fix(ci): add gh auth setup-git to release-plz.sh (#473)

## Summary
- Follow-up to [#471](https://github.com/jdx/mise-action/pull/471): the
release-plz checkout now uses `persist-credentials: false`, so the token
isn't written to `.git/config` and `git push origin release --force` in
[scripts/release-plz.sh](scripts/release-plz.sh) would 403.
- Mirror the workaround already applied to
[scripts/postversion.sh:9](scripts/postversion.sh:9) by calling `gh auth
setup-git` after the `git config user.{name,email}` block, before any
`git push`.

Flagged by Cursor Bugbot on
https://github.com/jdx/mise-action/pull/471#pullrequestreview-4275760577.

## Test plan
- [ ] Next scheduled release-plz run (or manual `workflow_dispatch`)
successfully pushes the `release` branch without a 403.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk CI-only change that affects the release automation path; main
impact is whether the workflow can successfully push the `release`
branch.
> 
> **Overview**
> Fixes the `scripts/release-plz.sh` release automation to run `gh auth
setup-git` after setting the git author, ensuring `git push` works when
`actions/checkout` uses `persist-credentials: false`.
> 
> This prevents 403 failures when pushing the forced `release` branch
during automated version bump PR creation.
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
f69419101e. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/renovate.json

@@ -1,14 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": [
-    "github>jdx/renovate-config"
-  ],
-  "postUpgradeTasks": {
-    "commands": ["npm run all"],
-    "fileFilters": ["dist/**/*"],
-    "executionMode": "branch"
-  },
-  "allowedCommands": [
-    ".*"
-  ]
+  "extends": ["github>jdx/renovate-config"],
+  "gitIgnoredAuthors": ["autofix.ci[bot] <autofix.ci[bot]@users.noreply.github.com>"],
+  "rebaseWhen": "conflicted"
 }

.github/workflows/check-dist.yml

@@ -31,21 +31,19 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
-      - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: 18
-          cache: npm
+          persist-credentials: false
+
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
 
       - name: Install Dependencies
         id: install
-        run: npm ci
+        run: aube ci
 
       - name: Build dist/ Directory
         id: build
-        run: npm run bundle
+        run: aubr bundle
 
       - name: Compare Expected and Actual Directories
         id: diff
@@ -58,7 +56,7 @@ jobs:
 
       # If index.js was different than expected, upload the expected version as
       # a workflow artifact.
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+      - uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}
         with:
           name: dist

.github/workflows/ci.yml

@@ -7,6 +7,9 @@ on:
       - main
       - 'releases/*'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -19,26 +22,31 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-
-      - name: Setup Node.js
-        id: setup-node
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          node-version: 18
-          cache: npm
+          persist-credentials: false
+
+      # `mise.toml` pins both Node and aube; mise-action installs
+      # whatever's listed there. Reads `package-lock.json`
+      # directly — no separate `aube-lock.yaml` to maintain.
+      # `.npmrc` pins `node-linker=hoisted` so the layout is
+      # npm-flat (rollup's `--configPlugin` resolution
+      # requires this).
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+        with:
+          cache: false
 
       - name: Install Dependencies
-        id: npm-ci
-        run: npm ci
+        id: aube-ci
+        run: aube ci
 
       - name: Check Format
-        id: npm-format-check
-        run: npm run format:check
+        id: aube-format-check
+        run: aubr format:check
 
       - name: Lint
-        id: npm-lint
-        run: npm run lint
+        id: aube-lint
+        run: aubr lint
 
       # - name: Test
       #   id: npm-ci-test

.github/workflows/codeql-analysis.yml

@@ -34,19 +34,21 @@ jobs:
     steps:
       - name: Checkout
         id: checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         id: initialize
-        uses: github/codeql-action/init@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
         with:
           languages: ${{ matrix.language }}
           source-root: src
 
       - name: Autobuild
         id: autobuild
-        uses: github/codeql-action/autobuild@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3
+        uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
 
       - name: Perform CodeQL Analysis
         id: analyze
-        uses: github/codeql-action/analyze@51f77329afa6477de8c49fc9c7046c15b9a4e79d # v3
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4

.github/workflows/pr-closer.yml

@@ -0,0 +1,31 @@
+name: pr-closer
+
+on:
+  schedule:
+    - cron: "0 0 * * *" # daily at midnight
+  workflow_dispatch:
+
+jobs:
+  close-stale-prs:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Close stale PRs
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh pr list -R "${{ github.repository }}" --state open --json number,author,labels,updatedAt,statusCheckRollup --limit 100 | \
+          jq -r '.[] | select(
+            (.updatedAt | fromdateiso8601) < (now - 30*24*60*60) and
+            .author.login != "jdx" and
+            ([.labels[].name] | index("keep-open") | not)
+          ) | [.number, (if (.statusCheckRollup | length > 0) and (.statusCheckRollup | any(.conclusion == "FAILURE" or .conclusion == "failure")) then "failing" else "passing" end)] | @tsv' | \
+          while read -r pr status; do
+            echo "Closing PR #$pr (checks: $status)"
+            if [ "$status" = "failing" ]; then
+              gh pr close "$pr" -R "${{ github.repository }}" -c "This PR has been open for more than 30 days without activity. Note: CI checks were failing, which may be why it wasn't reviewed. Feel free to reopen or create a new PR if you'd like to continue working on this."
+            else
+              gh pr close "$pr" -R "${{ github.repository }}" -c "This PR has been open for more than 30 days without activity. Feel free to reopen or create a new PR if you'd like to continue working on this."
+            fi
+          done

.github/workflows/release-plz.yml

@@ -21,12 +21,13 @@ jobs:
   release-plz:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           submodules: recursive
           token: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}
-      - uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2
+          persist-credentials: false
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
       - run: mise run release-plz
         env:
           DRY_RUN: 0

.github/workflows/release.yml

@@ -5,24 +5,45 @@ on:
     types: [closed]
     branches: [main]
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   release:
     if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'release')
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
       - name: Setup mise
-        uses: jdx/mise-action@c37c93293d6b742fc901e1406b8f764f6fb19dac # v2
+        uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
 
       - name: Release
         run: ./scripts/postversion.sh
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  enhance-release:
+    needs: [release]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - name: Enhance release notes with communique
+        run: |
+          TAG_NAME="v$(jq -r .version package.json)"
+          communique generate "$TAG_NAME" --github-release
+        env:
+          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.RELEASE_PLZ_GITHUB_TOKEN }}

.github/workflows/semantic-pr-lint.yml

@@ -1,19 +0,0 @@
-name: semantic-pr-lint
-
-on:
-  pull_request_target:
-    types:
-      - opened
-      - edited
-      - reopened
-
-jobs:
-  main:
-    name: Validate PR title
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: read
-    steps:
-      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test-redacted-env.yml

@@ -0,0 +1,77 @@
+name: Test Redacted Environment Variables
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  test-redacted-env:
+    runs-on: ubuntu-latest
+    
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      
+      - name: Create test mise config with sensitive values
+        run: |
+          cat > .mise.toml << 'EOF'
+          [env]
+          PUBLIC_VAR = "this-is-public"
+          API_KEY = {value = "secret-api-key-12345", redact = true}
+          SECRET_TOKEN = {value = "supersecret-token-xyz", redact = true}
+          DATABASE_PASSWORD = {value = "db-pass-789", redact = true}
+          EOF
+      
+      - name: Setup mise
+        uses: ./
+      
+      - name: Verify environment variables are exported
+        run: |
+          echo "Checking if environment variables are set..."
+          
+          # Check that public var is set
+          if [ "$PUBLIC_VAR" != "this-is-public" ]; then
+            echo "ERROR: PUBLIC_VAR not set correctly"
+            exit 1
+          fi
+          echo "✓ PUBLIC_VAR is set correctly"
+          
+          # Check that sensitive vars are set (but their values should be masked in logs)
+          if [ -z "$API_KEY" ]; then
+            echo "ERROR: API_KEY not set"
+            exit 1
+          fi
+          echo "✓ API_KEY is set"
+          
+          if [ -z "$SECRET_TOKEN" ]; then
+            echo "ERROR: SECRET_TOKEN not set"
+            exit 1
+          fi
+          echo "✓ SECRET_TOKEN is set"
+          
+          if [ -z "$DATABASE_PASSWORD" ]; then
+            echo "ERROR: DATABASE_PASSWORD not set"
+            exit 1
+          fi
+          echo "✓ DATABASE_PASSWORD is set"
+      
+      - name: Test that sensitive values are masked (will show *** if properly masked)
+        run: |
+          echo "Testing value masking..."
+          echo "API_KEY value: $API_KEY"
+          echo "SECRET_TOKEN value: $SECRET_TOKEN"
+          echo "DATABASE_PASSWORD value: $DATABASE_PASSWORD"
+          echo "PUBLIC_VAR value: $PUBLIC_VAR"
+          
+          # This should show the actual values in the step output,
+          # but GitHub Actions should mask them if core.setSecret was called
+      
+      - name: Verify mise version
+        run: mise --version

