mirror of
https://github.com/jdx/mise-action.git
synced 2026-05-14 22:00:34 +00:00
969042fe52
Adds a single new input — `wings_enabled` — that gates the [mise-wings](https://mise-wings.en.dev) asset cache for tool installs. Existing workflows are unaffected: default `false` is a no-op. | Input | Default | Description | |---|---|---| | `wings_enabled` | `false` | Route tool-install URLs through the wings cache when `true` | ## How it works When `wings_enabled: true`, the action exports `MISE_WINGS_ENABLED=1`. Authentication is fully automatic — mise itself owns the GHA OIDC → wings session exchange. No `mise wings login` step in workflow YAML, no long-lived secrets to rotate. When mise (built with wings support — see jdx/mise#9458) sees `MISE_WINGS_ENABLED=1` and detects the GHA OIDC env vars (`ACTIONS_ID_TOKEN_REQUEST_URL` + `ACTIONS_ID_TOKEN_REQUEST_TOKEN`), it: 1. Fetches the runner's OIDC token, scoped to the wings deployment audience 2. POSTs it to `https://api.<host>/auth` to mint a wings CI session JWT 3. Caches the JWT in-process for the rest of the workflow 4. Transparently rewrites `registry.npmjs.org` / `github.com` / `api.github.com` URLs to the wings cache subdomains and attaches the JWT as a Bearer header ## Why opt-in (not opt-out) The default-off posture is deliberate. Many workflows already declare `permissions: id-token: write` for unrelated reasons (SLSA provenance, AWS OIDC, Sigstore, npm provenance). If `wings_enabled` defaulted to `true`, those workflows would silently send the runner's OIDC identity claims to a third-party cache without explicit consent. Cursor Bugbot HIGH + Greptile P1+security flagged a prior "default true" iteration of this PR as a privacy regression. Explicit opt-in keeps the gate visible in the workflow YAML. ## Workflow requirements ```yaml permissions: id-token: write # required for OIDC jobs: build: steps: - uses: jdx/mise-action@<sha> with: wings_enabled: true ``` The action emits a clear warning when `wings_enabled: true` but `id-token: write` is missing — without that hint, the user would see "wings configured but doing nothing" and have no clue why. ## Notes - Older mise binaries see `MISE_WINGS_ENABLED` and silently ignore it — forward-compatible. - `setupMise` fetches the mise binary itself with `curl`, which doesn't go through mise's HTTP layer; the wings rewriter only kicks in once the resulting mise binary runs `mise install`. The action sets the env var before any `mise` subcommand runs.
123 lines
4.5 KiB
YAML
123 lines
4.5 KiB
YAML
name: mise action
|
|
description: Actions for working with mise runtime manager
|
|
author: Jeff Dickey <@jdx>
|
|
branding:
|
|
icon: arrow-down-circle
|
|
color: purple
|
|
inputs:
|
|
version:
|
|
required: false
|
|
description: The version of mise to use. If not specified, will use the latest release.
|
|
sha256:
|
|
required: false
|
|
description: The SHA256 checksum of the mise binary to verify the download.
|
|
mise_dir:
|
|
required: false
|
|
description: |
|
|
The directory that mise will be installed to, defaults to $HOME/.local/share/mise
|
|
Or $XDG_DATA_HOME/mise if $XDG_DATA_HOME is set.
|
|
Or $MISE_DATA_DIR if $MISE_DATA_DIR is set.
|
|
tool_versions:
|
|
required: false
|
|
description: If present, this value will be written to the .tool-versions file
|
|
mise_toml:
|
|
required: false
|
|
description: If present, this value will be written to the mise.toml file
|
|
install:
|
|
required: false
|
|
default: "true"
|
|
description: if false, will not run `mise install`
|
|
install_args:
|
|
required: false
|
|
description: Arguments to pass to `mise install` such as "bun" to only install bun
|
|
install_dir:
|
|
required: false
|
|
description: deprecated
|
|
cache:
|
|
required: false
|
|
default: "true"
|
|
description: if false, action will not read or write to cache
|
|
cache_save:
|
|
required: false
|
|
default: "true"
|
|
description: if false, action will not write to cache
|
|
cache_key_prefix:
|
|
required: false
|
|
default: "mise-v1"
|
|
description: The prefix key to use for the cache, change this to invalidate the cache
|
|
cache_key:
|
|
required: false
|
|
description: |
|
|
Override the complete cache key (ignores all other cache key options).
|
|
Supports template variables: {{version}}, {{cache_key_prefix}}, {{platform}}, {{file_hash}},
|
|
{{mise_env}}, {{install_args_hash}}, {{default}}, {{env.VAR_NAME}} for environment variables,
|
|
and conditional logic like {{#if version}}...{{/if}}
|
|
experimental:
|
|
required: false
|
|
default: "false"
|
|
description: if true, will use experimental features
|
|
log_level:
|
|
required: false
|
|
default: "info"
|
|
description: The log level to use for the action
|
|
working_directory:
|
|
required: false
|
|
description: The directory that mise runs in
|
|
reshim:
|
|
required: false
|
|
default: "false"
|
|
description: if true, will run `mise reshim --all` after setting up mise
|
|
add_shims_to_path:
|
|
required: false
|
|
default: "true"
|
|
description: if false, will not add mise shims directory to PATH
|
|
github_token:
|
|
required: false
|
|
description: |
|
|
GitHub token for API authentication to avoid rate limits when installing GitHub-hosted tools.
|
|
Defaults to the automatic GitHub token.
|
|
default: ${{ github.token }}
|
|
fetch_from_github:
|
|
required: false
|
|
default: "true"
|
|
description: If true (default), fetch the mise binary from GitHub. If false and using the latest version, fetch from mise.jdx.dev instead.
|
|
env:
|
|
description: "Automatically load mise env vars into GITHUB_ENV. Note that PATH modifications are not part of this."
|
|
required: false
|
|
default: "true"
|
|
wings_enabled:
|
|
description: |
|
|
[experimental] Opt in to the mise-wings asset cache
|
|
(https://mise-wings.en.dev) for this action invocation.
|
|
|
|
When `true`, the action exports `MISE_WINGS_ENABLED=1` so
|
|
the installed mise binary routes tool-install URLs (npm
|
|
tarballs, GitHub release artifacts) through the per-org
|
|
wings cache subdomains.
|
|
|
|
Authentication is automatic via the runner's GitHub OIDC
|
|
identity — no `mise wings login` step, no long-lived
|
|
secret to rotate. The workflow must declare
|
|
`permissions: id-token: write` so the OIDC token-issuer
|
|
env vars are populated; without that, mise falls through
|
|
to direct-origin fetches transparently.
|
|
|
|
Default `false` is the conservative posture: a workflow
|
|
with `id-token: write` (used for SLSA / AWS-OIDC /
|
|
Sigstore / etc.) should not have its OIDC token sent to
|
|
a third-party cache without explicit opt-in. Older mise
|
|
binaries that don't speak wings ignore the env var
|
|
entirely, so this is forward-compatible.
|
|
|
|
Requires an active mise-wings subscription on the Clerk
|
|
org linked to the GitHub org running the workflow;
|
|
without one, the proxy 402s and mise leaves the cache
|
|
off without affecting the workflow's success.
|
|
required: false
|
|
default: "false"
|
|
outputs:
|
|
cache-hit:
|
|
description: A boolean value to indicate if a cache was hit.
|
|
runs:
|
|
using: node24
|
|
main: dist/index.js
|