[codex] Mask repo token for mise release lookups

.github/workflows/gate.yml

@@ -23,11 +23,11 @@
 #   - permissions: contents: read at the workflow level; no job
 #     elevates. The only secret referenced is the auto-generated
 #     per-run secrets.GITHUB_TOKEN (see workflow-level env: block
-#     below) — needed because mise's aqua: backend authenticates
-#     to the GitHub API for release-tag lookups. The token
-#     inherits the read-only permissions; no write escalation.
-#     Workflow-level scope chosen over per-step for DRY (~7
-#     install-toolchain steps would otherwise repeat the env);
+#     below). setup/common/mise.sh intentionally masks this repo-
+#     scoped token from mise/aqua cross-repo release lookups unless
+#     a dedicated MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is supplied.
+#     The token inherits the read-only permissions; no write
+#     escalation. Workflow-level scope chosen over per-step for DRY;
 #     trade-off documented at the env: block.
 #   - Concurrency: workflow-scoped; cancel-in-progress only for PR
 #     events (main pushes queue so every main commit gets a record).
@@ -59,17 +59,15 @@ on:
 permissions:
   contents: read
 
-# Workflow-level env: exposes GITHUB_TOKEN to every step so mise's
-# `aqua:` backend (used for uv / shellcheck / actionlint /
-# markdownlint-cli2 / etc) can authenticate its GitHub API calls.
-# Without a token, mise hits the unauthenticated rate limit
-# (60 requests per hour per IP, shared across all GitHub Actions
-# runners) and fails to fetch release tags with a 403. With the
-# token, the limit is 5000/hr per token. See
-# https://mise.jdx.dev/dev-tools/github-tokens.html for mise's
-# supported token sources. The token inherits the workflow's
-# `permissions: contents: read` — no write escalation; mise only
-# reads release-tag metadata.
+# Workflow-level env: exposes GITHUB_TOKEN to steps that need the
+# current repository token. It is not a valid general-purpose token
+# for mise/aqua release lookups against other repositories: GitHub
+# returns 404 for some public release-tag endpoints when queried with
+# the repo-scoped Actions token. setup/common/mise.sh therefore masks
+# GITHUB_TOKEN during `mise install` unless a dedicated
+# MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is provided. See
+# https://mise.jdx.dev/dev-tools/github-tokens.html for mise's token
+# priority order.
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/lean-proof.yml

@@ -47,15 +47,15 @@ on:
 permissions:
   contents: read
 
-# Workflow-level env: exposes GITHUB_TOKEN to every step so mise's
-# aqua: backend (used by tools/setup/install.sh during toolchain
-# install) can authenticate its GitHub API calls. Without a token,
-# mise hits the unauthenticated rate limit (60 requests per hour
-# per IP, shared across all GitHub Actions runners) and fails to
-# fetch release tags with a 403. With the token, the limit is
-# 5000/hr per token. Same pattern as gate.yml (see workflow-level
-# env: block there); inherits the workflow's permissions:
-# contents: read — no write escalation.
+# Workflow-level env: exposes GITHUB_TOKEN to steps that need the
+# current repository token. It is not a valid general-purpose token
+# for mise/aqua release lookups against other repositories: GitHub
+# returns 404 for some public release-tag endpoints when queried with
+# the repo-scoped Actions token. setup/common/mise.sh therefore masks
+# GITHUB_TOKEN during `mise install` unless a dedicated
+# MISE_GITHUB_TOKEN or GITHUB_API_TOKEN is provided. Same pattern as
+# gate.yml (see workflow-level env: block there); inherits the
+# workflow's permissions: contents: read — no write escalation.
 env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

tools/setup/common/mise.sh

@@ -21,7 +21,19 @@ fi
 mise trust "$REPO_ROOT/.mise.toml" >/dev/null
 
 echo "↓ mise install (reading $REPO_ROOT/.mise.toml)..."
-(cd "$REPO_ROOT" && mise install)
+if [ "${GITHUB_ACTIONS:-}" = "true" ] &&
+   [ -n "${GITHUB_TOKEN:-}" ] &&
+   [ -z "${MISE_GITHUB_TOKEN:-}" ] &&
+   [ -z "${GITHUB_API_TOKEN:-}" ]; then
+  # GitHub Actions' default GITHUB_TOKEN is scoped to this repository.
+  # mise/aqua may reuse it for release metadata in other repositories
+  # (uv, shellcheck, actionlint), where GitHub returns 404. Prefer a
+  # dedicated mise token if supplied; otherwise fall back to anonymous
+  # public release lookups rather than poisoning them with the repo token.
+  (cd "$REPO_ROOT" && env -u GITHUB_TOKEN mise install)
+else
+  (cd "$REPO_ROOT" && mise install)
+fi
 echo "✓ mise runtimes installed"
 
 # Put mise shims on PATH for the remainder of this install.sh run