actions/mise-action
12
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-05-14 05:50:31 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
No description
633 commits 8 branches 67 tags 60 MiB
Find a file
jdx 969042fe52
feat: add wings_enabled input (mise-wings cache integration) 
Adds a single new input — `wings_enabled` — that gates the
[mise-wings](https://mise-wings.en.dev) asset cache for tool
installs. Existing workflows are unaffected: default `false`
is a no-op.

| Input | Default | Description |
|---|---|---|
| `wings_enabled` | `false` | Route tool-install URLs through the wings cache when `true` |

## How it works

When `wings_enabled: true`, the action exports
`MISE_WINGS_ENABLED=1`. Authentication is fully automatic —
mise itself owns the GHA OIDC → wings session exchange. No
`mise wings login` step in workflow YAML, no long-lived
secrets to rotate.

When mise (built with wings support — see jdx/mise#9458)
sees `MISE_WINGS_ENABLED=1` and detects the GHA OIDC env
vars (`ACTIONS_ID_TOKEN_REQUEST_URL` +
`ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it:

  1. Fetches the runner's OIDC token, scoped to the wings
     deployment audience
  2. POSTs it to `https://api.<host>/auth` to mint a wings
     CI session JWT
  3. Caches the JWT in-process for the rest of the workflow
  4. Transparently rewrites `registry.npmjs.org` /
     `github.com` / `api.github.com` URLs to the wings
     cache subdomains and attaches the JWT as a Bearer
     header

## Why opt-in (not opt-out)

The default-off posture is deliberate. Many workflows
already declare `permissions: id-token: write` for unrelated
reasons (SLSA provenance, AWS OIDC, Sigstore, npm
provenance). If `wings_enabled` defaulted to `true`, those
workflows would silently send the runner's OIDC identity
claims to a third-party cache without explicit consent.
Cursor Bugbot HIGH + Greptile P1+security flagged a prior
"default true" iteration of this PR as a privacy
regression.

Explicit opt-in keeps the gate visible in the workflow YAML.

## Workflow requirements

```yaml
permissions:
  id-token: write   # required for OIDC

jobs:
  build:
    steps:
      - uses: jdx/mise-action@<sha>
        with:
          wings_enabled: true
```

The action emits a clear warning when `wings_enabled: true`
but `id-token: write` is missing — without that hint, the
user would see "wings configured but doing nothing" and have
no clue why.

## Notes

- Older mise binaries see `MISE_WINGS_ENABLED` and silently
  ignore it — forward-compatible.
- `setupMise` fetches the mise binary itself with `curl`,
  which doesn't go through mise's HTTP layer; the wings
  rewriter only kicks in once the resulting mise binary
  runs `mise install`. The action sets the env var before
  any `mise` subcommand runs.
2026-04-29 09:31:06 -05:00
.github chore: migrate package manager from npm/pnpm/bun to aube (#455) 2026-04-29 09:13:34 -05:00
.husky fix: run npm install in pre-commit hook before build (#410) 2026-03-22 10:54:05 -05:00
dist feat: add wings_enabled input (mise-wings cache integration) 2026-04-29 09:31:06 -05:00
scripts chore: remove duplicate release-plz logic 2025-08-18 11:57:51 -05:00
src feat: add wings_enabled input (mise-wings cache integration) 2026-04-29 09:31:06 -05:00
.eslintrc.yml feat: support windows (#122) 2024-09-25 21:27:52 +00:00
.gitattributes updated action template base from actions/typescript-action (#170) 2023-10-16 19:18:57 -05:00
.gitignore chore: migrate package manager from npm/pnpm/bun to aube (#455) 2026-04-29 09:13:34 -05:00
.npmrc chore: migrate package manager from npm/pnpm/bun to aube (#455) 2026-04-29 09:13:34 -05:00
.prettierignore updated action template base from actions/typescript-action (#170) 2023-10-16 19:18:57 -05:00
.prettierrc.json updated action template base from actions/typescript-action (#170) 2023-10-16 19:18:57 -05:00
action.yml feat: add wings_enabled input (mise-wings cache integration) 2026-04-29 09:31:06 -05:00
CHANGELOG.md chore: release v4.0.1 (#406) 2026-03-22 16:06:38 +00:00
CLAUDE.md chore: migrate package manager from npm/pnpm/bun to aube (#455) 2026-04-29 09:13:34 -05:00
cliff.toml docs: hide release entries in CHANGELOG 2025-08-18 11:50:35 -05:00
CODEOWNERS jdxcode -> jdx 2023-08-27 12:12:44 -05:00
eslint.config.mjs chore: updated deps 2024-11-27 18:10:51 -06:00
LICENSE Initial commit 2023-01-14 08:11:40 -06:00
mise.lock chore: migrate package manager from npm/pnpm/bun to aube (#455) 2026-04-29 09:13:34 -05:00
mise.toml chore: migrate package manager from npm/pnpm/bun to aube (#455) 2026-04-29 09:13:34 -05:00
package-lock.json chore(deps): lock file maintenance (#439) 2026-04-29 13:10:10 +00:00
package.json chore: migrate package manager from npm/pnpm/bun to aube (#455) 2026-04-29 09:13:34 -05:00
README.md docs: bump more versions listed in README.md (#408) 2026-03-21 23:43:54 +01:00
rollup.config.mjs chore: migrate package manager from npm/pnpm/bun to aube (#455) 2026-04-29 09:13:34 -05:00
tsconfig.json chore: migrate from ncc (CJS) to rollup (ESM) (#436) 2026-04-11 12:55:09 -05:00