.github/workflows/test.yml

@@ -8,6 +8,9 @@ on: # rebuild any PRs and main branch changes
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref_name }}
   cancel-in-progress: true
@@ -16,11 +19,12 @@ jobs:
   build: # make sure build/ci work properly
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-      - run: |
-          npm install
-      - run: |
-          npm run all
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v4
+      - run: aube install
+      - run: aubr all
   test: # make sure the action works on a clean machine without building
     strategy:
       fail-fast: false
@@ -43,7 +47,9 @@ jobs:
       - name: Install requirements
         if: ${{ matrix.requirements }}
         run: ${{ matrix.requirements }}
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         uses: ./
         with:
@@ -65,7 +71,9 @@ jobs:
   specific_version:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         uses: ./
         with:
@@ -79,11 +87,20 @@ jobs:
             bun = "1"
       - run: which bun
       - run: bun -v
+      - name: Update mise
+        uses: ./
+        with:
+          cache_save: ${{ github.ref_name == 'main' }}
+          cache_key_prefix: mise-v1
+          version: v2025.7.3 # should trim the `v`
+          sha256: d38d4993c5379a680b50661f86287731dc1d1264777880a79b786403af337948
 
   checksum_failure:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise
         id: bad
         uses: ./
@@ -101,14 +118,37 @@ jobs:
         if: ${{ steps.bad.outcome == 'failure' }}
       - name: not failed as expected
         run: |
-          echo "Expected failure but the job was ${{ steps.bad.outcome }}"
+          echo "Expected failure but the job was ${STEPS_BAD_OUTCOME}"
           exit 1
         if: ${{ steps.bad.outcome != 'failure' }}
+        env:
+          STEPS_BAD_OUTCOME: ${{ steps.bad.outcome }}
+
+  custom_cache_key:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Setup mise with custom cache key
+        uses: ./
+        with:
+          cache_key: "custom-{{platform}}-{{install_args_hash}}-${{ github.run_id }}"
+          install_args: "jq@1.7.1"
+          mise_toml: |
+            [tools]
+            jq = "1.7.1"
+      - run: mise --version
+      - run: mise x jq -- jq --version
+      - run: which jq
+      - run: jq --version
 
   fetch_from_github:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup mise from mise.jdx.dev
         uses: ./
         with:
@@ -122,3 +162,21 @@ jobs:
       - run: mise x jq -- jq --version
       - run: which jq
       - run: jq --version
+
+  final:
+    needs:
+      - build
+      - test
+      - specific_version
+      - checksum_failure
+      - custom_cache_key
+      - fetch_from_github
+    runs-on: ubuntu-latest
+    timeout-minutes: 1
+    # Run on success or upstream failure but skip when the workflow is cancelled
+    # — `always()` would override `cancel-in-progress` and waste a runner.
+    if: ${{ !cancelled() }}
+    steps:
+      - name: Check CI job results
+        if: contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')
+        run: exit 1

.github/workflows/zizmor.yml

@@ -0,0 +1,22 @@
+name: zizmor
+on:
+  push:
+    branches: [main]
+    paths: ['.github/workflows/**']
+  pull_request:
+    paths: ['.github/workflows/**']
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false

.gitignore

@@ -101,3 +101,10 @@ __tests__/runner/*
 .idea
 .vscode
 *.code-workspace
+
+# Generated by `aube install` to record build-script approvals.
+# We've chosen not to commit our approval state — the build doesn't
+# need any package's install scripts to run, and the file gets
+# regenerated each install anyway. The harmless "ignored build
+# scripts" warning in `aube install` output is the cost.
+pnpm-workspace.yaml

.husky/pre-commit

@@ -1,4 +1,5 @@
 # shellcheck disable=SC1091
 
+npm ci
 npm run all
 git add dist

.npmrc

@@ -0,0 +1,11 @@
+# Forces a flat npm-style `node_modules/` layout instead of
+# aube's default symlink/virtual-store. Required for
+# deterministic `dist/index.js.map` source-map paths in CI:
+# without flat layout, rollup embeds absolute paths into
+# aube's per-user cache dir (`/home/runner/.cache/aube/...`),
+# which differ across machines and break the `check-dist`
+# workflow's byte-equality check.
+#
+# npm reads `.npmrc` too but ignores `node-linker` (npm
+# always installs flat), so the file is safe for both PMs.
+node-linker=hoisted

