binary cache key to prevent cross-dir
collisions
> - Adds `.github/workflows/test-monorepo-cache.yml` with scenarios
verifying monorepo cache isolation, unrelated-config no-bust,
parent-config change bust, lockfile change bust, identical-content
different-path isolation, and `mise_dir`-key differentiation
> - Updates compiled `dist/` artifacts; minor docs entry `AGENTS.md`
>
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
434d5feca5. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/setup-node](https://redirect.github.com/actions/setup-node)
([changelog](395ad32622..6044e13b5d))
| action | digest | `395ad32` → `6044e13` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi43NC41IiwidXBkYXRlZEluVmVyIjoiNDIuNzQuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
([changelog](497990dfed..45c373516f))
| action | digest | `497990d` -> `45c3735` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi41OS4wIiwidXBkYXRlZEluVmVyIjoiNDIuNTkuMCIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | digest | `f94c9be` -> `497990d` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4xNi4xIiwidXBkYXRlZEluVmVyIjoiNDIuMTkuOSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | digest | `08eba0b` -> `34e1148` |
| [actions/checkout](https://redirect.github.com/actions/checkout) |
action | digest | `08c6903` -> `93cb6ef` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0Mi4xNi4xIiwidXBkYXRlZEluVmVyIjoiNDIuMTYuMSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
|
[github/codeql-action](https://redirect.github.com/github/codeql-action)
| action | digest | `5d5cd55` -> `f94c9be` |
---
### Configuration
📅 **Schedule**: Branch creation - "before 4am on friday" in timezone
America/Chicago, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNzMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE3My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
