Add mise version pinning custom manager #43
The mise custom manager and package rule are now centralized in grafana/flint (grafana/flint#43).

Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Pull request overview
This PR adds a Renovate custom manager to handle mise version pinning with SHA256 checksums in GitHub Actions workflows. The implementation includes both the shared preset configuration (default.json) and the repository-specific configuration (.github/renovate.json5), along with weekly scheduling rules for mise updates.
Changes:
- Added custom regex manager to detect and update mise version + sha256 combinations in workflow files
- Added weekly schedule package rule for mise updates (before 4am on monday)
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| default.json | Added mise custom manager regex and weekly schedule rule to shared preset |
| .github/renovate.json5 | Added mise custom manager regex and weekly schedule rule for flint repository |
| "matchPackageNames": ["jdx/mise"], | ||
| "groupName": "mise", | ||
| "description": "Only update mise once a week", | ||
| "schedule": ["before 4am on monday"] |
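Review bot: `"schedule": ["before 4am on monday"]` carries no timezone in this hunk, and Renovate evaluates schedules in UTC unless `timezone` is set elsewhere in the config. State the intended timezone in the `description`, or confirm that the preset sets one, so that repositories extending the preset know when the window actually opens.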
Inconsistent day capitalization in schedule. The renovate package rule on line 41 uses "Monday" with a capital M, while this uses "monday" with a lowercase m. For consistency, these should match.
| "schedule": ["before 4am on monday"] | |
| "schedule": ["before 4am on Monday"] |
Accepted — fixed capitalization to Monday.
| "packageNameTemplate": "jdx/mise", | ||
| "depNameTemplate": "mise", | ||
| "matchStrings": [ | ||
| "jdx/mise-action.*\\n\\s*with:\\s*\\n\\s*version: [\"']?(?<currentValue>v[.\\d]+)[\"']?\\s*\\n\\s*sha256: [\"']?(?<currentDigest>\\w+)[\"']?" |
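Review bot: the `sha256:` capture `(?<currentDigest>\\w+)` accepts any run of word characters, so a truncated or mistyped checksum still matches and is recorded as the current digest. Consider `[a-f0-9]{64}` so that only a full SHA-256 hex string is tracked. The leading `jdx/mise-action.*` is also not anchored to `uses:`, so a comment line that mentions the action followed by a `with:` block would match as well.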
The regex pattern expects mise-action usage with with:, version:, and sha256: fields in the workflow YAML. However, the actual usage in .github/workflows/lint.yml line 24 shows uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 without any with: block containing version and sha256 fields. This custom manager will not match the current workflow format and won't be able to update mise-action. The regex pattern needs to be updated to match the actual usage pattern, or the workflow file needs to be updated to use the version/sha256 format expected by this regex.
| "jdx/mise-action.*\\n\\s*with:\\s*\\n\\s*version: [\"']?(?<currentValue>v[.\\d]+)[\"']?\\s*\\n\\s*sha256: [\"']?(?<currentDigest>\\w+)[\"']?" | |
| "^\\s*uses:\\s*jdx/mise-action@(?<currentDigest>[a-f0-9]{40})\\s*#\\s*(?<currentValue>v\\S+)" |
Rejected — the regex is intentionally for version: + sha256: pinning, not the action SHA. The lint.yml in this same PR was updated to include with: version: / sha256:, and the renovate linter confirms the match (mise now appears in renovate-tracked-deps.json).
| packageNameTemplate: "jdx/mise", | ||
| depNameTemplate: "mise", | ||
| matchStrings: [ | ||
| 'jdx/mise-action.*\\n\\s*with:\\s*\\n\\s*version: ["\']?(?<currentValue>v[.\\d]+)["\']?\\s*\\n\\s*sha256: ["\']?(?<currentDigest>\\w+)["\']?', |
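Review bot: this matchString requires `version:` to be the first key under `with:` and `sha256:` to sit on the very next line, so a workflow that lists another input first drops out of tracking without any error. Say so in the manager's description, or loosen the pattern between `with:` and `version:`. This is also a second copy of the pattern in default.json with different quote escaping; a comment noting that the two must stay in sync would help.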
The regex pattern expects mise-action usage with with:, version:, and sha256: fields in the workflow YAML. However, the actual usage in .github/workflows/lint.yml line 24 shows uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 without any with: block containing version and sha256 fields. This custom manager will not match the current workflow format and won't be able to update mise-action. The regex pattern needs to be updated to match the actual usage pattern, or the workflow file needs to be updated to use the version/sha256 format expected by this regex.
| 'jdx/mise-action.*\\n\\s*with:\\s*\\n\\s*version: ["\']?(?<currentValue>v[.\\d]+)["\']?\\s*\\n\\s*sha256: ["\']?(?<currentDigest>\\w+)["\']?', | |
| 'jdx/mise-action.*\\n\\s*with:\\s*\\n\\s*version: ["\']?(?<currentValue>v[.\\d]+)["\']?\\s*\\n\\s*sha256: ["\']?(?<currentDigest>\\w+)["\']?', | |
| 'uses:\\s*jdx/mise-action@(?<currentDigest>[a-f0-9]{40})\\s*#\\s*(?<currentValue>v[.\\d]+)', |
Rejected — same as above. The lint.yml was updated in this PR to include version: + sha256:, and the renovate linter confirms the regex matches correctly.
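The two rejected suggestions above turn on which workflow shape the matchString accepts. The following added example (not code from the PR or from Renovate) runs the PR's pattern over constructed workflow snippets; `STRICT_PATTERN`, the sample mise version, the `install: true` line and the digest are assumptions made for illustration.

```javascript
// Added example: the PR's matchString (JSON escaping removed) run against
// constructed workflow text. Assumption: compiled with the global flag so
// that every occurrence in a file is found.
const PR_PATTERN = String.raw`jdx/mise-action.*\n\s*with:\s*\n\s*version: ["']?(?<currentValue>v[.\d]+)["']?\s*\n\s*sha256: ["']?(?<currentDigest>\w+)["']?`;

// Hypothetical stricter variant (not in the PR): digest must be 64 hex chars.
const STRICT_PATTERN = PR_PATTERN.replace(
  String.raw`(?<currentDigest>\w+)`,
  '(?<currentDigest>[a-f0-9]{64})'
);

// The action commit SHA is the one quoted in the review; the rest is constructed.
const USES = '      - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1\n';
const DIGEST = 'ab'.repeat(32); // constructed 64-char placeholder, not a real checksum

const SAMPLES = {
  // version + sha256 directly under with: (the shape the PR pins)
  pinned: USES + `        with:\n          version: v2025.1.0\n          sha256: ${DIGEST}\n`,
  // action pinned by commit SHA only, no with: block
  actionOnly: USES + '      - run: mise run lint\n',
  // another key listed before version:
  reordered: USES + `        with:\n          install: true\n          version: v2025.1.0\n          sha256: ${DIGEST}\n`,
  // checksum that is too short to be a SHA-256
  truncated: USES + '        with:\n          version: v2025.1.0\n          sha256: deadbeef\n',
};

// Return the named groups of every match, as Renovate would see them.
function extractPins(text, pattern) {
  return [...text.matchAll(new RegExp(pattern, 'g'))].map((m) => ({ ...m.groups }));
}

// Number of matches per sample for a given pattern.
function report(pattern) {
  const out = {};
  for (const [name, text] of Object.entries(SAMPLES)) {
    out[name] = extractPins(text, pattern).length;
  }
  return out;
}

console.log('PR pattern    ', report(PR_PATTERN));
console.log('strict variant', report(STRICT_PATTERN));
```

A count of 0 for `reordered` means such a workflow is simply not tracked, so its pin goes stale without any error; `truncated` shows the one case where the two patterns differ.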
Centralize the renovate custom manager for mise version+sha256 pinning in GitHub Actions workflows so all repos that extend flint get automatic updates.

Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
0c14a2d to ccc10af
- Capitalize "Monday" consistently in mise schedule rule
- Add mise to renovate-tracked-deps.json (now detected via custom manager)

Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
## Summary

- Pin mise `version` and `sha256` in all workflow files for reproducibility and supply-chain security
- Renovate will keep these up to date via the custom manager in [grafana/flint#43](grafana/flint#43)

## Test plan

- [ ] CI passes with pinned mise version

---------

Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
## Summary

- Remove mise custom manager and package rule from this repo's renovate config
- These are now centralized in [grafana/flint#43](grafana/flint#43)

## Test plan

- [ ] Verify renovate still picks up mise version updates after flint PR merges

---------

Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Summary
default.json (shared preset) and inline renovate.json5 (for flint itself)
Test plan