mirror of
https://github.com/jdx/mise-action.git
synced 2026-05-14 05:50:31 +00:00
## Summary
Adds two new inputs that gate the mise-wings asset cache for tool
installs. Existing workflows are unaffected: default `wings_enabled:
false` is a no-op.
| Input | Default | Description |
|---|---|---|
| `wings_enabled` | `false` | Route tool-install URLs through the wings cache when `true` |
## How it works
When `wings_enabled: true`, the action exports `MISE_WINGS_ENABLED=1`.
Authentication is **fully automatic** — mise itself owns the GHA OIDC →
wings session exchange. No `mise wings login` step in workflow YAML, no
long-lived secrets to rotate.
When mise (built with wings support — see
[jdx/mise#9458](https://github.com/jdx/mise/pull/9458)) sees
`MISE_WINGS_ENABLED=1` and detects the GHA OIDC env vars
(`ACTIONS_ID_TOKEN_REQUEST_URL` + `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it:
1. Fetches the runner's OIDC token, scoped to the wings deployment
audience
2. POSTs it to `https://api.<host>/auth` to mint a wings CI session JWT
3. Caches the JWT in-process for the rest of the workflow run
4. Transparently rewrites `registry.npmjs.org` / `github.com` /
`api.github.com` URLs to the corresponding wings cache subdomains and
attaches the JWT as a Bearer header
## Why opt-in (not opt-out)
The default-off posture is deliberate. Many workflows already declare
`permissions: id-token: write` for unrelated reasons (SLSA provenance,
AWS OIDC, Sigstore, npm provenance, etc.). If `wings_enabled` defaulted
to `true`, those workflows would silently send the runner's OIDC
identity claims to a third-party cache without explicit consent. Cursor
Bugbot HIGH + Greptile P1+security correctly flagged the previous
"default true" iteration of this PR as a privacy regression.
Explicit opt-in keeps the gate visible in the workflow YAML.
## Workflow requirements
```yaml
permissions:
  id-token: write # required for OIDC
jobs:
  build:
    steps:
      - uses: jdx/mise-action@<sha>
        with:
          wings_enabled: true
```
The action emits a clear warning when `wings_enabled: true` but
`id-token: write` is missing — without that hint, the user would see
"wings configured but doing nothing" and have no clue why.
## Test plan
- [x] `npm run all` — format + lint + package, clean
- [x] `dist/index.js` rebuilt and contains the wings hook (greppable:
`MISE_WINGS_ENABLED`, `setupWings`)
- [ ] End-to-end: a workflow with `wings_enabled: true`, `permissions:
id-token: write`, an active wings subscription, and a recent enough
`mise` binary. The mise repo's own `docs.yml` will exercise this path
once [jdx/mise#9458](https://github.com/jdx/mise/pull/9458) is merged.
- [ ] Default-off path: a workflow without the `wings_enabled` input
behaves identically to today.
## Out of scope
- Older mise binaries will see `MISE_WINGS_ENABLED` and silently ignore
it (no wings client code) — that's intended; the action doesn't gate on
mise version.
- Self-hosted runners: `permissions: id-token: write` only does anything
on GitHub-hosted runners by default. Self-hosted runners need extra
config; the warning above is conservative enough for both cases.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
---
> [!NOTE]
> **Medium Risk**
> Introduces an opt-in path that can cause OIDC-based authentication to
> a third-party cache and alters tool download routing when enabled.
> Default-off behavior limits impact, but misconfiguration could create
> confusing cache bypass or unexpected network/token exchange behavior.
>
> **Overview**
> Adds a new **experimental** `wings_enabled` action input (default
> `false`) to opt workflows into the mise-wings asset cache by exporting
> `MISE_WINGS_ENABLED=1`.
>
> When enabled, the action now runs `setupWings()` early to set the env
> var and warn if GitHub OIDC env vars are missing (i.e., `permissions:
> id-token: write` not configured), while leaving existing/default
> behavior unchanged.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
> 969042fe52.</sup>
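The gate and the four-step exchange described under "How it works", as an added example that is not code from mise-action or from mise. It models the action-side `setupWings` check (export the env var, warn when the OIDC issuer variables are absent), the mise-side OIDC-to-session exchange with its in-process cache, and the origin-to-cache URL rewrite, as pure functions over an injected `transport` so everything runs offline. The GitHub OIDC request shape (GET `ACTIONS_ID_TOKEN_REQUEST_URL` with `&audience=`, bearer-authed with `ACTIONS_ID_TOKEN_REQUEST_TOKEN`, JWT returned in `value`) is the real one. The deployment host `wings.example`, the use of that host as the audience, the cache subdomain names `npm.`/`github.`/`api-github.`, and the `/auth` request body `{token}` and response `{token}` are assumptions for illustration, and the fake transport and its tokens are constructed.

```javascript
// Added example, not mise-action's or mise's own code: the opt-in gate, the
// GHA OIDC -> wings session exchange, the in-process session cache and the
// URL rewrite from "How it works", as pure functions over an injected
// transport so the flow runs offline. Assumed, not from the PR: the host,
// the cache subdomain names, and the /auth body {token} / response {token}.
const WINGS_HOST = "wings.example"; // hypothetical <host>
const OIDC_URL = "ACTIONS_ID_TOKEN_REQUEST_URL";
const OIDC_TOKEN = "ACTIONS_ID_TOKEN_REQUEST_TOKEN";

// Action side: default off is a pure no-op (no export, no warning).
function setupWings(inputs, env) {
  const out = { exports: {}, warnings: [] };
  if (inputs.wings_enabled !== "true") return out;
  out.exports.MISE_WINGS_ENABLED = "1";
  if (!env[OIDC_URL] || !env[OIDC_TOKEN]) {
    out.warnings.push("wings_enabled is true but the GitHub OIDC env vars are absent; " +
      "add `permissions: id-token: write` or wings stays inactive");
  }
  return out;
}

// mise side, steps 1-2. transport({method,url,headers,body}) -> {status,body}
// stands in for HTTP. The OIDC call is GitHub's real shape: GET the request
// URL with `&audience=`, bearer-authed with the request token, JWT in `value`.
function mintWingsSession(env, audience, transport) {
  if (env.MISE_WINGS_ENABLED !== "1" || !env[OIDC_URL] || !env[OIDC_TOKEN]) {
    return { session: null, reason: "disabled or no OIDC issuer" };
  }
  const idRes = transport({ method: "GET",
    url: `${env[OIDC_URL]}&audience=${encodeURIComponent(audience)}`,
    headers: { Authorization: `bearer ${env[OIDC_TOKEN]}` } });
  if (idRes.status !== 200) return { session: null, reason: `oidc ${idRes.status}` };
  const authRes = transport({ method: "POST", url: `https://api.${WINGS_HOST}/auth`,
    headers: { "content-type": "application/json" },
    body: { token: idRes.body.value } }); // assumed /auth contract
  // 402 = no subscription on the linked org: cache stays off, build proceeds.
  if (authRes.status === 402) return { session: null, reason: "no subscription (402)" };
  if (authRes.status !== 200) return { session: null, reason: `auth ${authRes.status}` };
  return { session: authRes.body.token, reason: "ok" };
}

// Step 3: one exchange per process per audience. Failures are cached too,
// so a 402 is not retried on every tool install in the same run.
const sessionCache = new Map();
function getWingsSession(env, audience, transport) {
  if (!sessionCache.has(audience)) sessionCache.set(audience, mintWingsSession(env, audience, transport));
  return sessionCache.get(audience);
}

// Step 4: only the three origins named in the PR are rewritten; any other
// URL passes through unchanged and never receives the Bearer header.
const ORIGIN_MAP = { "registry.npmjs.org": `npm.${WINGS_HOST}`,
  "github.com": `github.${WINGS_HOST}`, "api.github.com": `api-github.${WINGS_HOST}` };
function rewriteForWings(rawUrl, session) {
  const u = new URL(rawUrl);
  const target = ORIGIN_MAP[u.hostname];
  if (!session || !target) return { url: rawUrl, headers: {} };
  u.hostname = target;
  return { url: u.toString(), headers: { Authorization: `Bearer ${session}` } };
}

// Constructed fake of GitHub's OIDC issuer and the wings API; counts /auth hits.
function makeFakeTransport({ subscribed }) {
  const calls = { auth: 0 };
  const transport = (req) => {
    if (req.url.startsWith("https://oidc.example/token?") && req.url.includes("&audience=")) {
      return req.headers.Authorization === "bearer req-tok"
        ? { status: 200, body: { value: "oidc.jwt" } } : { status: 401, body: {} };
    }
    if (req.url === `https://api.${WINGS_HOST}/auth`) {
      calls.auth++;
      if (req.body.token !== "oidc.jwt") return { status: 401, body: {} };
      return subscribed ? { status: 200, body: { token: "sess.jwt" } } : { status: 402, body: {} };
    }
    return { status: 404, body: {} };
  };
  return { transport, calls };
}

// Drive one job end to end: gate, (cached) exchange, then two downloads.
function runScenario({ wingsEnabled, oidc, subscribed }) {
  sessionCache.clear();
  const env = oidc ? { [OIDC_URL]: "https://oidc.example/token?api-version=2.0", [OIDC_TOKEN]: "req-tok" } : {};
  const setup = setupWings({ wings_enabled: wingsEnabled }, env);
  Object.assign(env, setup.exports);
  const fake = makeFakeTransport({ subscribed });
  const sess = getWingsSession(env, WINGS_HOST, fake.transport);
  getWingsSession(env, WINGS_HOST, fake.transport); // second install: cache hit
  const npm = rewriteForWings("https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", sess.session);
  const other = rewriteForWings("https://example.org/tool.tar.gz", sess.session);
  return { warnings: setup.warnings.length, reason: sess.reason, exchanges: fake.calls.auth,
    npmUrl: npm.url, npmAuth: npm.headers.Authorization, otherUrl: other.url, otherAuth: other.headers.Authorization };
}
```

`runScenario` covers the four states a reviewer of this PR cares about: the default-off job never touches the OIDC issuer or `/auth`; `wings_enabled: true` without `id-token: write` produces exactly one warning and no exchange; a subscribed org gets one exchange for the whole run and a Bearer header only on rewritten origins; a 402 leaves the original URLs in place so the build still succeeds. Injecting the transport is what makes the OIDC path testable without a runner, and it also keeps the session JWT out of any URL, which matters because rewritten download URLs tend to end up in logs.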
123 lines
4.5 KiB
YAML
```yaml
name: mise action
description: Actions for working with mise runtime manager
author: Jeff Dickey <@jdx>
branding:
  icon: arrow-down-circle
  color: purple
inputs:
  version:
    required: false
    description: The version of mise to use. If not specified, will use the latest release.
  sha256:
    required: false
    description: The SHA256 checksum of the mise binary to verify the download.
  mise_dir:
    required: false
    description: |
      The directory that mise will be installed to, defaults to $HOME/.local/share/mise
      Or $XDG_DATA_HOME/mise if $XDG_DATA_HOME is set.
      Or $MISE_DATA_DIR if $MISE_DATA_DIR is set.
  tool_versions:
    required: false
    description: If present, this value will be written to the .tool-versions file
  mise_toml:
    required: false
    description: If present, this value will be written to the mise.toml file
  install:
    required: false
    default: "true"
    description: if false, will not run `mise install`
  install_args:
    required: false
    description: Arguments to pass to `mise install` such as "bun" to only install bun
  install_dir:
    required: false
    description: deprecated
  cache:
    required: false
    default: "true"
    description: if false, action will not read or write to cache
  cache_save:
    required: false
    default: "true"
    description: if false, action will not write to cache
  cache_key_prefix:
    required: false
    default: "mise-v1"
    description: The prefix key to use for the cache, change this to invalidate the cache
  cache_key:
    required: false
    description: |
      Override the complete cache key (ignores all other cache key options).
      Supports template variables: {{version}}, {{cache_key_prefix}}, {{platform}}, {{file_hash}},
      {{mise_env}}, {{install_args_hash}}, {{default}}, {{env.VAR_NAME}} for environment variables,
      and conditional logic like {{#if version}}...{{/if}}
  experimental:
    required: false
    default: "false"
    description: if true, will use experimental features
  log_level:
    required: false
    default: "info"
    description: The log level to use for the action
  working_directory:
    required: false
    description: The directory that mise runs in
  reshim:
    required: false
    default: "false"
    description: if true, will run `mise reshim --all` after setting up mise
  add_shims_to_path:
    required: false
    default: "true"
    description: if false, will not add mise shims directory to PATH
  github_token:
    required: false
    description: |
      GitHub token for API authentication to avoid rate limits when installing GitHub-hosted tools.
      Defaults to the automatic GitHub token.
    default: ${{ github.token }}
  fetch_from_github:
    required: false
    default: "true"
    description: If true (default), fetch the mise binary from GitHub. If false and using the latest version, fetch from mise.jdx.dev instead.
  env:
    description: "Automatically load mise env vars into GITHUB_ENV. Note that PATH modifications are not part of this."
    required: false
    default: "true"
  wings_enabled:
    description: |
      [experimental] Opt in to the mise-wings asset cache
      (https://mise-wings.en.dev) for this action invocation.

      When `true`, the action exports `MISE_WINGS_ENABLED=1` so
      the installed mise binary routes tool-install URLs (npm
      tarballs, GitHub release artifacts) through the per-org
      wings cache subdomains.

      Authentication is automatic via the runner's GitHub OIDC
      identity — no `mise wings login` step, no long-lived
      secret to rotate. The workflow must declare
      `permissions: id-token: write` so the OIDC token-issuer
      env vars are populated; without that, mise falls through
      to direct-origin fetches transparently.

      Default `false` is the conservative posture: a workflow
      with `id-token: write` (used for SLSA / AWS-OIDC /
      Sigstore / etc.) should not have its OIDC token sent to
      a third-party cache without explicit opt-in. Older mise
      binaries that don't speak wings ignore the env var
      entirely, so this is forward-compatible.

      Requires an active mise-wings subscription on the Clerk
      org linked to the GitHub org running the workflow;
      without one, the proxy 402s and mise leaves the cache
      off without affecting the workflow's success.
    required: false
    default: "false"
outputs:
  cache-hit:
    description: A boolean value to indicate if a cache was hit.
runs:
  using: node24
  main: dist/index.js
```