2026-05-15 06:10:32 +00:00
32 changed files with 64956 additions and 76860 deletions
--- a/.github/renovate.json
+++ b/.github/renovate.json
@ -1,6 +1,14 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>jdx/renovate-config"],
+  "extends": [
-  "gitIgnoredAuthors": ["autofix.ci[bot] <autofix.ci[bot]@users.noreply.github.com>"],
+    "github>jdx/renovate-config"
-  "rebaseWhen": "conflicted"
+  ],
  "postUpgradeTasks": {
    "commands": ["npm run all"],
    "fileFilters": ["dist/**/*"],
    "executionMode": "branch"
  },
  "allowedCommands": [
    ".*"
  ]
 }
--- a/.github/workflows/check-dist.yml
+++ b/.github/workflows/check-dist.yml
@ -12,7 +12,11 @@ on:
  push:
    branches:
      - main
    paths-ignore:
      - '**.md'
  pull_request:
    paths-ignore:
      - '**.md'
  workflow_dispatch:
 concurrency:
@ -31,19 +35,21 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 18
          cache: npm
      - name: Install Dependencies
        id: install
-        run: aube ci
+        run: npm ci
      - name: Build dist/ Directory
        id: build
-        run: aubr bundle
+        run: npm run bundle
      - name: Compare Expected and Actual Directories
        id: diff
@ -56,7 +62,7 @@ jobs:
      # If index.js was different than expected, upload the expected version as
      # a workflow artifact.
-      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+      - uses: actions/upload-artifact@v4
        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
        with:
          name: dist
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -7,9 +7,6 @@ on:
      - main
      - 'releases/*'
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true
@ -22,31 +19,26 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
-      # `mise.toml` pins both Node and aube; mise-action installs
+      - name: Setup Node.js
-      # whatever's listed there. Reads `package-lock.json`
+        id: setup-node
-      # directly — no separate `aube-lock.yaml` to maintain.
+        uses: actions/setup-node@v4
      # `.npmrc` pins `node-linker=hoisted` so the layout is
      # npm-flat (rollup's `--configPlugin` resolution
      # requires this).
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
        with:
-          cache: false
+          node-version: 18
          cache: npm
      - name: Install Dependencies
-        id: aube-ci
+        id: npm-ci
-        run: aube ci
+        run: npm ci
      - name: Check Format
-        id: aube-format-check
+        id: npm-format-check
-        run: aubr format:check
+        run: npm run format:check
      - name: Lint
-        id: aube-lint
+        id: npm-lint
-        run: aubr lint
+        run: npm run lint
      # - name: Test
      #   id: npm-ci-test
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@ -34,21 +34,19 @@ jobs:
    steps:
      - name: Checkout
        id: checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Initialize CodeQL
        id: initialize
-        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          source-root: src
      - name: Autobuild
        id: autobuild
-        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/autobuild@v3
      - name: Perform CodeQL Analysis
        id: analyze
-        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
+        uses: github/codeql-action/analyze@v3
--- a/.github/workflows/pr-closer.yml
+++ b/.github/workflows/pr-closer.yml
@ -1,31 +0,0 @@
 name: pr-closer
 on:
  schedule:
    - cron: "0 0 * * *" # daily at midnight
  workflow_dispatch:
 jobs:
  close-stale-prs:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - name: Close stale PRs
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          gh pr list -R "${{ github.repository }}" --state open --json number,author,labels,updatedAt,statusCheckRollup --limit 100 | \
          jq -r '.[] | select(
            (.updatedAt | fromdateiso8601) < (now - 30*24*60*60) and
            .author.login != "jdx" and
            ([.labels[].name] | index("keep-open") | not)
          ) | [.number, (if (.statusCheckRollup | length > 0) and (.statusCheckRollup | any(.conclusion == "FAILURE" or .conclusion == "failure")) then "failing" else "passing" end)] | @tsv' | \
          while read -r pr status; do
            echo "Closing PR #$pr (checks: $status)"
            if [ "$status" = "failing" ]; then
              gh pr close "$pr" -R "${{ github.repository }}" -c "This PR has been open for more than 30 days without activity. Note: CI checks were failing, which may be why it wasn't reviewed. Feel free to reopen or create a new PR if you'd like to continue working on this."
            else
              gh pr close "$pr" -R "${{ github.repository }}" -c "This PR has been open for more than 30 days without activity. Feel free to reopen or create a new PR if you'd like to continue working on this."
            fi
          done
--- a/.github/workflows/release-plz.yml
+++ b/.github/workflows/release-plz.yml
@ -1,34 +0,0 @@
 name: release-plz
 permissions:
  pull-requests: write
  contents: write
 on:
  workflow_dispatch:
  push:
    branches:
      - main
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NPM_CONFIG_FUND: false
 concurrency:
  group: release-plz
 jobs:
  release-plz:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          submodules: recursive
          token: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
          persist-credentials: false
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - run: mise run release-plz
        env:
          DRY_RUN: 0
          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -1,49 +0,0 @@
 name: Release
 on:
  pull_request:
    types: [closed]
    branches: [main]
 permissions: {}
 jobs:
  release:
    if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'release')
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
          persist-credentials: false
      - name: Setup mise
        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - name: Release
        run: ./scripts/postversion.sh
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  enhance-release:
    needs: [release]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          fetch-depth: 0
          persist-credentials: false
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
      - name: Enhance release notes with communique
        run: |
          TAG_NAME="v$(jq -r .version package.json)"
          communique generate "$TAG_NAME" --github-release
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
--- a/.github/workflows/test-redacted-env.yml
+++ b/.github/workflows/test-redacted-env.yml
@ -1,77 +0,0 @@
 name: Test Redacted Environment Variables
 on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  workflow_dispatch:
 permissions:
  contents: read
 jobs:
  test-redacted-env:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Create test mise config with sensitive values
        run: |
          cat > .mise.toml << 'EOF'
          [env]
          PUBLIC_VAR = "this-is-public"
          API_KEY = {value = "secret-api-key-12345", redact = true}
          SECRET_TOKEN = {value = "supersecret-token-xyz", redact = true}
          DATABASE_PASSWORD = {value = "db-pass-789", redact = true}
          EOF
      - name: Setup mise
        uses: ./
      - name: Verify environment variables are exported
        run: |
          echo "Checking if environment variables are set..."
          # Check that public var is set
          if [ "$PUBLIC_VAR" != "this-is-public" ]; then
            echo "ERROR: PUBLIC_VAR not set correctly"
            exit 1
          fi
          echo "✓ PUBLIC_VAR is set correctly"
          # Check that sensitive vars are set (but their values should be masked in logs)
          if [ -z "$API_KEY" ]; then
            echo "ERROR: API_KEY not set"
            exit 1
          fi
          echo "✓ API_KEY is set"
          if [ -z "$SECRET_TOKEN" ]; then
            echo "ERROR: SECRET_TOKEN not set"
            exit 1
          fi
          echo "✓ SECRET_TOKEN is set"
          if [ -z "$DATABASE_PASSWORD" ]; then
            echo "ERROR: DATABASE_PASSWORD not set"
            exit 1
          fi
          echo "✓ DATABASE_PASSWORD is set"
      - name: Test that sensitive values are masked (will show *** if properly masked)
        run: |
          echo "Testing value masking..."
          echo "API_KEY value: $API_KEY"
          echo "SECRET_TOKEN value: $SECRET_TOKEN"
          echo "DATABASE_PASSWORD value: $DATABASE_PASSWORD"
          echo "PUBLIC_VAR value: $PUBLIC_VAR"
          # This should show the actual values in the step output,
          # but GitHub Actions should mask them if core.setSecret was called
      - name: Verify mise version
        run: mise --version
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -1,16 +1,12 @@
-name: "build-test"
+name: 'build-test'
 on: # rebuild any PRs and main branch changes
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
      - 'releases/*'
  workflow_dispatch:
 permissions:
  contents: read
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref_name }}
  cancel-in-progress: true
@ -19,12 +15,11 @@ jobs:
  build: # make sure build/ci work properly
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v4
-        with:
+      - run: |
-          persist-credentials: false
+          npm install
-      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - run: |
-      - run: aube install
+          npm run all
      - run: aubr all
  test: # make sure the action works on a clean machine without building
    strategy:
      fail-fast: false
@ -47,145 +42,35 @@ jobs:
      - name: Install requirements
        if: ${{ matrix.requirements }}
        run: ${{ matrix.requirements }}
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup mise
        uses: ./
        with:
          mise_toml: |
            [tools]
            jq = "1.7.1"
            [env]
            MY_ENV_VAR = "abc"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - run: mise --version
      - run: mise x jq -- jq --version
      - run: which jq
      - run: jq --version
      - name: Check Windows shim binary
        if: runner.os == 'Windows'
        shell: pwsh
        run: |
          $miseBinDir = Split-Path -Parent (Get-Command mise).Source
          $miseShim = Join-Path $miseBinDir "mise-shim.exe"
          if (!(Test-Path -LiteralPath $miseShim)) {
            throw "mise-shim.exe was not installed next to mise.exe"
          }
      - run: . scripts/test.sh
        shell: bash
  specific_version:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Setup mise
        uses: ./
        with:
          cache_save: ${{ github.ref_name == 'main' }}
          cache_key_prefix: mise-v1
-          version: 2025.7.3
+          version: 2024.9.6
          sha256: d38d4993c5379a680b50661f86287731dc1d1264777880a79b786403af337948
          install_args: bun
          mise_toml: |
            [tools]
            bun = "1"
      - run: which bun
      - run: bun -v
      - name: Update mise
        uses: ./
        with:
          cache_save: ${{ github.ref_name == 'main' }}
          cache_key_prefix: mise-v1
          version: v2025.7.3 # should trim the `v`
          sha256: d38d4993c5379a680b50661f86287731dc1d1264777880a79b786403af337948
  checksum_failure:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Setup mise
        id: bad
        uses: ./
        with:
          version: 2024.9.6
          sha256: 1f0b8c3d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7g8h9i0j1k2l3m4n5o6p7q8r9s0t
        continue-on-error: true
      - name: Dump steps context
        if: ${{ always() }}
        env:
          STEPS_CONTEXT: ${{ toJson(steps) }}
        run: echo "$STEPS_CONTEXT"
      - name: expect failure
        run: echo "Failed as expected"
        if: ${{ steps.bad.outcome == 'failure' }}
      - name: not failed as expected
        run: |
          echo "Expected failure but the job was ${STEPS_BAD_OUTCOME}"
          exit 1
        if: ${{ steps.bad.outcome != 'failure' }}
        env:
          STEPS_BAD_OUTCOME: ${{ steps.bad.outcome }}
  custom_cache_key:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Setup mise with custom cache key
        uses: ./
        with:
          cache_key: "custom-{{platform}}-{{install_args_hash}}-${{ github.run_id }}"
          install_args: "jq@1.7.1"
          mise_toml: |
            [tools]
            jq = "1.7.1"
      - run: mise --version
      - run: mise x jq -- jq --version
      - run: which jq
      - run: jq --version
  fetch_from_github:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - name: Setup mise from mise.jdx.dev
        uses: ./
        with:
          fetch_from_github: true
          cache: false
          cache_save: false
          mise_toml: |
            [tools]
            jq = "1.7.1"
      - run: mise --version
      - run: mise x jq -- jq --version
      - run: which jq
      - run: jq --version
  final:
    needs:
      - build
      - test
      - specific_version
      - checksum_failure
      - custom_cache_key
      - fetch_from_github
    runs-on: ubuntu-latest
    timeout-minutes: 1
    # Run on success or upstream failure but skip when the workflow is cancelled
    # — `always()` would override `cancel-in-progress` and waste a runner.
    if: ${{ !cancelled() }}
    steps:
      - name: Check CI job results
        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
        run: exit 1
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@ -1,22 +0,0 @@
 name: zizmor
 on:
  push:
    branches: [main]
    paths: ['.github/workflows/**']
  pull_request:
    paths: ['.github/workflows/**']
 permissions: {}
 jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
        with:
          advanced-security: false
--- a/.gitignore
+++ b/.gitignore
@ -101,10 +101,3 @@ __tests__/runner/*
 .idea
 .vscode
 *.code-workspace
 # Generated by `aube install` to record build-script approvals.
 # We've chosen not to commit our approval state — the build doesn't
 # need any package's install scripts to run, and the file gets
 # regenerated each install anyway. The harmless "ignored build
 # scripts" warning in `aube install` output is the cost.
 pnpm-workspace.yaml
--- a/.husky/pre-commit
+++ b/.husky/pre-commit
@ -1,5 +1,4 @@
 # shellcheck disable=SC1091
 npm ci
 npm run all
 git add dist
--- a/.npmrc
+++ b/.npmrc
@ -1,11 +0,0 @@
 # Forces a flat npm-style `node_modules/` layout instead of
 # aube's default symlink/virtual-store. Required for
 # deterministic `dist/index.js.map` source-map paths in CI:
 # without flat layout, rollup embeds absolute paths into
 # aube's per-user cache dir (`/home/runner/.cache/aube/...`),
 # which differ across machines and break the `check-dist`
 # workflow's byte-equality check.
 #
 # npm reads `.npmrc` too but ignores `node-linker` (npm
 # always installs flat), so the file is safe for both PMs.
 node-linker=hoisted
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,292 +1,5 @@
 # Changelog
 ---
 ## [4.0.1](https://github.com/jdx/mise-action/compare/v4.0.0..v4.0.1) - 2026-03-22
 ### 🐛 Bug Fixes
 - run npm install in pre-commit hook before build (#410) by [@jdx](https://github.com/jdx) in [#410](https://github.com/jdx/mise-action/pull/410)
 ### 🚜 Refactor
 - extract getCwd() helper to deduplicate working directory resolution (#403) by [@altendky](https://github.com/altendky) in [#403](https://github.com/jdx/mise-action/pull/403)
 ### 📚 Documentation
 - bump versions listed im README.md (#407) by [@deining](https://github.com/deining) in [#407](https://github.com/jdx/mise-action/pull/407)
 - bump more versions listed in README.md (#408) by [@deining](https://github.com/deining) in [#408](https://github.com/jdx/mise-action/pull/408)
 ### ⚙️ Miscellaneous Tasks
 - add workflow to auto-close stale PRs (#409) by [@jdx](https://github.com/jdx) in [#409](https://github.com/jdx/mise-action/pull/409)
 ### New Contributors
 * @deining made their first contribution in [#408](https://github.com/jdx/mise-action/pull/408)
 ---
 ## [4.0.0](https://github.com/jdx/mise-action/compare/v3.6.3..v4.0.0) - 2026-03-13
 ### 🚀 Features
 - **breaking** Update Node.js version from 20 to 24 (#395) by [@tumerorkun](https://github.com/tumerorkun) in [#395](https://github.com/jdx/mise-action/pull/395)
 ### New Contributors
 * @tumerorkun made their first contribution in [#395](https://github.com/jdx/mise-action/pull/395)
 ---
 ## [3.6.3](https://github.com/jdx/mise-action/compare/v3.6.2..v3.6.3) - 2026-03-06
 ### 🐛 Bug Fixes
 - pass cwd to all exec calls in exportMiseEnv() (#390) by [@andrewthauer](https://github.com/andrewthauer) in [#390](https://github.com/jdx/mise-action/pull/390)
 ### New Contributors
 * @andrewthauer made their first contribution in [#390](https://github.com/jdx/mise-action/pull/390)
 ---
 ## [3.6.2](https://github.com/jdx/mise-action/compare/v3.6.1..v3.6.2) - 2026-03-02
 ### 🐛 Bug Fixes
 - move file_hash to end of cache key template to prevent prefix matching (#384) by [@altendky](https://github.com/altendky) in [#384](https://github.com/jdx/mise-action/pull/384)
 ### New Contributors
 * @altendky made their first contribution in [#384](https://github.com/jdx/mise-action/pull/384)
 ---
 ## [3.6.1](https://github.com/jdx/mise-action/compare/v3.6.0..v3.6.1) - 2026-01-20
 ### 🔍 Other Changes
 - Revert "fix(cache): isolate cache keys per working_directory in monorepos" (#364) by [@jdx](https://github.com/jdx) in [#364](https://github.com/jdx/mise-action/pull/364)
 ---
 ## [3.6.0](https://github.com/jdx/mise-action/compare/v3.5.1..v3.6.0) - 2026-01-18
 ### 🚀 Features
 - add option to disable shims in PATH (#340) by [@jdx](https://github.com/jdx) in [#340](https://github.com/jdx/mise-action/pull/340)
 ### 🐛 Bug Fixes
 - **(cache)** isolate cache keys per working_directory in monorepos (#360) by [@chadxz](https://github.com/chadxz) in [#360](https://github.com/jdx/mise-action/pull/360)
 - use mise_dir input when specified (#339) by [@jdx](https://github.com/jdx) in [#339](https://github.com/jdx/mise-action/pull/339)
 - pass environment variables to mise commands (#341) by [@jdx](https://github.com/jdx) in [#341](https://github.com/jdx/mise-action/pull/341)
 - make mise self-update output visible in logs (#355) by [@nikobockerman](https://github.com/nikobockerman) in [#355](https://github.com/jdx/mise-action/pull/355)
 ### 📚 Documentation
 - fix description for `mise_toml` input (#351) by [@quad](https://github.com/quad) in [#351](https://github.com/jdx/mise-action/pull/351)
 ### New Contributors
 * @chadxz made their first contribution in [#360](https://github.com/jdx/mise-action/pull/360)
 * @nikobockerman made their first contribution in [#355](https://github.com/jdx/mise-action/pull/355)
 * @quad made their first contribution in [#351](https://github.com/jdx/mise-action/pull/351)
 ---
 ## [3.5.1](https://github.com/jdx/mise-action/compare/v3.5.0..v3.5.1) - 2025-11-24
 ### 🔍 Other Changes
 - Revert "feat(action): moved save cache to post step" (#329) by [@jdx](https://github.com/jdx) in [#329](https://github.com/jdx/mise-action/pull/329)
 ---
 ## [3.5.0](https://github.com/jdx/mise-action/compare/v3.4.1..v3.5.0) - 2025-11-21
 ### 🚀 Features
 - **(action)** moved save cache to post step (#321) by [@aamkye](https://github.com/aamkye) in [#321](https://github.com/jdx/mise-action/pull/321)
 ### New Contributors
 * @aamkye made their first contribution in [#321](https://github.com/jdx/mise-action/pull/321)
 ---
 ## [3.4.1](https://github.com/jdx/mise-action/compare/v3.4.0..v3.4.1) - 2025-11-13
 ### 🐛 Bug Fixes
 - avoid github token downstream issue (#317) by [@acesyde](https://github.com/acesyde) in [#317](https://github.com/jdx/mise-action/pull/317)
 ### New Contributors
 * @acesyde made their first contribution in [#317](https://github.com/jdx/mise-action/pull/317)
 ---
 ## [3.4.0](https://github.com/jdx/mise-action/compare/v3.3.1..v3.4.0) - 2025-10-31
 ### 🚀 Features
 - use autofix.ci to auto-update dist/ on all PRs by [@jdx](https://github.com/jdx) in [16e9fd5](https://github.com/jdx/mise-action/commit/16e9fd5251189c3d389adb836f243575c134d680)
 - use autofix.ci to auto-update dist/ on all PRs (#308) by [@jdx](https://github.com/jdx) in [#308](https://github.com/jdx/mise-action/pull/308)
 ### 🐛 Bug Fixes
 - add missing `await` to `core.group` calls (#305) by [@smorimoto](https://github.com/smorimoto) in [#305](https://github.com/jdx/mise-action/pull/305)
 - auto-update dist folder in Renovate PRs via GitHub Actions (#306) by [@jdx](https://github.com/jdx) in [#306](https://github.com/jdx/mise-action/pull/306)
 - configure Renovate to ignore github-actions[bot] commits by [@jdx](https://github.com/jdx) in [993e7d0](https://github.com/jdx/mise-action/commit/993e7d0bb6f3422ef833a702b90e2a44909ec651)
 - run auto-update-dist workflow on all PRs by [@jdx](https://github.com/jdx) in [6d0fd75](https://github.com/jdx/mise-action/commit/6d0fd75ed51124702e37bfcf6e977da73f64b4e1)
 ### 📚 Documentation
 - update to v3 in README (#290) by [@pdecat](https://github.com/pdecat) in [#290](https://github.com/jdx/mise-action/pull/290)
 ### ⚙️ Miscellaneous Tasks
 - upgrade all workflows to Node 24 by [@jdx](https://github.com/jdx) in [c7b5f37](https://github.com/jdx/mise-action/commit/c7b5f37cadd1a385188a023510a966efa5eed247)
 - remove unused workflow by [@jdx](https://github.com/jdx) in [aecb23d](https://github.com/jdx/mise-action/commit/aecb23d92f0e50768578578f309255414a23561d)
 ### New Contributors
 * @smorimoto made their first contribution in [#305](https://github.com/jdx/mise-action/pull/305)
 * @pdecat made their first contribution in [#290](https://github.com/jdx/mise-action/pull/290)
 ---
 ## [3.3.1](https://github.com/jdx/mise-action/compare/v3.3.0..v3.3.1) - 2025-10-06
 ### 🐛 Bug Fixes
 - trim "v" prefix on update (#287) by [@zeitlinger](https://github.com/zeitlinger) in [#287](https://github.com/jdx/mise-action/pull/287)
 ---
 ## [3.3.0](https://github.com/jdx/mise-action/compare/v3.2.0..v3.3.0) - 2025-10-03
 ### 🚀 Features
 - use self-update to modify version if mise is already installed (#277) by [@ImpSy](https://github.com/ImpSy) in [#277](https://github.com/jdx/mise-action/pull/277)
 ### 🐛 Bug Fixes
 - **(cache)** replace `,` in `MISE_ENV` with `-` (#278) by [@risu729](https://github.com/risu729) in [#278](https://github.com/jdx/mise-action/pull/278)
 - correct Renovate allowedPostUpgradeCommands configuration by [@jdx](https://github.com/jdx) in [4313941](https://github.com/jdx/mise-action/commit/43139419dcaeb99e24c487d646766d014d0957a2)
 ### ⚙️ Miscellaneous Tasks
 - **(config)** migrate renovate config (#263) by [@renovate[bot]](https://github.com/renovate[bot]) in [#263](https://github.com/jdx/mise-action/pull/263)
 - updated deps by [@jdx](https://github.com/jdx) in [5795893](https://github.com/jdx/mise-action/commit/5795893acedc0f2044498a21005c38f12dd5d8d3)
 ### New Contributors
 * @mise-en-dev made their first contribution in [#284](https://github.com/jdx/mise-action/pull/284)
 * @ImpSy made their first contribution in [#277](https://github.com/jdx/mise-action/pull/277)
 ---
 ## [3.2.0](https://github.com/jdx/mise-action/compare/v3.1.0..v3.2.0) - 2025-08-22
 ### 🚀 Features
 - add environment variable support to cache key templates (#250) by [@pepicrft](https://github.com/pepicrft) in [#250](https://github.com/jdx/mise-action/pull/250)
 ### 🐛 Bug Fixes
 - redact secret values from env (#252) by [@jdx](https://github.com/jdx) in [#252](https://github.com/jdx/mise-action/pull/252)
 ---
 ## [3.1.0](https://github.com/jdx/mise-action/compare/v3.0.2..v3.1.0) - 2025-08-19
 ### 🚀 Features
 - add configurable cache key with template variable support (#246) by [@pepicrft](https://github.com/pepicrft) in [#246](https://github.com/jdx/mise-action/pull/246)
 ---
 ## [3.0.2](https://github.com/jdx/mise-action/compare/v3.0.1..v3.0.2) - 2025-08-18
 ### ⚙️ Miscellaneous Tasks
 - remove duplicate release-plz logic by [@jdx](https://github.com/jdx) in [7081572](https://github.com/jdx/mise-action/commit/70815728fdd7d32bad0deb6b33576cf791f1dafa)
 ---
 ## [3.0.1](https://github.com/jdx/mise-action/compare/v3.0.0..v3.0.1) - 2025-08-18
 ### 📚 Documentation
 - add CLAUDE.md by [@jdx](https://github.com/jdx) in [729161f](https://github.com/jdx/mise-action/commit/729161fe32f196174ff956fbe3ce8743567cb9e1)
 - hide release entries in CHANGELOG by [@jdx](https://github.com/jdx) in [96680f6](https://github.com/jdx/mise-action/commit/96680f666f91bbcb5b4d76ff2ac0f465bb941dd0)
 ### ⚙️ Miscellaneous Tasks
 - fix release-plz by [@jdx](https://github.com/jdx) in [3600b64](https://github.com/jdx/mise-action/commit/3600b6410713f6187847c1eb2bde38315e844484)
 - updated deps (#244) by [@jdx](https://github.com/jdx) in [#244](https://github.com/jdx/mise-action/pull/244)
 ---
 ## [3.0.0](https://github.com/jdx/mise-action/compare/v2.4.4..v3.0.0) - 2025-08-18
 ### 🚀 Features
 - **breaking** export env vars from mise.toml (#241) by [@maelp](https://github.com/maelp) in [#241](https://github.com/jdx/mise-action/pull/241)
 ### New Contributors
 * @maelp made their first contribution in [#241](https://github.com/jdx/mise-action/pull/241)
 ---
 ## [2.4.4](https://github.com/jdx/mise-action/compare/v2.4.3..v2.4.4) - 2025-07-27
 ### 🐛 Bug Fixes
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [07fb524](https://github.com/jdx/mise-action/commit/07fb524adc338a756d6ff7fa7a33f0e27bdc4d2d)
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [0de6d11](https://github.com/jdx/mise-action/commit/0de6d11b95678b220019adc7929e4d9752b59355)
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [75121b9](https://github.com/jdx/mise-action/commit/75121b9a3f21cd3b497f047d71a77d59099ff6b3)
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [583fe7b](https://github.com/jdx/mise-action/commit/583fe7be9d688739c95cc32249344e9796f4eebe)
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [7fa2a26](https://github.com/jdx/mise-action/commit/7fa2a26c1e3cf1b20bbf42f2d293912e90e71177)
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [cf44a56](https://github.com/jdx/mise-action/commit/cf44a563b9a45de221b77d23cbc5621dc7e6b377)
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [a35d5fc](https://github.com/jdx/mise-action/commit/a35d5fc6817dcb018e9e7a6613664fde7f5d4aaf)
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [c37c932](https://github.com/jdx/mise-action/commit/c37c93293d6b742fc901e1406b8f764f6fb19dac)
 ### ⚙️ Miscellaneous Tasks
 - add release workflow by [@jdx](https://github.com/jdx) in [eccbf00](https://github.com/jdx/mise-action/commit/eccbf00da17ac7d1d18017ead61bc54a442f3a38)
 - skip release script if no changes by [@jdx](https://github.com/jdx) in [eba59a9](https://github.com/jdx/mise-action/commit/eba59a9eefc99963516a3ff8be4c372c656f0215)
 ---
 ## [2.4.3](https://github.com/jdx/mise-action/compare/v2.4.2..v2.4.3) - 2025-07-27
 ### 🐛 Bug Fixes
 - v2 release tag automation by [@jdx](https://github.com/jdx) in [5c24f96](https://github.com/jdx/mise-action/commit/5c24f96c0ff8577151a76e76344591427bcf28c5)
 ---
 ## [2.4.2](https://github.com/jdx/mise-action/compare/v2.4.0..v2.4.2) - 2025-07-24
 ### 🚀 Features
 - allow fetching binary from mise.jdx.dev (#227) by [@jdx](https://github.com/jdx) in [#227](https://github.com/jdx/mise-action/pull/227)
 ### 🔍 Other Changes
 - Fix flag passed to `mise reshim` (#208) by [@andrewdriggs](https://github.com/andrewdriggs) in [#208](https://github.com/jdx/mise-action/pull/208)
 ### ⚙️ Miscellaneous Tasks
 - add semantic-pr-lint (#220) by [@jdx](https://github.com/jdx) in [#220](https://github.com/jdx/mise-action/pull/220)
 - added release-plz by [@jdx](https://github.com/jdx) in [bd8ba20](https://github.com/jdx/mise-action/commit/bd8ba20c5611a6ebc508d3c263444c97c5483bd1)
 - get postversion to work by [@jdx](https://github.com/jdx) in [954e13d](https://github.com/jdx/mise-action/commit/954e13db3e9329a8373a5d6cfa3718f7bc607149)
 - set release token by [@jdx](https://github.com/jdx) in [6d3ca74](https://github.com/jdx/mise-action/commit/6d3ca74ece306fcd7f501bd95086deaf8d0c3552)
 - use new release-plz token by [@jdx](https://github.com/jdx) in [1c87378](https://github.com/jdx/mise-action/commit/1c87378f400e5957e22607e2c938eac904a3e233)
 - fix check-dist by [@jdx](https://github.com/jdx) in [4dfd63f](https://github.com/jdx/mise-action/commit/4dfd63f0279a3418b93cbbfc4bc132ace1da2481)
 - add git add and git status commands to release script by [@jdx](https://github.com/jdx) in [0c56699](https://github.com/jdx/mise-action/commit/0c56699aa697e50cf8d17b7c07976b7c1e550c23)
 - update changelog extraction in release script to skip the section break line by [@jdx](https://github.com/jdx) in [714aa25](https://github.com/jdx/mise-action/commit/714aa2569b8097f175d58290710a86eefe2098d0)
 ### New Contributors
 * @github-actions[bot] made their first contribution in [#221](https://github.com/jdx/mise-action/pull/221)
 ---
 ## [2.4.0](https://github.com/jdx/mise-action/compare/v2.3.1..v2.4.0) - 2025-07-12
 ### 🔍 Other Changes
 - support checksum (#218) by [@zeitlinger](https://github.com/zeitlinger) in [#218](https://github.com/jdx/mise-action/pull/218)
 ### ⚙️ Miscellaneous Tasks
 - updated deps (#219) by [@jdx](https://github.com/jdx) in [#219](https://github.com/jdx/mise-action/pull/219)
 ---
 ## [2.3.1](https://github.com/jdx/mise-action/compare/v2.3.0..v2.3.1) - 2025-06-25
--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -1,63 +0,0 @@
 # CLAUDE.md
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 ## Project Overview
 This is a GitHub Action that installs and configures mise, a polyglot runtime manager. The action is written in TypeScript and published to the GitHub Actions marketplace.
 ## Development Commands
 This project uses [aube](https://aube.en.dev) as its package
 manager (en.dev's pnpm-compat PM, native Rust). It reads
 `package-lock.json` directly — no separate `aube-lock.yaml`.
