Remove mise version pinning from CI #214

Closed
zeitlinger wants to merge 2 commits into main from remove-mise-version-pinning

@zeitlinger
Member

Summary

  • Remove version and sha256 pinning from jdx/mise-action in workflows — mise is stable enough to use latest
  • Remove the custom renovate manager and package rule for mise version updates (no longer needed)

mise is stable enough that pinning a specific version is unnecessary.
This also simplifies the renovate config by removing the custom manager.
Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
@zeitlinger zeitlinger enabled auto-merge (squash) February 20, 2026 12:50
Comment on lines -16 to -18
with:
version: v2026.2.11
sha256: 3e1baedb9284124b770d2d561a04a98c343d05967c83deb8b35c7c941f8d9c9a
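
Review bot: the removed `version: v2026.2.11` and `sha256:` inputs under `with:` are a pair, and dropping both leaves this step with no fixed mise release and no checksum for the download, so two runs of the same commit can install different binaries. Suggest keeping both lines and having Renovate update them together rather than deleting them.
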
Member

@martincostello martincostello Feb 20, 2026

This isn't about stability - it's about reproducibility and determinism.

Pinning means that the version doesn't silently change from under us and cause problems building the repo in the future, and it also mitigates supply-chain attacks (e.g. a bad new version gets pushed which becomes the latest until it's noticed and taken down).

Essentially the exact same reason we pin GitHub Actions by their Git SHA.

Member Author

it's a good question

  • gh actions usually package some sort of code - and you want to have that pinned
  • mise uses mise.toml for the actual "payload"
  • the only thing that mise pins protect against
    • logic in installing packages
    • deprecated features being removed

to sum it up

  • I added this step when mise was less mature IMO
  • and propose to remove it now
  • either way, I think we should have it consistent across repos - but that's very easy to do either way using AI

Member

I don't think we should remove it, because we want the version to be deterministic.

mise is the subject of the pinning, and without pinning it the action will fetch a non-deterministic version here.

Member Author

OK, I'll revert for all repos then.

Member Author

what do you think about adding the renovate rules for that in flint - since flint also uses mise?

Member

Isn't it already covered by the "_VERSION in GitHub Actions" preset?

Member Author

Member

Ah I see, it's a custom rule that works without you needing to add the usual comment (like this).

I was talking about the standard preset that keeps things updated if you have the comment, but that wouldn't work anyway because it's version: not _VERSION:.

In that case, yeah we can add that to flint.

@zeitlinger
Member Author

Closing this — keeping the pinning per Martin's review. Instead, I'll move the renovate custom manager for mise to flint so all maintained repos get automatic version+sha256 update support, and add pinning to the repos that don't have it yet.

@zeitlinger zeitlinger closed this Feb 20, 2026
auto-merge was automatically disabled February 20, 2026 17:53

Pull request was closed

@zeitlinger zeitlinger deleted the remove-mise-version-pinning branch February 20, 2026 17:56
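
A check for the property argued for in this thread, added here as an example and not code from the PR or the project: it scans workflow text for `jdx/mise-action` steps and reports any that lack a commit-SHA action ref, a fixed `version`, or a `sha256`. The function names, the line-based step splitting (it assumes no nested lists inside a step) and the sample workflows are assumptions.

```python
import re

# Input names `version` and `sha256` are the ones shown in the PR's removed lines.
USES = re.compile(r"^\s*(?:- )?uses:\s*jdx/mise-action@(\S+)", re.M)
INPUT = re.compile(r"^\s*(version|sha256):\s*['\"]?([^'\"\s#]+)")

def steps(text):
    """Yield each `- ...` list item as its lines, ending at the first dedent."""
    cur, indent = None, 0
    for line in text.splitlines():
        dash = re.match(r"^(\s*)- ", line)
        depth = len(line) - len(line.lstrip())
        if cur and (dash or (line.strip() and depth <= indent)):
            yield cur
            cur = None
        if dash:
            cur, indent = [line], len(dash.group(1))
        elif cur is not None:
            cur.append(line)
    if cur:
        yield cur

def audit_mise_pins(text):
    """Return one finding per missing pin on every jdx/mise-action step."""
    findings = []
    for step in steps(text):
        used = USES.search("\n".join(step))
        if not used:
            continue
        ref = used.group(1)
        inputs = dict(m.groups() for m in map(INPUT.match, step) if m)
        if not re.fullmatch(r"[0-9a-f]{40}", ref):
            findings.append(f"{ref}: action not pinned to a commit SHA")
        if inputs.get("version", "latest") == "latest":
            findings.append(f"{ref}: mise version floats to latest")
        if not re.fullmatch(r"[0-9a-f]{64}", inputs.get("sha256", "")):
            findings.append(f"{ref}: no sha256 for the mise download")
    return findings

# Constructed workflows; version and sha256 are the values quoted in the PR,
# the 40-hex action ref is a made-up placeholder.
PINNED = """\
steps:
  - uses: jdx/mise-action@0123456789abcdef0123456789abcdef01234567
    with:
      version: v2026.2.11
      sha256: 3e1baedb9284124b770d2d561a04a98c343d05967c83deb8b35c7c941f8d9c9a
"""
UNPINNED = "steps:\n  - name: Setup mise\n    uses: jdx/mise-action@v2\n"
```

Run as a CI gate, a non-empty result from `audit_mise_pins` on any file under `.github/workflows/` would fail the job.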
@zeitlinger
Member Author

Here are the PRs to centralize mise renovate rules in flint and roll out version+sha256 pinning to all maintained repos:
