diff --git a/.circleci/config.yml b/.circleci/config.yml
index 7f7775cf221..bd8a2be1d7c 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -18,7 +18,7 @@ commands:
       - run:
           name: Install Mise
           command: |
-            curl https://mise.run | MISE_VERSION=v2025.8.20 sh
+            curl https://mise.run | MISE_VERSION=v2026.5.5 sh
       - when:
           condition: << parameters.node-version >>
           steps:
@@ -26,6 +26,8 @@ commands:
       - run:
           name: Use Mise to configure the environment
           command: stty cols 80 && ~/.local/bin/mise install --verbose && mise ls && mise env --shell bash >> "$BASH_ENV" && cat "$BASH_ENV"
+          env:
+            MISE_LOCKED: "1"
       - node/install-packages:
           cache-version: node-v<< parameters.node-version >>
 
diff --git a/.config/mise/config.toml b/.config/mise/config.toml
index 49d7516f046..2df68ad9dd8 100644
--- a/.config/mise/config.toml
+++ b/.config/mise/config.toml
@@ -4,8 +4,13 @@
 
 [tools]
 node = "24.13.0"
-"ubi:codecov/codecov-cli" = "10.4.0"
+"github:codecov/codecov-cli" = { version = "10.4.0", bin = "codecov-cli" }
 
 [env]
 # Put binaries from npm-installed packages on PATH (eg `changeset`).
 _.path = ["{{config_root}}/node_modules/.bin"]
+
+[settings]
+lockfile = true
+github.github_attestations = false
+github.slsa = false
diff --git a/.config/mise/mise.lock b/.config/mise/mise.lock
new file mode 100644
index 00000000000..779ea425c16
--- /dev/null
+++ b/.config/mise/mise.lock
@@ -0,0 +1,72 @@
+# @generated - this file is auto-generated by `mise lock` https://mise.en.dev/dev-tools/mise-lock.html
+
+[[tools."github:codecov/codecov-cli"]]
+version = "10.4.0"
+backend = "github:codecov/codecov-cli"
+
+[tools."github:codecov/codecov-cli"."platforms.linux-arm64"]
+checksum = "blake3:68f96ede4e611d7bdc3cd1a9e0d12c3c08cc9efac5325eaf04cd44bcf1a6813f"
+url = "https://github.com/codecov/codecov-cli/releases/download/v10.4.0/codecovcli_linux_arm64"
+url_api = "https://api.github.com/repos/codecov/codecov-cli/releases/assets/244442559"
+
+[tools."github:codecov/codecov-cli"."platforms.linux-arm64-musl"]
+checksum = "blake3:5f02a5b9221542c6ac3c4b6d1b318373d9a65af9a3579b38b8ddd8e6ca82c9be"
+url = "https://github.com/codecov/codecov-cli/releases/download/v10.4.0/codecovcli_alpine_arm64"
+url_api = "https://api.github.com/repos/codecov/codecov-cli/releases/assets/244442413"
+
+[tools."github:codecov/codecov-cli"."platforms.linux-x64"]
+checksum = "blake3:7601bc5982daed458150c09070af94f07bba4220639c7b4c60526e511064d601"
+url = "https://github.com/codecov/codecov-cli/releases/download/v10.4.0/codecovcli_linux"
+url_api = "https://api.github.com/repos/codecov/codecov-cli/releases/assets/244441838"
+
+[tools."github:codecov/codecov-cli"."platforms.linux-x64-musl"]
+checksum = "blake3:53253f3d73f5550331fe62531b0622d63b4c44dd79e8c4815f51371c9ebb9e46"
+url = "https://github.com/codecov/codecov-cli/releases/download/v10.4.0/codecovcli_alpine_x86_64"
+url_api = "https://api.github.com/repos/codecov/codecov-cli/releases/assets/244441834"
+
+[tools."github:codecov/codecov-cli"."platforms.macos-arm64"]
+checksum = "blake3:fcfadc4f79dbdb211632db8857b1dbb09db2df1806a39a0dcdead77a7681111a"
+url = "https://github.com/codecov/codecov-cli/releases/download/v10.4.0/codecovcli_macos"
+url_api = "https://api.github.com/repos/codecov/codecov-cli/releases/assets/244441853"
+
+[tools."github:codecov/codecov-cli"."platforms.macos-x64"]
+checksum = "blake3:fcfadc4f79dbdb211632db8857b1dbb09db2df1806a39a0dcdead77a7681111a"
+url = "https://github.com/codecov/codecov-cli/releases/download/v10.4.0/codecovcli_macos"
+url_api = "https://api.github.com/repos/codecov/codecov-cli/releases/assets/244441853"
+
+[tools."github:codecov/codecov-cli"."platforms.windows-x64"]
+checksum = "blake3:bce1b2a424ce604086bd5c12557c1f6be74e32879eeb0b192165c338aa83b54f"
+url = "https://github.com/codecov/codecov-cli/releases/download/v10.4.0/codecovcli_windows.exe"
+url_api = "https://api.github.com/repos/codecov/codecov-cli/releases/assets/244441937"
+
+[[tools.node]]
+version = "24.13.0"
+backend = "core:node"
+
+[tools.node."platforms.linux-arm64"]
+checksum = "sha256:0f6d40b94c6a2eb6b4c240ffc8b9fd3ada7ab044c177dd413c06e1ef9a63f081"
+url = "https://nodejs.org/dist/v24.13.0/node-v24.13.0-linux-arm64.tar.gz"
+
+[tools.node."platforms.linux-arm64-musl"]
+checksum = "sha256:f8312012e07ff106a1c48ad08fc228f9434077e7f7462a2ffc6839c8e3f02935"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.13.0/node-v24.13.0-linux-arm64-musl.tar.gz"
+
+[tools.node."platforms.linux-x64"]
+checksum = "sha256:6223aad1a81f9d1e7b682c59d12e2de233f7b4c37475cd40d1c89c42b737ffa8"
+url = "https://nodejs.org/dist/v24.13.0/node-v24.13.0-linux-x64.tar.gz"
+
+[tools.node."platforms.linux-x64-musl"]
+checksum = "sha256:e2750d9e00008d2eadcecc00e17c3060980ed26888de90a55f9873ebdcde74ac"
+url = "https://unofficial-builds.nodejs.org/download/release/v24.13.0/node-v24.13.0-linux-x64-musl.tar.gz"
+
+[tools.node."platforms.macos-arm64"]
+checksum = "sha256:d595961e563fcae057d4a0fb992f175a54d97fcc4a14dc2d474d92ddeea3b9f8"
+url = "https://nodejs.org/dist/v24.13.0/node-v24.13.0-darwin-arm64.tar.gz"
+
+[tools.node."platforms.macos-x64"]
+checksum = "sha256:6f03c1b48ddbe1b129a6f8038be08e0899f05f17185b4d3e4350180ab669a7f3"
+url = "https://nodejs.org/dist/v24.13.0/node-v24.13.0-darwin-x64.tar.gz"
+
+[tools.node."platforms.windows-x64"]
+checksum = "sha256:ca2742695be8de44027d71b3f53a4bdb36009b95575fe1ae6f7f0b5ce091cb88"
+url = "https://nodejs.org/dist/v24.13.0/node-v24.13.0-win-x64.zip"
diff --git a/.github/workflows/release-pr.yml b/.github/workflows/release-pr.yml
index 1c9710dfe74..e966fbb09b2 100644
--- a/.github/workflows/release-pr.yml
+++ b/.github/workflows/release-pr.yml
@@ -24,13 +24,16 @@ jobs:
 
       - name: Install Node with Mise
         uses: jdx/mise-action@v2
-
-      # Because Mise installs Node, this action mostly just caches node_modules.
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
         with:
-          cache: 'npm'
+          # Disable caching mise tools in the Actions cache: when publishing releases, we want to make
+          # sure no other actions (even those run without credentials) had a chance to poison any cache.
+          cache: false
+        env:
+          MISE_LOCKED: "1"
 
+      # Deliberately not using an action like `actions/setup-node` which integrates with the Actions cache:
+      # when publishing releases, we want to make sure no other actions (even those run without credentials)
+      # had a chance to poison any cache.
       - name: Install Dependencies
         run: npm ci