CHANGELOG.md

@@ -1,5 +1,198 @@
 # Changelog
 
+---
+## [4.0.1](https://github.com/jdx/mise-action/compare/v4.0.0..v4.0.1) - 2026-03-22
+
+### 🐛 Bug Fixes
+
+- run npm install in pre-commit hook before build (#410) by [@jdx](https://github.com/jdx) in [#410](https://github.com/jdx/mise-action/pull/410)
+
+### 🚜 Refactor
+
+- extract getCwd() helper to deduplicate working directory resolution (#403) by [@altendky](https://github.com/altendky) in [#403](https://github.com/jdx/mise-action/pull/403)
+
+### 📚 Documentation
+
+- bump versions listed im README.md (#407) by [@deining](https://github.com/deining) in [#407](https://github.com/jdx/mise-action/pull/407)
+- bump more versions listed in README.md (#408) by [@deining](https://github.com/deining) in [#408](https://github.com/jdx/mise-action/pull/408)
+
+### ⚙️ Miscellaneous Tasks
+
+- add workflow to auto-close stale PRs (#409) by [@jdx](https://github.com/jdx) in [#409](https://github.com/jdx/mise-action/pull/409)
+
+### New Contributors
+
+* @deining made their first contribution in [#408](https://github.com/jdx/mise-action/pull/408)
+
+---
+## [4.0.0](https://github.com/jdx/mise-action/compare/v3.6.3..v4.0.0) - 2026-03-13
+
+### 🚀 Features
+
+- **breaking** Update Node.js version from 20 to 24 (#395) by [@tumerorkun](https://github.com/tumerorkun) in [#395](https://github.com/jdx/mise-action/pull/395)
+
+### New Contributors
+
+* @tumerorkun made their first contribution in [#395](https://github.com/jdx/mise-action/pull/395)
+
+---
+## [3.6.3](https://github.com/jdx/mise-action/compare/v3.6.2..v3.6.3) - 2026-03-06
+
+### 🐛 Bug Fixes
+
+- pass cwd to all exec calls in exportMiseEnv() (#390) by [@andrewthauer](https://github.com/andrewthauer) in [#390](https://github.com/jdx/mise-action/pull/390)
+
+### New Contributors
+
+* @andrewthauer made their first contribution in [#390](https://github.com/jdx/mise-action/pull/390)
+
+---
+## [3.6.2](https://github.com/jdx/mise-action/compare/v3.6.1..v3.6.2) - 2026-03-02
+
+### 🐛 Bug Fixes
+
+- move file_hash to end of cache key template to prevent prefix matching (#384) by [@altendky](https://github.com/altendky) in [#384](https://github.com/jdx/mise-action/pull/384)
+
+### New Contributors
+
+* @altendky made their first contribution in [#384](https://github.com/jdx/mise-action/pull/384)
+
+---
+## [3.6.1](https://github.com/jdx/mise-action/compare/v3.6.0..v3.6.1) - 2026-01-20
+
+### 🔍 Other Changes
+
+- Revert "fix(cache): isolate cache keys per working_directory in monorepos" (#364) by [@jdx](https://github.com/jdx) in [#364](https://github.com/jdx/mise-action/pull/364)
+
+---
+## [3.6.0](https://github.com/jdx/mise-action/compare/v3.5.1..v3.6.0) - 2026-01-18
+
+### 🚀 Features
+
+- add option to disable shims in PATH (#340) by [@jdx](https://github.com/jdx) in [#340](https://github.com/jdx/mise-action/pull/340)
+
+### 🐛 Bug Fixes
+
+- **(cache)** isolate cache keys per working_directory in monorepos (#360) by [@chadxz](https://github.com/chadxz) in [#360](https://github.com/jdx/mise-action/pull/360)
+- use mise_dir input when specified (#339) by [@jdx](https://github.com/jdx) in [#339](https://github.com/jdx/mise-action/pull/339)
+- pass environment variables to mise commands (#341) by [@jdx](https://github.com/jdx) in [#341](https://github.com/jdx/mise-action/pull/341)
+- make mise self-update output visible in logs (#355) by [@nikobockerman](https://github.com/nikobockerman) in [#355](https://github.com/jdx/mise-action/pull/355)
+
+### 📚 Documentation
+
+- fix description for `mise_toml` input (#351) by [@quad](https://github.com/quad) in [#351](https://github.com/jdx/mise-action/pull/351)
+
+### New Contributors
+
+* @chadxz made their first contribution in [#360](https://github.com/jdx/mise-action/pull/360)
+* @nikobockerman made their first contribution in [#355](https://github.com/jdx/mise-action/pull/355)
+* @quad made their first contribution in [#351](https://github.com/jdx/mise-action/pull/351)
+
+---
+## [3.5.1](https://github.com/jdx/mise-action/compare/v3.5.0..v3.5.1) - 2025-11-24
+
+### 🔍 Other Changes
+
+- Revert "feat(action): moved save cache to post step" (#329) by [@jdx](https://github.com/jdx) in [#329](https://github.com/jdx/mise-action/pull/329)
+
+---
+## [3.5.0](https://github.com/jdx/mise-action/compare/v3.4.1..v3.5.0) - 2025-11-21
+
+### 🚀 Features
+
+- **(action)** moved save cache to post step (#321) by [@aamkye](https://github.com/aamkye) in [#321](https://github.com/jdx/mise-action/pull/321)
+
+### New Contributors
+
+* @aamkye made their first contribution in [#321](https://github.com/jdx/mise-action/pull/321)
+
+---
+## [3.4.1](https://github.com/jdx/mise-action/compare/v3.4.0..v3.4.1) - 2025-11-13
+
+### 🐛 Bug Fixes
+
+- avoid github token downstream issue (#317) by [@acesyde](https://github.com/acesyde) in [#317](https://github.com/jdx/mise-action/pull/317)
+
+### New Contributors
+
+* @acesyde made their first contribution in [#317](https://github.com/jdx/mise-action/pull/317)
+
+---
+## [3.4.0](https://github.com/jdx/mise-action/compare/v3.3.1..v3.4.0) - 2025-10-31
+
+### 🚀 Features
+
+- use autofix.ci to auto-update dist/ on all PRs by [@jdx](https://github.com/jdx) in [16e9fd5](https://github.com/jdx/mise-action/commit/16e9fd5251189c3d389adb836f243575c134d680)
+- use autofix.ci to auto-update dist/ on all PRs (#308) by [@jdx](https://github.com/jdx) in [#308](https://github.com/jdx/mise-action/pull/308)
+
+### 🐛 Bug Fixes
+
+- add missing `await` to `core.group` calls (#305) by [@smorimoto](https://github.com/smorimoto) in [#305](https://github.com/jdx/mise-action/pull/305)
+- auto-update dist folder in Renovate PRs via GitHub Actions (#306) by [@jdx](https://github.com/jdx) in [#306](https://github.com/jdx/mise-action/pull/306)
+- configure Renovate to ignore github-actions[bot] commits by [@jdx](https://github.com/jdx) in [993e7d0](https://github.com/jdx/mise-action/commit/993e7d0bb6f3422ef833a702b90e2a44909ec651)
+- run auto-update-dist workflow on all PRs by [@jdx](https://github.com/jdx) in [6d0fd75](https://github.com/jdx/mise-action/commit/6d0fd75ed51124702e37bfcf6e977da73f64b4e1)
+
+### 📚 Documentation
+
+- update to v3 in README (#290) by [@pdecat](https://github.com/pdecat) in [#290](https://github.com/jdx/mise-action/pull/290)
+
+### ⚙️ Miscellaneous Tasks
+
+- upgrade all workflows to Node 24 by [@jdx](https://github.com/jdx) in [c7b5f37](https://github.com/jdx/mise-action/commit/c7b5f37cadd1a385188a023510a966efa5eed247)
+- remove unused workflow by [@jdx](https://github.com/jdx) in [aecb23d](https://github.com/jdx/mise-action/commit/aecb23d92f0e50768578578f309255414a23561d)
+
+### New Contributors
+
+* @smorimoto made their first contribution in [#305](https://github.com/jdx/mise-action/pull/305)
+* @pdecat made their first contribution in [#290](https://github.com/jdx/mise-action/pull/290)
+
+---
+## [3.3.1](https://github.com/jdx/mise-action/compare/v3.3.0..v3.3.1) - 2025-10-06
+
+### 🐛 Bug Fixes
+
+- trim "v" prefix on update (#287) by [@zeitlinger](https://github.com/zeitlinger) in [#287](https://github.com/jdx/mise-action/pull/287)
+
+---
+## [3.3.0](https://github.com/jdx/mise-action/compare/v3.2.0..v3.3.0) - 2025-10-03
+
+### 🚀 Features
+
+- use self-update to modify version if mise is already installed (#277) by [@ImpSy](https://github.com/ImpSy) in [#277](https://github.com/jdx/mise-action/pull/277)
+
+### 🐛 Bug Fixes
+
+- **(cache)** replace `,` in `MISE_ENV` with `-` (#278) by [@risu729](https://github.com/risu729) in [#278](https://github.com/jdx/mise-action/pull/278)
+- correct Renovate allowedPostUpgradeCommands configuration by [@jdx](https://github.com/jdx) in [4313941](https://github.com/jdx/mise-action/commit/43139419dcaeb99e24c487d646766d014d0957a2)
+
+### ⚙️ Miscellaneous Tasks
+
+- **(config)** migrate renovate config (#263) by [@renovate[bot]](https://github.com/renovate[bot]) in [#263](https://github.com/jdx/mise-action/pull/263)
+- updated deps by [@jdx](https://github.com/jdx) in [5795893](https://github.com/jdx/mise-action/commit/5795893acedc0f2044498a21005c38f12dd5d8d3)
+
+### New Contributors
+
+* @mise-en-dev made their first contribution in [#284](https://github.com/jdx/mise-action/pull/284)
+* @ImpSy made their first contribution in [#277](https://github.com/jdx/mise-action/pull/277)
+
+---
+## [3.2.0](https://github.com/jdx/mise-action/compare/v3.1.0..v3.2.0) - 2025-08-22
+
+### 🚀 Features
+
+- add environment variable support to cache key templates (#250) by [@pepicrft](https://github.com/pepicrft) in [#250](https://github.com/jdx/mise-action/pull/250)
+
+### 🐛 Bug Fixes
+
+- redact secret values from env (#252) by [@jdx](https://github.com/jdx) in [#252](https://github.com/jdx/mise-action/pull/252)
+
+---
+## [3.1.0](https://github.com/jdx/mise-action/compare/v3.0.2..v3.1.0) - 2025-08-19
+
+### 🚀 Features
+
+- add configurable cache key with template variable support (#246) by [@pepicrft](https://github.com/pepicrft) in [#246](https://github.com/jdx/mise-action/pull/246)
+
 ---
 ## [3.0.2](https://github.com/jdx/mise-action/compare/v3.0.1..v3.0.2) - 2025-08-18
 

CLAUDE.md

@@ -8,21 +8,29 @@ This is a GitHub Action that installs and configures mise, a polyglot runtime ma
 
 ## Development Commands
 
+This project uses [aube](https://aube.en.dev) as its package
+manager (en.dev's pnpm-compat PM, native Rust). It reads
+`package-lock.json` directly — no separate `aube-lock.yaml`.
+`mise install` will install the pinned aube version
+automatically; you can also use `npm` if you prefer (the
+`.npmrc`'s `node-linker=hoisted` pin is aube-specific and
+ignored by npm).
+
 ```bash
 # Install dependencies
-npm install
+aube install
 
 # Build, format, lint, and package
-npm run all
+aubr all
 
 # Individual commands
-npm run format:write  # Format code with Prettier
-npm run lint         # Run ESLint and format check
-npm run package      # Bundle with ncc for distribution
+aubr format:write  # Format code with Prettier
+aubr lint         # Run ESLint and format check
+aubr package      # Bundle with rollup for distribution
 
 # Testing
-npm run all          # Run full build pipeline
-./scripts/test.sh    # Integration test script
+aubr all          # Run full build pipeline
+./scripts/test.sh     # Integration test script
 ```
 
 ## Architecture
@@ -50,6 +58,6 @@ The action follows GitHub's standard TypeScript action structure:
 
 ## Important Notes
 
-- Always run `npm run all` before committing to ensure dist/ is updated
+- Always run `aubr all` before committing to ensure dist/ is updated
 - The dist/ folder must be committed as GitHub Actions runs the compiled code
 - Test changes using the action itself (uses: ./) in test workflows

README.md

@@ -13,10 +13,10 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+      - uses: actions/checkout@v6
+      - uses: jdx/mise-action@v4
         with:
-          version: 2024.10.0 # [default: latest] mise version to install
+          version: 2026.3.10 # [default: latest] mise version to install
           install: true # [default: true] run `mise install`
           install_args: "bun" # [default: ""] additional arguments to `mise install`
           cache: true # [default: true] cache mise using GitHub's cache
@@ -24,11 +24,11 @@ jobs:
           log_level: debug # [default: info] log level
           # automatically write this .tool-versions file
           tool_versions: |
-            shellcheck 0.9.0
+            shellcheck 0.11.0
           # or, if you prefer .mise.toml format:
           mise_toml: |
             [tools]
-            shellcheck = "0.9.0"
+            shellcheck = "0.11.0"
           working_directory: app # [default: .] directory to run mise in
           reshim: false # [default: false] run `mise reshim -f`
           github_token: ${{ secrets.GITHUB_TOKEN }} # [default: ${{ github.token }}] GitHub token for API authentication
@@ -36,18 +36,70 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+      - uses: actions/checkout@v6
+      - uses: jdx/mise-action@v4
       # .tool-versions will be read from repo root
       - run: node ./my_app.js
 ```
 
+## Cache Configuration
+
+You can customize the cache key used by the action:
+
+```yaml
+- uses: jdx/mise-action@v4
+  with:
+    cache_key: "my-custom-cache-key"  # Override the entire cache key
+    cache_key_prefix: "mise-v1"       # Or just change the prefix (default: "mise-v0")
+```
+
+### Template Variables in Cache Keys
+
+When using `cache_key`, you can use template variables to reference internal values:
+
+```yaml
+- uses: jdx/mise-action@v4
+  with:
+    cache_key: "mise-{{platform}}-{{version}}-{{file_hash}}"
+    version: "2026.3.10"
+    install_args: "node python"
+```
+
+Available template variables:
+- `{{version}}` - The mise version (from the `version` input)
+- `{{cache_key_prefix}}` - The cache key prefix (from `cache_key_prefix` input or default)
+- `{{platform}}` - The target platform, including the runner image (e.g., "linux-x64-ubuntu24", "macos-arm64-macos15", "linux-x64-self-hosted"). The trailing segment is `process.env.ImageOS` on github-hosted runners and falls back to `"self-hosted"` elsewhere — preventing cache collisions when the same repo runs on different runner providers (github-hosted, namespace.so, self-hosted).
+- `{{file_hash}}` - Hash of all mise configuration files
+- `{{mise_env}}` - The MISE_ENV environment variable value
+- `{{install_args_hash}}` - SHA256 hash of the sorted tools from install args
+- `{{default}}` - The processed default cache key (useful for extending)
+
+Conditional logic is also supported using Handlebars syntax like `{{#if version}}...{{/if}}`.
+
+Example using multiple variables:
+```yaml
+- uses: jdx/mise-action@v4
+  with:
+    cache_key: "mise-v1-{{platform}}-{{install_args_hash}}-{{file_hash}}"
+    install_args: "node@24 python@3.14"
+```
+
+You can also extend the default cache key:
+```yaml
+- uses: jdx/mise-action@v4
+  with:
+    cache_key: "{{default}}-custom-suffix"
+    install_args: "node@24 python@3.14"
+```
+
+This gives you full control over cache invalidation based on the specific aspects that matter to your workflow.
+
 ## GitHub API Rate Limits
 
 When installing tools hosted on GitHub (like `gh`, `node`, `bun`, etc.), mise needs to make API calls to GitHub's releases API. Without authentication, these calls are subject to GitHub's rate limit of 60 requests per hour, which can cause installation failures.
 
 ```yaml
-- uses: jdx/mise-action@v2
+- uses: jdx/mise-action@v4
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
     # your other configuration

action.yml

@@ -22,7 +22,7 @@ inputs:
     description: If present, this value will be written to the .tool-versions file
   mise_toml:
     required: false
-    description: If present, this value will be written to the .mise.toml file
+    description: If present, this value will be written to the mise.toml file
   install:
     required: false
     default: "true"
@@ -43,8 +43,15 @@ inputs:
     description: if false, action will not write to cache
   cache_key_prefix:
     required: false
-    default: "mise-v0"
+    default: "mise-v1"
     description: The prefix key to use for the cache, change this to invalidate the cache
+  cache_key:
+    required: false
+    description: |
+      Override the complete cache key (ignores all other cache key options).
+      Supports template variables: {{version}}, {{cache_key_prefix}}, {{platform}}, {{file_hash}}, 
+      {{mise_env}}, {{install_args_hash}}, {{default}}, {{env.VAR_NAME}} for environment variables, 
+      and conditional logic like {{#if version}}...{{/if}}
   experimental:
     required: false
     default: "false"
@@ -60,6 +67,10 @@ inputs:
     required: false
     default: "false"
     description: if true, will run `mise reshim --all` after setting up mise
+  add_shims_to_path:
+    required: false
+    default: "true"
+    description: if false, will not add mise shims directory to PATH
   github_token:
     required: false
     description: |
@@ -74,9 +85,39 @@ inputs:
     description: "Automatically load mise env vars into GITHUB_ENV. Note that PATH modifications are not part of this."
     required: false
     default: "true"
+  wings_enabled:
+    description: |
+      [experimental] Opt in to the mise-wings asset cache
+      (https://mise-wings.en.dev) for this action invocation.
+
+      When `true`, the action exports `MISE_WINGS_ENABLED=1` so
+      the installed mise binary routes tool-install URLs (npm
+      tarballs, GitHub release artifacts) through the per-org
+      wings cache subdomains.
+
+      Authentication is automatic via the runner's GitHub OIDC
+      identity — no `mise wings login` step, no long-lived
+      secret to rotate. The workflow must declare
+      `permissions: id-token: write` so the OIDC token-issuer
+      env vars are populated; without that, mise falls through
+      to direct-origin fetches transparently.
+
+      Default `false` is the conservative posture: a workflow
+      with `id-token: write` (used for SLSA / AWS-OIDC /
+      Sigstore / etc.) should not have its OIDC token sent to
+      a third-party cache without explicit opt-in. Older mise
+      binaries that don't speak wings ignore the env var
+      entirely, so this is forward-compatible.
+
+      Requires an active mise-wings subscription on the Clerk
+      org linked to the GitHub org running the workflow;
+      without one, the proxy 402s and mise leaves the cache
+      off without affecting the workflow's success.
+    required: false
+    default: "false"
 outputs:
   cache-hit:
     description: A boolean value to indicate if a cache was hit.
 runs:
-  using: node20
+  using: node24
   main: dist/index.js

