This PR contains the following updates:

| Package | Update | Change | Pending |
|---|---|---|---|
| [aube](https://redirect.github.com/endevco/aube) | minor | `v1.9.1` → `v1.14.1` | `v1.15.0` |

---

### Release Notes

<details>
<summary>endevco/aube (aube)</summary>

### [`v1.14.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.1): Install module split

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.14.0...v1.14.1)

A maintenance release with no user-facing behavior changes. The install command's growing `commands/install/mod.rs` was split into focused submodules to keep the install pipeline easier to navigate. Install behavior, flags, and output are unchanged from v1.14.0.

#### Changed

- *(install)* Extracted the fetch/import pipeline (local source import, lockfile fetch wrapper, store-index classification, tarball fetch/import, contextualized-index remapping) into a new `commands/install/fetch.rs` module ([#704](https://redirect.github.com/endevco/aube/pull/704) by [@jdx](https://redirect.github.com/jdx)).
- *(install)* Split the materializer, native-build critical-path heuristic, and workspace graph/lifecycle/per-project lockfile helpers into dedicated `materialize.rs`, `critical_path.rs`, and `workspace.rs` modules ([#702](https://redirect.github.com/endevco/aube/pull/702) by [@jdx](https://redirect.github.com/jdx)).
- *(install)* Moved post-pipeline helpers — `--lockfile-dir` importer remapping, human install summary output, `.aube` cache invalidation/orphan cleanup, and skipped-build warning replay — into `lockfile_dir.rs`, `summary.rs`, `sweep.rs`, and `unreviewed_builds.rs` ([#698](https://redirect.github.com/endevco/aube/pull/698) by [@jdx](https://redirect.github.com/jdx)).

**Full Changelog**: <https://github.com/endevco/aube/compare/v1.14.0...v1.14.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.14.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.14.0): Bloom-filtered OSV checks and lifecycle-script content sniffing

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.1...v1.14.0)

Two new opt-in supply-chain layers on top of the v1.13 gates: a ~380 KB bloom-filter prefilter that lets plain reinstalls cheaply probe the OSV `MAL-*` set without pulling the 200 MB mirror, and a regex-based content sniff that flags dangerous shapes in dependency `preinstall`/`install`/`postinstall` scripts before you click through `aube approve-builds`.

#### Added

- *(install)* **OSV bloom-filter prefilter for lockfile installs** ([#680](https://redirect.github.com/endevco/aube/pull/680) by [@jdx](https://redirect.github.com/jdx)) — New `advisoryBloomCheck` setting (`on` / `required` / `off`, default `off`) adds a fourth route to the post-resolve OSV decision table. Plain reinstalls probe the resolved transitive graph against a ~380 KB bloom filter fetched from [`endevco/osv-bloom`](https://redirect.github.com/endevco/osv-bloom) — regenerated upstream every 10 minutes from OSV's `MAL-*` archive — and only escalate bloom hits to the live `/querybatch` API for exact `(name, version)` confirmation. Bloom FPR is ~0.1%, so a typical 1000-package lockfile triggers zero or one extra live-API round trip per install.

  When both are configured, the bloom branch wins over the 200 MB `all.zip` mirror — under 1 MB on the wire, same live-API oracle, same `ERR_AUBE_MALICIOUS_PACKAGE` on a confirmed hit. Cached under `$XDG_CACHE_HOME/aube/osv-bloom/` and short-circuits the download when upstream's `set_digest_sha256` is unchanged. New warning `WARN_AUBE_OSV_BLOOM_REFRESH_FAILED`: under `on` install continues against the previously cached filter; under `required` it fails closed with `ERR_AUBE_ADVISORY_CHECK_FAILED`.

- *(install)* **Content-sniff dependency lifecycle scripts before approve-builds** ([#685](https://redirect.github.com/endevco/aube/pull/685) by [@jdx](https://redirect.github.com/jdx)) — aube's existing supply-chain gates (OSV `MAL-*`, downloads floor, bun-compat scanner, `BuildPolicy` allowlist) are all name-based; none inspects what `postinstall` actually does, which leaves an OSV-ingest-lag window of 12–48h that the 2024–2026 wave of unobfuscated `curl … | sh` postinstalls walked right through.