README.md

Example Workflow

name: test
on:
  pull_request:
    branches:
      - main
  push:
    branches:
      - main
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: jdx/mise-action@v4
        with:
          version: 2026.3.10 # [default: latest] mise version to install
          install: true # [default: true] run `mise install`
          install_args: "bun" # [default: ""] additional arguments to `mise install`
          cache: true # [default: true] cache mise using GitHub's cache
          experimental: true # [default: false] enable experimental features
          log_level: debug # [default: info] log level
          # automatically write this .tool-versions file
          tool_versions: |
            shellcheck 0.11.0
          # or, if you prefer .mise.toml format:
          mise_toml: |
            [tools]
            shellcheck = "0.11.0"
          working_directory: app # [default: .] directory to run mise in
          reshim: false # [default: false] run `mise reshim -f`
          github_token: ${{ secrets.GITHUB_TOKEN }} # [default: ${{ github.token }}] GitHub token for API authentication
      - run: shellcheck scripts/*.sh
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: jdx/mise-action@v4
      # .tool-versions will be read from repo root
      - run: node ./my_app.js

Cache Configuration

You can customize the cache key used by the action:

- uses: jdx/mise-action@v4
  with:
    cache_key: "my-custom-cache-key"  # Override the entire cache key
    cache_key_prefix: "mise-v1"       # Or just change the prefix (default: "mise-v0")

Template Variables in Cache Keys

When using cache_key, you can use template variables to reference internal values:

- uses: jdx/mise-action@v4
  with:
    cache_key: "mise-{{platform}}-{{version}}-{{file_hash}}"
    version: "2026.3.10"
    install_args: "node python"

Available template variables:

  • {{version}} - The mise version (from the version input)
  • {{cache_key_prefix}} - The cache key prefix (from cache_key_prefix input or default)
  • {{platform}} - The target platform (e.g., "linux-x64", "macos-arm64")
  • {{file_hash}} - Hash of all mise configuration files
  • {{mise_env}} - The MISE_ENV environment variable value
  • {{install_args_hash}} - SHA256 hash of the sorted tools from install args
  • {{default}} - The processed default cache key (useful for extending)

Conditional logic is also supported using Handlebars syntax like {{#if version}}...{{/if}}.

Example using multiple variables:

- uses: jdx/mise-action@v4
  with:
    cache_key: "mise-v1-{{platform}}-{{install_args_hash}}-{{file_hash}}"
    install_args: "node@24 python@3.14"

You can also extend the default cache key:

- uses: jdx/mise-action@v4
  with:
    cache_key: "{{default}}-custom-suffix"
    install_args: "node@24 python@3.14"

This gives you full control over cache invalidation based on the specific aspects that matter to your workflow.

GitHub API Rate Limits

When installing tools hosted on GitHub (like gh, node, bun, etc.), mise needs to make API calls to GitHub's releases API. Without authentication, these calls are subject to GitHub's rate limit of 60 requests per hour, which can cause installation failures.

- uses: jdx/mise-action@v4
  with:
    github_token: ${{ secrets.GITHUB_TOKEN }}
    # your other configuration

Note: The action automatically uses ${{ github.token }} as the default, so in most cases you don't need to explicitly provide it. However, if you encounter rate limit errors, make sure the token is being passed correctly.

Alternative Installation

Alternatively, mise is easy to use in GitHub Actions even without this:

jobs:
  build:
    steps:
    - run: |
        curl https://mise.run | sh
        echo "$HOME/.local/share/mise/bin" >> $GITHUB_PATH
        echo "$HOME/.local/share/mise/shims" >> $GITHUB_PATH