Conversation
Contributor
|
No reviewable files after applying ignore patterns. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request updates the communique tool in mise.lock from version 1.0.1 to 1.0.2 across all supported platforms. A security concern was raised regarding the removal of the provenance = "github-attestations" field for the linux-x64 platform, which should be retained to ensure artifact integrity if the new version supports it.
Comment on lines
245
to
249
| [tools.communique."platforms.linux-x64"] | ||
| checksum = "sha256:33a48d38d83cba48c0e2dca967633baf1a22ea1f2aeb89b59106379c17b18bc2" | ||
| url = "https://github.com/jdx/communique/releases/download/v1.0.1/communique-x86_64-unknown-linux-gnu.tar.gz" | ||
| url_api = "https://api.github.com/repos/jdx/communique/releases/assets/400318330" | ||
| checksum = "sha256:0b1fc485a8a388b8fa6f3bf198e5053ce7c7f47418e9a31893a369a95d411dbc" | ||
| url = "https://github.com/jdx/communique/releases/download/v1.0.2/communique-x86_64-unknown-linux-gnu.tar.gz" | ||
| url_api = "https://api.github.com/repos/jdx/communique/releases/assets/401268760" | ||
| provenance = "github-attestations" |
Contributor
There was a problem hiding this comment.
The provenance = "github-attestations" field was removed for the linux-x64 platform during this version bump. This reduces the security posture of the lockfile as mise will no longer verify GitHub attestations for this tool. If version 1.0.2 of communique provides attestations, this field should be retained and ideally expanded to all supported platforms to ensure artifact integrity.
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.19 x -- echo |
22.4 ± 0.6 | 21.2 | 24.4 | 1.00 |
mise x -- echo |
22.4 ± 0.7 | 21.3 | 32.7 | 1.00 ± 0.04 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.19 env |
21.7 ± 0.7 | 20.5 | 25.6 | 1.00 |
mise env |
21.7 ± 0.7 | 20.6 | 28.2 | 1.00 ± 0.04 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.19 hook-env |
22.5 ± 0.6 | 21.3 | 25.6 | 1.00 ± 0.03 |
mise hook-env |
22.4 ± 0.4 | 21.1 | 24.4 | 1.00 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.19 ls |
20.0 ± 0.5 | 18.9 | 21.4 | 1.00 |
mise ls |
20.0 ± 0.6 | 18.8 | 26.1 | 1.00 ± 0.04 |
xtasks/test/perf
| Command | mise-2026.4.19 | mise | Variance |
|---|---|---|---|
| install (cached) | 163ms | 163ms | +0% |
| ls (cached) | 77ms | 76ms | +1% |
| bin-paths (cached) | 82ms | 81ms | +1% |
| task-ls (cached) | 804ms | 806ms | +0% |
mise-en-dev
added a commit
that referenced
this pull request
Apr 24, 2026
### 🐛 Bug Fixes - **(config)** resolve relative path: tool versions against config root by @jdx in [#9320](#9320) - **(lock)** resolve @latest and prune poisoned lockfile entries by @jdx in [#9321](#9321) - fix - be able to work with regex in attestation check by @monotek in [#9327](#9327) ### 🚜 Refactor - **(aqua)** bake aqua registry from merged yaml by @risu729 in [#9043](#9043) ### 📚 Documentation - add cross-site announcement banner by @jdx in [#9326](#9326) - keep banner height in sync via ResizeObserver by @jdx in [#9330](#9330) - respect banner expires field by @jdx in [#9334](#9334) ### 📦️ Dependency Updates - bump communique to 1.0.2 by @jdx in [#9313](#9313) - bump communique to 1.0.3 by @jdx in [#9332](#9332) - update actions/setup-node digest to 48b55a0 by @renovate[bot] in [#9339](#9339) - update ghcr.io/jdx/mise:alpine docker digest to a92efa5 by @renovate[bot] in [#9340](#9340) - update ghcr.io/jdx/mise:rpm docker digest to 5c24f69 by @renovate[bot] in [#9343](#9343) - update rust docker digest to e4f09e8 by @renovate[bot] in [#9345](#9345) - update rui314/setup-mold digest to 9c9c13b by @renovate[bot] in [#9344](#9344) - update ghcr.io/jdx/mise:deb docker digest to a3afe3e by @renovate[bot] in [#9342](#9342) - update ghcr.io/jdx/mise:copr docker digest to 4098d5a by @renovate[bot] in [#9341](#9341) - update taiki-e/install-action digest to 74e87cb by @renovate[bot] in [#9346](#9346) ### Chore - **(ci)** remove cargo-vendor install from ppa publish by @jdx in [#9312](#9312) - **(release)** publish snap to stable channel by @jdx in [#9318](#9318) - remove FUNDING.yml in favor of jdx/.github default by @jdx in [#9331](#9331) ## 📦 Aqua Registry Updated [aqua-registry](https://github.com/aquaproj/aqua-registry): [v4.492.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.492.0) -> [v4.498.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.498.0). Included aqua-registry releases: - [v4.493.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.493.0) - [v4.494.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.494.0) - [v4.494.1](https://github.com/aquaproj/aqua-registry/releases/tag/v4.494.1) - [v4.495.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.495.0) - [v4.496.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.496.0) - [v4.497.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.497.0) - [v4.498.0](https://github.com/aquaproj/aqua-registry/releases/tag/v4.498.0)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
communiquelockfile entry from1.0.1to1.0.2miserelease behavior, which now allows this lockfile refresh to completeNote
Low Risk
Low risk lockfile-only change updating a pinned dev tool binary; main impact is build/tooling reproducibility if the new upstream artifacts are incorrect.
Overview
Updates
mise.lockto bumpcommuniquefrom1.0.1to1.0.2, refreshing the pinned release artifact URLs, GitHub asset IDs, and per-platform checksums for Linux/macOS/Windows.Reviewed by Cursor Bugbot for commit a89c65c. Bugbot is set up for automated code reviews on this repo. Configure here.