mise.lock

@@ -0,0 +1,166 @@
+# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
+
+[[tools.aube]]
+version = "1.6.2"
+backend = "github:endevco/aube"
+
+[tools.aube."platforms.linux-arm64"]
+checksum = "sha256:1c47d2c0a50cf80f49aedcc2f58ce8abcbdf763092e772c8961c6e5b18916e8b"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164231"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-arm64-musl"]
+checksum = "sha256:9780776921db3a54fc3237f50b9686489d93115e26584c7a85d54ce96a8e9b39"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164229"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-x64"]
+checksum = "sha256:16fcc40dfbaac110ce8f4e88728a440f2366094a45fd6c189bcbcc2b3ea31f06"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164107"
+provenance = "github-attestations"
+
+[tools.aube."platforms.linux-x64-musl"]
+checksum = "sha256:2ee3821fd62b56bb39cb2ceffe6ad38975e35f82311ca7f9ec6ee28bc6d284b8"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410164199"
+provenance = "github-attestations"
+
+[tools.aube."platforms.macos-arm64"]
+checksum = "sha256:4ce92482500f77f0779f288328cb7411f7ae2441b8618eae36a2ab5ea7591a32"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-aarch64-apple-darwin.tar.gz"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410166750"
+provenance = "github-attestations"
+
+[tools.aube."platforms.windows-x64"]
+checksum = "sha256:916594efae8f8b59fc898913f96d199a21d212c7037043853ee04df7264611d0"
+url = "https://github.com/endevco/aube/releases/download/v1.6.2/aube-v1.6.2-x86_64-pc-windows-msvc.zip"
+url_api = "https://api.github.com/repos/endevco/aube/releases/assets/410174742"
+provenance = "github-attestations"
+
+[[tools.communique]]
+version = "1.1.2"
+backend = "github:jdx/communique"
+
+[tools.communique."platforms.linux-arm64"]
+checksum = "sha256:7bb0843207fc3d7b5df2a5c0198bb10539cf13a6b247b4adfbf6b302a68f03de"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964161"
+
+[tools.communique."platforms.linux-arm64-musl"]
+checksum = "sha256:b663407be77a370c209df40307b82e436f56a6bc23d4e423510d62ac6e1fedf4"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964743"
+
+[tools.communique."platforms.linux-x64"]
+checksum = "sha256:5e74ead7037f42940c7dba4f6aa4ed968920cbb55a047aa0d291b0c675c65676"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-unknown-linux-gnu.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405963914"
+provenance = "github-attestations"
+
+[tools.communique."platforms.linux-x64-musl"]
+checksum = "sha256:01a6a8b49e635a5a209fdaf6c7b2e976374debc2db1c846c033f567fdba0d86c"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-unknown-linux-musl.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964691"
+
+[tools.communique."platforms.macos-arm64"]
+checksum = "sha256:459993e31a6c4ccbd09882f5679a2bc1ea5d9068701ecefc411a00fb69ce82e6"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-aarch64-apple-darwin.tar.gz"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964098"
+
+[tools.communique."platforms.windows-x64"]
+checksum = "sha256:3cc0e880ac2168aed3163223627bbd1eee62e07a9901cb85cb507c6c8927bc93"
+url = "https://github.com/jdx/communique/releases/download/v1.1.2/communique-x86_64-pc-windows-msvc.zip"
+url_api = "https://api.github.com/repos/jdx/communique/releases/assets/405964430"
+
+[[tools.gh]]
+version = "2.92.0"
+backend = "aqua:cli/cli"
+
+[tools.gh."platforms.linux-arm64"]
+checksum = "sha256:c2248526dd0160c08d3fccca2332c3c1a07c15a78b23978e77735f1b5a18cfee"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_arm64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-arm64-musl"]
+checksum = "sha256:c2248526dd0160c08d3fccca2332c3c1a07c15a78b23978e77735f1b5a18cfee"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_arm64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-x64"]
+checksum = "sha256:b57848131bdf0c229cd35e1f2a51aa718199858b2e728410b37e89a428943ec4"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_amd64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.linux-x64-musl"]
+checksum = "sha256:b57848131bdf0c229cd35e1f2a51aa718199858b2e728410b37e89a428943ec4"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_linux_amd64.tar.gz"
+provenance = "github-attestations"
+
+[tools.gh."platforms.macos-arm64"]
+checksum = "sha256:b11c54f6bd7d15ed6590475079e5b2fcf36f45d3991a80041b29c9d0cc1f1d07"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_macOS_arm64.zip"
+provenance = "github-attestations"
+
+[tools.gh."platforms.windows-x64"]
+checksum = "sha256:b6a8df3c8c6b9c80f290906387673bc4d272840f3789c5650e0e4e6e75522785"
+url = "https://github.com/cli/cli/releases/download/v2.92.0/gh_2.92.0_windows_amd64.zip"
+provenance = "github-attestations"
+
+[[tools.git-cliff]]
+version = "2.13.1"
+backend = "aqua:orhun/git-cliff"
+
+[tools.git-cliff."platforms.linux-arm64"]
+checksum = "sha256:4054c124b926c117f3fa048939bc8be0a954f29f3b6f367627e8cb22c1971882"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-arm64-musl"]
+checksum = "sha256:4054c124b926c117f3fa048939bc8be0a954f29f3b6f367627e8cb22c1971882"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-x64"]
+checksum = "sha256:200d2535da6d9703f3bcc8a4d159c3b55eacdb01cf2148c55b3eee9dd04d5249"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.linux-x64-musl"]
+checksum = "sha256:200d2535da6d9703f3bcc8a4d159c3b55eacdb01cf2148c55b3eee9dd04d5249"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-unknown-linux-musl.tar.gz"
+
+[tools.git-cliff."platforms.macos-arm64"]
+checksum = "sha256:21547ae4a0421164070ab75c2522864ea5565858a011fabc5f583061b20f1226"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-aarch64-apple-darwin.tar.gz"
+
+[tools.git-cliff."platforms.windows-x64"]
+checksum = "sha256:3ae3a5549e85c7ad5b20192ebcfee4371269deca51255f6f2f2e051c6541f5ca"
+url = "https://github.com/orhun/git-cliff/releases/download/v2.13.1/git-cliff-2.13.1-x86_64-pc-windows-msvc.zip"
+
+[[tools.node]]
+version = "24.15.0"
+backend = "core:node"
+
+[tools.node."platforms.linux-arm64"]
+checksum = "sha256:73afc234d558c24919875f51c2d1ea002a2ada4ea6f83601a383869fefa64eed"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-arm64.tar.gz"
+
+[tools.node."platforms.linux-arm64-musl"]
+checksum = "sha256:31e98aa960a067da91edffd5d93bc46657b5d2a8029612c359f5f2ac0060152a"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-arm64-musl.tar.gz"
+
+[tools.node."platforms.linux-x64"]
+checksum = "sha256:44836872d9aec49f1e6b52a9a922872db9a2b02d235a616a5681b6a85fec8d89"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-linux-x64.tar.gz"
+
+[tools.node."platforms.linux-x64-musl"]
+checksum = "sha256:f55af5bd489c5347b113ca6594cae00a54b30ba57ac5875324311bfc6f4762e3"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.15.0/node-v24.15.0-linux-x64-musl.tar.gz"
+
+[tools.node."platforms.macos-arm64"]
+checksum = "sha256:372331b969779ab5d15b949884fc6eaf88d5afe87bde8ba881d6400b9100ffc4"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-darwin-arm64.tar.gz"
+
+[tools.node."platforms.windows-x64"]
+checksum = "sha256:cc5149eabd53779ce1e7bdc5401643622d0c7e6800ade18928a767e940bb0e62"
+url = "https://nodejs.org/dist/v24.15.0/node-v24.15.0-win-x64.zip"

mise.toml

@@ -1,12 +1,14 @@
-tasks.pre-commit = ["npm run all", "git add dist"]
+tasks.pre-commit = ["aubr all", "git add dist"]
 tasks.test.alias = ["t"]
-tasks.test.run = ["npm run all"]
-tasks.lint = "bun run lint"
-tasks."lint:fix" = "bun run format:write"
-tasks.version = "npm version"
+tasks.test.run = ["aubr all"]
+tasks.lint = "aubr lint"
+tasks."lint:fix" = "aubr format:write"
+tasks.version = "aube version"
 tasks.release-plz = "./scripts/release-plz.sh"
 
