Skip to content

chore(deps): bump jdx/mise-action from 4.2.0 to 4.2.1 in the all group#508

Merged
roele merged 2 commits into
mainfrom
dependabot/github_actions/all-b5951b4396
Jul 17, 2026
Merged

chore(deps): bump jdx/mise-action from 4.2.0 to 4.2.1 in the all group#508
roele merged 2 commits into
mainfrom
dependabot/github_actions/all-b5951b4396

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 17, 2026

Copy link
Copy Markdown
Contributor

Bumps the all group with 1 update: jdx/mise-action.

Updates jdx/mise-action from 4.2.0 to 4.2.1

Release notes

Sourced from jdx/mise-action's releases.

v4.2.1: Signed checksums and PATH export fix

A small patch release with two user-facing fixes: mise downloads are now verified against minisign-signed release checksums by default, and the env input no longer leaks the runner's PATH into subsequent steps.

Fixed

Verify mise downloads with signed checksums (#548) by @​jdx

The action now embeds mise's minisign public key and verifies SHASUMS256.txt.minisig before trusting any release checksums, then checks the downloaded mise binary's SHA256 against the verified list. This applies to both GitHub release archives (verified before extraction) and the default mise.jdx.dev CDN path (verified against the signed checksum for the matching release asset). If a CDN download fails verification, the action warns and falls back to the signed GitHub release asset instead of installing an unverified binary.

  • The existing sha256 input still works as an explicit override.
  • Pinned mise versions older than 2024.12.24 (which predate minisign checksums) get a warning and skip signed verification rather than failing.
  • Because tar installs now extract from a verified file on disk, the previous streaming download | tar fast path is replaced with a download-then-verify-then-extract flow.

Thanks to @​potiuk for the detailed threat-model writeup in #547.

Exclude PATH from environment export (#556) by @​jdx

The env input has always documented that "PATH modifications are not part of this", but since the switch to mise env --json in #252 (needed for redaction support), the action was exporting every string value returned by mise — including the computed PATH — into GITHUB_ENV. That effectively snapshotted the runner's entire PATH into subsequent steps and let [env] _.path entries in mise.toml leak past the action's own PATH management.

exportMiseEnv now skips PATH (case-insensitive) when exporting JSON env vars, restoring the documented behavior. Normal mise env vars are still exported, and PATH continues to be managed by the action's own setup (e.g. add_shims_to_path). Fixes #555.

Full Changelog: jdx/mise-action@v4.2.0...v4.2.1

Changelog

Sourced from jdx/mise-action's changelog.

Changelog


4.2.1 - 2026-07-16

🐛 Bug Fixes

🔍 Other Changes

⚙️ Miscellaneous Tasks


4.2.0 - 2026-06-17

🚀 Features

🐛 Bug Fixes

📚 Documentation

⚙️ Miscellaneous Tasks


4.1.0 - 2026-06-04

🚀 Features

🐛 Bug Fixes

... (truncated)

Commits
  • dad1bfd chore: release v4.2.1 (#530)
  • 1e7bfbb chore(ci): automate weekly releases (#557)
  • b107e20 fix: exclude PATH from environment export (#556)
  • d538618 chore(deps): update dependency prettier to v3.9.4 (#553)
  • 99eca4c chore(deps): update github/codeql-action action to v4.36.3 (#552)
  • 43d01e6 chore(deps): update dependency typescript-eslint to v8.62.1 (#551)
  • d44584d chore(deps): update dependency js-yaml to v5.2.1 (#550)
  • 4b4b9b2 chore(release): skip ai reviews for release prs (#549)
  • 0f03c79 fix: verify mise downloads with signed checksums (#548)
  • 6bd511f chore(deps): update dependency js-yaml to v5.2.0 (#546)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the all group with 1 update: [jdx/mise-action](https://github.com/jdx/mise-action).


Updates `jdx/mise-action` from 4.2.0 to 4.2.1
- [Release notes](https://github.com/jdx/mise-action/releases)
- [Changelog](https://github.com/jdx/mise-action/blob/main/CHANGELOG.md)
- [Commits](jdx/mise-action@e6a8b39...dad1bfd)

---
updated-dependencies:
- dependency-name: jdx/mise-action
  dependency-version: 4.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: all
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Jul 17, 2026
@greptile-apps

greptile-apps Bot commented Jul 17, 2026

Copy link
Copy Markdown

PR author is in the excluded authors list.

@roele
roele merged commit 236c851 into main Jul 17, 2026
3 checks passed
@roele
roele deleted the dependabot/github_actions/all-b5951b4396 branch July 17, 2026 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant