fix(install): skip GitHub API calls for aqua tools in --locked mode#8679
Conversation
When `mise install --locked` is used and a lockfile URL exists, the aqua backend was still validating the URL against the registry's expected asset patterns. If the validation failed (e.g., registry format changed), it fell through to a code path that calls `github::get_release()`, causing API rate limit errors in environments without a GitHub token. Now in locked mode, the lockfile URL is trusted without validation, and if no lockfile URL is found, the code errors out immediately instead of attempting API calls. Fixes #8677 Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
Greptile SummaryThis PR fixes a bug where Key changes in
The fix is minimal, targeted, and logically correct. The two touch points ( Confidence Score: 5/5
Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[install_version_] --> B{existing_platform\nin lockfile?}
B -- Yes --> C[Skip get_version_tags API call]
B -- No --> D[Call get_version_tags API]
D --> E[...]
C --> F{ctx.locked\nOR non-GithubRelease?}
F -- Yes\n'NEW' --> G[validated_url = existing_platform\nTrust lockfile, no API call]
F -- No --> H[Validate filename vs registry\nasset pattern]
H -- Match --> I[validated_url = existing_platform]
H -- No match --> J[validated_url = None\nwarn: refreshing]
G --> K{validated_url = Some?}
I --> K
J --> K
K -- Yes --> L[Use URL directly\ndownload + verify + install]
K -- No --> M{ctx.locked?\n'NEW'}
M -- Yes --> N[bail! with clear error\nNEW BEHAVIOR]
M -- No --> O[Call github::get_release\nAPI to resolve URL]
O --> L
Last reviewed commit: "fix(install): skip G..." |
There was a problem hiding this comment.
Code Review
This pull request effectively addresses the issue of unnecessary GitHub API calls and unclear error messages when using mise install --locked with Aqua tools. The changes ensure that in --locked mode, the lockfile URL is trusted without re-validation, preventing redundant network requests. Furthermore, if a lockfile URL is not found in --locked mode, the installation now fails immediately with a clear and informative error message, improving the user experience. The modifications are precise and directly implement the described objectives, enhancing the reliability and efficiency of locked installations for Aqua tools.
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.3.10 x -- echo |
23.8 ± 0.3 | 23.3 | 28.0 | 1.00 ± 0.02 |
mise x -- echo |
23.8 ± 0.2 | 23.1 | 24.7 | 1.00 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.3.10 env |
23.4 ± 0.7 | 22.7 | 30.3 | 1.01 ± 0.03 |
mise env |
23.3 ± 0.4 | 22.4 | 26.7 | 1.00 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.3.10 hook-env |
24.2 ± 1.5 | 23.4 | 47.7 | 1.01 ± 0.06 |
mise hook-env |
24.0 ± 0.3 | 23.5 | 28.6 | 1.00 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.3.10 ls |
23.2 ± 0.6 | 22.4 | 28.7 | 1.00 ± 0.03 |
mise ls |
23.1 ± 0.2 | 22.6 | 24.8 | 1.00 |
xtasks/test/perf
| Command | mise-2026.3.10 | mise | Variance |
|---|---|---|---|
| install (cached) | 152ms | 151ms | +0% |
| ls (cached) | 84ms | 84ms | +0% |
| bin-paths (cached) | 86ms | 86ms | +0% |
| task-ls (cached) | 850ms | 825ms | +3% |
…s integrity data (#8688) ## Summary Skip provenance verification (GitHub attestations, SLSA, cosign, minisign) when the lockfile already has integrity data, avoiding redundant API calls on repeated installs. Provenance only needs to be verified once — subsequent installs are protected by the lockfile checksum. ### Backend-specific behavior - **aqua/github**: Skip when lockfile has both `checksum` and `provenance` for the platform. Still check that the recorded provenance type's setting is enabled (disabling attestation settings with a provenance-bearing lockfile is detected as a downgrade attack). - **vfox**: Skip when lockfile has `provenance` (vfox doesn't populate `PlatformInfo.checksum`). Only skip attestation when the plugin also provides sha256/sha512 checksums, ensuring at least one integrity check always runs. Downgrade detection is preserved via discriminant comparison after install. ### Key design decisions - Provenance re-verification is skipped in both `--locked` and non-locked modes when integrity data exists - `ensure_provenance_setting_enabled()` catches downgrades where settings are disabled after lockfile was created - vfox's `checksum_verified` field reflects actual verification (only set when a file was downloaded and checksums were present), not just plugin declarations - github backend errors explicitly on unexpected provenance types (Cosign/Minisign) rather than silently passing Follows up on #8679 which skipped asset URL resolution API calls in locked mode. Ref: #8677 (reply in thread) ## Test plan - [ ] Verify repeated `mise install` skips attestation API calls for aqua/github tools with lockfile integrity data - [ ] Verify first install (no lockfile entry) still performs full