  New regex matcher fires advisory warnings for known-dangerous shapes in lifecycle script bodies:

  | Signal | Catches |
  | --- | --- |
  | `ShellPipe` | `curl … \| sh`, `wget … \| bash`, `… \| node` |
  | `EvalDecode` | `eval(atob(…))`, `Function(atob(…))`, `eval(Buffer.from(…))` |
  | `CredentialFileRead` | `~/.ssh`, `~/.aws`, `~/.npmrc`, `~/.config/gh` reads |
  | `SecretEnvRead` | `process.env.*(TOKEN\|SECRET\|API_KEY\|PASSWORD\|ACCESS_KEY\|PRIVATE_KEY\|AUTH)` |
  | `ExfilEndpoint` | Discord/Telegram webhooks, OAST hosts (`oast.pro`, `interactsh`, `webhook.site`, `pipedream.net`, `ngrok.io`, …) |
  | `BareIpHttp` | Bare-IP HTTP fetch targets (literal IPv4 hosts over plain HTTP) |

  Sniff is advisory — `allowBuilds` still gates execution — and shows up in three places: end-of-install emits one `WARN_AUBE_SUSPICIOUS_LIFECYCLE_SCRIPT` per flagged package alongside the existing `WARN_AUBE_IGNORED_BUILD_SCRIPTS`; `aube approve-builds` annotates picker rows with `⚠ suspicious: <category>` and prints a pre-picker summary of the matched hook+description; `aube ignored-builds` indents `⚠ <hook> — <description>` lines under each `name@version`. Findings are re-derived per install rather than persisted, so the regex set can evolve without a state-file migration. Works offline, doesn't degrade to advisory in headless CI.

#### Changed

- Refreshed `benchmarks/results.json` against v1.13.1 and Bun 1.3.14 ([#687](https://redirect.github.com/endevco/aube/pull/687)) — public ratios update to warm installs **3× Bun / 6× pnpm**, repeat test **6× Bun / 45× pnpm**.

**Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.1...v1.14.0>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.13.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.1): Version-aware transitive MAL-* gate

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.13.0...v1.13.1)

A targeted fix for the transitive supply-chain gate added in v1.13.0: the post-resolve OSV check is now version-aware, so name-level `MAL-*` advisories stop blocking installs that resolve to clean versions of the same package.

#### Fixed

- *(install)* **Version-aware transitive `MAL-*` check** ([#682](https://redirect.github.com/endevco/aube/pull/682) by [@jdx](https://redirect.github.com/jdx)) — The post-resolve gate was reusing the pre-resolve name-only OSV query, so any name-level advisory hit every install that transitively pulled in *any* version of that package. Concretely, `aube add cowsay@1.6.0` refused with `ERR_AUBE_MALICIOUS_PACKAGE` because cowsay's tree includes `ansi-regex@3.0.1`, and `ansi-regex` carries the Sep 2025 shai-hulud advisory `MAL-2025-46966` against `6.2.1` — a version published years after `3.0.1`. The live-API and OSV-mirror lookups now send `(name, version)` pairs, refusal messages surface `name@version (MAL-…)`, and the local mirror index bumps to `format = 2` (storing per-advisory affected versions; v1 indexes rebuild on next refresh, and advisories with no enumerated versions still fail closed). The pre-resolve `aube add` name-gate keeps its versionless query — typosquats are malicious in every version.

**Full Changelog**: <https://github.com/endevco/aube/compare/v1.13.0...v1.13.1>

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.13.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.13.0): Supply-chain gates for `aube add`

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.12.0...v1.13.0)

