10 changes: 8 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -10,9 +10,15 @@ jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5

- uses: jdx/mise-action@v2
- name: Install mise
run: |
curl https://mise.run | sh

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

What is the recommended secure way to install mise in GitHub Actions: pinned jdx/mise-action commit SHA or checksum-verified installer script?

💡 Result:

Recommended secure approach: pin jdx/mise-action to a full commit SHA (not a tag), and avoid the unauthenticated “curl | sh” style installer unless you verify its signature/checksum. In addition, use mise.lock (checksum-verified tool tarballs) to ensure the exact mise-installed tools are reproducible.

1) Pin the GitHub Action to a commit SHA
- GitHub recommends pinning third-party Actions to a specific commit SHA to prevent malicious code in newly-updated branches/tags from being used automatically. [1]
- Example: - uses: jdx/mise-action@

2) Prefer mise-action for installing mise/tools in CI
- The supported GitHub Actions integration for mise is jdx/mise-action, which installs mise and runs mise install/tool installation according to your configuration. [2][3]

3) If you use the installer script, verify it (signature or checksum), not just curl|sh
- The mise install documentation provides an explicit verification flow using GPG: download install.sh and decrypt the detached signature install.sh.sig, verify it was signed by the mise release key, then run the script. [4][5]
- The documentation also notes that without changing MISE_VERSION, the script is pinned to “whatever the latest version was when it was downloaded with checksums inside the file,” i.e., the checksum logic inside the script governs what it installs. [4]

4) Use mise.lock for checksum verification of tool tarballs
- mise supports lockfiles that “store/verify the checksum of tool tarballs,” and committing mise.lock helps ensure the exact same tool versions are installed across developers and CI/CD systems. [6]

Which is more secure: pinned SHA vs checksum-verified installer?
- For the Action itself: pinning to a commit SHA is the strongest control against supply-chain changes in the Action code, and is explicitly recommended by GitHub. [1]
- For installing the mise binary via script: checksum/signature verification is the secure counterpart when you choose the script-based route. [4][5]

So the “secure best practice” stack is:
- Pin jdx/mise-action to a full commit SHA for CI governance. [1]
- Use mise.lock to checksum-verify the installed tools. [6]
- Only if you must use the script, verify its signature/checksum as documented. [4][5]

Sample hardened workflow snippet (using mise-action):

      - uses: jdx/mise-action@c94f0bf # example full SHA pin from jdx/mise repo history
        with:
          version: 2026.3.10
          install: true
          cache: true
          # plus your tool_versions/mise_toml

Confidence: high that SHA-pinning and script signature verification are correct because they are explicitly stated in GitHub’s recommendation and mise’s own docs, and mise.lock checksum verification is explicitly described in mise security documentation. [1][4][5][6]

Replace curl | sh with jdx/mise-action GitHub Action pinned to a commit SHA.

Line 18 executes a remote installer script without integrity verification, creating a supply-chain risk. Use the official jdx/mise-action Action pinned to a full commit SHA (not a tag) instead, or if you must use the installer script, verify it with GPG signature as documented in the mise installation guide.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml at line 18, The workflow currently runs an
unverified remote installer via the line "curl https://mise.run | sh", which is
a supply-chain risk; replace that step with the official GitHub Action
"jdx/mise-action" and pin it to a full commit SHA (not a tag) in the workflow
invocation, or, if you must keep the installer, add proper GPG signature
verification per the mise docs; update the step that contains the "curl
https://mise.run | sh" command to use the pinned action reference or include
signature verification logic instead.

echo "$HOME/.local/share/mise/bin" >> $GITHUB_PATH
echo "$HOME/.local/share/mise/shims" >> $GITHUB_PATH
mise install
Comment on lines +19 to +21

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

GitHub Actions documentation: when writing to GITHUB_PATH inside a run step, is the updated PATH available in the same step or only subsequent steps?

💡 Result:

When writing to GITHUB_PATH inside a run step in GitHub Actions, the updated PATH is not available in the same step. It is only available to subsequent steps in the same job.[1][2]

Fix PATH updates before using mise install in the same step.

Line 21 uses mise in the same step where lines 19-20 append to $GITHUB_PATH, but GitHub Actions environment variable exports don't apply until the next step. Use inline export PATH to make the directories available immediately, then append to $GITHUB_PATH for subsequent steps.

Suggested patch
       - name: Install mise
         run: |
-          curl https://mise.run | sh
-          echo "$HOME/.local/share/mise/bin" >> $GITHUB_PATH
-          echo "$HOME/.local/share/mise/shims" >> $GITHUB_PATH
-          mise install
+          set -euo pipefail
+          curl -fsSL https://mise.run | sh
+          export PATH="$HOME/.local/bin:$HOME/.local/share/mise/bin:$HOME/.local/share/mise/shims:$PATH"
+          echo "$HOME/.local/bin" >> "$GITHUB_PATH"
+          echo "$HOME/.local/share/mise/bin" >> "$GITHUB_PATH"
+          echo "$HOME/.local/share/mise/shims" >> "$GITHUB_PATH"
+          mise install
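Review bot: the suggested step prepends `$HOME/.local/bin` to PATH and appends it to `$GITHUB_PATH`, but neither the comment body nor the agent prompt below mentions that directory, and the prompt tells the agent to prepend only the two `.local/share/mise` directories; state why `.local/bin` is needed (presumably where the installer places the `mise` binary) and make the prompt match the patch so the extra entry is not dropped as unexplained. `set -euo pipefail` and `curl -fsSL` are the right additions here, since without them a failed installer download is masked by the pipeline's exit status and whatever curl received is piped into `sh`; pinning `MISE_VERSION` alongside them would make the install reproducible as well.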
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 19 - 21, The PATH updates appended to
$GITHUB_PATH won't take effect until the next step, so before calling mise
install add an inline PATH export that prepends $HOME/.local/share/mise/bin and
$HOME/.local/share/mise/shims to PATH so mise is available immediately, then
still append those two paths to $GITHUB_PATH (the existing echo lines) so they
persist for subsequent steps; update the step that runs mise to perform the
inline export before invoking the mise command.
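The two findings above come down to one hardened step: fetch the installer to a file, run it only after its checksum matches a pinned digest, and export the mise directories in the same step while also persisting them through `GITHUB_PATH`. The following is an added example (not code from this PR or from mise); the helper names, the placeholder digest and the use of `RUNNER_TEMP` are assumptions, and the accompanying check uses a constructed local file instead of a network download.

```shell
# Added example, not from this PR: verify-then-run instead of `curl | sh`,
# and make PATH changes visible in the same step. Helper names, the URL and
# the pinned digest are assumptions for illustration.
set -eu

# fetch_installer URL DEST: download, failing the step on HTTP errors
# (-f) instead of piping an error page into sh.
fetch_installer() {
  curl -fsSL --retry 3 -o "$2" "$1"
}

# verify_sha256 FILE EXPECTED_HEX: 0 only if the digest matches exactly.
# If sha256sum fails, actual is empty and the check fails closed.
verify_sha256() {
  actual="$(sha256sum "$1" | cut -d' ' -f1)"
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_HEX: execute the installer only after the
# digest check; returns 1 and runs nothing on mismatch.
run_verified() {
  if ! verify_sha256 "$1" "$2"; then
    echo "checksum mismatch for $1, refusing to run" >&2
    return 1
  fi
  sh "$1"
}

# export_mise_path: prepend the mise directories to PATH for THIS step
# (GITHUB_PATH only takes effect in later steps) and persist them too.
export_mise_path() {
  mise_dirs="$HOME/.local/bin:$HOME/.local/share/mise/bin:$HOME/.local/share/mise/shims"
  export PATH="$mise_dirs:$PATH"
  if [ -n "${GITHUB_PATH:-}" ]; then
    printf '%s\n' "$HOME/.local/bin" "$HOME/.local/share/mise/bin" \
      "$HOME/.local/share/mise/shims" >> "$GITHUB_PATH"
  fi
}

# Step body as it would appear under `run:` (placeholder digest, assumed):
# MISE_SHA256="<pinned sha256 of install.sh for the chosen MISE_VERSION>"
# fetch_installer https://mise.run "$RUNNER_TEMP/install.sh"
# run_verified "$RUNNER_TEMP/install.sh" "$MISE_SHA256"
# export_mise_path
# mise install
```

The pinned digest has to be refreshed whenever `MISE_VERSION` is bumped, which is the point: an installer that changes under the same URL fails the step instead of running.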


- run: pnpm install --frozen-lockfile
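Review bot: `curl https://mise.run | sh` in the Install mise step fetches an unpinned installer with no `-f`/`-sSL` flags and no `pipefail`, so a failed download is masked by the pipeline's exit status and the step carries on; since the same hunk moves checkout to a full commit SHA, the installer is now the only unpinned, unverified fetch in the job. Suggest `set -euo pipefail` with `curl -fsSL`, pinning `MISE_VERSION` to the version the lockfile expects, and either verifying the script's signature as the mise docs describe or using the pinned `jdx/mise-action` (both options are laid out in the comment above). Also quote `"$GITHUB_PATH"` in the two echo lines and put a version comment after the checkout SHA so the pin stays auditable.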

4 changes: 2 additions & 2 deletions mise.toml
@@ -1,3 +1,3 @@
[tools]
node = "24"
pnpm = "10"
node = "24.15.0"
pnpm = "10.33.2"
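Review bot: the exact pins `node = "24.15.0"` and `pnpm = "10.33.2"` fix the version strings but not the artifacts; without a committed `mise.lock` (the checksum-verified lockfile the ci.yml review refers to) a rebuilt or replaced release tarball carrying the same version would still install. Suggest committing `mise.lock` together with this change and noting in the PR how the two versions were chosen, since exact pins also stop patch releases from being picked up until someone bumps them.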