 `mise install` will install the pinned aube version
 automatically; you can also use `npm` if you prefer (the
 `.npmrc`'s `node-linker=hoisted` pin is aube-specific and
 ignored by npm).
 ```bash
 # Install dependencies
 aube install
 # Build, format, lint, and package
 aubr all
 # Individual commands
 aubr format:write  # Format code with Prettier
 aubr lint         # Run ESLint and format check
 aubr package      # Bundle with rollup for distribution
 # Testing
 aubr all          # Run full build pipeline
 ./scripts/test.sh     # Integration test script
 ```
 ## Architecture
 The action follows GitHub's standard TypeScript action structure:
 1. **Entry Point**: `src/index.ts` - Main action logic that:
   - Downloads and installs mise binary
   - Manages caching through GitHub Actions cache
   - Configures environment variables (MISE_*, GITHUB_TOKEN)
   - Runs mise commands (install, reshim, etc.)
   - Exports mise environment variables to GITHUB_ENV
 2. **Distribution**: `dist/index.js` - Compiled and bundled output (must be committed)
 3. **Action Definition**: `action.yml` - Defines inputs, outputs, and metadata
 ## Key Implementation Details
 - **Cache Management**: Uses content-addressable caching based on mise config files (.mise.toml, .tool-versions, etc.)
 - **Binary Download**: Supports downloading from GitHub releases or mise.jdx.dev
 - **Platform Support**: Handles Linux (glibc/musl), macOS, and Windows
 - **Environment Setup**: Automatically adds mise bin and shims directories to PATH
 - **GitHub API**: Uses GITHUB_TOKEN to avoid rate limits when installing GitHub-hosted tools
 ## Important Notes
 - Always run `aubr all` before committing to ensure dist/ is updated
 - The dist/ folder must be committed as GitHub Actions runs the compiled code
 - Test changes using the action itself (uses: ./) in test workflows
--- a/README.md
+++ b/README.md
@ -13,10 +13,10 @@ jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
-      - uses: jdx/mise-action@v4
+      - uses: jdx/mise-action@v2
        with:
-          version: 2026.3.10 # [default: latest] mise version to install
+          version: 2024.10.0 # [default: latest] mise version to install
          install: true # [default: true] run `mise install`
          install_args: "bun" # [default: ""] additional arguments to `mise install`
          cache: true # [default: true] cache mise using GitHub's cache
@ -24,82 +24,30 @@ jobs:
          log_level: debug # [default: info] log level
          # automatically write this .tool-versions file
          tool_versions: |
-            shellcheck 0.11.0
+            shellcheck 0.9.0
          # or, if you prefer .mise.toml format:
          mise_toml: |
            [tools]
-            shellcheck = "0.11.0"
+            shellcheck = "0.9.0"
          working_directory: app # [default: .] directory to run mise in
-          reshim: false # [default: false] run `mise reshim -f`
+          reshim: false # [default: false] run `mise reshim --all`
          github_token: ${{ secrets.GITHUB_TOKEN }} # [default: ${{ github.token }}] GitHub token for API authentication
      - run: shellcheck scripts/*.sh
  test:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
-      - uses: jdx/mise-action@v4
+      - uses: jdx/mise-action@v2
      # .tool-versions will be read from repo root
      - run: node ./my_app.js
 ```
 ## Cache Configuration
 You can customize the cache key used by the action:
 ```yaml
 - uses: jdx/mise-action@v4
  with:
    cache_key: "my-custom-cache-key"  # Override the entire cache key
    cache_key_prefix: "mise-v1"       # Or just change the prefix (default: "mise-v0")
 ```
 ### Template Variables in Cache Keys
 When using `cache_key`, you can use template variables to reference internal values:
 ```yaml
 - uses: jdx/mise-action@v4
  with:
    cache_key: "mise-{{platform}}-{{version}}-{{file_hash}}"
    version: "2026.3.10"
    install_args: "node python"
 ```
 Available template variables:
 - `{{version}}` - The mise version (from the `version` input)
 - `{{cache_key_prefix}}` - The cache key prefix (from `cache_key_prefix` input or default)
 - `{{platform}}` - The target platform, including the runner image (e.g., "linux-x64-ubuntu24", "macos-arm64-macos15", "linux-x64-self-hosted"). The trailing segment is `process.env.ImageOS` on github-hosted runners and falls back to `"self-hosted"` elsewhere — preventing cache collisions when the same repo runs on different runner providers (github-hosted, namespace.so, self-hosted).
 - `{{file_hash}}` - Hash of all mise configuration files
 - `{{mise_env}}` - The MISE_ENV environment variable value
 - `{{install_args_hash}}` - SHA256 hash of the sorted tools from install args
 - `{{default}}` - The processed default cache key (useful for extending)
 Conditional logic is also supported using Handlebars syntax like `{{#if version}}...{{/if}}`.
 Example using multiple variables:
 ```yaml
 - uses: jdx/mise-action@v4
  with:
    cache_key: "mise-v1-{{platform}}-{{install_args_hash}}-{{file_hash}}"
    install_args: "node@24 python@3.14"
 ```
 You can also extend the default cache key:
 ```yaml
 - uses: jdx/mise-action@v4
  with:
    cache_key: "{{default}}-custom-suffix"
    install_args: "node@24 python@3.14"
 ```
 This gives you full control over cache invalidation based on the specific aspects that matter to your workflow.
 ## GitHub API Rate Limits
 When installing tools hosted on GitHub (like `gh`, `node`, `bun`, etc.), mise needs to make API calls to GitHub's releases API. Without authentication, these calls are subject to GitHub's rate limit of 60 requests per hour, which can cause installation failures.
 ```yaml
- uses: jdx/mise-action@v4
+- uses: jdx/mise-action@v2
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    # your other configuration
--- a/action.yml
+++ b/action.yml
@ -8,9 +8,6 @@ inputs:
  version:
    required: false
    description: The version of mise to use. If not specified, will use the latest release.
  sha256:
    required: false
    description: The SHA256 checksum of the mise binary to verify the download.
  mise_dir:
    required: false
    description: |
@ -22,7 +19,7 @@ inputs:
    description: If present, this value will be written to the .tool-versions file
  mise_toml:
    required: false
-    description: If present, this value will be written to the mise.toml file
+    description: If present, this value will be written to the .mise.toml file
  install:
    required: false
    default: "true"
@ -43,15 +40,8 @@ inputs:
    description: if false, action will not write to cache
  cache_key_prefix:
    required: false
-    default: "mise-v1"
+    default: "mise-v0"
    description: The prefix key to use for the cache, change this to invalidate the cache
  cache_key:
    required: false
    description: |
      Override the complete cache key (ignores all other cache key options).
      Supports template variables: {{version}}, {{cache_key_prefix}}, {{platform}}, {{file_hash}}, 
      {{mise_env}}, {{install_args_hash}}, {{default}}, {{env.VAR_NAME}} for environment variables, 
      and conditional logic like {{#if version}}...{{/if}}
  experimental:
    required: false
    default: "false"
@ -67,57 +57,15 @@ inputs:
    required: false
    default: "false"
    description: if true, will run `mise reshim --all` after setting up mise
  add_shims_to_path:
    required: false
    default: "true"
    description: if false, will not add mise shims directory to PATH
  github_token:
    required: false
    description: |
      GitHub token for API authentication to avoid rate limits when installing GitHub-hosted tools.
      Defaults to the automatic GitHub token.
    default: ${{ github.token }}
  fetch_from_github:
    required: false
    default: "true"
    description: If true (default), fetch the mise binary from GitHub. If false and using the latest version, fetch from mise.jdx.dev instead.
  env:
    description: "Automatically load mise env vars into GITHUB_ENV. Note that PATH modifications are not part of this."
    required: false
    default: "true"
  wings_enabled:
    description: |
      [experimental] Opt in to the mise-wings asset cache
      (https://mise-wings.en.dev) for this action invocation.
      When `true`, the action exports `MISE_WINGS_ENABLED=1` so
      the installed mise binary routes tool-install URLs (npm
      tarballs, GitHub release artifacts) through the per-org
      wings cache subdomains.
      Authentication is automatic via the runner's GitHub OIDC
      identity — no `mise wings login` step, no long-lived
      secret to rotate. The workflow must declare
      `permissions: id-token: write` so the OIDC token-issuer
      env vars are populated; without that, mise falls through
      to direct-origin fetches transparently.
      Default `false` is the conservative posture: a workflow
      with `id-token: write` (used for SLSA / AWS-OIDC /
      Sigstore / etc.) should not have its OIDC token sent to
      a third-party cache without explicit opt-in. Older mise
      binaries that don't speak wings ignore the env var
      entirely, so this is forward-compatible.
      Requires an active mise-wings subscription on the Clerk
      org linked to the GitHub org running the workflow;
      without one, the proxy 402s and mise leaves the cache
      off without affecting the workflow's success.
    required: false
    default: "false"
 outputs:
  cache-hit:
    description: A boolean value to indicate if a cache was hit.
 runs:
-  using: node24
+  using: node20
  main: dist/index.js
--- a/cliff.toml
+++ b/cliff.toml
@ -100,7 +100,6 @@ commit_parsers = [
    { message = '^chore\(release\): prepare for', skip = true },
    { message = '^chore\(pr\)', skip = true },
    { message = '^chore\(pull\)', skip = true },
    { message = '^chore: release v\d+\.\d+\.\d+', skip = true },
    { message = '^chore: Release mise-action', skip = true },
    { message = '^chore|^ci', group = "<!-- 7 -->⚙️ Miscellaneous Tasks" },
    { body = '.*security', group = "<!-- 8 -->🛡️ Security" },
--- a/dist/index.js
+++ b/dist/index.js
--- a/dist/index.js.map
+++ b/dist/index.js.map
--- a/dist/licenses.txt
+++ b/dist/licenses.txt
--- a/dist/sourcemap-register.js
+++ b/dist/sourcemap-register.js
--- a/mise.lock
+++ b/mise.lock
@ -1,166 +0,0 @@
 # @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
 [[tools.aube]]
 version = "1.6.2"
 backend = "github:endevco/aube"
 [tools.aube."platforms.linux-arm64"]
 checksum = "sha256:1c47d2c0a50cf80f49aedcc2f58ce8abcbdf763092e772c8961c6e5b18916e8b"
 url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-unknown-linux-gnu.tar.gz"
 url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164231"
 provenance = "github-attestations"
 [tools.aube."platforms.linux-arm64-musl"]
 checksum = "sha256:9780776921db3a54fc3237f50b9686489d93115e26584c7a85d54ce96a8e9b39"
 url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-unknown-linux-musl.tar.gz"
 url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164229"
 provenance = "github-attestations"
 [tools.aube."platforms.linux-x64"]
 checksum = "sha256:16fcc40dfbaac110ce8f4e88728a440f2366094a45fd6c189bcbcc2b3ea31f06"
 url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-unknown-linux-gnu.tar.gz"
 url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164107"
 provenance = "github-attestations"
 [tools.aube."platforms.linux-x64-musl"]
 checksum = "sha256:2ee3821fd62b56bb39cb2ceffe6ad38975e35f82311ca7f9ec6ee28bc6d284b8"
 url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-unknown-linux-musl.tar.gz"
 url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164199"
 provenance = "github-attestations"
 [tools.aube."platforms.macos-arm64"]
 checksum = "sha256:4ce92482500f77f0779f288328cb7411f7ae2441b8618eae36a2ab5ea7591a32"
 url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-apple-darwin.tar.gz"
 url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410166750"
 provenance = "github-attestations"
 [tools.aube."platforms.windows-x64"]
 checksum = "sha256:916594efae8f8b59fc898913f96d199a21d212c7037043853ee04df7264611d0"
 url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-pc-windows-msvc.zip"
 url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410174742"
 provenance = "github-attestations"
 [[tools.communique]]
 version = "1.1.2"
 backend = "github:jdx/communique"
 [tools.communique."platforms.linux-arm64"]
 checksum = "sha256:7bb0843207fc3d7b5df2a5c0198bb10539cf13a6b247b4adfbf6b302a68f03de"
 url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-unknown-linux-gnu.tar.gz"
 url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964161"
 [tools.communique."platforms.linux-arm64-musl"]
 checksum = "sha256:b663407be77a370c209df40307b82e436f56a6bc23d4e423510d62ac6e1fedf4"
 url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-unknown-linux-musl.tar.gz"
 url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964743"
 [tools.communique."platforms.linux-x64"]
 checksum = "sha256:5e74ead7037f42940c7dba4f6aa4ed968920cbb55a047aa0d291b0c675c65676"
 url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-unknown-linux-gnu.tar.gz"
 url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405963914"
 provenance = "github-attestations"
 [tools.communique."platforms.linux-x64-musl"]
 checksum = "sha256:01a6a8b49e635a5a209fdaf6c7b2e976374debc2db1c846c033f567fdba0d86c"
 url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-unknown-linux-musl.tar.gz"
 url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964691"
 [tools.communique."platforms.macos-arm64"]
 checksum = "sha256:459993e31a6c4ccbd09882f5679a2bc1ea5d9068701ecefc411a00fb69ce82e6"
 url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-apple-darwin.tar.gz"
 url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964098"
 [tools.communique."platforms.windows-x64"]
 checksum = "sha256:3cc0e880ac2168aed3163223627bbd1eee62e07a9901cb85cb507c6c8927bc93"
 url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-pc-windows-msvc.zip"
 url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964430"
 [[tools.gh]]
 version = "2.92.0"
 backend = "aqua:cli/cli"
 [tools.gh."platforms.linux-arm64"]
 checksum = "sha256:c2248526dd0160c08d3fccca2332c3c1a07c15a78b23978e77735f1b5a18cfee"
 url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_arm64.tar.gz"
 provenance = "github-attestations"
 [tools.gh."platforms.linux-arm64-musl"]
 checksum = "sha256:c2248526dd0160c08d3fccca2332c3c1a07c15a78b23978e77735f1b5a18cfee"
 url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_arm64.tar.gz"
 provenance = "github-attestations"
 [tools.gh."platforms.linux-x64"]
 checksum = "sha256:b57848131bdf0c229cd35e1f2a51aa718199858b2e728410b37e89a428943ec4"
 url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_amd64.tar.gz"
 provenance = "github-attestations"
 [tools.gh."platforms.linux-x64-musl"]
 checksum = "sha256:b57848131bdf0c229cd35e1f2a51aa718199858b2e728410b37e89a428943ec4"
 url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_amd64.tar.gz"
 provenance = "github-attestations"
 [tools.gh."platforms.macos-arm64"]
 checksum = "sha256:b11c54f6bd7d15ed6590475079e5b2fcf36f45d3991a80041b29c9d0cc1f1d07"
 url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_macOS_arm64.zip"
 provenance = "github-attestations"
 [tools.gh."platforms.windows-x64"]
 checksum = "sha256:b6a8df3c8c6b9c80f290906387673bc4d272840f3789c5650e0e4e6e75522785"
 url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_windows_amd64.zip"
 provenance = "github-attestations"
 [[tools.git-cliff]]
 version = "2.13.1"
 backend = "aqua:orhun/git-cliff"
 [tools.git-cliff."platforms.linux-arm64"]
 checksum = "sha256:4054c124b926c117f3fa048939bc8be0a954f29f3b6f367627e8cb22c1971882"
 url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-unknown-linux-musl.tar.gz"
 [tools.git-cliff."platforms.linux-arm64-musl"]
 checksum = "sha256:4054c124b926c117f3fa048939bc8be0a954f29f3b6f367627e8cb22c1971882"
 url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-unknown-linux-musl.tar.gz"
 [tools.git-cliff."platforms.linux-x64"]
 checksum = "sha256:200d2535da6d9703f3bcc8a4d159c3b55eacdb01cf2148c55b3eee9dd04d5249"
 url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-musl.tar.gz"
 [tools.git-cliff."platforms.linux-x64-musl"]
 checksum = "sha256:200d2535da6d9703f3bcc8a4d159c3b55eacdb01cf2148c55b3eee9dd04d5249"
 url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-musl.tar.gz"
 [tools.git-cliff."platforms.macos-arm64"]
 checksum = "sha256:21547ae4a0421164070ab75c2522864ea5565858a011fabc5f583061b20f1226"
 url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-apple-darwin.tar.gz"
 [tools.git-cliff."platforms.windows-x64"]
 checksum = "sha256:3ae3a5549e85c7ad5b20192ebcfee4371269deca51255f6f2f2e051c6541f5ca"
 url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-pc-windows-msvc.zip"
 [[tools.node]]
 version = "24.15.0"
 backend = "core:node"
 [tools.node."platforms.linux-arm64"]
 checksum = "sha256:73afc234d558c24919875f51c2d1ea002a2ada4ea6f83601a383869fefa64eed"
 url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-arm64.tar.gz"
 [tools.node."platforms.linux-arm64-musl"]
 checksum = "sha256:31e98aa960a067da91edffd5d93bc46657b5d2a8029612c359f5f2ac0060152a"
 url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-arm64-musl.tar.gz"
 [tools.node."platforms.linux-x64"]
 checksum = "sha256:44836872d9aec49f1e6b52a9a922872db9a2b02d235a616a5681b6a85fec8d89"
 url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-x64.tar.gz"
 [tools.node."platforms.linux-x64-musl"]
 checksum = "sha256:f55af5bd489c5347b113ca6594cae00a54b30ba57ac5875324311bfc6f4762e3"
 url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-x64-musl.tar.gz"
 [tools.node."platforms.macos-arm64"]
 checksum = "sha256:372331b969779ab5d15b949884fc6eaf88d5afe87bde8ba881d6400b9100ffc4"
 url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-darwin-arm64.tar.gz"
 [tools.node."platforms.windows-x64"]
 checksum = "sha256:cc5149eabd53779ce1e7bdc5401643622d0c7e6800ade18928a767e940bb0e62"
 url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-win-x64.zip"
--- a/mise.toml
+++ b/mise.toml
@ -1,14 +1,9 @@
-tasks.pre-commit = ["aubr all", "git add dist"]
+tasks.pre-commit = ["npm run all", "git add dist"]
 tasks.test.alias = ["t"]
-tasks.test.run = ["aubr all"]
+tasks.test.run = ["npm run all"]
-tasks.lint = "aubr lint"
+tasks.lint = "bun run lint"
-tasks."lint:fix" = "aubr format:write"
+tasks."lint:fix" = "bun run format:write"
-tasks.version = "aube version"
+tasks.version = "npm version"
 tasks.release-plz = "./scripts/release-plz.sh"
 [tools]
 node = '24'
 aube = 'v1.9.1'
 git-cliff = 'latest'
 gh = 'latest'
 communique = 'latest'
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,9 +1,8 @@
 {
  "name": "mise-action",
  "description": "mise tool setup action",
-  "version": "4.0.1",
+  "version": "2.3.1",
  "author": "jdx",
  "type": "module",
  "private": true,
  "repository": {
    "type": "git",
@ -22,46 +21,33 @@
    "bundle": "npm run format:write && npm run package",
    "format:check": "prettier --check **/*.ts",
    "format:write": "prettier --write **/*.ts",
-    "lint": "eslint . && npm run format:check",
+    "lint": "npx eslint . && npm run format:check",
-    "package": "rimraf ./dist && rollup --config rollup.config.mjs",
+    "package": "ncc build -s src/index.ts --license licenses.txt",
    "package:watch": "npm run package -- --watch",
    "version": "./scripts/version.sh",
    "postversion": "./scripts/postversion.sh",
    "prepare": "husky"
  },
  "license": "MIT",
  "dependencies": {
-    "@actions/cache": "^6.0.0",
+    "@actions/cache": "^4.0.0",
-    "@actions/core": "^3.0.0",
+    "@actions/core": "^1.11.1",
-    "@actions/exec": "^3.0.0",
+    "@actions/exec": "^1.1.1",
-    "@actions/glob": "^0.7.0",
+    "@actions/glob": "^0.5.0"
    "@actions/io": "^3.0.0",
    "@types/handlebars": "^4.0.40",
    "handlebars": "^4.7.8"
  },
  "devDependencies": {
    "@eslint/eslintrc": "^3.2.0",
-    "@eslint/js": "^10.0.0",
+    "@eslint/js": "^9.15.0",
    "@rollup/plugin-commonjs": "^29.0.0",
    "@rollup/plugin-json": "^6.1.0",
    "@rollup/plugin-node-resolve": "^16.0.0",
    "@rollup/plugin-typescript": "^12.0.0",
    "@types/eslint__js": "^8.42.3",
    "@types/node": "^24",
-    "eslint": "^10.0.0",
+    "@vercel/ncc": "^0.38.3",
-    "globals": "^17.0.0",
+    "eslint": "^9.15.0",
    "globals": "^16.0.0",
    "husky": "^9.1.7",
    "jest": "^30",
    "js-yaml": "^4.1.0",
    "prettier": "^3.4.1",
-    "rimraf": "^6.0.0",
+    "typescript": "^5.7.2",
    "rollup": "^4.0.0",
    "rollup-plugin-license": "^3.7.1",
    "typescript": "^6.0.0",
    "typescript-eslint": "^8.16.0"
  },
  "aube": {
    "allowBuilds": {
      "unrs-resolver": false
    }
  }
 }
--- a/rollup.config.mjs
+++ b/rollup.config.mjs
@ -1,29 +0,0 @@
 import commonjs from '@rollup/plugin-commonjs'
 import json from '@rollup/plugin-json'
 import nodeResolve from '@rollup/plugin-node-resolve'
 import typescript from '@rollup/plugin-typescript'
 import license from 'rollup-plugin-license'
 import path from 'path'
 const config = {
  input: 'src/index.ts',
  output: {
    esModule: true,
    file: 'dist/index.js',
    format: 'es',
    sourcemap: true
  },
  plugins: [
    typescript(),
    nodeResolve({ preferBuiltins: true }),
    commonjs({ ignoreTryCatch: false }),
    json(),
    license({
      thirdParty: {
        output: path.resolve('dist', 'licenses.txt')
      }
    })
  ]
 }
 export default config
--- a/scripts/postversion.sh
+++ b/scripts/postversion.sh
@ -2,35 +2,14 @@
 set -euxo pipefail
 VERSION=$(jq -r .version package.json)
 MAJOR_VERSION=$(echo "$VERSION" | cut -d. -f1)
 # Configure git to use gh's credential helper. The checkout step uses
 # persist-credentials: false (per zizmor's artipacked audit), so the
 # token isn't written to .git/config and raw `git push` would 403.
 gh auth setup-git
 # create the version tag (allow it to fail if it already exists)
 git tag "v$VERSION" || echo "Tag v$VERSION already exists locally"
 # push changes to github
 git push
 # push the current tag to github
-git push origin "v$VERSION" || echo "Tag v$VERSION already exists on remote"
+git push origin "v$VERSION"
-
+# set the v1 tag to this release
-# set the major version tag to this release
+git tag v2 -f
-git tag "v$MAJOR_VERSION" -f
+# push the v1 tag to github
-# push the major version tag to github (retry with pull if it fails)
+git push origin v2 -f
-if ! git push origin "v$MAJOR_VERSION" -f; then
+# create a release on github
-  echo "Failed to push v$MAJOR_VERSION tag, pulling and retrying..."
+gh release create "v$VERSION" --generate-notes --verify-tag
  git fetch origin "refs/tags/v$MAJOR_VERSION:refs/tags/v$MAJOR_VERSION" -f
  git tag "v$MAJOR_VERSION" -f
  git push origin "v$MAJOR_VERSION" -f
 fi
 # check if release already exists before creating
 if gh release view "v$VERSION" >/dev/null 2>&1; then
  echo "Release v$VERSION already exists, skipping creation"
 else
  # create a release on github
  gh release create "v$VERSION" --generate-notes --verify-tag
 fi
--- a/scripts/release-plz.sh
+++ b/scripts/release-plz.sh
@ -1,84 +0,0 @@
 #!/usr/bin/env bash
 # shellcheck shell=bash
 set -euxo pipefail
 # Get the current package.json version before any modifications
 cur_pkg_version="$(jq -r .version package.json)"
 # Get the latest GitHub release version
 latest_release="$(gh release view --json tagName --jq .tagName 2>/dev/null || echo "")"
 latest_release_version="${latest_release#v}"
 # Check if package.json version is newer than the latest release
 if [ -n "$latest_release_version" ] && [ "$cur_pkg_version" = "$latest_release_version" ]; then
 	echo "Package version $cur_pkg_version matches latest release $latest_release. Nothing to release."
 	# Still check if we need to create a new PR for unreleased changes
 	# Get the latest released version tag
 	latest_tag="$(git tag --list | grep -E '^v[0-9]+\.[0-9]+\.[0-9]+(-rc\.[0-9]+)?$' | sort -V | tail -1)"
 	# Check if there are commits since the last release
 	if [ -n "$latest_tag" ]; then
 		commits_since_release="$(git rev-list "$latest_tag"..HEAD --count)"
 		if [ "$commits_since_release" -eq 0 ]; then
 			echo "No commits since last release $latest_tag"
 			exit 0
 		fi
 		echo "Found $commits_since_release commits since $latest_tag"
 	fi
 	# Get the next version and changelog from git-cliff
 	version="$(git cliff --bumped-version)"
 	changelog="$(git cliff --bump --unreleased | tail -n +2)"
 	if [ "${DRY_RUN:-1}" == 1 ]; then
 		echo "version: $version"
 		echo "changelog: $changelog"
 		exit 0
 	fi
 	# Check if there are any unreleased changes
 	if [ -z "$changelog" ] || [ "$changelog" = "<!-- generated by git-cliff -->" ]; then
 		echo "No unreleased changes found"
 		exit 0
 	fi
 	# Configure git for automated commits
 	git config user.name mise-en-dev
 	git config user.email 123107610+mise-en-dev@users.noreply.github.com
 	# Configure git to use gh's credential helper. The checkout step uses
 	# persist-credentials: false (per zizmor's artipacked audit), so the
 	# token isn't written to .git/config and raw `git push` would 403.
 	gh auth setup-git
 	# Create a PR with the version bump
 	npm version "${version#v}" --no-git-tag-version
 	git add package.json package-lock.json
 	git status
 	# Create release branch and commit
 	git checkout -B release
 	git commit -m "chore: release $version"
 	# Push to release branch
 	git push origin release --force
 	# Create or update PR
 	if gh pr create --title "chore: release $version" --body "$changelog" --label "release"; then
 		echo "Created new release PR"
 	else
 		gh pr edit --title "chore: release $version" --body "$changelog"
 		echo "Updated existing release PR"
 	fi
 elif [ -n "$cur_pkg_version" ] && [ "$cur_pkg_version" != "$latest_release_version" ]; then
 	# Package version is different from latest release
 	echo "Package version v$cur_pkg_version is newer than latest release $latest_release."
 	echo "Release will be created by the release.yml workflow when the PR is merged."
 	# Exit successfully - the release.yml workflow handles actual release creation
 	exit 0
 else
 	echo "No action needed"
 	exit 0
 fi
--- a/scripts/test.sh
+++ b/scripts/test.sh
@ -2,10 +2,10 @@
 set -euxo pipefail
 function assert_equal() {
-	if [ "$1" != "$2" ]; then
+  if [ "$1" != "$2" ]; then
-		echo "Assertion failed: Expected '$1', got '$2'" >&2
+    echo "Assertion failed: Expected '$1', got '$2'" >&2
-		return 1
+    return 1
-	fi
+  fi
 }
 EXPECTED_OUTPUT="jq-1.7.1"
@ -14,8 +14,5 @@ which jq
 # windows bash does not seem to work with shims
 if [[ "$(uname)" != "MINGW"* ]]; then
-	assert_equal "$EXPECTED_OUTPUT" "$(jq --version)"
+  assert_equal "$EXPECTED_OUTPUT" "$(jq --version)"
 fi
 # checking that environment variables set in mise.toml are properly set
 assert_equal "${MY_ENV_VAR}" "abc"
--- a/src/index.ts
+++ b/src/index.ts
@ -7,40 +7,6 @@ import * as crypto from 'crypto'
 import * as fs from 'fs'
 import * as os from 'os'
 import * as path from 'path'
 import * as Handlebars from 'handlebars'
 // Configuration file patterns for cache key generation
 const MISE_CONFIG_FILE_PATTERNS = [
  `**/.config/mise/config.toml`,
  `**/.config/mise/config.lock`,
  `**/.config/mise/config.*.toml`,
  `**/.config/mise/config.*.lock`,
  `**/.config/mise.toml`,
  `**/.config/mise.lock`,
  `**/.config/mise.*.toml`,
  `**/.config/mise.*.lock`,
  `**/.mise/config.toml`,
  `**/.mise/config.lock`,
  `**/.mise/config.*.toml`,
  `**/.mise/config.*.lock`,
  `**/mise/config.toml`,
  `**/mise/config.lock`,
  `**/mise/config.*.toml`,
  `**/mise/config.*.lock`,
  `**/.mise.toml`,
  `**/.mise.lock`,
  `**/.mise.*.toml`,
  `**/.mise.*.lock`,
  `**/mise.toml`,
  `**/mise.lock`,
  `**/mise.*.toml`,
  `**/mise.*.lock`,
  `**/.tool-versions`
 ]
 // Default cache key template
 const DEFAULT_CACHE_KEY_TEMPLATE =
  '{{cache_key_prefix}}-{{platform}}{{#if version}}-{{version}}{{/if}}{{#if mise_env}}-{{mise_env}}{{/if}}{{#if install_args_hash}}-{{install_args_hash}}{{/if}}-{{#if file_hash}}{{file_hash}}{{else}}no-config{{/if}}'
 async function run(): Promise<void> {
  try {
@ -54,28 +20,8 @@ async function run(): Promise<void> {
      core.setOutput('cache-hit', false)
    }
    // Wings opt-in hook (experimental). When
    // `wings_enabled: true` is set, this exports
    // `MISE_WINGS_ENABLED=1` so subsequent `mise install`
    // commands in this workflow route through the wings
    // cache. Default `false` so workflows with
    // `id-token: write` (used for SLSA / AWS-OIDC / Sigstore /
    // etc.) don't silently send the runner's OIDC token to
    // a third-party cache without explicit consent.
    //
    // Note: `setupMise` fetches the mise binary itself with
    // `curl`, which doesn't go through mise's HTTP layer —
    // the wings rewriter only kicks in once the resulting
    // mise binary runs `mise install` and friends. Ordering
    // here is irrelevant for binary acceleration; we just
    // want the env var set before any `mise` subcommand
    // runs. Greptile + Gemini both flagged the previous
    // comment as overstating what the early call accelerates.
    setupWings()
    const version = core.getInput('version')
-    const fetchFromGitHub = core.getBooleanInput('fetch_from_github')
+    await setupMise(version)
    await setupMise(version, fetchFromGitHub)
    await setEnvVars()
    if (core.getBooleanInput('reshim')) {
      await miseReshim()
@ -88,149 +34,12 @@ async function run(): Promise<void> {
      }
    }
    await miseLs()
    const loadEnv = core.getBooleanInput('env')
    if (loadEnv) {
      await exportMiseEnv()
    }
  } catch (err) {
    if (err instanceof Error) core.setFailed(err.message)
    else throw err
  }
 }
 /**
 * Opt in to mise-wings caching for this workflow run. When
 * `wings_enabled: true`, exports `MISE_WINGS_ENABLED=1` so
 * subsequent `mise install` commands route through the
 * cache.
 *
 * Mise itself owns the OIDC → wings session exchange — when
 * it sees `MISE_WINGS_ENABLED=1` and the GHA OIDC env vars
 * (`ACTIONS_ID_TOKEN_REQUEST_URL` +
 * `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it fetches the runner's
 * OIDC token, exchanges it at the proxy's `POST /auth`
 * route, and caches the resulting session JWT for the rest
 * of the process.
 *
 * Pre-flight check: `id-token: write` permission must be
 * declared at the workflow or job level for the OIDC env
 * vars to be present. We log a warning when wings is
 * enabled but the env vars are absent — without this hint,
 * the user sees a transparent "wings configured but doing
 * nothing" which is hard to debug.
 */
 function setupWings(): void {
  if (!core.getBooleanInput('wings_enabled')) {
    return
  }
  core.exportVariable('MISE_WINGS_ENABLED', '1')
  core.info(
    "mise-wings: enabled. mise will exchange the runner's OIDC token for a wings session on first use."
  )
  const oidcUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL
  const oidcToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
  if (!oidcUrl || !oidcToken) {
    core.warning(
      'mise-wings: GHA OIDC env vars are missing. Add ' +
        '`permissions: id-token: write` at the workflow or job ' +
        'level so the runner can mint OIDC tokens. Without this, ' +
        'mise falls through to direct-origin fetches and the cache ' +
        'is bypassed.'
    )
  }
 }
 async function exportMiseEnv(): Promise<void> {
  core.startGroup('Exporting mise environment variables')
  const cwd = getCwd()
  // Check if mise supports --redacted flags based on version input
  const supportsRedacted = checkMiseSupportsRedacted()
  if (supportsRedacted) {
    try {
      // First, get the redacted values to identify what needs masking
      const redactedOutput = await exec.getExecOutput(
        'mise',
        ['env', '--redacted', '--json'],
        { silent: true, cwd }
      )
      const redactedVars = JSON.parse(redactedOutput.stdout)
      // Mask sensitive values in GitHub Actions
      for (const [key, actualValue] of Object.entries(redactedVars)) {
        core.setSecret(actualValue as string)
        core.info(`Masked sensitive value for: ${key}`)
      }
      // Then get the actual values
      const actualOutput = await exec.getExecOutput('mise', ['env', '--json'], {
        cwd
      })
      const actualVars = JSON.parse(actualOutput.stdout)
      // Export all environment variables
      for (const [key, value] of Object.entries(actualVars)) {
        if (typeof value === 'string') {
          core.exportVariable(key, value)
        }
      }
    } catch {
      // Fall back to dotenv format if the redacted command fails
      core.info('Falling back to dotenv format')
      const output = await exec.getExecOutput('mise', ['env', '--dotenv'], {
        cwd
      })
      fs.appendFileSync(process.env.GITHUB_ENV!, output.stdout)
    }
  } else {
    // Fall back to the old --dotenv format for older versions
    const output = await exec.getExecOutput('mise', ['env', '--dotenv'], {
      cwd
    })
    fs.appendFileSync(process.env.GITHUB_ENV!, output.stdout)
  }
  core.endGroup()
 }
 function cleanVersion(version: string) {
  // remove 'v' prefix if present
  return version.replace(/^v/, '')
 }
 function checkMiseSupportsRedacted(): boolean {
  const version = core.getInput('version')
  // If no version is specified, assume latest which supports redacted
  if (!version) {
    return true
  }
  const versionMatch = cleanVersion(version).match(/^(\d+)\.(\d+)\.(\d+)/)
  if (!versionMatch) {
    // If we can't parse the version, assume it supports redacted
    return true
  }
  const [, year, month, patch] = versionMatch
  const yearNum = parseInt(year, 10)
  const monthNum = parseInt(month, 10)
  const patchNum = parseInt(patch, 10)
  // Check if version is >= 2025.8.17
  if (yearNum > 2025) return true
  if (yearNum === 2025) {
    if (monthNum > 8) return true
    if (monthNum === 8 && patchNum >= 17) return true
  }
  return false
 }
 async function setEnvVars(): Promise<void> {
  core.startGroup('Setting env vars')
  const set = (k: string, v: string): void => {
@ -246,32 +55,75 @@ async function setEnvVars(): Promise<void> {
  const githubToken = core.getInput('github_token')
  if (githubToken) {
-    // Don't use GITHUB_TOKEN, use MISE_GITHUB_TOKEN instead to avoid downstream issues.
+    set('GITHUB_TOKEN', githubToken)
    set('MISE_GITHUB_TOKEN', githubToken)
  } else {
    core.warning(
-      'No MISE_GITHUB_TOKEN provided. You may hit GitHub API rate limits when installing tools from GitHub.'
+      'No GITHUB_TOKEN provided. You may hit GitHub API rate limits when installing tools from GitHub.'
    )
  }
  set('MISE_TRUSTED_CONFIG_PATHS', process.cwd())
  set('MISE_YES', '1')
-  if (core.getBooleanInput('add_shims_to_path')) {
+  const shimsDir = path.join(miseDir(), 'shims')
-    const shimsDir = path.join(miseDir(), 'shims')
+  core.info(`Adding ${shimsDir} to PATH`)
-    core.info(`Adding ${shimsDir} to PATH`)
+  core.addPath(shimsDir)
    core.addPath(shimsDir)
  }
 }
 async function restoreMiseCache(): Promise<string | undefined> {
  core.startGroup('Restoring mise cache')
  const version = core.getInput('version')
  const installArgs = core.getInput('install_args')
  const { MISE_ENV } = process.env
  const cachePath = miseDir()
-
+  const fileHash = await glob.hashFiles(
-  // Use custom cache key if provided, otherwise use default template
+    [
-  const cacheKeyTemplate =
+      `**/.config/mise/config.toml`,
-    core.getInput('cache_key') || DEFAULT_CACHE_KEY_TEMPLATE
+      `**/.config/mise/config.lock`,
-  const primaryKey = await processCacheKeyTemplate(cacheKeyTemplate)
+      `**/.config/mise/config.*.toml`,
      `**/.config/mise/config.*.lock`,
      `**/.config/mise.toml`,
      `**/.config/mise.lock`,
      `**/.config/mise.*.toml`,
      `**/.config/mise.*.lock`,
      `**/.mise/config.toml`,
      `**/.mise/config.lock`,
      `**/.mise/config.*.toml`,
      `**/.mise/config.*.lock`,
      `**/mise/config.toml`,
      `**/mise/config.lock`,
      `**/mise/config.*.toml`,
      `**/mise/config.*.lock`,
      `**/.mise.toml`,
      `**/.mise.lock`,
      `**/.mise.*.toml`,
      `**/.mise.*.lock`,
      `**/mise.toml`,
      `**/mise.lock`,
      `**/mise.*.toml`,
      `**/mise.*.lock`,
      `**/.tool-versions`
    ].join('\n')
  )
  const prefix = core.getInput('cache_key_prefix') || 'mise-v0'
  let primaryKey = `${prefix}-${await getTarget()}-${fileHash}`
  if (version) {
    primaryKey = `${primaryKey}-${version}`
  }
  if (MISE_ENV) {
    primaryKey = `${primaryKey}-${MISE_ENV}`
  }
  if (installArgs) {
    const tools = installArgs
      .split(' ')
      .filter(arg => !arg.startsWith('-'))
      .sort()
      .join(' ')
    if (tools) {
      const toolsHash = crypto.createHash('sha256').update(tools).digest('hex')
      primaryKey = `${primaryKey}-${toolsHash}`
    }
  }
  core.saveState('PRIMARY_KEY', primaryKey)
  core.saveState('MISE_DIR', cachePath)
@ -287,17 +139,12 @@ async function restoreMiseCache(): Promise<string | undefined> {
  core.info(`mise cache restored from key: ${cacheKey}`)
 }
-async function setupMise(
+async function setupMise(version: string): Promise<void> {
  version: string,
  fetchFromGitHub = false
 ): Promise<void> {
  const miseBinDir = path.join(miseDir(), 'bin')
  const miseBinPath = path.join(
    miseBinDir,
    process.platform === 'win32' ? 'mise.exe' : 'mise'
  )
  const miseShimPath = path.join(miseBinDir, 'mise-shim.exe')
  let installedVersion: string | undefined
  if (!fs.existsSync(path.join(miseBinPath))) {
    core.startGroup(version ? `Download mise@${version}` : 'Setup mise')
    await fs.promises.mkdir(miseBinDir, { recursive: true })
@ -309,25 +156,15 @@ async function setupMise(
          : (await zstdInstalled())
            ? '.tar.zst'
            : '.tar.gz'
-    let resolvedVersion = version || (await latestMiseVersion())
+    version = (version || (await latestMiseVersion())).replace(/^v/, '')
-    resolvedVersion = resolvedVersion.replace(/^v/, '')
+    const url = `https://github.com/jdx/mise/releases/download/v${version}/mise-v${version}-${await getTarget()}${ext}`
-    let url: string
+    const archivePath = path.join(os.tmpdir(), `mise${ext}`)
    if (!fetchFromGitHub && !version) {
      // Only for latest version
      url = `https://mise.jdx.dev/mise-latest-${await getTarget()}${ext}`
    } else {