#### Added

- *(install)* Bun-compatible pluggable security scanner — drop in any `securityScanner` package that follows the Bun Security Scanner API (oven-sh template, `@socketsecurity/bun-security-scanner`, etc.) and aube runs it post-resolve against the full graph via a `node` bridge ([#657](https://redirect.github.com/endevco/aube/pull/657))
- *(add)* Supply-chain gates on `aube add`: OSV `MAL-*` advisory hard-block plus a weekly-downloads floor with TTY prompt / `--allow-low-downloads` bypass. New `advisoryCheck` and `lowDownloadThreshold` settings, both folded into `paranoid: true` ([#656](https://redirect.github.com/endevco/aube/pull/656))
- *(install)* OSV checks now extend to the full resolved graph, routed live-API vs. local OSV mirror based on whether resolution produced fresh `(name, version)` picks; opt-in `advisoryCheckOnInstall` covers plain reinstalls, `advisoryCheckEveryInstall` forces live API every time ([#678](https://redirect.github.com/endevco/aube/pull/678))
- *(add)* Auto-skip supply-chain gates for packages routed through a non-`registry.npmjs.org` registry, plus a new `allowedUnpopularPackages` glob allowlist to silence the downloads gate on known-internal names ([#673](https://redirect.github.com/endevco/aube/pull/673))

#### Changed

- *(install)* No longer rewrites `package.json` / workspace yaml to seed `allowBuilds: { <pkg>: "set this to true or false" }` placeholders for unreviewed build scripts ([#662](https://redirect.github.com/endevco/aube/pull/662))
- *(install perf)* Deleted the pre-resolver direct-dep packument prefetch; 12–22% wall-time win across fixture size, bandwidth, and RTT ([#672](https://redirect.github.com/endevco/aube/pull/672))
- *(add)* `--allow-build=<pkg>` now flips an existing deny instead of erroring, help renders correctly as `--allow-build=<PKG>`, and the no-op `--ignore-scripts` is hidden on `add` / `import` / `update` ([#660](https://redirect.github.com/endevco/aube/pull/660))

#### Fixed

- *(linker)* Windows bin shims for `aube add --global … --allow-build=<dep>` no longer emit a duplicated install-root path segment when `.aube/<dep>/` sits behind a directory junction ([#659](https://redirect.github.com/endevco/aube/pull/659))
- *(global)* `aube remove --global` on Windows no longer fails with `Access is denied (os error 5)` on the hash pointer when it's an NTFS directory junction ([#658](https://redirect.github.com/endevco/aube/pull/658))

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.12.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.12.0): Tidier config, smarter installs from bun.lock

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.11.0...v1.12.0)

A round of fixes driven by user reports — `bun.lock` imports now keep peer-only packages, the store layout is reorganized so one cache mount covers everything, and `aube config set` stops scribbling unknown keys into `.npmrc`.

#### Added

- **Smarter `aube config set` / `delete` routing** ([#634](https://redirect.github.com/endevco/aube/pull/634) by [@jdx](https://redirect.github.com/jdx)) — Writes only land in `.npmrc` for the npm-shared surface (per-host auth/cert templates, scoped registries, and a curated allowlist of npm-standard scalars like `registry`, `proxy`, `fetch-retries`, …). Aube-only and pnpm-only keys (`autoInstallPeers`, `dangerouslyAllowAllBuilds`, `pnpmfilePath`, …) plus unknown free-form keys now go to `~/.config/aube/config.toml`. Dotted writes for aube map settings — `aube config set --local allowBuilds.@mongodb-js/zstd true`, `aube config set --local overrides.lodash 4.17.21` — edit a single entry of `pnpm-workspace.yaml` (or `package.json#<pnpm|aube>.<map>`) in place. `aube config delete` sweeps both files so legacy writes from older versions are still cleaned up. New error code `ERR_AUBE_CONFIG_NESTED_AUBE_KEY` covers invalid nested writes.
- **Polished install progress display** ([#616](https://redirect.github.com/endevco/aube/pull/616) by [@jdx](https://redirect.github.com/jdx)) — The bar is now cyan across every phase (no more "completing twice" as the phase flips green), reserves the final slice so it never reads 100% while the linker is still running, and paints a full 100% from a new `done` phase on `finish()` / `stop()` so the last frame matches the `✓` summary line. The displayed `~XX MB` total is now a dynamic blend of the static `unpackedSize × 0.20` fallback and a linear extrapolation from observed bytes-per-package — converging to the real total instead of overshooting by ~48%. `resolving` switched yellow → cyan, the `pkgs` counter is bold/uncolored mid-install, and `WARN_AUBE_SLOW_METADATA` drops redundant fields.

