From 34e763bc3db7bd37005700511bfc31c1262605c8 Mon Sep 17 00:00:00 2001 From: Lior Date: Thu, 28 May 2026 09:15:52 -0400 Subject: [PATCH 1/4] claim: reserve setup mise tool pin fix Reserve the setup-pin repair lane after #5800 exposed shared mise/aqua 404 failures for uv and actionlint. Validation: - git diff --check Agency-Signature-Version: 1 Agent: Vera Agent-Runtime: OpenAI Codex Agent-Model: GPT-5 Credential-Identity: AceHack Credential-Mode: shared Human-Review: not-implied-by-credential Human-Review-Evidence: none Action-Mode: autonomous-fail-open Task: task-setup-mise-tool-pins-20260528 Co-Authored-By: Codex --- .../task-setup-mise-tool-pins-20260528.md | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 docs/claims/task-setup-mise-tool-pins-20260528.md diff --git a/docs/claims/task-setup-mise-tool-pins-20260528.md b/docs/claims/task-setup-mise-tool-pins-20260528.md new file mode 100644 index 0000000000..ca94a5f20c --- /dev/null +++ b/docs/claims/task-setup-mise-tool-pins-20260528.md 
@@ -0,0 +1,21 @@ +# Claim - task-setup-mise-tool-pins-20260528 + +- **Session ID:** codex/20260528T131246Z +- **Harness:** codex +- **Claimed at:** 2026-05-28T13:13:00Z +- **ETA:** 2026-05-28T13:30:00Z +- **Scope:** Repair shared mise/aqua setup pins that block GitHub Actions lint jobs across PR #5800 and newer PRs. +- **Durable target:** `.mise.toml` and setup/toolchain notes if needed. +- **Platform mirror:** #5800 CI failure cluster + +## Notes + +Claim opened after inspecting #5800 run `26576555171`, job `78297343887`. +The failing jobs do not reach their lint scripts; they fail during `./tools/setup/install.sh`. +Observed failing pins: + +- `aqua:astral-sh/uv@0.11.8` returned GitHub API 404 for release tag `0.11.8`. +- `aqua:rhysd/actionlint@1.7.12` returned GitHub API 404 for release tag `v1.7.12`. +- `pipx:semgrep@1.161.0` skipped because uv/actionlint setup failed. + +Ownership check found no open PR title/head branch and no active claim file for this setup-pin repair. From 278afea4ab91ac500b3c1e94ef0f05238fab0a3d Mon Sep 17 00:00:00 2001 
From: Lior Date: Thu, 28 May 2026 09:21:03 -0400 Subject: [PATCH 2/4] fix(ci): mask repo token for mise release lookups GitHub Actions exposes a repository-scoped GITHUB_TOKEN. mise's aqua backend reuses that token for public release metadata in external repositories such as astral-sh/uv, koalaman/shellcheck, and rhysd/actionlint; GitHub returns 404 for those cross-repo calls under the repo token. Mask GITHUB_TOKEN only for the mise install call when running in GitHub Actions and no dedicated MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is provided. Dedicated mise tokens still win; otherwise mise falls back to public release lookups instead of poisoned authenticated ones. Validation: - bash -n tools/setup/common/mise.sh - git diff --check - actionlint .github/workflows/gate.yml - GITHUB_ACTIONS=true GITHUB_TOKEN=invalid-token ./tools/setup/common/mise.sh Agency-Signature-Version: 1 Agent: Vera Agent-Runtime: OpenAI Codex Agent-Model: GPT-5 Credential-Identity: AceHack Credential-Mode: shared Human-Review: not-implied-by-credential Human-Review-Evidence: none Action-Mode: autonomous-fail-open Task: task-setup-mise-tool-pins-20260528 Co-Authored-By: Codex --- .github/workflows/gate.yml | 30 ++++++++++++++---------------- tools/setup/common/mise.sh | 14 +++++++++++++- 2 files changed, 27 insertions(+), 17 deletions(-) diff --git a/.github/workflows/gate.yml b/.github/workflows/gate.yml index 9b9989e5bb..0215629010 100644 --- a/.github/workflows/gate.yml +++ b/.github/workflows/gate.yml 
@@ -23,11 +23,11 @@ # - permissions: contents: read at the workflow level; no job # elevates. The only secret referenced is the auto-generated # per-run secrets.GITHUB_TOKEN (see workflow-level env: block -# below) — needed because mise's aqua: backend authenticates -# to the GitHub API for release-tag lookups. The token -# inherits the read-only permissions; no write escalation. -# Workflow-level scope chosen over per-step for DRY (~7 -# install-toolchain steps would otherwise repeat the env); +# below). setup/common/mise.sh intentionally masks this repo- +# scoped token from mise/aqua cross-repo release lookups unless +# a dedicated MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is supplied. +# The token inherits the read-only permissions; no write +# escalation. Workflow-level scope chosen over per-step for DRY; # trade-off documented at the env: block. # - Concurrency: workflow-scoped; cancel-in-progress only for PR # events (main pushes queue so every main commit gets a record). 
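Review bot: the rewritten header comment in this hunk still presents `secrets.GITHUB_TOKEN` as the one secret the workflow needs while also stating that setup/common/mise.sh masks it, and it no longer says who does need it. The removed lines gave both the consumer (mise's aqua backend for release-tag lookups) and the reason for workflow-level scope ("~7 install-toolchain steps would otherwise repeat the env"); the replacement keeps "Workflow-level scope chosen over per-step for DRY" without naming any remaining consumer. Suggest either naming the steps that still read the token after this change, or, if none remain, dropping the workflow-level `env:` and scoping the token to the steps that use it, since a token exposed to every step that nothing consumes is exposure without benefit.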
@@ -59,17 +59,15 @@ on: permissions: contents: read -# Workflow-level env: exposes GITHUB_TOKEN to every step so mise's -# `aqua:` backend (used for uv / shellcheck / actionlint / -# markdownlint-cli2 / etc) can authenticate its GitHub API calls. -# Without a token, mise hits the unauthenticated rate limit -# (60 requests per hour per IP, shared across all GitHub Actions -# runners) and fails to fetch release tags with a 403. With the -# token, the limit is 5000/hr per token. See -# https://mise.jdx.dev/dev-tools/github-tokens.html for mise's -# supported token sources. The token inherits the workflow's -# `permissions: contents: read` — no write escalation; mise only -# reads release-tag metadata. +# Workflow-level env: exposes GITHUB_TOKEN to steps that need the +# current repository token. It is not a valid general-purpose token +# for mise/aqua release lookups against other repositories: GitHub +# returns 404 for some public release-tag endpoints when queried with +# the repo-scoped Actions token. setup/common/mise.sh therefore masks +# GITHUB_TOKEN during `mise install` unless a dedicated +# MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is provided. See +# https://mise.jdx.dev/dev-tools/github-tokens.html for mise's token +# priority order. env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/tools/setup/common/mise.sh b/tools/setup/common/mise.sh index b6a7a3bf56..386560e0b3 100755 --- a/tools/setup/common/mise.sh +++ b/tools/setup/common/mise.sh 
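Review bot: the gate.yml `env:` block hunk deletes the rate-limit rationale without replacing it. The removed comment stated that unauthenticated mise/aqua lookups share the 60 requests/hour per-IP limit across Actions runners and fail with 403; the masked path this series introduces sends exactly those unauthenticated requests, so the 404s may be traded for intermittent 403s, and the comment should say so and name the mitigation (supplying MISE_GITHUB_TOKEN or GITHUB_API_TOKEN to the workflow). The new claim "GitHub returns 404 for some public release-tag endpoints when queried with the repo-scoped Actions token" should also point at its evidence: the PATCH 2/4 validation runs with `GITHUB_TOKEN=invalid-token`, which exercises the masking branch but does not reproduce a 404 under a real repo token, and a 404 on a release-tag endpoint is also what a missing or mis-spelled tag returns, so confirming that the pinned tags recorded in the claim file (`0.11.8`, `v1.7.12`) exist would rule out the simpler explanation before the comment commits to the token one.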
@@ -21,7 +21,19 @@ fi mise trust "$REPO_ROOT/.mise.toml" >/dev/null echo "↓ mise install (reading $REPO_ROOT/.mise.toml)..." -(cd "$REPO_ROOT" && mise install) +if [ "${GITHUB_ACTIONS:-}" = "true" ] && + [ -n "${GITHUB_TOKEN:-}" ] && + [ -z "${MISE_GITHUB_TOKEN:-}" ] && + [ -z "${GITHUB_API_TOKEN:-}" ]; then + # GitHub Actions' default GITHUB_TOKEN is scoped to this repository. + # mise/aqua may reuse it for release metadata in other repositories + # (uv, shellcheck, actionlint), where GitHub returns 404. Prefer a + # dedicated mise token if supplied; otherwise fall back to anonymous + # public release lookups rather than poisoning them with the repo token. + (cd "$REPO_ROOT" && env -u GITHUB_TOKEN mise install) +else + (cd "$REPO_ROOT" && mise install) +fi echo "✓ mise runtimes installed" # Put mise shims on PATH for the remainder of this install.sh run From 99962a9c5554f5a277177eae5d4d180760a30b21 Mon Sep 17 00:00:00 2001 From: Aaron Stainback Date: Thu, 28 May 2026 10:05:53 -0400 Subject: [PATCH 3/4] chore(claim): release task-setup-mise-tool-pins claim per protocol Per docs/claims/README.md: live claims under docs/claims/ are released by deleting the file in the same PR that lands the work. The implementation lands in this PR (gate.yml + mise.sh); deleting the active claim file. Resolves Copilot review thread on PR #5813. Co-Authored-By: Claude --- .../task-setup-mise-tool-pins-20260528.md | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 docs/claims/task-setup-mise-tool-pins-20260528.md diff --git a/docs/claims/task-setup-mise-tool-pins-20260528.md b/docs/claims/task-setup-mise-tool-pins-20260528.md deleted file mode 100644 index ca94a5f20c..0000000000 --- a/docs/claims/task-setup-mise-tool-pins-20260528.md +++ /dev/null 
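Review bot: in the mise.sh hunk the masking branch is silent, so a job log cannot show whether `mise install` ran with or without the token, which is the first thing anyone debugging a later 403-versus-404 failure will want to know; add an `echo` before the `env -u GITHUB_TOKEN` line (e.g. `echo "  masking repo-scoped GITHUB_TOKEN for mise install"`) in the same style as the surrounding `↓`/`✓` messages. Two smaller points: `env -u` is not part of POSIX `env` (GNU, BSD/macOS and busybox all accept it, and the branch only runs under `GITHUB_ACTIONS=true`, so a one-line comment recording that assumption is enough); and the condition treats an empty `GITHUB_TOKEN` as "not set" via `[ -n ... ]`, which is correct but worth a word in the comment since an empty exported token would still reach mise on the `else` path.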
@@ -1,21 +0,0 @@ -# Claim - task-setup-mise-tool-pins-20260528 - -- **Session ID:** codex/20260528T131246Z -- **Harness:** codex -- **Claimed at:** 2026-05-28T13:13:00Z -- **ETA:** 2026-05-28T13:30:00Z -- **Scope:** Repair shared mise/aqua setup pins that block GitHub Actions lint jobs across PR #5800 and newer PRs. -- **Durable target:** `.mise.toml` and setup/toolchain notes if needed. -- **Platform mirror:** #5800 CI failure cluster - -## Notes - -Claim opened after inspecting #5800 run `26576555171`, job `78297343887`. -The failing jobs do not reach their lint scripts; they fail during `./tools/setup/install.sh`. -Observed failing pins: - -- `aqua:astral-sh/uv@0.11.8` returned GitHub API 404 for release tag `0.11.8`. -- `aqua:rhysd/actionlint@1.7.12` returned GitHub API 404 for release tag `v1.7.12`. -- `pipx:semgrep@1.161.0` skipped because uv/actionlint setup failed. - -Ownership check found no open PR title/head branch and no active claim file for this setup-pin repair. From d9bc7d41fc7d8d264e21f4571e25289a590286f1 Mon Sep 17 00:00:00 2001 
From: Lior Date: Thu, 28 May 2026 10:28:02 -0400 Subject: [PATCH 4/4] fix(ci): align lean-proof mise token rationale Update the copied lean-proof workflow comment to match gate.yml: the repo-scoped Actions token remains available to steps, but setup/common/mise.sh masks it during mise install unless a dedicated mise token is supplied. Addresses the unresolved Copilot config-drift thread on PR #5813. Validation: - git diff --check - actionlint .github/workflows/lean-proof.yml Agency-Signature-Version: 1 Agent: Codex Background Service Agent-Runtime: OpenAI Codex Agent-Model: GPT-5 Credential-Identity: AceHack Credential-Mode: shared Human-Review: not-implied-by-credential Human-Review-Evidence: none Action-Mode: autonomous-fail-open Task: task-setup-mise-tool-pins-20260528 Co-Authored-By: Codex Codex-Origin: codex-launchd-loop Codex-Surface: codex-background-service Codex-Loop-Run-Id: 20260528T142510Z --- .github/workflows/lean-proof.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/lean-proof.yml b/.github/workflows/lean-proof.yml index 40d5e909a0..5490de02be 100644 --- a/.github/workflows/lean-proof.yml +++ b/.github/workflows/lean-proof.yml 
@@ -47,15 +47,15 @@ on: permissions: contents: read -# Workflow-level env: exposes GITHUB_TOKEN to every step so mise's -# aqua: backend (used by tools/setup/install.sh during toolchain -# install) can authenticate its GitHub API calls. Without a token, -# mise hits the unauthenticated rate limit (60 requests per hour -# per IP, shared across all GitHub Actions runners) and fails to -# fetch release tags with a 403. With the token, the limit is -# 5000/hr per token. Same pattern as gate.yml (see workflow-level -# env: block there); inherits the workflow's permissions: -# contents: read — no write escalation. +# Workflow-level env: exposes GITHUB_TOKEN to steps that need the +# current repository token. It is not a valid general-purpose token +# for mise/aqua release lookups against other repositories: GitHub +# returns 404 for some public release-tag endpoints when queried with +# the repo-scoped Actions token. setup/common/mise.sh therefore masks +# GITHUB_TOKEN during `mise install` unless a dedicated +# MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is provided. Same pattern as +# gate.yml (see workflow-level env: block there); inherits the +# workflow's permissions: contents: read — no write escalation. env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
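Review bot: the lean-proof.yml hunk makes this comment a near-verbatim copy of the gate.yml `env:` block, which is the same duplication that produced the config drift this patch fixes. Since the hunk already carries "Same pattern as gate.yml (see workflow-level env: block there)", suggest trimming the copied paragraph to that cross-reference plus the one fact that matters here (setup/common/mise.sh masks GITHUB_TOKEN during `mise install` unless MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is set), so the next change to the rationale has a single place to land.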