fix(aqua): improve GitHub token handling for sigstore verification#6351
Merged
fix(aqua): improve GitHub token handling for sigstore verification#6351
Conversation
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR improves GitHub token handling for sigstore verification in the aqua backend and enhances the development environment setup. The changes simplify token access by leveraging mise's environment variable patterns and add necessary build dependencies for development containers.
- Replaces manual GitHub token environment variable checking with mise's standardized
env::GITHUB_TOKENapproach - Adds essential build dependencies (clang, libclang-dev, pkg-config) to the development Dockerfile
- Configures DevContainer with trusted config paths and auto-installation
Reviewed Changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/backend/aqua.rs | Simplifies GitHub token retrieval using mise's env pattern |
| packaging/dev/Dockerfile | Adds clang and related build dependencies |
| .devcontainer/post-create.sh | Adds auto-installation of mise tools |
| .devcontainer/devcontainer.json | Sets trusted config paths environment variable |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
- Use env::GITHUB_TOKEN for consistent token access in aqua backend - Add required build dependencies (clang, libclang-dev, pkg-config) to dev Dockerfile - Configure devcontainer with MISE_TRUSTED_CONFIG_PATHS environment variable - Auto-install mise tools in post-create script - Update Cargo.lock for sigstore-verification dependency changes
jdx
force-pushed
the
fix/github-token-sigstore-verification
branch
from
949fdf0 to
ae9e209
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| let token = env::var("GITHUB_TOKEN") | ||
| .ok() | ||
| .or_else(|| env::var("GH_TOKEN").ok()); | ||
| let token = env::GITHUB_TOKEN.as_ref().cloned(); |
There was a problem hiding this comment.
Bug: GitHub Token Retrieval Loses GH_TOKEN Compatibility
The GitHub token retrieval logic no longer explicitly falls back to the GH_TOKEN environment variable. This removes compatibility for users and CI systems that rely on GH_TOKEN as an alternative to GITHUB_TOKEN.
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.9.14 x -- echo |
19.7 ± 0.3 | 19.2 | 22.6 | 1.00 |
mise x -- echo |
19.8 ± 0.6 | 19.3 | 29.2 | 1.01 ± 0.03 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.9.14 env |
19.1 ± 0.3 | 18.6 | 20.8 | 1.00 |
mise env |
19.5 ± 0.6 | 18.7 | 26.0 | 1.02 ± 0.03 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.9.14 hook-env |
18.9 ± 0.3 | 18.3 | 20.4 | 1.00 ± 0.02 |
mise hook-env |
18.9 ± 0.3 | 18.3 | 20.2 | 1.00 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2025.9.14 ls |
16.8 ± 0.3 | 16.2 | 21.3 | 1.00 ± 0.03 |
mise ls |
16.7 ± 0.4 | 16.2 | 20.7 | 1.00 |
xtasks/test/perf
| Command | mise-2025.9.14 | mise | Variance |
|---|---|---|---|
| install (cached) | 169ms | ✅ 103ms | +64% |
| ls (cached) | 64ms | 64ms | +0% |
| bin-paths (cached) | 70ms | 70ms | +0% |
| task-ls (cached) | 467ms | 469ms | +0% |
✅ Performance improvement: install cached is 64%
jdx
added a commit
that referenced
this pull request
Sep 21, 2025
### 📦 Registry - add missing cargo backends by @jayvdb in [#6307](#6307) ### 🚀 Features - add env propagation by @Its-Just-Nans in [#6342](#6342) ### 🐛 Bug Fixes - **(aqua)** improve GitHub token handling for sigstore verification by @jdx in [#6351](#6351) - **(backend)** change dependency checks to warnings instead of errors by @jdx in [#6363](#6363) - **(npm)** improve error message when npm/bun is not installed by @jdx in [#6359](#6359) - **(vfox)** enable TLS support for reqwest to fix CI tests by @jdx in [#6356](#6356) ### 🚜 Refactor - **(registry)** convert to nested TOML sections format by @jdx in [#6361](#6361) ### 🧪 Testing - **(e2e)** resolve mise via PATH in backend missing deps test by @jdx in [#6362](#6362) - **(vfox)** replace flaky external HTTP tests with local mock server by @jdx in [#6354](#6354) ### 📦️ Dependency Updates - pin dependencies by @renovate[bot] in [#6243](#6243) ### Chore - **(install.sh)** add `MISE_INSTALL_MUSL` to force installing musl variants on Linux by @malept in [#6355](#6355) Co-authored-by: mise-en-dev <release@mise.jdx.dev>
netbsd-srcmastr
pushed a commit
to NetBSD/pkgsrc
that referenced
this pull request
Sep 24, 2025