#### Fixed

- **Peer-only packages from `bun.lock` no longer silently dropped** ([#639](https://redirect.github.com/endevco/aube/pull/639) by [@jdx](https://redirect.github.com/jdx)) — `filter_graph`'s GC walk ran *before* `hoist_auto_installed_peers`, so peer-installed deps like `@mui/material` that weren't directly listed in workspace `dependencies:` got pruned as unreachable before the hoist could promote them. The pipeline now hoists first, then walks. On the linked repro, `aube install` goes from 6 packages (with broken `@mui/material` / `@emotion/*`) to 44 with everything resolved.
- **`bun.lock` imports now run the peer-context pass** ([#619](https://redirect.github.com/endevco/aube/pull/619) by [@jdx](https://redirect.github.com/jdx)) — `LockfileKind::Bun` was missing from the `apply_peer_contexts` branch, so peer-dependent packages landed at `.aube/<pkg>@<ver>/` without sibling peer links and walked up to whatever hoisted copy they found. Now they get peer-qualified `dep_paths` (e.g. `@cloudflare+vite-plugin@1.17.1_vite@8.0.10_…`) with correct sibling symlinks, matching the npm-lockfile import behavior.
- **Stale cached indexes now self-heal at fetch time** ([#635](https://redirect.github.com/endevco/aube/pull/635) by [@jdx](https://redirect.github.com/jdx)) — Cached package indexes moved from `$XDG_CACHE_HOME/aube/index/` into the store at `<store>/v1/index/`, next to `v1/files/`. The install fast path swapped `load_index` for `load_index_verified`, so an index whose CAS shards have drifted out from under it is dropped at fetch classification and the tarball re-fetched cleanly — instead of the materializer dying mid-link with `ERR_AUBE_MISSING_STORE_FILE`. Fixes a BuildKit cache-mount footgun where only one of the two cache dirs would be persisted.
- **`engines.pnpm` no longer triggers spurious version warnings** ([#633](https://redirect.github.com/endevco/aube/pull/633) by [@jdx](https://redirect.github.com/jdx)) — A project pinning `engines.pnpm: ">=10.11.1"` produced `warn: wanted pnpm >=10.11.1, got 1.x` on every install (or a hard failure under `engine-strict`). Aube and pnpm live in different version namespaces, so honoring this field was net-negative. `engines.pnpm` is now skipped entirely; `engines.aube` is still honored for projects that want to gate on the running tool, and `engines.node` is unchanged.
- **`update -i` no longer reports phantom upgrade rows for catalog deps** ([#636](https://redirect.github.com/endevco/aube/pull/636) by [@jdx](https://redirect.github.com/jdx)) — When a `catalog:` dep resolved to a newer version while the same name was pulled in transitively at an older one (e.g. `jose@6.2.3` direct + `jose@5.10.0` via `@upstash/qstash`), `lookup_pkg`'s name-scan picked the transitive snapshot as "current" and offered a downgrade row the rewrite path then ignored. Lookup now goes through the importer's `DirectDep.dep_path`. The companion fix extends the `--latest` prerelease guard to the *locked* version, so `"^1.0.0-rc.1"` isn't silently rewritten to whatever the registry's `latest` dist-tag points at.
- **`update` / `add` / `dedupe` / `remove` / `audit` preserve cross-platform optionals and `time:` entries** ([#637](https://redirect.github.com/endevco/aube/pull/637) by [@jdx](https://redirect.github.com/jdx)) — These commands now route through install's `configure_resolver`, inheriting the full settings pipeline (`supportedArchitectures`, `resolutionMode`, `minimumReleaseAge`, overrides, …). They opt out of the full-packument disk cache so an immediately-following re-resolve picks up registry `dist-tag` changes, and the resolver carries forward the prior lockfile's `time:` entry when a fresh corgi packument lacks publish time for a resolved version — so direct deps don't lose their `time:` line on update.
- **`aube add --global --allow-build=<pkg>` actually pre-approves builds** ([#620](https://redirect.github.com/endevco/aube/pull/620) by [@jdx](https://redirect.github.com/jdx)) — The synthetic inner `AddArgs` was being built with `allow_build: Vec::new()`, silently dropping the outer flag and erroring with "must be reviewed before install" under `strictDepBuilds=true`. The flag is now plumbed through `run_global` / `run_global_inner` and approvals are written to the throwaway install dir's `package.json#aube.allowBuilds` before lifecycle scripts run.

