chore(npm-publish): use aube publish instead of npm publish#9328
Conversation
Greptile Summary: This PR swaps both
Confidence Score: 4/5. Safe to merge for CI publishing, but macOS contributors will hit a mise install failure until the OS guard is added to mise.toml. One P1 finding: the unconditional aube entry in mise.toml will break mise.toml — needs an OS restriction on the aube entry.
Sequence Diagram

```mermaid
sequenceDiagram
    participant GHA as GitHub Actions
    participant SN as actions/setup-node
    participant Mise as mise (curl bootstrap)
    participant Aube as aube (via mise)
    participant NPM as npm registry
    GHA->>SN: setup Node 24.x + write ~/.npmrc (auth token + registry URL)
    GHA->>Mise: curl https://mise.run | sh
    Mise-->>GHA: mise binary installed
    GHA->>Mise: mise install aube (checksums from mise.lock)
    Mise-->>GHA: aube 1.1.0 installed & verified
    GHA->>Mise: mise x aube -- ./scripts/release-npm.sh
    loop for each platform (linux-x64, linux-arm64, macos-x64, macos-arm64, linux-armv7)
        Mise->>Aube: aube publish --access public --tag $dist_tag --provenance
        Aube->>Aube: read ~/.npmrc (auth token written by setup-node)
        Aube->>NPM: PUT tarball + SLSA provenance (Sigstore OIDC via id-token:write)
        NPM-->>Aube: 200 OK or already published
        Aube-->>Mise: exit 0 (or grep skips duplicate)
    end
```
Reviews (8): Last reviewed commit: "test(npm): cover aube package manager on..."
Code Review
This pull request updates several tool versions in the mise configuration and migrates the NPM release script to use aube. Several critical issues were identified in the mise.lock file, including missing checksums and URLs for actionlint and cargo-binstall, and an incorrect platform mapping for aube on musl-based Linux systems. Additionally, there is a suggestion to refine the regex used for detecting already published versions in the release script to avoid overly broad matching.
| [[tools.actionlint]] | ||
| version = "1.7.12" | ||
| backend = "aqua:rhysd/actionlint" |
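Review bot: this actionlint entry records only `version` and `backend`, with none of the per-platform `checksum`/`url` fields that the aube entries in the same lock carry; confirm whether the aqua backend is expected to fill those in on the next `mise install`, or whether the lock was regenerated without network access, because an entry with no checksum gives `mise.lock` nothing to verify for that tool.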
| [[tools.cargo-binstall]] | ||
| version = "1.18.1" | ||
| backend = "aqua:cargo-bins/cargo-binstall" |
| checksum = "sha256:023cd7f1493e0a880c5311b56643b0020968e5292c7a6c8a530560f9ea0165a5" | ||
| url = "https://github.com/endevco/aube/releases/download/v1.0.0-beta.12/aube-v1.0.0-beta.12-x86_64-unknown-linux-gnu.tar.gz" | ||
| url_api = "https://api.github.com/repos/endevco/aube/releases/assets/402905001" |
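Review bot: the cargo-binstall entry has the same gap as actionlint above (no `checksum` or `url`), and the aube asset recorded directly below it is `v1.0.0-beta.12` while mise.toml in this PR pins `aube = "1.1.0"` and the workflow diagram shows 1.1.0 being installed; if the lock was regenerated after the bump to 1.1.0 this fragment is stale, and the gnu-vs-musl asset mapping should be re-checked against the regenerated entries rather than patched in place here.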
The linux-x64-musl-baseline platform for aube is incorrectly configured to use the gnu tarball and checksum. This will cause execution failures on musl-based systems (like Alpine Linux) due to missing glibc dependencies. It should use the musl assets instead, matching the configuration for linux-x64-musl.
checksum = "sha256:865202821e0489ba50b1ed5261c1b8a4e71ce1051806ab25349f6d8239b099e7"
url = "https://github.com/endevco/aube/releases/download/v1.0.0-beta.12/aube-v1.0.0-beta.12-x86_64-unknown-linux-musl.tar.gz"
url_api = "https://api.github.com/repos/endevco/aube/releases/assets/402905104"
| if ! npm publish --access public --tag "$dist_tag" --provenance 2>&1 | tee /tmp/npm-publish.log; then | ||
| if grep -q "You cannot publish over the previously published versions" /tmp/npm-publish.log; then | ||
| if ! aube publish --access public --tag "$dist_tag" --provenance 2>&1 | tee /tmp/npm-publish.log; then | ||
| if grep -qE "already (on|published)|previously published" /tmp/npm-publish.log; then |
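Review bot: the `if ! aube publish … 2>&1 | tee /tmp/npm-publish.log; then` test evaluates the exit status of `tee`, not of `aube publish`, unless the script runs with `set -o pipefail`; the old `npm publish` line had the same shape, but because this step is publish-critical, confirm `pipefail` is set at the top of the script (or read the publisher's status from `PIPESTATUS`) so a failed publish cannot be reported as success.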
The regex `already (on|published)|previously published` is a bit broad. While it correctly captures aube's "already on registry" and npm's "previously published" messages, it might accidentally match other unrelated error strings containing "already ". Consider making it slightly more specific to the expected registry responses.
| if grep -qE "already (on|published)|previously published" /tmp/npm-publish.log; then | |
| if grep -qE "already (on registry|published)|previously published" /tmp/npm-publish.log; then |
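The `if ! … | tee` pattern in the hunk tests tee's exit status rather than the publisher's, and the review asks for a tighter duplicate check. The following is an added example, not code from the mise repository: a portable `publish_or_skip` helper in the shape of `scripts/release-npm.sh`, exercised with constructed `fake_publish_*` stand-ins for the registry's responses.

```sh
#!/bin/sh
# Added example, not code from the mise repository: an idempotent publish
# step in the shape of scripts/release-npm.sh with two changes a reviewer
# would ask for:
#   1. the publisher's own exit status is what gets checked; a plain
#      `if cmd | tee log` tests tee (bash fixes that with `set -o pipefail`,
#      the status file below is the portable equivalent);
#   2. the duplicate-version check is anchored to the two registry responses
#      the script expects, so other errors containing "already" do not match.
set -eu

# aube: "... already on registry"; npm: "You cannot publish over the
# previously published versions".
ALREADY_PUBLISHED_RE='already on registry|previously published versions'

# publish_or_skip <logfile> <publisher> [args...]
# Returns 0 on success or when the version is already on the registry,
# and the publisher's non-zero status for any other failure.
publish_or_skip() {
  log=$1; shift
  status_file=$(mktemp)
  { "$@" 2>&1 && rc=0 || rc=$?; echo "$rc" >"$status_file"; } | tee "$log"
  status=$(cat "$status_file"); rm -f "$status_file"
  [ "$status" -eq 0 ] && return 0
  if grep -qE "$ALREADY_PUBLISHED_RE" "$log"; then
    echo "skip: version already on registry" >&2
    return 0
  fi
  return "$status"
}

# Constructed stand-ins for registry responses. A real call would be:
#   publish_or_skip /tmp/npm-publish.log aube publish --access public \
#     --tag "$dist_tag" --provenance
fake_publish_ok()        { echo "+ @scope/pkg@1.2.3"; }
fake_publish_aube_dup()  { echo "error: @scope/pkg@1.2.3 already on registry" >&2; return 1; }
fake_publish_npm_dup()   { echo "npm ERR! You cannot publish over the previously published versions: 1.2.3" >&2; return 1; }
fake_publish_auth_fail() { echo "error: 401 Unauthorized - PUT /@scope%2fpkg" >&2; return 1; }
```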
Hyperfine Performance

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.20 x -- echo | 22.0 ± 0.6 | 21.1 | 27.0 | 1.00 |
| mise x -- echo | 22.7 ± 0.6 | 21.7 | 24.7 | 1.03 ± 0.04 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.20 env | 21.3 ± 0.6 | 20.5 | 26.7 | 1.00 |
| mise env | 21.9 ± 0.5 | 21.1 | 26.5 | 1.03 ± 0.04 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.20 hook-env | 22.1 ± 0.4 | 21.2 | 24.1 | 1.00 |
| mise hook-env | 22.7 ± 0.4 | 21.8 | 24.1 | 1.03 ± 0.03 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.20 ls | 22.2 ± 0.4 | 21.4 | 24.4 | 1.00 |
| mise ls | 22.9 ± 0.4 | 22.1 | 24.5 | 1.03 ± 0.02 |
xtasks/test/perf
| Command | mise-2026.4.20 | mise | Variance |
|---|---|---|---|
| install (cached) | 164ms | 169ms | -2% |
| ls (cached) | 79ms | 79ms | +0% |
| bin-paths (cached) | 80ms | 81ms | -1% |
| task-ls (cached) | 803ms | 797ms | +0% |
Switch the npm-publish workflow from `npm publish --provenance` to `aube publish --provenance`. aube reads the `.npmrc` written by `actions/setup-node` and signs SLSA provenance via the same Sigstore public-good instance, so the published packages keep their npm provenance badge and the workflow's `id-token: write` permission is unchanged. Also adds aube to `mise.toml` so the registry entry stays exercised by local + e2e flows.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
Replaces `npm install -g @endevco/aube@latest` with `curl mise.run | sh` plus `mise install aube`. aube is registered in mise.toml so it now comes from the mise registry path, dogfooding the same install flow local devs get with `mise install`. `actions/setup-node` is kept solely for the `.npmrc` it writes (registry URL + `NODE_AUTH_TOKEN`); aube reads the same file when it PUTs the tarball. The publish step now runs `mise x aube -- ./scripts/release-npm.sh` so the script picks up the mise-managed `aube` on PATH.
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
windows-e2e on the previous push failed with a malformed Windows path
("Cannot find module 'C:\\...\\bin\\?\\C:\\...'") when prettier was being
installed as `npm:prettier`. Root cause: mise's npm backend
(`package_manager_for_install` in src/backend/npm.rs) auto-selects aube
over npm whenever aube is in the toolset. Adding `aube = "latest"` to
mise.toml therefore changed the install path for every `npm:*` dev tool,
and aube has a Windows path bug there.
Fix: don't put aube in this repo's mise.toml. Resolve it ad-hoc in the
workflow with `mise x aube@latest -- …`, which keeps aube available for
the publish step without affecting the npm backend's package-manager
selection on Windows e2e.
Failed CI run: https://github.com/jdx/mise/actions/runs/24852804095
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
…oml" Re-add aube to mise.toml and route the workflow back through `mise install aube` + `mise x aube --`. The Windows-e2e regression that motivated the previous commit was actually a bug in aube's global-install bin shim on Windows (canonicalize returning the `\\?\` verbatim prefix); fixed upstream in endevco/aube#243. This PR depends on that landing in an aube release. This reverts commit 1c3bca3.
6d26739 to be747d6
Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
| [tools] | ||
| "actionlint" = "latest" | ||
| age = "latest" | ||
| aube = "1.1.0" |
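Review bot: the PR summary says `aube = "latest"` is added to mise.toml, but this hunk pins `aube = "1.1.0"`; update the description or the pin so they agree (the exact pin is the better choice for a publish-critical tool, since it is what mise.lock checksums against). Note also, per the commit message about the Windows e2e failure, that having aube in the toolset changes the npm backend's package-manager selection for every `npm:*` dev tool in this repo, so this line affects more than the publish workflow.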
Missing platform restriction — mise install breaks on macOS
`aube = "1.1.0"` is declared without an OS guard, but mise.lock contains zero macOS platform entries for aube (only linux-* and windows-* variants). Any contributor running `mise install` on macOS will hit a "no release found" error. The same file already demonstrates the correct pattern for tools without macOS binaries — `"cargo:usage-cli"` uses `os = ["linux", "macos"]`. aube would need `os = ["linux", "windows"]`.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 0070be9.
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Setup Node.js | ||
| # `actions/setup-node` writes the npm registry URL and `NODE_AUTH_TOKEN` |
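Review bot: this fragment shows `GH_TOKEN` and the setup-node step, but the mise bootstrap the workflow adds (`curl https://mise.run | sh`, per the commit message and the sequence diagram) is neither version-pinned nor checksum-verified; for a job that holds the npm publish token and an `id-token: write` grant, pin the mise version the same way aube is pinned through mise.lock, or install it from a checked release artifact, so the signing step does not depend on whatever mise.run serves on a given day.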
Missing mise trust/lockfile env vars in workflow
High Severity
The workflow's env: block is missing MISE_TRUSTED_CONFIG_PATHS, MISE_LOCKFILE, and MISE_EXPERIMENTAL — environment variables that every other workflow in the repo sets when using mise (see autofix.yml, test.yml, test-vfox.yml, registry.yml). Without MISE_TRUSTED_CONFIG_PATHS, mise install aube and mise x aube may refuse to read mise.toml (or prompt for trust, hanging CI). Without MISE_LOCKFILE, the checksums in mise.lock won't be verified, bypassing integrity checks in a publish-critical workflow.
Reviewed by Cursor Bugbot for commit 0070be9.
### 🚀 Features

- **(registry)** add --security flag to include security info in JSON output by @jdx in [#9364](#9364)

### 🐛 Bug Fixes

- **(config)** limit resolved backend opts to aliases by @risu729 in [#9315](#9315)
- **(docs)** stack banner message and link on mobile by @jdx in [#9362](#9362)
- **(github)** prefer shortest asset name as tiebreaker in auto-detection by @jdx in [#9361](#9361)
- **(java)** newer zulu versions use a different directory structure by @roele in [#9365](#9365)
- **(prune)** respect tracked lockfiles by @jdx in [#9373](#9373)
- **(task)** skip tool install for missing naked tasks by @jdx in [#9374](#9374)
- **(trust)** add untrust command by @jdx in [#9370](#9370)
- fix - flux-operator-mcp aqua path by @monotek in [#9357](#9357)

### 📚 Documentation

- update ruby compile msg by @fladson in [#9338](#9338)

### 📦️ Dependency Updates

- update ubuntu docker tag to v26 by @renovate[bot] in [#9347](#9347)
- update ghcr.io/jdx/mise:deb docker digest to 1af5a69 by @renovate[bot] in [#9352](#9352)
- update taiki-e/install-action digest to 787505c by @renovate[bot] in [#9354](#9354)
- update ghcr.io/jdx/mise:rpm docker digest to 7015ff3 by @renovate[bot] in [#9353](#9353)
- update ghcr.io/jdx/mise:copr docker digest to da63a0f by @renovate[bot] in [#9351](#9351)
- update ghcr.io/jdx/mise:alpine docker digest to 461700f by @renovate[bot] in [#9350](#9350)
- bump communique 1.0.3 → 1.0.4 by @jdx in [#9378](#9378)

### 📦 Registry

- remove openshift-install by @jdx in [#9372](#9372)
- remove go-sdk by @jdx in [#9371](#9371)

### Chore

- **(npm-publish)** use aube publish instead of npm publish by @jdx in [#9328](#9328)

### New Contributors

- @fladson made their first contribution in [#9338](#9338)


Summary

Swap `npm publish --provenance` for `aube publish --provenance` in the npm-publish workflow. `aube` reads the `.npmrc` that `actions/setup-node` writes (auth token + registry URL) and signs SLSA provenance through the same Sigstore public-good instance, so the published packages keep their npm provenance badge and the workflow's `id-token: write` permission is unchanged. `--access`, `--tag`, `--provenance`, and `--dry-run` all map 1:1 to the existing `npm publish` invocation.

Also adds `aube = "latest"` to mise.toml so the registry entry stays exercised locally and in e2e.

Changes

- `npm publish` → `aube publish`. Also broadens the "already published" detection regex slightly so aube's pre-flight "already on registry" message is treated the same as npm's "You cannot publish over the previously published versions".
- `npm install -g @endevco/aube@latest`) right after `actions/setup-node`. Reuses the existing Node setup, no new third-party action.

Verified

- `mise install aube` — installs cleanly, attestation verifies, `aube --version` reports 1.0.0-beta.12
- `aube publish --help` confirms `--access`, `--tag`, `--provenance`, `--dry-run` all match what the script uses
- `shellcheck scripts/release-npm.sh`, `shfmt -d`, `actionlint .github/workflows/npm-publish.yml` — all clean

Notes

The script's generated `installArchSpecificPackage.js` (run on user machines after `npm install`) is intentionally left alone — it's only the publish side that switches.

🤖 Generated with Claude Code
Note

Medium Risk

Changes the release pipeline that publishes packages to npm, so failures could block or alter publishing behavior despite largely equivalent flags and provenance handling.

Overview

Switches npm publishing from `npm publish` to `aube publish` for both the per-platform and top-level packages, keeping `--access`, `--tag`, and `--provenance` behavior while updating the "already published" log detection to match `aube` output.

Updates the `npm-publish` GitHub Actions workflow to install `mise` and then install/run `aube` (`mise x aube -- ./scripts/release-npm.sh`) while still using `actions/setup-node` to populate `~/.npmrc` auth.

Adds `aube` to `mise.toml`/`mise.lock` (plus routine lockfile bumps) and adjusts the Windows e2e test to validate `npm:` installs when `aube` is present; also makes env cleanup in the bun test robust via `try/finally`.

Reviewed by Cursor Bugbot for commit 0070be9. Bugbot is set up for automated code reviews on this repo.