fix(github): skip versions host for non-registry tools

[jdx]

Summary

• skip the versions host for non-registry tools in remote version listing
• pass the same registry/backend gate into GitHub release metadata lookups
• keep registry-backed GitHub tools using mise-versions when their backend matches the registry entry

Why

Non-registry tools can be private, internal, or ad hoc github:owner/repo references. Sending those release/version probes to mise-versions adds noise and can leak/internalize failures that should go directly to the configured upstream GitHub API instead.

Test plan

• cargo fmt
• cargo test versions_host

This PR was generated by an AI coding assistant.

---

Note

Medium Risk
Changes when GitHub installs and version resolution hit mise-versions vs api.github.com; wrong gating could break registry installs or send private repos to the wrong endpoint.

Overview
GitHub release metadata now consults mise-versions only when the tool is in the registry and its backend matches the registry entry (inline [...] options are ignored for that check via full_without_opts). Install, version resolution, asset lookup, and provenance paths all pass this gate into get_release_for_url_with_versions_host.

Remote version listing for non-plugin github: tools no longer defaults to the versions host for tools absent from the registry; previously those lookups could still hit mise-versions.

The e2e test installs registry tool communique with api.github.com blocked and asserts no requests reach the public GitHub API.

^{Reviewed by Cursor Bugbot for commit a3acc31. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

• Refactor
  • GitHub release resolution and caching were centralized to respect registry backend settings, reducing unnecessary external lookups and improving release resolution consistency.
• Tests
  • End-to-end tests updated to validate GitHub-backed installs can succeed without contacting the public GitHub API.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new public GitHub entrypoint adds a use_versions_host flag that affects cache keys and resolution. Backend code now decides whether to enable versions-host lookup based on registry membership and routes all GitHub release fetches through the options-aware resolver. Tests and an e2e script are updated accordingly.

Changes

GitHub versions-host conditional release fetching

Layer / File(s)	Summary
GitHub API: new entrypoint and resolver src/github.rs	Adds get_release_for_url_with_versions_host(api_url, repo, tag, use_versions_host) with cache-key including versions-host-{bool}, refactors resolver into get_release_with_options() which conditionally calls versions_host::github_release when allowed; updates unit tests to the new API and cache key.
Backend integration: use_versions_host decision and application src/backend/github.rs	UnifiedGitBackend now imports the registry helper and routes all GitHub release lookups (latest tag, exact-version probing, provenance detection, lock-time/install-time SLSA verification, asset resolution) through the versions-host-aware API, passing a computed use_versions_host flag.
Registry membership policy src/backend/mod.rs	Adds backend_arg_matches_registry_backend(ba: &BackendArg) -> bool and changes non-plugin fallback: if backend short name is absent from REGISTRY, use_versions_host is set to false; includes unit test ensuring inline backend options are ignored for matching.
End-to-end test update e2e/backend/test_github_versions_host_no_api	Test now installs communique = "1.1.3" from mise-versions metadata without contacting api.github.com and asserts the tool's reported version.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• jdx/mise#10254: Touches versions-host GitHub release metadata paths and logging/fallback behavior in versions_host.rs, likely related to coordinated versions-host behavior changes.
• jdx/mise#10240: Adjusts versions_host GitHub asset URL validation/casing behavior; affects the same versions-host lookup path invoked by this PR.

"A rabbit checks the registry gate,
Known backend? it quietly states.
Versions-host on or off, it sings,
Releases fetched with careful strings.
Hops away with a happy twirl. 🐰"

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'fix(github): skip versions host for non-registry tools' accurately summarizes the main change: conditionally skipping the versions host (mise-versions) for GitHub tools that don't match registry entries.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/skip-versions-host-for-non-registry-github

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

This PR gates mise-versions usage on registry membership: non-registry github: tools now go directly to api.github.com for release metadata instead of hitting the versions host, preventing noise and potential leakage for private or ad-hoc repos.