      url = `https://github.com/jdx/mise/releases/download/v${resolvedVersion}/mise-v${resolvedVersion}-${await getTarget()}${ext}`
    }
    installedVersion = resolvedVersion
    switch (ext) {
-      case '.zip': {
+      case '.zip':
-        await withExtractedZip(url, 'mise.zip', async extractDir => {
+        await exec.exec('curl', ['-fsSL', url, '--output', archivePath])
-          const extractedMiseBinDir = path.join(extractDir, 'mise', 'bin')
+        await exec.exec('unzip', [archivePath, '-d', os.tmpdir()])
-          await io.mv(path.join(extractedMiseBinDir, 'mise.exe'), miseBinPath)
+        await io.mv(path.join(os.tmpdir(), 'mise/bin/mise.exe'), miseBinPath)
          await installWindowsMiseShim(extractedMiseBinDir, miseShimPath)
        })
        break
      }
      case '.tar.zst':
        await exec.exec('sh', [
          '-c',
@ -345,119 +182,10 @@ async function setupMise(
        await exec.exec('chmod', ['+x', miseBinPath])
        break
    }
  } else {
    const requestedVersion = cleanVersion(core.getInput('version'))
    if (requestedVersion !== '') {
      installedVersion = await getInstalledMiseVersion(miseBinPath)
      if (requestedVersion === installedVersion) {
        core.info(`mise already installed`)
      } else {
        core.info(
          `mise already installed (${installedVersion}), but different version requested (${requestedVersion})`
        )
        await exec.exec(miseBinPath, ['self-update', requestedVersion, '-y'])
        core.info(`mise updated to version ${requestedVersion}`)
        installedVersion = requestedVersion
      }
    }
  }
  await ensureWindowsMiseShim(miseBinPath, miseShimPath, installedVersion)
  // compare with provided hash
  const want = core.getInput('sha256')
  if (want) {
    const hash = crypto.createHash('sha256')
    const fileBuffer = await fs.promises.readFile(miseBinPath)
    const got = hash.update(fileBuffer).digest('hex')
    if (got !== want) {
      throw new Error(
        `SHA256 mismatch: expected ${want}, got ${got} for ${miseBinPath}`
      )
    }
  }
  core.addPath(miseBinDir)
 }
 async function withExtractedZip(
  url: string,
  archiveName: string,
  fn: (extractDir: string) => Promise<void>
 ): Promise<void> {
  const tempDir = await fs.promises.mkdtemp(
    path.join(os.tmpdir(), 'mise-action-')
  )
  try {
    const archivePath = path.join(tempDir, archiveName)
    const extractDir = path.join(tempDir, 'extract')
    await exec.exec('curl', ['-fsSL', url, '--output', archivePath])
    await exec.exec('unzip', [archivePath, '-d', extractDir])
    await fn(extractDir)
  } finally {
    await io.rmRF(tempDir)
  }
 }
 async function installWindowsMiseShim(
  extractedMiseBinDir: string,
  miseShimPath: string
 ): Promise<void> {
  if (process.platform !== 'win32') return
  const extractedMiseShimPath = path.join(extractedMiseBinDir, 'mise-shim.exe')
  if (!fs.existsSync(extractedMiseShimPath)) {
    core.info('mise-shim.exe not found in the mise archive; skipping')
    return
  }
  await io.mv(extractedMiseShimPath, miseShimPath)
 }
 async function ensureWindowsMiseShim(
  miseBinPath: string,
  miseShimPath: string,
  version?: string
 ): Promise<void> {
  if (process.platform !== 'win32') return
  if (fs.existsSync(miseShimPath)) return
  core.info(
    'mise-shim.exe not found next to mise.exe; installing it from the matching release archive'
  )
  try {
    const installedVersion =
      version || (await getInstalledMiseVersion(miseBinPath))
    const archiveName = `mise-v${installedVersion}-${await getTarget()}.zip`
    const url = `https://github.com/jdx/mise/releases/download/v${installedVersion}/${archiveName}`
    await withExtractedZip(url, archiveName, async extractDir => {
      await installWindowsMiseShim(
        path.join(extractDir, 'mise', 'bin'),
        miseShimPath
      )
    })
  } catch (err) {
    core.warning(
      `Failed to install mise-shim.exe: ${errorMessage(err)}. Continuing because mise can fall back to file shim mode on Windows.`
    )
  }
 }
 async function getInstalledMiseVersion(miseBinPath: string): Promise<string> {
  const versionOutput = await exec.getExecOutput(
    miseBinPath,
    ['version', '--json'],
    { silent: true }
  )
  const versionJson = JSON.parse(versionOutput.stdout) as { version: string }
  return cleanVersion(versionJson.version.split(' ')[0])
 }
 function errorMessage(err: unknown): string {
  return err instanceof Error ? err.message : String(err)
 }
 async function zstdInstalled(): Promise<boolean> {
  try {
    await exec.exec('zstd', ['--version'])
@ -493,18 +221,16 @@ const testMise = async (): Promise<number> => mise(['--version'])
 const miseInstall = async (): Promise<number> =>
  mise([`install ${core.getInput('install_args')}`])
 const miseLs = async (): Promise<number> => mise([`ls`])
-const miseReshim = async (): Promise<number> => mise([`reshim`, `-f`])
+const miseReshim = async (): Promise<number> => mise([`reshim`, `--all`])
 const mise = async (args: string[]): Promise<number> =>
-  await core.group(`Running mise ${args.join(' ')}`, async () => {
+  core.group(`Running mise ${args.join(' ')}`, async () => {
-    const cwd = getCwd()
+    const cwd =
-    const baseEnv = Object.fromEntries(
+      core.getInput('working_directory') ||
-      Object.entries(process.env).filter(
+      core.getInput('install_dir') ||
-        (entry): entry is [string, string] => entry[1] !== undefined
+      process.cwd()
      )
    )
    const env = core.isDebug()
-      ? { ...baseEnv, MISE_LOG_LEVEL: 'debug' }
+      ? { ...process.env, MISE_LOG_LEVEL: 'debug' }
-      : baseEnv
+      : undefined
    if (args.length === 1) {
      return exec.exec(`mise ${args}`, [], {
@ -517,28 +243,17 @@ const mise = async (args: string[]): Promise<number> =>
  })
 const writeFile = async (p: fs.PathLike, body: string): Promise<void> =>
-  await core.group(`Writing ${p}`, async () => {
+  core.group(`Writing ${p}`, async () => {
    core.info(`Body:\n${body}`)
    await fs.promises.writeFile(p, body, { encoding: 'utf8' })
  })
 run()
 function getCwd(): string {
  return (
    core.getInput('working_directory') ||
    core.getInput('install_dir') ||
    process.cwd()
  )
 }
 function miseDir(): string {
  const dir = core.getState('MISE_DIR')
  if (dir) return dir
  const miseDir = core.getInput('mise_dir')
  if (miseDir) return miseDir
  const { MISE_DATA_DIR, XDG_DATA_HOME, LOCALAPPDATA } = process.env
  if (MISE_DATA_DIR) return MISE_DATA_DIR
  if (XDG_DATA_HOME) return path.join(XDG_DATA_HOME, 'mise')
@ -549,7 +264,7 @@ function miseDir(): string {
 }
 async function saveCache(cacheKey: string): Promise<void> {
-  await core.group(`Saving mise cache`, async () => {
+  core.group(`Saving mise cache`, async () => {
    const cachePath = miseDir()
    if (!fs.existsSync(cachePath)) {
@ -564,7 +279,11 @@ async function saveCache(cacheKey: string): Promise<void> {
 }
 async function getTarget(): Promise<string> {
-  const arch = process.arch === 'arm' ? 'armv7' : process.arch
+  let { arch } = process
  // quick overwrite to abide by release format
  if (arch === 'arm') arch = 'armv7' as NodeJS.Architecture
  switch (process.platform) {
    case 'darwin':
      return `macos-${arch}`
@ -577,68 +296,6 @@ async function getTarget(): Promise<string> {
  }
 }
 /**
 * Identifies the runner image so cached binaries from one provider
 * (github-hosted, namespace.so, BuildJet, self-hosted) aren't restored
 * onto another provider's image where their compiled-in paths and libc
 * versions don't match. GitHub-hosted images export `ImageOS`
 * (e.g. "macos15", "ubuntu24"); other runners leave it unset and pool
 * under "self-hosted".
 */
 function getRunnerImageId(): string {
  return process.env.ImageOS || 'self-hosted'
 }
 async function processCacheKeyTemplate(template: string): Promise<string> {
  // Get all available variables
  const version = core.getInput('version')
  const installArgs = core.getInput('install_args')
  const cacheKeyPrefix = core.getInput('cache_key_prefix') || 'mise-v1'
  const miseEnv = process.env.MISE_ENV?.replace(/,/g, '-')
  const platform = `${await getTarget()}-${getRunnerImageId()}`
  // Calculate file hash
  const fileHash = await glob.hashFiles(MISE_CONFIG_FILE_PATTERNS.join('\n'))
  // Calculate install args hash
  let installArgsHash = ''
  if (installArgs) {
    const tools = installArgs
      .split(' ')
      .filter(arg => !arg.startsWith('-'))
      .sort()
      .join(' ')
    if (tools) {
      installArgsHash = crypto.createHash('sha256').update(tools).digest('hex')
    }
  }
  // Prepare base template data
  const baseTemplateData = {
    version,
    cache_key_prefix: cacheKeyPrefix,
    platform,
    file_hash: fileHash,
    mise_env: miseEnv,
    install_args_hash: installArgsHash
  }
  // Calculate the default cache key by processing the default template
  const defaultTemplate = Handlebars.compile(DEFAULT_CACHE_KEY_TEMPLATE)
  const defaultCacheKey = defaultTemplate(baseTemplateData)
  // Prepare final template data including the default cache key and env variables
  const templateData = {
    ...baseTemplateData,
    default: defaultCacheKey,
    env: process.env
  }
  // Compile and execute the user's template
  const compiledTemplate = Handlebars.compile(template)
  return compiledTemplate(templateData)
 }
 async function isMusl() {
  // `ldd --version` always returns 1 and print to stderr
  const { stderr } = await exec.getExecOutput('ldd', ['--version'], {
--- a/tsconfig.json
+++ b/tsconfig.json
@ -13,9 +13,7 @@
    "forceConsistentCasingInFileNames": true,
    "strict": true,
    "skipLibCheck": true,
-    "newLine": "lf",
+    "newLine": "lf"
    "isolatedModules": true,
    "allowSyntheticDefaultImports": true
  },
  "exclude": ["./dist", "./node_modules", "./__tests__", "./coverage"]
 }