renovatebot · jamietanna · Jun 3, 2026 · May 26, 2026 · May 26, 2026 · May 27, 2026
diff --git a/docs/usage/security-and-permissions.md b/docs/usage/security-and-permissions.md
@@ -97,6 +97,7 @@ This is particularly true during, for example:
 
 - `postUpgradeTasks`, where scripts specified by the repository are run
 - when a wrapper within the repository is called, like `gradlew` (if setting [`allowedUnsafeExecutions=["gradleWrapper"]`](./self-hosted-configuration.md#allowedunsafeexecutions).
+- when `mise trust` / `mise lock` are run from the repository checkout (if setting [`allowedUnsafeExecutions=["mise"]`](./self-hosted-configuration.md#allowedunsafeexecutions).
 
 These scripts can contain arbitrary code.
 This may pose a significant security risk if the repository's integrity is compromised, or if the repository maintainers have malicious intentions.

diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
@@ -156,11 +156,12 @@ For more details of where this may be found, see ["Trusting Repository Developer
 
 Allowed options:
 
-| Option          | Description                                                                   |
-| --------------- | ----------------------------------------------------------------------------- |
-| `bazelModDeps`  | Allows the `bazel mod deps` when perfoming bazelisk or bazel-module updates.  |
-| `goGenerate`    | Allows the `goGenerate` `postUpdateOption` to run after a go mod update.      |
-| `gradleWrapper` | Allows using `./gradlew` or `gradle.bat` when performing updates with Gradle. |
+| Option          | Description                                                                                   |
+| --------------- | --------------------------------------------------------------------------------------------- |
+| `bazelModDeps`  | Allows the `bazel mod deps` when perfoming bazelisk or bazel-module updates.                  |
+| `goGenerate`    | Allows the `goGenerate` `postUpdateOption` to run after a go mod update.                      |
+| `gradleWrapper` | Allows using `./gradlew` or `gradle.bat` when performing updates with Gradle.                 |
+| `mise`          | Allows running any `mise` commands, for instance `mise lock` when updating `mise.lock` files. |
 
 ## `autodiscover`
 

diff --git a/lib/config/options/index.ts b/lib/config/options/index.ts
@@ -3266,7 +3266,7 @@ const options: Readonly<RenovateOptions>[] = [
     type: 'array',
     subType: 'string',
     default: [],
-    allowedValues: ['bazelModDeps', 'goGenerate', 'gradleWrapper'],
+    allowedValues: ['bazelModDeps', 'goGenerate', 'gradleWrapper', 'mise'],
     stage: 'repository',
     globalOnly: true,
   },

diff --git a/lib/config/types.ts b/lib/config/types.ts
@@ -573,7 +573,8 @@ export type MergeStrategy =
 export type AllowedUnsafeExecution =
   | 'bazelModDeps'
   | 'goGenerate'
-  | 'gradleWrapper';
+  | 'gradleWrapper'
+  | 'mise';
 
 // TODO: Proper typings
 export interface PackageRule