 [tools]
 node = '24'
+aube = 'v1.6.2'
 git-cliff = 'latest'
 gh = 'latest'
+communique = 'latest'

package.json

@@ -1,8 +1,9 @@
 {
   "name": "mise-action",
   "description": "mise tool setup action",
-  "version": "3.0.2",
+  "version": "4.0.1",
   "author": "jdx",
+  "type": "module",
   "private": true,
   "repository": {
     "type": "git",
@@ -21,32 +22,46 @@
     "bundle": "npm run format:write && npm run package",
     "format:check": "prettier --check **/*.ts",
     "format:write": "prettier --write **/*.ts",
-    "lint": "npx eslint . && npm run format:check",
-    "package": "ncc build -s src/index.ts --license licenses.txt",
+    "lint": "eslint . && npm run format:check",
+    "package": "rimraf ./dist && rollup --config rollup.config.mjs",
     "package:watch": "npm run package -- --watch",
     "version": "./scripts/version.sh",
     "prepare": "husky"
   },
   "license": "MIT",
   "dependencies": {
-    "@actions/cache": "^4.0.0",
-    "@actions/core": "^1.11.1",
-    "@actions/exec": "^1.1.1",
-    "@actions/glob": "^0.5.0"
+    "@actions/cache": "^6.0.0",
+    "@actions/core": "^3.0.0",
+    "@actions/exec": "^3.0.0",
+    "@actions/glob": "^0.7.0",
+    "@actions/io": "^3.0.0",
+    "@types/handlebars": "^4.0.40",
+    "handlebars": "^4.7.8"
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3.2.0",
-    "@eslint/js": "^9.15.0",
+    "@eslint/js": "^10.0.0",
+    "@rollup/plugin-commonjs": "^29.0.0",
+    "@rollup/plugin-json": "^6.1.0",
+    "@rollup/plugin-node-resolve": "^16.0.0",
+    "@rollup/plugin-typescript": "^12.0.0",
     "@types/eslint__js": "^8.42.3",
     "@types/node": "^24",
-    "@vercel/ncc": "^0.38.3",
-    "eslint": "^9.15.0",
-    "globals": "^16.0.0",
+    "eslint": "^10.0.0",
+    "globals": "^17.0.0",
     "husky": "^9.1.7",
     "jest": "^30",
     "js-yaml": "^4.1.0",
     "prettier": "^3.4.1",
-    "typescript": "^5.7.2",
+    "rimraf": "^6.0.0",
+    "rollup": "^4.0.0",
+    "rollup-plugin-license": "^3.7.1",
+    "typescript": "^6.0.0",
     "typescript-eslint": "^8.16.0"
+  },
+  "aube": {
+    "allowBuilds": {
+      "unrs-resolver": false
+    }
   }
 }

rollup.config.mjs

@@ -0,0 +1,29 @@
+import commonjs from '@rollup/plugin-commonjs'
+import json from '@rollup/plugin-json'
+import nodeResolve from '@rollup/plugin-node-resolve'
+import typescript from '@rollup/plugin-typescript'
+import license from 'rollup-plugin-license'
+import path from 'path'
+
+const config = {
+  input: 'src/index.ts',
+  output: {
+    esModule: true,
+    file: 'dist/index.js',
+    format: 'es',
+    sourcemap: true
+  },
+  plugins: [
+    typescript(),
+    nodeResolve({ preferBuiltins: true }),
+    commonjs({ ignoreTryCatch: false }),
+    json(),
+    license({
+      thirdParty: {
+        output: path.resolve('dist', 'licenses.txt')
+      }
+    })
+  ]
+}
+
+export default config

scripts/postversion.sh

@@ -4,6 +4,11 @@ set -euxo pipefail
 VERSION=$(jq -r .version package.json)
 MAJOR_VERSION=$(echo "$VERSION" | cut -d. -f1)
 
+# Configure git to use gh's credential helper. The checkout step uses
+# persist-credentials: false (per zizmor's artipacked audit), so the
+# token isn't written to .git/config and raw `git push` would 403.
+gh auth setup-git
+
 # create the version tag (allow it to fail if it already exists)
 git tag "v$VERSION" || echo "Tag v$VERSION already exists locally"
 

scripts/release-plz.sh

@@ -47,6 +47,11 @@ if [ -n "$latest_release_version" ] && [ "$cur_pkg_version" = "$latest_release_v
 	git config user.name mise-en-dev
 	git config user.email 123107610+mise-en-dev@users.noreply.github.com
 
+	# Configure git to use gh's credential helper. The checkout step uses
+	# persist-credentials: false (per zizmor's artipacked audit), so the
+	# token isn't written to .git/config and raw `git push` would 403.
+	gh auth setup-git
+
 	# Create a PR with the version bump
 	npm version "${version#v}" --no-git-tag-version
 

src/index.ts

@@ -7,6 +7,40 @@ import * as crypto from 'crypto'
 import * as fs from 'fs'
 import * as os from 'os'
 import * as path from 'path'
+import * as Handlebars from 'handlebars'
+
+// Configuration file patterns for cache key generation
+const MISE_CONFIG_FILE_PATTERNS = [
+  `**/.config/mise/config.toml`,
+  `**/.config/mise/config.lock`,
+  `**/.config/mise/config.*.toml`,
+  `**/.config/mise/config.*.lock`,
+  `**/.config/mise.toml`,
+  `**/.config/mise.lock`,
+  `**/.config/mise.*.toml`,
+  `**/.config/mise.*.lock`,
+  `**/.mise/config.toml`,
+  `**/.mise/config.lock`,
+  `**/.mise/config.*.toml`,
+  `**/.mise/config.*.lock`,
+  `**/mise/config.toml`,
+  `**/mise/config.lock`,
+  `**/mise/config.*.toml`,
+  `**/mise/config.*.lock`,
+  `**/.mise.toml`,
+  `**/.mise.lock`,
+  `**/.mise.*.toml`,
+  `**/.mise.*.lock`,
+  `**/mise.toml`,
+  `**/mise.lock`,
+  `**/mise.*.toml`,
+  `**/mise.*.lock`,
+  `**/.tool-versions`
+]
+
+// Default cache key template
+const DEFAULT_CACHE_KEY_TEMPLATE =
+  '{{cache_key_prefix}}-{{platform}}{{#if version}}-{{version}}{{/if}}{{#if mise_env}}-{{mise_env}}{{/if}}{{#if install_args_hash}}-{{install_args_hash}}{{/if}}-{{#if file_hash}}{{file_hash}}{{else}}no-config{{/if}}'
 
 async function run(): Promise<void> {
   try {
@@ -20,6 +54,25 @@ async function run(): Promise<void> {
       core.setOutput('cache-hit', false)
     }
 