#### Changed

- **`aube store path` now returns the `v1/` directory** ([#635](https://redirect.github.com/endevco/aube/pull/635)) — One level above the previous `v1/files/` output, so a single Docker BuildKit cache mount or backup captures both the CAS and the new co-located index dir. Scripts consuming `aube store path` will now mount one level higher (the intended behavior). A lazy in-place migration from the legacy `$XDG_CACHE_HOME/aube/index/` location runs on the first store open after upgrade (rename fast path, recursive-copy fallback for cross-FS).

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.11.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.11.0): Workspace-root flags, scoped config, and a 2× macOS CAS fast path

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.4...v1.11.0)

#### Added

- *(install)* Fill the resolving bar against a real denominator so the progress bar advances during dependency resolution ([#611](https://redirect.github.com/endevco/aube/pull/611))
- *(outdated, update)* Wire `-w/--workspace-root` to retarget cwd at the workspace root from a sub-package ([#614](https://redirect.github.com/endevco/aube/pull/614))
- *(config)* Scope-split settings precedence and project `<cwd>/.config/aube/config.toml` support ([#608](https://redirect.github.com/endevco/aube/pull/608))
- *(deploy)* Accept `--offline` and `--prefer-offline`, forwarded into the deploy install ([#606](https://redirect.github.com/endevco/aube/pull/606))
- *(store)* Direct-write CAS fast path on macOS under an exclusive install lock (~2× per-file CAS write speedup) ([#615](https://redirect.github.com/endevco/aube/pull/615))

#### Fixed

- *(linker)* Bin shims now point `NODE_PATH` at the hidden modules dir, and the isolated linker defaults `preferSymlinkedExecutables` to shims so `extendNodePath` actually works ([#613](https://redirect.github.com/endevco/aube/pull/613))
- *(install/lockfile/outdated/update)* Address several bugs reported in [#602](https://redirect.github.com/endevco/aube/discussions/602): lockfile rewrites when a dep moves between `dependencies`/`devDependencies`, `outdated -r` includes the workspace root, semver-diff color in `Wanted`/`Latest`, smarter `update -i` picker, and `updateConfig.ignoreDependencies` is loaded from the workspace root ([#610](https://redirect.github.com/endevco/aube/pull/610))
- *(install)* Probe link strategy against the actual destination dir so cross-FS installs with GVS enabled hardlink instead of falling back to per-file copy ([#604](https://redirect.github.com/endevco/aube/pull/604))
- *(install)* Surface the underlying materializer error instead of a generic "channel closed" message ([#607](https://redirect.github.com/endevco/aube/pull/607))
- *(progress)* Clamp `reused` on a downward `set_total` rebase so summaries stop reporting `reused > resolved` ([#609](https://redirect.github.com/endevco/aube/pull/609))
- *(config)* Preserve a symlinked `~/.config/aube/config.toml` on write ([#605](https://redirect.github.com/endevco/aube/pull/605))
- *(registry)* Coalesce slow-metadata warnings into a single resolve-end summary instead of one warning per slow packument ([#592](https://redirect.github.com/endevco/aube/pull/592))

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.10.4`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.4): Streaming tarball retries + 32-bit Linux build fix

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.3...v1.10.4)

Two targeted fixes: cold installs now retry transient registry failures on the streaming tarball path, and `aube-store` builds cleanly on 32-bit Linux again.