• backend_arg_matches_registry_backend is extracted as a shared helper using full_without_opts(), fixing a pre-existing subtle bug where inline backend options (e.g. [asset_pattern=…]) would cause a registry-backed tool to incorrectly fail the match and skip the versions host.
• get_release_for_url gains an explicit use_versions_host flag and the cache key now includes it, so direct-API and versions-host results get separate slots; five call sites in UnifiedGitBackend are updated accordingly.
• The e2e "no api.github.com" test switches to the registry tool communique because an ad-hoc github: tool now correctly bypasses mise-versions and would fail when the GitHub API is blocked.

Confidence Score: 5/5

Safe to merge; registry-backed tools behave as before and non-registry tools now correctly bypass the versions host.

The behavioral change (flipping the non-registry fallback to false) is intentional and consistent with all call sites. The full_without_opts() fix correctly handles inline opts, and the shared helper eliminates the previously duplicated logic. The cache key now properly differentiates the two fetch paths. The e2e test switch is well-reasoned and validates the end-to-end constraint. No correctness issues were found.

No files require special attention.

Important Files Changed

Filename	Overview
src/backend/mod.rs	Extracts backend_arg_matches_registry_backend helper using full_without_opts() (correctly strips inline opts before comparing to registry), and flips the non-registry fallback in use_versions_host from true to false; adds a unit test for the opt-stripping behavior.
src/github.rs	Renames get_release_for_url to get_release_for_url_with_versions_host with a use_versions_host flag; updates the in-memory cache key to include that flag so direct-API and versions-host fetches get separate cache slots; internal get_release_ retains its always-true default for the existing callers (aqua, core plugins).
src/backend/github.rs	Adds use_versions_host_for_github_metadata and get_github_release_for_url helpers on UnifiedGitBackend, wiring the new flag into five release-fetching call sites (latest, exact version, asset lookup, provenance detection, SLSA check).
e2e/backend/test_github_versions_host_no_api	Replaces the raw github:jdx/mise-test-fixtures fixture with the registry-backed communique 1.1.3, keeping the "no api.github.com" guarantee: a registry tool routes metadata through mise-versions, while an ad-hoc github: tool now bypasses it (and would fail the blocked-API test, hence the switch).

_{Reviews (3): Last reviewed commit: "fix(github): match registry backends wit..." | Re-trigger Greptile}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/github.rs`:
- Around line 302-316: The cache key built in
get_release_for_url_with_versions_host currently omits the use_versions_host
flag so entries collide; update the key generation (the key variable) to include
use_versions_host (e.g., append the boolean or an indicator like "-versionsHost"
when true) so get_release_cache/get_or_try_init_async_if will differentiate
registry-backed vs mise-versions lookups and avoid returning the wrong cached
release.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: ff454472-8cfc-4a9d-9dcf-231c9f9d198d

📥 Commits

Reviewing files that changed from the base of the PR and between 3568eb5 and b3345e9.

📒 Files selected for processing (3)

• src/backend/github.rs
• src/backend/mod.rs
• src/github.rs

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.0 x -- echo	18.6 ± 0.9	17.0	23.2	1.00
mise x -- echo	19.3 ± 2.0	17.3	58.7	1.04 ± 0.12

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.0 env	18.2 ± 0.9	16.5	22.1	1.00
mise env	18.5 ± 0.8	16.9	21.8	1.02 ± 0.07

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.0 hook-env	18.7 ± 0.9	16.9	23.8	1.00
mise hook-env	19.4 ± 1.0	17.8	23.2	1.04 ± 0.07

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.0 ls	15.3 ± 0.8	13.7	19.6	1.00
mise ls	15.7 ± 0.8	14.3	18.6	1.03 ± 0.07

xtasks/test/perf

Command	mise-2026.6.0	mise	Variance
install (cached)	131ms	133ms	-1%
ls (cached)	58ms	58ms	+0%
bin-paths (cached)	62ms	64ms	-3%
task-ls (cached)	125ms	125ms	+0%

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 86e09f6. Configure here.}