+    // Wings opt-in hook (experimental). When
+    // `wings_enabled: true` is set, this exports
+    // `MISE_WINGS_ENABLED=1` so subsequent `mise install`
+    // commands in this workflow route through the wings
+    // cache. Default `false` so workflows with
+    // `id-token: write` (used for SLSA / AWS-OIDC / Sigstore /
+    // etc.) don't silently send the runner's OIDC token to
+    // a third-party cache without explicit consent.
+    //
+    // Note: `setupMise` fetches the mise binary itself with
+    // `curl`, which doesn't go through mise's HTTP layer —
+    // the wings rewriter only kicks in once the resulting
+    // mise binary runs `mise install` and friends. Ordering
+    // here is irrelevant for binary acceleration; we just
+    // want the env var set before any `mise` subcommand
+    // runs. Greptile + Gemini both flagged the previous
+    // comment as overstating what the early call accelerates.
+    setupWings()
+
     const version = core.getInput('version')
     const fetchFromGitHub = core.getBooleanInput('fetch_from_github')
     await setupMise(version, fetchFromGitHub)
@@ -37,8 +90,7 @@ async function run(): Promise<void> {
     await miseLs()
     const loadEnv = core.getBooleanInput('env')
     if (loadEnv) {
-      const output = await exec.getExecOutput('mise', ['env', '--dotenv'])
-      fs.appendFileSync(process.env.GITHUB_ENV!, output.stdout)
+      await exportMiseEnv()
     }
   } catch (err) {
     if (err instanceof Error) core.setFailed(err.message)
@@ -46,6 +98,139 @@ async function run(): Promise<void> {
   }
 }
 
+/**
+ * Opt in to mise-wings caching for this workflow run. When
+ * `wings_enabled: true`, exports `MISE_WINGS_ENABLED=1` so
+ * subsequent `mise install` commands route through the
+ * cache.
+ *
+ * Mise itself owns the OIDC → wings session exchange — when
+ * it sees `MISE_WINGS_ENABLED=1` and the GHA OIDC env vars
+ * (`ACTIONS_ID_TOKEN_REQUEST_URL` +
+ * `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it fetches the runner's
+ * OIDC token, exchanges it at the proxy's `POST /auth`
+ * route, and caches the resulting session JWT for the rest
+ * of the process.
+ *
+ * Pre-flight check: `id-token: write` permission must be
+ * declared at the workflow or job level for the OIDC env
+ * vars to be present. We log a warning when wings is
+ * enabled but the env vars are absent — without this hint,
+ * the user sees a transparent "wings configured but doing
+ * nothing" which is hard to debug.
+ */
+function setupWings(): void {
+  if (!core.getBooleanInput('wings_enabled')) {
+    return
+  }
+  core.exportVariable('MISE_WINGS_ENABLED', '1')
+  core.info(
+    "mise-wings: enabled. mise will exchange the runner's OIDC token for a wings session on first use."
+  )
+
+  const oidcUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL
+  const oidcToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
+  if (!oidcUrl || !oidcToken) {
+    core.warning(
+      'mise-wings: GHA OIDC env vars are missing. Add ' +
+        '`permissions: id-token: write` at the workflow or job ' +
+        'level so the runner can mint OIDC tokens. Without this, ' +
+        'mise falls through to direct-origin fetches and the cache ' +
+        'is bypassed.'
+    )
+  }
+}
+
+async function exportMiseEnv(): Promise<void> {
+  core.startGroup('Exporting mise environment variables')
+
+  const cwd = getCwd()
+
+  // Check if mise supports --redacted flags based on version input
+  const supportsRedacted = checkMiseSupportsRedacted()
+
+  if (supportsRedacted) {
+    try {
+      // First, get the redacted values to identify what needs masking
+      const redactedOutput = await exec.getExecOutput(
+        'mise',
+        ['env', '--redacted', '--json'],
+        { silent: true, cwd }
+      )
+      const redactedVars = JSON.parse(redactedOutput.stdout)
+
+      // Mask sensitive values in GitHub Actions
+      for (const [key, actualValue] of Object.entries(redactedVars)) {
+        core.setSecret(actualValue as string)
+        core.info(`Masked sensitive value for: ${key}`)
+      }
+
+      // Then get the actual values
+      const actualOutput = await exec.getExecOutput('mise', ['env', '--json'], {
+        cwd
+      })
+      const actualVars = JSON.parse(actualOutput.stdout)
+
+      // Export all environment variables
+      for (const [key, value] of Object.entries(actualVars)) {
+        if (typeof value === 'string') {
+          core.exportVariable(key, value)
+        }
+      }
+    } catch {
+      // Fall back to dotenv format if the redacted command fails
+      core.info('Falling back to dotenv format')
+      const output = await exec.getExecOutput('mise', ['env', '--dotenv'], {
+        cwd
+      })
+      fs.appendFileSync(process.env.GITHUB_ENV!, output.stdout)
+    }
+  } else {
+    // Fall back to the old --dotenv format for older versions
+    const output = await exec.getExecOutput('mise', ['env', '--dotenv'], {
+      cwd
+    })
+    fs.appendFileSync(process.env.GITHUB_ENV!, output.stdout)
+  }
+
+  core.endGroup()
+}
+
+function cleanVersion(version: string) {
+  // remove 'v' prefix if present
+  return version.replace(/^v/, '')
+}
+
+function checkMiseSupportsRedacted(): boolean {
+  const version = core.getInput('version')
+
+  // If no version is specified, assume latest which supports redacted
+  if (!version) {
+    return true
+  }
+
+  const versionMatch = cleanVersion(version).match(/^(\d+)\.(\d+)\.(\d+)/)
+
+  if (!versionMatch) {
+    // If we can't parse the version, assume it supports redacted
+    return true
+  }
+
+  const [, year, month, patch] = versionMatch
+  const yearNum = parseInt(year, 10)
+  const monthNum = parseInt(month, 10)
+  const patchNum = parseInt(patch, 10)
+
+  // Check if version is >= 2025.8.17
+  if (yearNum > 2025) return true
+  if (yearNum === 2025) {
+    if (monthNum > 8) return true
+    if (monthNum === 8 && patchNum >= 17) return true
+  }
+
+  return false
+}
+
 async function setEnvVars(): Promise<void> {
   core.startGroup('Setting env vars')
   const set = (k: string, v: string): void => {
@@ -61,75 +246,32 @@ async function setEnvVars(): Promise<void> {
 
   const githubToken = core.getInput('github_token')
   if (githubToken) {
-    set('GITHUB_TOKEN', githubToken)
+    // Don't use GITHUB_TOKEN, use MISE_GITHUB_TOKEN instead to avoid downstream issues.
+    set('MISE_GITHUB_TOKEN', githubToken)
   } else {
     core.warning(
-      'No GITHUB_TOKEN provided. You may hit GitHub API rate limits when installing tools from GitHub.'
+      'No MISE_GITHUB_TOKEN provided. You may hit GitHub API rate limits when installing tools from GitHub.'
     )
   }
 
   set('MISE_TRUSTED_CONFIG_PATHS', process.cwd())
   set('MISE_YES', '1')
 
-  const shimsDir = path.join(miseDir(), 'shims')
-  core.info(`Adding ${shimsDir} to PATH`)
-  core.addPath(shimsDir)
+  if (core.getBooleanInput('add_shims_to_path')) {
+    const shimsDir = path.join(miseDir(), 'shims')
+    core.info(`Adding ${shimsDir} to PATH`)
+    core.addPath(shimsDir)
+  }
 }
 
 async function restoreMiseCache(): Promise<string | undefined> {
   core.startGroup('Restoring mise cache')
-  const version = core.getInput('version')
-  const installArgs = core.getInput('install_args')
-  const { MISE_ENV } = process.env
   const cachePath = miseDir()
-  const fileHash = await glob.hashFiles(
-    [
-      `**/.config/mise/config.toml`,
-      `**/.config/mise/config.lock`,
-      `**/.config/mise/config.*.toml`,
-      `**/.config/mise/config.*.lock`,
-      `**/.config/mise.toml`,
-      `**/.config/mise.lock`,
-      `**/.config/mise.*.toml`,
-      `**/.config/mise.*.lock`,
-      `**/.mise/config.toml`,
-      `**/.mise/config.lock`,
-      `**/.mise/config.*.toml`,
-      `**/.mise/config.*.lock`,
-      `**/mise/config.toml`,
-      `**/mise/config.lock`,
-      `**/mise/config.*.toml`,
-      `**/mise/config.*.lock`,
-      `**/.mise.toml`,
-      `**/.mise.lock`,
-      `**/.mise.*.toml`,
-      `**/.mise.*.lock`,
-      `**/mise.toml`,
-      `**/mise.lock`,
-      `**/mise.*.toml`,
-      `**/mise.*.lock`,
-      `**/.tool-versions`
-    ].join('\n')
-  )
-  const prefix = core.getInput('cache_key_prefix') || 'mise-v0'
-  let primaryKey = `${prefix}-${await getTarget()}-${fileHash}`
-  if (version) {
-    primaryKey = `${primaryKey}-${version}`
-  }
-  if (MISE_ENV) {
-    primaryKey = `${primaryKey}-${MISE_ENV}`
-  }
-  if (installArgs) {
-    const tools = installArgs
-      .split(' ')
-      .filter(arg => !arg.startsWith('-'))
-      .sort()
-      .join(' ')
-    if (tools) {
-      const toolsHash = crypto.createHash('sha256').update(tools).digest('hex')
-      primaryKey = `${primaryKey}-${toolsHash}`
-    }
-  }
+
+  // Use custom cache key if provided, otherwise use default template
+  const cacheKeyTemplate =
+    core.getInput('cache_key') || DEFAULT_CACHE_KEY_TEMPLATE
+  const primaryKey = await processCacheKeyTemplate(cacheKeyTemplate)
 