#### Fixed

- **Streaming tarball fetch retries transient failures** ([#591](https://redirect.github.com/endevco/aube/pull/591) by [@jdx](https://redirect.github.com/jdx)) — `start_tarball_stream` (the default install hot path for sha512-pinned lockfile entries) used to skip retry entirely to avoid unwinding partial CAS writes mid-stream. That reasoning is sound for mid-stream errors, but it also leaked into *pre-response* failures: a 503, 429, connection refused, or connection reset before any chunk had flowed would propagate straight back to the caller with no recovery, while the buffered path retried the same failures up to `fetchRetries` times. The initial `send().await` now retries on `is_retriable_status` (5xx + 429, honoring `Retry-After`) and on transport errors (bounded by `TIMEOUT_RETRY_CAP`), emitting the existing `WARN_AUBE_HTTP_RETRY_TRANSIENT` / `_TRANSPORT` logs. Once headers pass `error_for_status` and chunks start flowing, behavior is unchanged. Caught on a macOS PGO dry-run where Verdaccio / the throttle-proxy hiccupped and the install bailed without a single retry log line.
- **`aube-store` builds on 32-bit Linux** ([#587](https://redirect.github.com/endevco/aube/pull/587) by [@jdx](https://redirect.github.com/jdx)) — The `posix_fallocate` wrapper hard-coded `len: i64`, which matches `libc::off_t` on every 64-bit target but breaks armhf, where the default (non-LFS) `off_t = i32`. The wrapper now takes `libc::off_t` directly and the single call site casts `bytes.len() as libc::off_t`, unblocking Launchpad's Ubuntu Resolute armhf build of aube and any downstream `armv7-unknown-linux-gnueabihf` consumer.

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.10.3`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.3)

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.2...v1.10.3)

> [!NOTE]
> No user-visible code changes since v1.10.2. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling.

#### Fixed

- *(ci)* Add native `aarch64-unknown-linux-gnu` PGO matrix row and bump macOS arm64 PGO to `macos-arm64-large` to work around the v1.10.1 instrumented-binary segfault ([#582](https://redirect.github.com/endevco/aube/pull/582))
- *(bench)* Install yarn 4 via `npm:@yarnpkg/cli-dist@latest` — the `yarn` npm package only publishes 1.x and 2.x ([#583](https://redirect.github.com/endevco/aube/pull/583))
- *(bench)* Pass `--frozen-lockfile` to vlt install scenarios so vlt is measured on the same path as every other tool in the matrix ([#581](https://redirect.github.com/endevco/aube/pull/581))

#### Binaries

This release ships without prebuilt archives. Install via `cargo install aube`, `mise use aube`, or `npm i -g aube`.

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.10.2`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.2)

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.1...v1.10.2)

> [!NOTE]
> No user-visible code changes since v1.10.1. Tagged so the release-plz / `cargo publish` cadence stays unbroken; entries below are CI and benchmark tooling.

#### Changed

- *(ci)* Bump x86_64 Linux PGO release runners to `linux-amd64-large` (32 GB) to fix OOM during the instrumented link step ([#577](https://redirect.github.com/endevco/aube/pull/577))
- *(docs)* Benchmark matrix switches yarn to berry, adds **deno** and **vlt**, refreshes the landing-page chart ([#578](https://redirect.github.com/endevco/aube/pull/578))

#### Binaries

This release has a partial archive set. For a complete set of prebuilts, use a later release — or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`.

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.10.1`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.1)

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.10.0...v1.10.1)

#### Added

- *(install)* Post-install summary flags **deprecated** and **outdated** direct deps inline so you see what to upgrade without scrolling back through fetch output ([#575](https://redirect.github.com/endevco/aube/pull/575))

#### Fixed

- *(deploy)* `aube deploy` resolves `catalog:` references and accepts packages without an explicit `version` field ([#574](https://redirect.github.com/endevco/aube/pull/574))
- *(install)* Pad package counts in the progress UI and drop the ETA placeholder when none is available ([#570](https://redirect.github.com/endevco/aube/pull/570))
- *(release)* `npm publish` skips already-published versions so re-running the publish workflow is idempotent ([#565](https://redirect.github.com/endevco/aube/pull/565))

#### Changed

- *(release)* x86_64 Linux GNU/musl and macOS arm64 binaries now ship as PGO-optimized artifacts. Linux x86_64 uses `cross` for the glibc baseline; macOS arm64 builds natively ([#572](https://redirect.github.com/endevco/aube/pull/572))

#### Performance

- *(registry)* Swap `simd-json` for `sonic-rs` on the packument hot path ([#569](https://redirect.github.com/endevco/aube/pull/569))
- *(registry)* Drop deep clone and `fsync` from packument cache writes ([#568](https://redirect.github.com/endevco/aube/pull/568))

#### Binaries

This release has a partial archive set. For a complete set of prebuilts, use a later release — or install via `cargo install aube`, `mise use aube`, or `npm i -g aube`.

