Skip to content

ci(ci-deps): update ci dependencies#52

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/ci-dependencies
Open

ci(ci-deps): update ci dependencies#52
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/ci-dependencies

Conversation

@renovate

@renovate renovate Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
actions/attest (changelog) action digest a1948c3f7c74d2
jdx/mise-action (changelog) action digest e6a8b39dad1bfd
jdx/mise-action action patch v4.2.0v4.2.1

Release Notes

jdx/mise-action (jdx/mise-action)

v4.2.1: : Signed checksums and PATH export fix

Compare Source

A small patch release with two user-facing fixes: mise downloads are now verified against minisign-signed release checksums by default, and the env input no longer leaks the runner's PATH into subsequent steps.

Fixed
Verify mise downloads with signed checksums (#​548) by @​jdx

The action now embeds mise's minisign public key and verifies SHASUMS256.txt.minisig before trusting any release checksums, then checks the downloaded mise binary's SHA256 against the verified list. This applies to both GitHub release archives (verified before extraction) and the default mise.jdx.dev CDN path (verified against the signed checksum for the matching release asset). If a CDN download fails verification, the action warns and falls back to the signed GitHub release asset instead of installing an unverified binary.

  • The existing sha256 input still works as an explicit override.
  • Pinned mise versions older than 2024.12.24 (which predate minisign checksums) get a warning and skip signed verification rather than failing.
  • Because tar installs now extract from a verified file on disk, the previous streaming download | tar fast path is replaced with a download-then-verify-then-extract flow.

Thanks to @​potiuk for the detailed threat-model writeup in #​547.

Exclude PATH from environment export (#​556) by @​jdx

The env input has always documented that "PATH modifications are not part of this", but since the switch to mise env --json in #​252 (needed for redaction support), the action was exporting every string value returned by mise — including the computed PATH — into GITHUB_ENV. That effectively snapshotted the runner's entire PATH into subsequent steps and let [env] _.path entries in mise.toml leak past the action's own PATH management.

exportMiseEnv now skips PATH (case-insensitive) when exporting JSON env vars, restoring the documented behavior. Normal mise env vars are still exported, and PATH continues to be managed by the action's own setup (e.g. add_shims_to_path). Fixes #​555.

Full Changelog: jdx/mise-action@v4.2.0...v4.2.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from fullerzz July 17, 2026 03:23
@renovate
renovate Bot force-pushed the renovate/ci-dependencies branch 4 times, most recently from 6409c1c to f08b030 Compare July 18, 2026 04:28
@renovate
renovate Bot force-pushed the renovate/ci-dependencies branch from f08b030 to 357d52c Compare July 18, 2026 08:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants