Skip to content

chore(deps): update jdx/mise-action action to v4.2.1#2312

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/jdx-mise-action-4.x
Open

chore(deps): update jdx/mise-action action to v4.2.1#2312
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/jdx-mise-action-4.x

Conversation

@renovate

@renovate renovate Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
jdx/mise-action action patch v4.2.0v4.2.1

Release Notes

jdx/mise-action (jdx/mise-action)

v4.2.1: : Signed checksums and PATH export fix

Compare Source

A small patch release with two user-facing fixes: mise downloads are now verified against minisign-signed release checksums by default, and the env input no longer leaks the runner's PATH into subsequent steps.

Fixed
Verify mise downloads with signed checksums (#​548) by @​jdx

The action now embeds mise's minisign public key and verifies SHASUMS256.txt.minisig before trusting any release checksums, then checks the downloaded mise binary's SHA256 against the verified list. This applies to both GitHub release archives (verified before extraction) and the default mise.jdx.dev CDN path (verified against the signed checksum for the matching release asset). If a CDN download fails verification, the action warns and falls back to the signed GitHub release asset instead of installing an unverified binary.

  • The existing sha256 input still works as an explicit override.
  • Pinned mise versions older than 2024.12.24 (which predate minisign checksums) get a warning and skip signed verification rather than failing.
  • Because tar installs now extract from a verified file on disk, the previous streaming download | tar fast path is replaced with a download-then-verify-then-extract flow.

Thanks to @​potiuk for the detailed threat-model writeup in #​547.

Exclude PATH from environment export (#​556) by @​jdx

The env input has always documented that "PATH modifications are not part of this", but since the switch to mise env --json in #​252 (needed for redaction support), the action was exporting every string value returned by mise — including the computed PATH — into GITHUB_ENV. That effectively snapshotted the runner's entire PATH into subsequent steps and let [env] _.path entries in mise.toml leak past the action's own PATH management.

exportMiseEnv now skips PATH (case-insensitive) when exporting JSON env vars, restoring the documented behavior. Normal mise env vars are still exported, and PATH continues to be managed by the action's own setup (e.g. add_shims_to_path). Fixes #​555.

Full Changelog: jdx/mise-action@v4.2.0...v4.2.1


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
renovate Bot requested a review from fstab as a code owner July 17, 2026 13:37
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 17, 2026
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jul 17, 2026
@renovate
renovate Bot enabled auto-merge (squash) July 17, 2026 13:37
@github-actions

github-actions Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Benchmark results

Benchmark run finished with conclusion skipped for 72d7dc90d56400c2186b8bfdc7500a3d56940749.

Benchmark summary artifact was not found; see the workflow run for details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants