Merged
Changes from 3 commits
3 changes: 3 additions & 0 deletions .config/mise/config.toml
Expand Up @@ -9,3 +9,6 @@ node = "24.13.0"
[env]
# Put binaries from npm-installed packages on PATH (eg `changeset`).
_.path = ["{{config_root}}/node_modules/.bin"]

[settings]
lockfile = true
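Review bot: `lockfile = true` on its own pins nothing; it only tells mise to read and write a `mise.lock` beside this config file, so the setting is inert unless that lock file is committed and CI runs in a mode that refuses versions not recorded in it. Both halves are in this PR (the 37-line `.config/mise/mise.lock` listed below this file, and `MISE_LOCKED: "1"` on the mise-action step in release-pr.yml), so the coderabbit finding that `mise.lock` is missing comes from its script testing `mise.lock` in the repository root rather than `.config/mise/`, and can be dismissed. A one-line comment above `[settings]` pointing at `.config/mise/mise.lock` would stop the next reviewer, human or bot, from repeating that check.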
Comment on lines +13 to +14
⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if mise.lock exists
if [ -f "mise.lock" ]; then
  echo "✓ mise.lock exists"
  echo "Lock file content:"
  cat mise.lock
else
  echo "✗ mise.lock NOT FOUND - lockfile setting will have no effect"
  exit 1
fi

Repository: apollographql/apollo-server

Length of output: 132


Generate and commit the mise.lock file to pin tool versions.

The lockfile = true setting is enabled, but the mise.lock file does not exist in the repository. Without this file, the lockfile setting has no effect and tool versions remain unpinned, breaking reproducibility across environments. Generate the lock file by running mise lock and commit it to the repository.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.config/mise/config.toml around lines 13 - 14, The repository has mise
lockfile support enabled via the settings key lockfile = true but the actual
mise.lock is missing; run the mise lock command locally (mise lock) to generate
mise.lock, verify the generated file, add and commit mise.lock to the repo so
the lockfile setting takes effect and tool versions are pinned.

37 changes: 37 additions & 0 deletions .config/mise/mise.lock
Generated file, not rendered in the diff view.

15 changes: 7 additions & 8 deletions .github/workflows/release-pr.yml
Expand Up @@ -17,25 +17,24 @@ jobs:
if: github.repository == 'apollographql/apollo-server'
steps:
- name: Checkout Repo
uses: actions/checkout@v4
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd

Member:
Did you do this manually? I think it would be better to configure Renovate to do pinning for GHA (https://docs.renovatebot.com/modules/manager/github-actions/#digest-pinning-and-updating) instead of doing it manually; it will leave in an appropriate comment which will allow it to create update PRs which we can hypothetically evaluate.

with:
# This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
fetch-depth: 0

- name: Install Node with Mise
uses: jdx/mise-action@v2

# Because Mise installs Node, this action mostly just caches node_modules.
- name: Setup Node.js
uses: actions/setup-node@v4
uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151
with:
cache: 'npm'
cache: false
env:
MISE_LOCKED: "1"
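Review bot: the three new SHA pins (`actions/checkout@de0fac2e`, `jdx/mise-action@1648a781`, `changesets/action@63a615b9`, full hashes in the diff) carry no trailing tag comment, so a reader of the workflow cannot tell which release each hash was resolved from, and Renovate's digest pinning, which the reviewer above suggests, keys on exactly that `# vN` comment to propose updates; add the tag each hash replaced as a comment (e.g. `uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151 # v2`, if v2 is what the hash was resolved from) or let Renovate pin them so the comment is generated. Separately, `cache: false` here is mise-action's own input and is unrelated to the npm cache that the removed `actions/setup-node@v4` step with `cache: 'npm'` provided, while `MISE_LOCKED: "1"` is presumably the part of this change that makes the committed lock file binding in CI; the comment that follows should state both, so neither setting gets "fixed" later.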

coderabbitai[bot] marked this conversation as resolved.
# deliberately not using a cache for action with elevated permissions, see https://tanstack.com/blog/npm-supply-chain-compromise-postmortem

Member:
I think this comment implies that the cache: false above relates to the npm cache, but really you're just saying that you're not using something like setup-node that does npm cache caching — probably worth being explicit

@phryneas (Member Author), May 12, 2026:
Tbh., the comment is here primarily so nobody (= no helpful agent) gets the idea of adding a cached npm install or cached anything else - if you have better wording for it, please go for it :)

Member Author:
Also, the diff is weird here - I did put the comment in the place where previously this code was found:

      # Because Mise installs Node, this action mostly just caches node_modules.
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          cache: 'npm'

Member:
Understood, but I only understood that because I saw the now-deleted comments :)

- name: Install Dependencies
run: npm ci

- name: Create Release Pull Request / NPM Publish
uses: changesets/action@v1
uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b
with:
publish: npm run changeset-publish
version: npm run changeset-version
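The digest-pinning discussion above, as an added example that is not part of apollo-server or this PR: a bash check that walks a workflow file and flags every `uses:` reference that is not pinned to a full commit SHA, plus every SHA pin that lacks the trailing tag comment Renovate's digest pinning keys on. The workflow text is constructed for the example; the `# v4` annotation on the checkout pin is an assumption, not something the PR carries.

```shell
#!/usr/bin/env bash
# Added example, not code from apollo-server or this PR.
# check_pins <workflow.yml>: print one line per `uses:` reference that is
# either not pinned to a full 40-hex commit SHA, or pinned but missing the
# trailing "# <tag>" comment that records which release the SHA came from
# (Renovate's digest pinning keeps that comment in sync). Local actions
# (./path) and docker:// images are skipped. Returns 0 when clean, 1 otherwise.
check_pins() {
  local file=$1 status=0 line ref comment sha hex
  while IFS= read -r line; do
    case "$line" in
      *uses:*) ;;
      *) continue ;;
    esac
    ref=${line#*uses:}                         # text after "uses:"
    ref=${ref#"${ref%%[![:space:]]*}"}         # trim leading whitespace
    comment=''
    case "$ref" in
      *'#'*) comment=${ref#*#}; ref=${ref%%#*} ;;   # split off "# tag"
    esac
    ref=${ref%"${ref##*[![:space:]]}"}         # trim trailing whitespace
    ref=${ref#\"}; ref=${ref%\"}; ref=${ref#\'}; ref=${ref%\'}
    case "$ref" in
      ./*|docker://*) continue ;;
    esac
    sha=${ref##*@}
    case "$sha" in
      *[!0-9a-f]*|'') hex=0 ;;
      *) hex=1 ;;
    esac
    if [ "$sha" = "$ref" ] || [ "$hex" -eq 0 ] || [ "${#sha}" -ne 40 ]; then
      printf 'not pinned to a commit SHA: %s\n' "$ref"
      status=1
      continue
    fi
    case "$comment" in
      *[![:space:]]*) ;;                       # has a tag comment, fine
      *) printf 'pinned but no version comment: %s\n' "$ref"; status=1 ;;
    esac
  done <"$file"
  return "$status"
}

# count_findings <workflow.yml>: number of lines check_pins reports.
count_findings() {
  check_pins "$1" | grep -c ''
}

# Constructed sample mirroring the three pinned steps in release-pr.yml.
# The "# v4" comment on the checkout line is an assumption for the example,
# not something the PR carries.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
jobs:
  release:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4
      - uses: jdx/mise-action@1648a7812b9aeae629881980618f079932869151
      - uses: changesets/action@v1
      - uses: ./.github/actions/local-step
EOF

check_pins "$SAMPLE" || echo "check_pins exit status: $?"
```

Run against the sample it reports the mise-action pin as lacking a version comment and the `changesets/action@v1` reference as unpinned, and exits non-zero; wired into CI it turns the "did someone hand-edit a pin" question into a failing check instead of a review comment.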