   core.saveState('PRIMARY_KEY', primaryKey)
   core.saveState('MISE_DIR', cachePath)
@@ -198,6 +340,26 @@ async function setupMise(
         await exec.exec('chmod', ['+x', miseBinPath])
         break
     }
+  } else {
+    const requestedVersion = cleanVersion(core.getInput('version'))
+    if (requestedVersion !== '') {
+      const versionOutput = await exec.getExecOutput(
+        miseBinPath,
+        ['version', '--json'],
+        { silent: true }
+      )
+      const versionJson = JSON.parse(versionOutput.stdout)
+      const version = cleanVersion(versionJson.version.split(' ')[0])
+      if (requestedVersion === version) {
+        core.info(`mise already installed`)
+      } else {
+        core.info(
+          `mise already installed (${version}), but different version requested (${requestedVersion})`
+        )
+        await exec.exec(miseBinPath, ['self-update', requestedVersion, '-y'])
+        core.info(`mise updated to version ${requestedVersion}`)
+      }
+    }
   }
   // compare with provided hash
   const want = core.getInput('sha256')
@@ -252,14 +414,16 @@ const miseInstall = async (): Promise<number> =>
 const miseLs = async (): Promise<number> => mise([`ls`])
 const miseReshim = async (): Promise<number> => mise([`reshim`, `-f`])
 const mise = async (args: string[]): Promise<number> =>
-  core.group(`Running mise ${args.join(' ')}`, async () => {
-    const cwd =
-      core.getInput('working_directory') ||
-      core.getInput('install_dir') ||
-      process.cwd()
+  await core.group(`Running mise ${args.join(' ')}`, async () => {
+    const cwd = getCwd()
+    const baseEnv = Object.fromEntries(
+      Object.entries(process.env).filter(
+        (entry): entry is [string, string] => entry[1] !== undefined
+      )
+    )
     const env = core.isDebug()
-      ? { ...process.env, MISE_LOG_LEVEL: 'debug' }
-      : undefined
+      ? { ...baseEnv, MISE_LOG_LEVEL: 'debug' }
+      : baseEnv
 
     if (args.length === 1) {
       return exec.exec(`mise ${args}`, [], {
@@ -272,17 +436,28 @@ const mise = async (args: string[]): Promise<number> =>
   })
 
 const writeFile = async (p: fs.PathLike, body: string): Promise<void> =>
-  core.group(`Writing ${p}`, async () => {
+  await core.group(`Writing ${p}`, async () => {
     core.info(`Body:\n${body}`)
     await fs.promises.writeFile(p, body, { encoding: 'utf8' })
   })
 
 run()
 
+function getCwd(): string {
+  return (
+    core.getInput('working_directory') ||
+    core.getInput('install_dir') ||
+    process.cwd()
+  )
+}
+
 function miseDir(): string {
   const dir = core.getState('MISE_DIR')
   if (dir) return dir
 
+  const miseDir = core.getInput('mise_dir')
+  if (miseDir) return miseDir
+
   const { MISE_DATA_DIR, XDG_DATA_HOME, LOCALAPPDATA } = process.env
   if (MISE_DATA_DIR) return MISE_DATA_DIR
   if (XDG_DATA_HOME) return path.join(XDG_DATA_HOME, 'mise')
@@ -293,7 +468,7 @@ function miseDir(): string {
 }
 
 async function saveCache(cacheKey: string): Promise<void> {
-  core.group(`Saving mise cache`, async () => {
+  await core.group(`Saving mise cache`, async () => {
     const cachePath = miseDir()
 
     if (!fs.existsSync(cachePath)) {
@@ -308,11 +483,7 @@ async function saveCache(cacheKey: string): Promise<void> {
 }
 
 async function getTarget(): Promise<string> {
-  let { arch } = process
-
-  // quick overwrite to abide by release format
-  if (arch === 'arm') arch = 'armv7' as NodeJS.Architecture
-
+  const arch = process.arch === 'arm' ? 'armv7' : process.arch
   switch (process.platform) {
     case 'darwin':
       return `macos-${arch}`
@@ -325,6 +496,68 @@ async function getTarget(): Promise<string> {
   }
 }
 
+/**
+ * Identifies the runner image so cached binaries from one provider
+ * (github-hosted, namespace.so, BuildJet, self-hosted) aren't restored
+ * onto another provider's image where their compiled-in paths and libc
+ * versions don't match. GitHub-hosted images export `ImageOS`
+ * (e.g. "macos15", "ubuntu24"); other runners leave it unset and pool
+ * under "self-hosted".
+ */
+function getRunnerImageId(): string {
+  return process.env.ImageOS || 'self-hosted'
+}
+
+async function processCacheKeyTemplate(template: string): Promise<string> {
+  // Get all available variables
+  const version = core.getInput('version')
+  const installArgs = core.getInput('install_args')
+  const cacheKeyPrefix = core.getInput('cache_key_prefix') || 'mise-v1'
+  const miseEnv = process.env.MISE_ENV?.replace(/,/g, '-')
+  const platform = `${await getTarget()}-${getRunnerImageId()}`
+
+  // Calculate file hash
+  const fileHash = await glob.hashFiles(MISE_CONFIG_FILE_PATTERNS.join('\n'))
+
+  // Calculate install args hash
+  let installArgsHash = ''
+  if (installArgs) {
+    const tools = installArgs
+      .split(' ')
+      .filter(arg => !arg.startsWith('-'))
+      .sort()
+      .join(' ')
+    if (tools) {
+      installArgsHash = crypto.createHash('sha256').update(tools).digest('hex')
+    }
+  }
+
+  // Prepare base template data
+  const baseTemplateData = {
+    version,
+    cache_key_prefix: cacheKeyPrefix,
+    platform,
+    file_hash: fileHash,
+    mise_env: miseEnv,
+    install_args_hash: installArgsHash
+  }
+
+  // Calculate the default cache key by processing the default template
+  const defaultTemplate = Handlebars.compile(DEFAULT_CACHE_KEY_TEMPLATE)
+  const defaultCacheKey = defaultTemplate(baseTemplateData)
+
+  // Prepare final template data including the default cache key and env variables
+  const templateData = {
+    ...baseTemplateData,
+    default: defaultCacheKey,
+    env: process.env
+  }
+
+  // Compile and execute the user's template
+  const compiledTemplate = Handlebars.compile(template)
+  return compiledTemplate(templateData)
+}
+
 async function isMusl() {
   // `ldd --version` always returns 1 and print to stderr
   const { stderr } = await exec.getExecOutput('ldd', ['--version'], {

tsconfig.json

@@ -13,7 +13,9 @@
     "forceConsistentCasingInFileNames": true,
     "strict": true,
     "skipLibCheck": true,
-    "newLine": "lf"
+    "newLine": "lf",
+    "isolatedModules": true,
+    "allowSyntheticDefaultImports": true
   },
   "exclude": ["./dist", "./node_modules", "./__tests__", "./coverage"]
 }