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

### [`v1.10.0`](https://redirect.github.com/endevco/aube/releases/tag/v1.10.0): Recursive runs grow up, install gets a diagnostics microscope

[Compare Source](https://redirect.github.com/endevco/aube/compare/v1.9.1...v1.10.0)

#### Added

- *(cli)* Wire the recursive-run flags (`--sort`/`--no-sort`, `--reverse`, `--resume-from`, `--workspace-concurrency`, `--reporter-hide-prefix`) and add a per-package output multiplexer for parallel runs ([#545](https://redirect.github.com/endevco/aube/pull/545))
- *(diag)* End-to-end install instrumentation and the `aube diag analyze` / `aube diag compare` subcommands behind a new `--diag <summary|trace|live|full>` flag ([#547](https://redirect.github.com/endevco/aube/pull/547))
- *(install)* Post-install dependency summary grouped by dependency type ([#559](https://redirect.github.com/endevco/aube/pull/559))
- *(update)* `--lockfile-only` flag to refresh `aube-lock.yaml` without touching `node_modules` ([#560](https://redirect.github.com/endevco/aube/pull/560))
- *(add)* `linkWorkspacePackages` and `saveWorkspaceProtocol` settings plus `--save-workspace-protocol` / `--no-save-workspace-protocol` flags ([#539](https://redirect.github.com/endevco/aube/pull/539))

#### Fixed

- *(workspace)* Linker no longer substitutes a workspace sibling for a registry-pinned dep, lockfile drift flags orphan importers, recursive `remove` skips projects that don't declare the dep, and parent-relative `../**` globs in `pnpm-workspace.yaml` are honored ([#564](https://redirect.github.com/endevco/aube/pull/564))
- *(workspace)* Filtered runs respect `--workspace-root` and `includeWorkspaceRoot: true` ([#556](https://redirect.github.com/endevco/aube/pull/556))
- *(update)* Filtered workspace updates merge back into the shared root lockfile under `sharedWorkspaceLockfile=true` instead of leaving per-package `aube-lock.yaml` files behind ([#558](https://redirect.github.com/endevco/aube/pull/558))
- *(update)* `--interactive` renders a multiselect picker, fails fast on non-TTY, and `--latest` preserves `catalog:` / `catalog:<name>` specifiers ([#552](https://redirect.github.com/endevco/aube/pull/552))
- *(pnpmfile)* Hard-fail the install when a defined `readPackage` hook returns a non-object ([#562](https://redirect.github.com/endevco/aube/pull/562))
- *(deploy)* Keep filtered workspace packages in the index when `package.json` has no `version` ([#549](https://redirect.github.com/endevco/aube/pull/549))
- *(install)* Inherit top-level `pnpm.allowBuilds` approvals into the nested install used for git-dep `prepare` ([#546](https://redirect.github.com/endevco/aube/pull/546))
- *(cli)* Skip `verifyDepsBeforeRun` checks when `npm_lifecycle_event` is set, fixing both the `error`-mode hard-fail and the `install`-mode lock deadlock from nested `aube run` inside lifecycle scripts ([#538](https://redirect.github.com/endevco/aube/pull/538))
- *(install)* Interactive `aube approve-builds` requires at least one selection and the TTY guard checks both stdin and stderr ([#537](https://redirect.github.com/endevco/aube/pull/537))

#### Changed

- *(install)* New `aube_util::adaptive` limiter (slow-start, AIMD, CUSUM-gated shrink) wired at every previously magic-numbered concurrency site, with a separate http1-only reqwest client for tarball downloads ([#548](https://redirect.github.com/endevco/aube/pull/548))

#### 💚 Sponsor aube

aube is part of [**en.dev**](https://en.dev) — an independent developer-tooling studio run by [@jdx](https://redirect.github.com/jdx), also behind [mise](https://mise.jdx.dev/). Work on aube is funded entirely by sponsors. If aube is saving your team install time or CI minutes, please consider [sponsoring at en.dev](https://en.dev). Individual and company sponsorships are what keep the project fast, free, and independent.