## [2025.9.16](https://github.com/jdx/mise/compare/v2025.9.15..v2025.9.16) - 2025-09-22 ### 📦 Registry - use npm backend for zbctl by @risu729 in [#6379](jdx/mise#6379) ### 🐛 Bug Fixes - **(aqua)** remove blake3 support from aqua checksum algorithms by @risu729 in [#6370](jdx/mise#6370) - **(aqua)** remove cosign and slsa-verifier dependencies by @risu729 in [#6371](jdx/mise#6371) - **(aqua)** remove cosign.experimental by @risu729 in [#6376](jdx/mise#6376) ### 📚 Documentation - minisign doesn't require cli by @risu729 in [#6369](jdx/mise#6369) ### Chore - ignore renovate new bot name by @risu729 in [#6364](jdx/mise#6364) ## [2025.9.15](https://github.com/jdx/mise/compare/v2025.9.14..v2025.9.15) - 2025-09-21 ### 📦 Registry - add missing cargo backends by @jayvdb in [#6307](jdx/mise#6307) ### 🚀 Features - add env propagation by @Its-Just-Nans in [#6342](jdx/mise#6342) ### 🐛 Bug Fixes - **(aqua)** improve GitHub token handling for sigstore verification by @jdx in [#6351](jdx/mise#6351) - **(backend)** change dependency checks to warnings instead of errors by @jdx in [#6363](jdx/mise#6363) - **(npm)** improve error message when npm/bun is not installed by @jdx in [#6359](jdx/mise#6359) - **(vfox)** enable TLS support for reqwest to fix CI tests by @jdx in [#6356](jdx/mise#6356) ### 🚜 Refactor - **(registry)** convert to nested TOML sections format by @jdx in [#6361](jdx/mise#6361) ### 🧪 Testing - **(e2e)** resolve mise via PATH in backend missing deps test by @jdx in [#6362](jdx/mise#6362) - **(vfox)** replace flaky external HTTP tests with local mock server by @jdx in [#6354](jdx/mise#6354) ### 📦️ Dependency Updates - pin dependencies by @renovate[bot] in [#6243](jdx/mise#6243) ### Chore - **(install.sh)** add `MISE_INSTALL_MUSL` to force installing musl variants on Linux by @malept in [#6355](jdx/mise#6355) ## [2025.9.14](https://github.com/jdx/mise/compare/v2025.9.13..v2025.9.14) - 2025-09-20 ### 🐛 Bug Fixes - fix an issue where Swift could not be installed on arm64 Ubuntu by @lish82 in [#6348](jdx/mise#6348) ### Chore - use cross to build on linux by @jdx in [#6346](jdx/mise#6346) ### New Contributors - @lish82 made their first contribution in [#6348](jdx/mise#6348) ## [2025.9.13](https://github.com/jdx/mise/compare/v2025.9.12..v2025.9.13) - 2025-09-19 ### 📦 Registry - remove deprecated virtualos by @jdx in [166379f](jdx/mise@166379f) - add trufflehog ([aqua:trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)) by @risu729 in [#6316](jdx/mise#6316) ### 🚀 Features - **(aqua)** integrate native sigstore-verification for security verification by @jdx in [#6332](jdx/mise#6332) - **(docs)** improve search result readability with lighter teal background by @jdx in [#6328](jdx/mise#6328) - **(ui)** update logo as favicon and fix hover transitions by @jdx in [#6325](jdx/mise#6325) - **(vfox)** add file.read lua function by @malept in [#6333](jdx/mise#6333) - add documentation for "Environment in tasks" #5134 #5638 by @Its-Just-Nans in [#6329](jdx/mise#6329) ### 🐛 Bug Fixes - **(github)** correctly paginate releases/tags for private repos by @malept in [#6318](jdx/mise#6318) - **(hk)** exclude aqua-registry from prettier linting by @jdx in [#6327](jdx/mise#6327) - **(ui)** improve GitHub star badge layout and alignment by @jdx in [#6326](jdx/mise#6326) ### 📚 Documentation - change 'hello.py' to 'main.py' in python.md by @my1e5 in [#6319](jdx/mise#6319) - customize VitePress theme with unique branding by @jdx in [#6324](jdx/mise#6324) ### 📦️ Dependency Updates - update taiki-e/install-action digest to 0aa4f22 by @renovate[bot] in [#6334](jdx/mise#6334) - update rust crate comfy-table to v7.2.1 by @renovate[bot] in [#6335](jdx/mise#6335) - update rust crate console to v0.16.1 by @renovate[bot] in [#6336](jdx/mise#6336) - update rust crate indexmap to v2.11.4 by @renovate[bot] in [#6337](jdx/mise#6337) ### Chore - fixing typos by @Its-Just-Nans in [#6331](jdx/mise#6331) ### New Contributors - @Its-Just-Nans made their first contribution in [#6331](jdx/mise#6331) - @my1e5 made their first contribution in [#6319](jdx/mise#6319)
riastradh
pushed a commit
to riastradh/pkgsrc-test20250901
that referenced
this pull request
Feb 8, 2026
