chore(release): vendor aqua registry from main

[jdx]

Summary

• vendor aqua-registry from the current upstream main commit instead of the latest tagged release
• keep writing the resolved commit SHA into vendor/aqua-registry/metadata.json as tag, so the vendored snapshot remains reproducible and existing build metadata keeps working

Validation

• bash -n xtasks/release-plz
• resolved aquaproj/aqua-registry main to b2116015b48a040543836bbd35f8ca3a3313698e and confirmed that fetched registry contains repo_owner: jdx / repo_name: aube with the endevco/aube alias

This PR was generated by an AI coding assistant.

---

Note

Low Risk
Release-script-only change; vendoring still pins a specific commit SHA in metadata with no runtime auth or data-path changes.

Overview
Updates xtasks/release-plz so the vendored aquaproj/aqua-registry snapshot tracks upstream main instead of the latest GitHub release.

NEW_AQUA_REGISTRY_TAG is now resolved via gh api …/commits/main (commit SHA) rather than gh release view. The same variable still drives raw.githubusercontent.com fetches and is written to vendor/aqua-registry/metadata.json as tag, so prep/release behavior and aqua changelog diffs stay keyed to a fixed ref.

^{Reviewed by Cursor Bugbot for commit 42eaa6c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds a new Python validation script that ensures consistency between a vendored Aqua registry YAML and local Mise registry backend TOML files, then integrates it into the release workflow. The validator parses both data sources, compares Aqua package IDs, and reports any missing entries with exit code handling for automation.

Changes

Aqua Registry Validator

Layer / File(s)	Summary
Validation script implementation scripts/validate-vendored-aqua-registry	Configuration loads the vendored registry path and Mise backend directory; strip_quotes helper normalizes YAML scalars; parse_vendored_aqua_registry extracts package IDs from the vendored YAML via regex splitting; parse_mise_aqua_backends scans local TOML files for aqua:<id> references; main() compares the sets and reports missing IDs to stderr or success to stdout, returning exit code 0 or 1.
Release process integration xtasks/release-plz	The validator script is called immediately after aqua-registry metadata and archive download, before changelog generation.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• jdx/mise#10285: Updates vendor/aqua-registry/registry.yml and registry backend TOMLs, which the new validator script directly targets for consistency checking.
• jdx/mise#10213: Modifies vendor/aqua-registry/registry.yml during releases, and the new validator will check that content against local backends.

Suggested labels

release

Poem

🐰 A validator hops through the registry,
Checking names match between YAML and TOML with glee.
Before releasing, it ensures they're in sync—
No missing aquas, all linked in a blink! 🔗

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'chore(release): validate vendored aqua registry' directly and clearly describes the main changes in the PR, which adds validation for the vendored aqua registry during the release process.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/validate-vendored-aqua

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Greptile Summary

Changes xtasks/release-plz to vendor the aquaproj/aqua-registry from the latest commit on main (via gh api repos/.../commits/main --jq .sha) instead of the latest tagged release (previously gh release view --json tagName).

• The commit SHA replaces the semantic version tag as the pinned reference, but metadata.json still writes the value under the key "tag", creating a semantic mismatch.
• The PR description extensively describes a new scripts/validate-vendored-aqua-registry script and calls it from release-plz, but neither the script nor any call to it is present in the diff or in the repository; the actual change is narrower than described.

Confidence Score: 4/5

Safe to merge for a release-tooling-only change; the main risk is vendoring a transient main commit that has not been cut as a stable release by the upstream project.

The actual change is small and confined to the release script. Switching from tagged releases to main SHAs is a deliberate trade-off for freshness over stability, but the change is limited to CI/release automation and does not affect runtime behavior for end users.

Only xtasks/release-plz changed; the metadata key naming warrants a quick look.

Important Files Changed

Filename	Overview
xtasks/release-plz	Switched aqua-registry vendoring from latest tagged release to latest main commit SHA; metadata.json still labels the SHA as "tag".

Comments Outside Diff (1)

1. xtasks/release-plz, line 299-303 (link)

   Metadata key "tag" now stores a commit SHA

   The JSON key is still "tag" but the value written is now a 40-character commit SHA rather than a semantic version tag. Code that reads metadata.json (e.g. the gen-aqua-changelog.sh script, or any tooling that surfaces the vendored version to users) will silently receive a SHA where it previously got a human-readable tag like v4.523.0. The gen-aqua-changelog.sh script's curl call (raw.githubusercontent.com/$REPO/$OLD_TAG/registry.yaml) will still work with a SHA, but the display value loses readability. Consider renaming the key to "ref" or "commit" to match the comment change on line 286.

   

_{Reviews (1): Last reviewed commit: "chore(release): vendor aqua registry fro..." | Re-trigger Greptile}

[greptile-apps]

Pinning to main instead of a tagged release

Fetching the latest commit SHA from aquaproj/aqua-registry's main branch means the vendored registry can include WIP or unreleased changes that have not gone through aqua-registry's own release testing. Between upstream releases, main may contain broken YAML, schema changes, or incomplete package entries. Previously the code used the latest tagged release (gh release view), which is a stable, explicitly tested snapshot. This trade-off deliberately accepts instability to keep packages fresher, but it could cause a mise release to ship a vendored registry that aqua-registry themselves haven't yet cut as stable.

Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.1 x -- echo	23.8 ± 1.9	20.3	32.8	1.00
mise x -- echo	26.1 ± 3.2	21.0	55.5	1.10 ± 0.16

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.1 env	24.9 ± 1.9	21.0	33.6	1.00
mise env	26.3 ± 2.2	21.0	38.2	1.06 ± 0.12

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.1 hook-env	23.7 ± 1.7	19.8	32.1	1.00
mise hook-env	26.4 ± 2.7	20.9	37.5	1.12 ± 0.14
⚠️ Inconclusive: hook-env measured 12% slower, but the relative uncertainty overlaps the 10% threshold.

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.6.1 ls	19.1 ± 1.4	16.2	26.4	1.00
mise ls	21.6 ± 1.8	17.0	31.7	1.13 ± 0.12
⚠️ Inconclusive: ls measured 13% slower, but the relative uncertainty overlaps the 10% threshold.

xtasks/test/perf

Command	mise-2026.6.1	mise	Variance
install (cached)	165ms	168ms	-1%
ls (cached)	75ms	80ms	-6%
bin-paths (cached)	88ms	89ms	-1%
task-ls (cached)	169ms	171ms	-1%

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 42eaa6c. Configure here.}

[cursor]

Commit SHA breaks tag assertion

Medium Severity

The release script now records the upstream main commit SHA in metadata.json’s tag field, but baked-registry tests still require that value to start with v like an aqua-registry release tag. Once vendoring runs, test_baked_registry_metadata fails even though the registry content is valid.

 

^{Reviewed by Cursor Bugbot for commit 42eaa6c. Configure here.}