Release notes: https://github.com/jdx/communique/releases/tag/v1.0.4

1.0.4 salvages partial submit_release_notes submissions at the retry limit instead of hard-failing, and replaces the opaque "malformed N times" error with a miette diagnostic that embeds the received JSON and lists the specific per-field failures.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
No reviewable files after applying ignore patterns.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit e732c22. Configure here.
| provenance = "github-attestations" | ||
| checksum = "sha256:4ea1bc9e59fee38bee3b6e2d377eeb80f1c4c85787db0aed53c70e0b70857897" | ||
| url = "https://github.com/jdx/communique/releases/download/v1.0.4/communique-x86_64-unknown-linux-gnu.tar.gz" | ||
| url_api = "https://api.github.com/repos/jdx/communique/releases/assets/404781142" |
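Review bot: the linux-x64 entry loses its provenance = "github-attestations" line while checksum, url and url_api move to the v1.0.4 asset, and the PR description (lockfile updated via mise up communique) does not explain the drop. The sha256 pin still fixes the bytes but does not tie them to a build workflow. Suggest confirming whether the v1.0.4 linux asset has an attestation and either restoring the line or recording in the PR why it is absent.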
Provenance attestation dropped for linux-x64 platform
Low Severity
The provenance = "github-attestations" field that was present on the platforms.linux-x64 entry for communique v1.0.3 has been silently dropped in the v1.0.4 update. Other tools in the lock file (e.g., actionlint, age) still carry this field on all their platform entries. This removes a supply-chain verification layer for the linux-x64 communique binary, even though checksums still provide basic integrity checking.
Code Review
This pull request updates the communique tool from version 1.0.3 to 1.0.4 in the mise.lock file, updating checksums and URLs for various platforms. A review comment suggests that the provenance field for the linux-x64 platform should be retained to ensure supply chain security, provided the new release supports GitHub attestations.
| checksum = "sha256:4ea1bc9e59fee38bee3b6e2d377eeb80f1c4c85787db0aed53c70e0b70857897" | ||
| url = "https://github.com/jdx/communique/releases/download/v1.0.4/communique-x86_64-unknown-linux-gnu.tar.gz" | ||
| url_api = "https://api.github.com/repos/jdx/communique/releases/assets/404781142" |
The provenance = "github-attestations" field was removed for the linux-x64 platform. This field is important for supply chain security as it allows mise to verify the authenticity of the downloaded binary using GitHub's build attestations. If the v1.0.4 release of communique includes these attestations, this field should be retained to maintain the security posture of the project.
checksum = "sha256:4ea1bc9e59fee38bee3b6e2d377eeb80f1c4c85787db0aed53c70e0b70857897"
url = "https://github.com/jdx/communique/releases/download/v1.0.4/communique-x86_64-unknown-linux-gnu.tar.gz"
url_api = "https://api.github.com/repos/jdx/communique/releases/assets/404781142"
provenance = "github-attestations"
Hyperfine Performance
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.20 x -- echo | 17.9 ± 0.4 | 17.0 | 19.3 | 1.00 |
| mise x -- echo | 18.5 ± 0.4 | 17.5 | 20.1 | 1.03 ± 0.03 |

mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.20 env | 17.7 ± 0.5 | 16.5 | 22.4 | 1.00 |
| mise env | 18.3 ± 0.5 | 17.3 | 22.1 | 1.04 ± 0.04 |

mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.20 hook-env | 18.5 ± 0.4 | 17.5 | 19.8 | 1.00 |
| mise hook-env | 18.8 ± 0.3 | 17.8 | 20.0 | 1.02 ± 0.03 |

mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.4.20 ls | 19.1 ± 0.3 | 18.2 | 21.0 | 1.00 |
| mise ls | 19.6 ± 0.3 | 18.7 | 20.8 | 1.02 ± 0.03 |

xtasks/test/perf
| Command | mise-2026.4.20 | mise | Variance |
|---|---|---|---|
| install (cached) | 124ms | 126ms | -1% |
| ls (cached) | 67ms | 69ms | -2% |
| bin-paths (cached) | 67ms | 68ms | -1% |
| task-ls (cached) | 705ms | 709ms | +0% |

### 🚀 Features

- **(registry)** add --security flag to include security info in JSON output by @jdx in [#9364](#9364)

### 🐛 Bug Fixes

- **(config)** limit resolved backend opts to aliases by @risu729 in [#9315](#9315)
- **(docs)** stack banner message and link on mobile by @jdx in [#9362](#9362)
- **(github)** prefer shortest asset name as tiebreaker in auto-detection by @jdx in [#9361](#9361)
- **(java)** newer zulu versions use a different directory structure by @roele in [#9365](#9365)
- **(prune)** respect tracked lockfiles by @jdx in [#9373](#9373)
- **(task)** skip tool install for missing naked tasks by @jdx in [#9374](#9374)
- **(trust)** add untrust command by @jdx in [#9370](#9370)
- fix - flux-operator-mcp aqua path by @monotek in [#9357](#9357)

### 📚 Documentation

- update ruby compile msg by @fladson in [#9338](#9338)

### 📦️ Dependency Updates

- update ubuntu docker tag to v26 by @renovate[bot] in [#9347](#9347)
- update ghcr.io/jdx/mise:deb docker digest to 1af5a69 by @renovate[bot] in [#9352](#9352)
- update taiki-e/install-action digest to 787505c by @renovate[bot] in [#9354](#9354)
- update ghcr.io/jdx/mise:rpm docker digest to 7015ff3 by @renovate[bot] in [#9353](#9353)
- update ghcr.io/jdx/mise:copr docker digest to da63a0f by @renovate[bot] in [#9351](#9351)
- update ghcr.io/jdx/mise:alpine docker digest to 461700f by @renovate[bot] in [#9350](#9350)
- bump communique 1.0.3 → 1.0.4 by @jdx in [#9378](#9378)

### 📦 Registry

- remove openshift-install by @jdx in [#9372](#9372)
- remove go-sdk by @jdx in [#9371](#9371)

### Chore

- **(npm-publish)** use aube publish instead of npm publish by @jdx in [#9328](#9328)

### New Contributors

- @fladson made their first contribution in [#9338](#9338)


Summary
Bumps the communique CLI used in the release workflow from 1.0.3 to 1.0.4.
1.0.4 salvages partial submit_release_notes submissions at the retry limit instead of hard-failing with a generic malformed N times error, and replaces that error with a miette diagnostic that embeds the received JSON and lists the specific per-field failures.

Test plan
mise.lock updated via mise up communique

🤖 Generated with Claude Code

Note
Low Risk
Low risk lockfile-only change that updates the pinned communique CLI binary and its per-platform download URLs/checksums; impact is limited to tooling used in CI/release workflows.

Overview
Updates the pinned communique CLI in mise.lock from 1.0.3 to 1.0.4, including refreshed per-platform artifact URLs, asset IDs, and SHA256 checksums.