From bb8ae5c2f4ab411e4b13d6b09f5cb1794193f9f6 Mon Sep 17 00:00:00 2001 From: Gregor Zeitlinger Date: Fri, 20 Feb 2026 18:59:16 +0100 Subject: [PATCH 1/2] Add mise version+sha256 pinning to CI workflows Pin mise version and sha256 in all workflow files for reproducibility and supply-chain security. Signed-off-by: Gregor Zeitlinger --- .github/workflows/build.yml | 3 +++ .github/workflows/lint.yml | 3 +++ .github/workflows/release.yml | 2 ++ 3 files changed, 8 insertions(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 5f0b5dca..87d5e455 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -22,6 +22,9 @@ jobs: persist-credentials: false uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 + with: + version: v2026.2.11 + sha256: 3e1baedb9284124b770d2d561a04a98c343d05967c83deb8b35c7c941f8d9c9a - name: Build run: mise run build env: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 82e5d92e..8c6e2fb2 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -22,6 +22,9 @@ jobs: - name: Setup mise uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 + with: + version: v2026.2.11 + sha256: 3e1baedb9284124b770d2d561a04a98c343d05967c83deb8b35c7c941f8d9c9a - name: Lint env: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 879ca88a..cc48c39a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -30,6 +30,8 @@ jobs: - uses: jdx/mise-action@6d1e696aa24c1aa1bcc1adea0212707c71ab78a8 # v3.6.1 with: + version: v2026.2.11 + sha256: 3e1baedb9284124b770d2d561a04a98c343d05967c83deb8b35c7c941f8d9c9a cache: false - name: Build From 1fff5a7d38fac0894f98db4662a247eb0469ecd7 Mon Sep 17 00:00:00 2001 
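Review bot: The `sha256` value added under `with:` in the build.yml hunk is a bare 64-character literal, and nothing says which mise release asset (OS and architecture) it is the digest of, so a later reviewer cannot check a bump against the published checksums. The same literal is repeated in the lint.yml and release.yml hunks. One digest can match only one asset, so it presumably holds only while every job using it runs on the same runner platform; the `runs-on` lines are outside these hunks, so that is worth confirming. I would add a comment above the pair in each file, for example `# sha256 of the mise v2026.2.11 release asset for <RUNNER_OS-ARCH>; bump together with version`. A mismatch should fail the step, which is the safe direction, but a version-only bump would then stop all three workflows.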
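Review bot: The new `with:` block in the lint.yml hunk (and the one in build.yml) sets only `version` and `sha256`, so the action's `cache` input stays at its default, while release.yml already carries `cache: false`. This patch does not show whether jdx/mise-action checks the digest again when mise is restored from the Actions cache rather than freshly downloaded; if it does not, the pin in these two workflows covers only cache misses. I would confirm that against the action at the pinned commit. If the check is download-only, either add `cache: false` here as in release.yml or record the accepted trade-off in a comment next to the pin.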
From: Gregor Zeitlinger Date: Fri, 20 Feb 2026 20:40:10 +0100 Subject: [PATCH 2/2] Add mise entries to renovate-tracked-deps.json Signed-off-by: Gregor Zeitlinger --- .github/renovate-tracked-deps.json | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/renovate-tracked-deps.json b/.github/renovate-tracked-deps.json index e03cc663..929deca5 100644 --- a/.github/renovate-tracked-deps.json +++ b/.github/renovate-tracked-deps.json @@ -4,6 +4,21 @@ "grafana/flint" ] }, + ".github/workflows/build.yml": { + "regex": [ + "mise" + ] + }, + ".github/workflows/lint.yml": { + "regex": [ + "mise" + ] + }, + ".github/workflows/release.yml": { + "regex": [ + "mise" + ] + }, "Dockerfile": { "dockerfile": [ "springio/petclinic",