## [2025.9.16](https://github.com/jdx/mise/compare/v2025.9.15..v2025.9.16) - 2025-09-22 ### 📦 Registry - use npm backend for zbctl by @risu729 in [#6379](jdx/mise#6379) ### 🐛 Bug Fixes - **(aqua)** remove blake3 support from aqua checksum algorithms by @risu729 in [#6370](jdx/mise#6370) - **(aqua)** remove cosign and slsa-verifier dependencies by @risu729 in [#6371](jdx/mise#6371) - **(aqua)** remove cosign.experimental by @risu729 in [#6376](jdx/mise#6376) ### 📚 Documentation - minisign doesn't require cli by @risu729 in [#6369](jdx/mise#6369) ### Chore - ignore renovate new bot name by @risu729 in [#6364](jdx/mise#6364) ## [2025.9.15](https://github.com/jdx/mise/compare/v2025.9.14..v2025.9.15) - 2025-09-21 ### 📦 Registry - add missing cargo backends by @jayvdb in [#6307](jdx/mise#6307) ### 🚀 Features - add env propagation by @Its-Just-Nans in [#6342](jdx/mise#6342) ### 🐛 Bug Fixes - **(aqua)** improve GitHub token handling for sigstore verification by @jdx in [#6351](jdx/mise#6351) - **(backend)** change dependency checks to warnings instead of errors by @jdx in [#6363](jdx/mise#6363) - **(npm)** improve error message when npm/bun is not installed by @jdx in [#6359](jdx/mise#6359) - **(vfox)** enable TLS support for reqwest to fix CI tests by @jdx in [#6356](jdx/mise#6356) ### 🚜 Refactor - **(registry)** convert to nested TOML sections format by @jdx in [#6361](jdx/mise#6361) ### 🧪 Testing - **(e2e)** resolve mise via PATH in backend missing deps test by @jdx in [#6362](jdx/mise#6362) - **(vfox)** replace flaky external HTTP tests with local mock server by @jdx in [#6354](jdx/mise#6354) ### 📦️ Dependency Updates - pin dependencies by @renovate[bot] in [#6243](jdx/mise#6243) ### Chore - **(install.sh)** add `MISE_INSTALL_MUSL` to force installing musl variants on Linux by @malept in [#6355](jdx/mise#6355) ## [2025.9.14](https://github.com/jdx/mise/compare/v2025.9.13..v2025.9.14) - 2025-09-20 ### 🐛 Bug Fixes - fix an issue where Swift could not be installed on arm64 Ubuntu by @lish82 in [#6348](jdx/mise#6348) ### Chore - use cross to build on linux by @jdx in [#6346](jdx/mise#6346) ### New Contributors - @lish82 made their first contribution in [#6348](jdx/mise#6348) ## [2025.9.13](https://github.com/jdx/mise/compare/v2025.9.12..v2025.9.13) - 2025-09-19 ### 📦 Registry - remove deprecated virtualos by @jdx in [166379f](jdx/mise@166379f) - add trufflehog ([aqua:trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog)) by @risu729 in [#6316](jdx/mise#6316) ### 🚀 Features - **(aqua)** integrate native sigstore-verification for security verification by @jdx in [#6332](jdx/mise#6332) - **(docs)** improve search result readability with lighter teal background by @jdx in [#6328](jdx/mise#6328) - **(ui)** update logo as favicon and fix hover transitions by @jdx in [#6325](jdx/mise#6325) - **(vfox)** add file.read lua function by @malept in [#6333](jdx/mise#6333) - add documentation for "Environment in tasks" #5134 #5638 by @Its-Just-Nans in [#6329](jdx/mise#6329) ### 🐛 Bug Fixes - **(github)** correctly paginate releases/tags for private repos by @malept in [#6318](jdx/mise#6318) - **(hk)** exclude aqua-registry from prettier linting by @jdx in [#6327](jdx/mise#6327) - **(ui)** improve GitHub star badge layout and alignment by @jdx in [#6326](jdx/mise#6326) ### 📚 Documentation - change 'hello.py' to 'main.py' in python.md by @my1e5 in [#6319](jdx/mise#6319) - customize VitePress theme with unique branding by @jdx in [#6324](jdx/mise#6324) ### 📦️ Dependency Updates - update taiki-e/install-action digest to 0aa4f22 by @renovate[bot] in [#6334](jdx/mise#6334) - update rust crate comfy-table to v7.2.1 by @renovate[bot] in [#6335](jdx/mise#6335) - update rust crate console to v0.16.1 by @renovate[bot] in [#6336](jdx/mise#6336) - update rust crate indexmap to v2.11.4 by @renovate[bot] in [#6337](jdx/mise#6337) ### Chore - fixing typos by @Its-Just-Nans in [#6331](jdx/mise#6331) ### New Contributors - @Its-Just-Nans made their first contribution in [#6331](jdx/mise#6331) - @my1e5 made their first contribution in [#6319](jdx/mise#6319)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
env::GITHUB_TOKENinstead of manual environment variable checkingChanges Made
env::var("GITHUB_TOKEN").ok().or_else(|| env::var("GH_TOKEN").ok())withenv::GITHUB_TOKEN.as_ref().cloned()for cleaner and more consistent token accessclang,libclang-dev, andpkg-configbuild dependencies to support compilation requirementsMISE_TRUSTED_CONFIG_PATHSenvironment variable and auto-install on container creationTesting
🤖 Generated with Claude Code