
mise 2026.6.5#287742

Merged
BrewTestBot merged 2 commits into main from bump-mise-2026.6.5
Jun 13, 2026

@BrewTestBot

Contributor

Created by brew bump


Created with brew bump-formula-pr.

Details

release notes
This release closes several trust-bypass vectors where a local `mise.toml` or `mise-tasks/` directory could run code before the user trusted a project, and brings aqua's GitHub attestation verification in line with what the registry asks for.

Fixed

  • (config) Treat github.credential_command, gitlab.credential_command, and forgejo.credential_command as global-only. They are stripped from project/local config at parse time (with a warning) so an untrusted mise.toml cannot use a credential command to execute arbitrary shell when fetching tokens. Global config, CLI flags, and environment variables are unchanged (#10356 by @jdx).
  • (config) Fix GHSA-436v-8fw5-4mj8 by ignoring ci, paranoid, trusted_config_paths, and yes when they come from local config files. A malicious mise.toml can no longer set trusted_config_paths = ["/"] or paranoid = false to auto-trust itself before _.source scripts run (#10357 by @jdx).
  • (task) Require trust before loading default task include directories (mise-tasks/, .mise-tasks/, and related layouts) in repos with no local mise config. Previously, a clone with only a mise-tasks/ directory could render Tera templates (including exec()) in task descriptions before the user trusted the project. Global task include paths and includes declared from a trusted mise.toml are still exempt (#10355 by @jdx).
  • (aqua) Model and forward github_artifact_attestations.predicate_type to GitHub during attestation detection and verification. Packages like foundry-rs/foundry and gleam-lang/gleam that pin an SPDX SBOM predicate now enforce that predicate instead of accepting whatever attestation happens to verify. Predicate-filtered requests bypass the digest-only versions-host attestation cache (#10169 by @risu729).
  • (aqua) Canonicalize aqua var options across plain keys, nested vars tables, and literal "vars.<name>" backend-option keys into a single lock/cache identity. Duplicate final vars now fail with a source-neutral conflicting aqua var error rather than silently picking one spelling; normal higher-precedence config overrides still apply (#10187 by @risu729).
  • (schema) Forbid hide, quiet, raw, interactive, and raw_args on [task_templates.*] in the JSON Schema, and drop the unused fields from TaskTemplate. Runtime never merged these into tasks (templates can't tell "unset" from false for plain bools), so editors no longer suggest keys that did nothing (#10242 by @risu729).
  • (schema) Accept supported OS, architecture, and os-arch selectors on registry backend platforms entries and backends.options.platforms.* tables — for example windows-x64, linux-arm64, darwin-aarch64, macos-arm64 — fixing false schema errors reported in discussion #10296 (#10358 by @risu729).

Full Changelog: jdx/mise@v2026.6.4...v2026.6.5

💚 Sponsor mise

mise is built by @jdx under en.dev — an independent studio making developer tooling (mise, aube, and more). Development is funded by sponsors.

If mise saves you or your team time, please consider sponsoring at en.dev. Individual and company sponsorships keep mise fast, free, and independent.

View the full release notes at https://github.com/jdx/mise/releases/tag/v2026.6.5.


@github-actions (bot) added the `rust` (Rust use is a significant feature of the PR or issue) and `bump-formula-pr` (PR was created using `brew bump-formula-pr`) labels Jun 12, 2026
@github-actions

Contributor

🤖 An automated task has requested bottles to be published to this PR.

Caution

Please do not push to this PR branch before the bottle commits have been pushed, as this results in a state that is difficult to recover from. If you need to resolve a merge conflict, please use a merge commit. Do not force-push to this PR branch.

@github-actions (bot) added the `CI-published-bottle-commits` (The commits for the built bottles have been pushed to the PR branch.) label Jun 13, 2026
@BrewTestBot BrewTestBot enabled auto-merge June 13, 2026 00:40
@BrewTestBot BrewTestBot added this pull request to the merge queue Jun 13, 2026
Merged via the queue into main with commit 6f8696d Jun 13, 2026
22 checks passed
@BrewTestBot BrewTestBot deleted the bump-mise-2026.6.5 branch June 13, 2026 00:54