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation - Only on Friday (`* * * * 5`)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/jdx/mise-action).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Example Workflow

```yaml
name: test
on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: jdx/mise-action@v4
        with:
          version: 2026.3.10 # [default: latest] mise version to install
          install: true # [default: true] run `mise install`
          install_args: "bun" # [default: ""] additional arguments to `mise install`
          cache: true # [default: true] cache mise using GitHub's cache
          experimental: true # [default: false] enable experimental features
          log_level: debug # [default: info] log level
          # automatically write this .tool-versions file
          tool_versions: |
            shellcheck 0.11.0
          # or, if you prefer .mise.toml format:
          mise_toml: |
            [tools]
            shellcheck = "0.11.0"
          working_directory: app # [default: .] directory to run mise in
          reshim: false # [default: false] run `mise reshim -f`
          github_token: ${{ secrets.GITHUB_TOKEN }} # [default: ${{ github.token }}] GitHub token for API authentication
      - run: shellcheck scripts/*.sh
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: jdx/mise-action@v4
      # .tool-versions will be read from repo root
      - run: node ./my_app.js
```
Cache Configuration

You can customize the cache key used by the action:

```yaml
- uses: jdx/mise-action@v4
  with:
    cache_key: "my-custom-cache-key" # Override the entire cache key
    cache_key_prefix: "mise-v1" # Or just change the prefix (default: "mise-v0")
```
Template Variables in Cache Keys

When using `cache_key`, you can use template variables to reference internal values:

```yaml
- uses: jdx/mise-action@v4
  with:
    cache_key: "mise-{{platform}}-{{version}}-{{file_hash}}"
    version: "2026.3.10"
    install_args: "node python"
```

Available template variables:

- `{{version}}` - The mise version (from the `version` input)
- `{{cache_key_prefix}}` - The cache key prefix (from the `cache_key_prefix` input or default)
- `{{platform}}` - The target platform, including the runner image (e.g., "linux-x64-ubuntu24", "macos-arm64-macos15", "linux-x64-self-hosted"). The trailing segment is `process.env.ImageOS` on github-hosted runners and falls back to `"self-hosted"` elsewhere — preventing cache collisions when the same repo runs on different runner providers (github-hosted, namespace.so, self-hosted).
- `{{file_hash}}` - Hash of all mise configuration files
- `{{mise_env}}` - The MISE_ENV environment variable value
- `{{install_args_hash}}` - SHA256 hash of the sorted tools from install args
- `{{default}}` - The processed default cache key (useful for extending)

Conditional logic is also supported using Handlebars syntax like `{{#if version}}...{{/if}}`.
Example using multiple variables:

```yaml
- uses: jdx/mise-action@v4
  with:
    cache_key: "mise-v1-{{platform}}-{{install_args_hash}}-{{file_hash}}"
    install_args: "node@24 python@3.14"
```

You can also extend the default cache key:

```yaml
- uses: jdx/mise-action@v4
  with:
    cache_key: "{{default}}-custom-suffix"
    install_args: "node@24 python@3.14"
```
This gives you full control over cache invalidation based on the specific aspects that matter to your workflow.
GitHub API Rate Limits
When installing tools hosted on GitHub (like gh, node, bun, etc.), mise needs to make API calls to GitHub's releases API. Without authentication, these calls are subject to GitHub's rate limit of 60 requests per hour, which can cause installation failures.
```yaml
- uses: jdx/mise-action@v4
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    # your other configuration
```

Note: The action automatically uses `${{ github.token }}` as the default, so in most cases you don't need to explicitly provide it. However, if you encounter rate limit errors, make sure the token is being passed correctly.
Alternative Installation
Alternatively, mise is easy to use in GitHub Actions even without this:
```yaml
jobs:
  build:
    steps:
      - run: |
          curl https://mise.run | sh
          echo "$HOME/.local/share/mise/bin" >> $GITHUB_PATH
          echo "$HOME/.local/share/mise/shims" >> $GITHUB_PATH
```