provenance verification - [ ] Verify disabling attestation settings with a provenance-bearing lockfile triggers downgrade error - [ ] Verify vfox plugins without sha256/sha512 still run attestation on repeated installs - [ ] Verify vfox plugins that remove attestation config are caught as downgrades 🤖 Generated with [Claude Code](https://claude.com/claude-code) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Touches install-time security verification paths (checksums/attestations) across multiple backends; while it preserves downgrade protections, mistakes could reduce provenance enforcement or skip required verification in some scenarios. > > **Overview** > Avoids **redundant provenance re-verification** on repeated installs when the lockfile already contains integrity data. > > For `aqua` and `github` backends, provenance checks (attestations/SLSA/etc.) are skipped when the lockfile already has both `checksum` and `provenance` for the platform, but the code now **errors if the corresponding verification setting is disabled** to prevent downgrade-by-config. > > For `vfox`, adds `Vfox.skip_verification` and an `InstallResult.checksum_verified` signal so attestation verification can be skipped only when a lockfile provenance entry exists *and* the plugin verified a strong checksum (sha256/sha512), while still enforcing lockfile provenance type expectations. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit fa47516. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]>
### 🚀 Features - **(github)** read tokens from gh CLI hosts.yml config by @jdx in [#8692](#8692) - **(task)** support optional `args` and `env` fields in `run` entries by @jdx in [#8687](#8687) - **(task)** add --skip-tools flag to mise run by @jdx in [#8699](#8699) - **(vfox)** add try_get, try_head, try_download_file to Lua HTTP module by @jdx in [#8697](#8697) ### 🐛 Bug Fixes - **(config)** recognize SSH and other non-HTTPS URLs in get_repo_url by @modestman in [#8666](#8666) - **(docs)** add dark mode support to favicon by @jdx in [#8678](#8678) - **(env)** support multiple --env/-E flags by @jdx in [#8686](#8686) - **(github)** rename_exe renames correct binary when archive contains multiple executables by @jdx in [#8700](#8700) - **(implode)** include system data dir in implode cleanup by @jdx in [#8696](#8696) - **(install)** skip GitHub API calls for aqua tools in --locked mode by @jdx in [#8679](#8679) - **(install)** skip redundant provenance verification when lockfile has integrity data by @jdx in [#8688](#8688) - **(lock)** respect existing platforms in lockfile when running `mise lock` by @jdx in [#8708](#8708) - **(lock)** skip global config lockfile by default by @jdx in [#8707](#8707) - **(node)** expand tilde in default_packages_file path by @jdx in [#8709](#8709) - **(shell)** error when no version specified instead of silent no-op by @jdx in [#8693](#8693) - **(shim)** detect shims by checking shims directory instead of binary name by @jdx in [#8694](#8694) - **(task)** inherit task_config.dir for included TOML and file tasks by @jdx in [#8689](#8689) - **(task)** strip inline args when validating run.tasks references by @jdx in [#8701](#8701) - **(task)** include idiomatic version files in monorepo task toolset by @jdx in [#8702](#8702) - **(task)** improve error message when task files are not executable by @jdx in [#8705](#8705) - **(test)** update vfox provenance test for checksum-backed skip by @jdx in [#8703](#8703) - improve usage spec element support in tasks by @nkakouros in [#8623](#8623) - make env plugin (Module) vars available in Tera template context by @victor-founder in [#8682](#8682) - respect MISE_COLOR=0 for color_eyre error output by @jdx in [#8690](#8690) - add windows support for usage tool registry by @jdx in [#8713](#8713) ### 📚 Documentation - **(task)** clarify interactive task blocking behavior by @jdx in [#8685](#8685) - improve visibility of install_before setting by @jdx in [#8712](#8712) ### 📦 Registry - add rtk ([github:rtk-ai/rtk](https://github.com/rtk-ai/rtk)) by @bricelalu in [#8683](#8683) ### New Contributors - @victor-founder made their first contribution in [#8682](#8682) - @modestman made their first contribution in [#8666](#8666) - @bricelalu made their first contribution in [#8683](#8683)
Summary
--lockedmode, trust the lockfile URL for aqua tools without re-validating it against the registry's expected asset patterns, preventing unnecessary GitHub API calls--lockedmode, fail immediately with a clear error instead of falling through to API calls that will fail anywayContext
When using
mise install --locked, the aqua backend was validating lockfile URLs against the registry's expected asset filenames. If validation failed (e.g., registry format changed since lock was generated), the code fell through togithub::get_release()which requires API access — defeating the purpose of--lockedmode.Test plan
mise install --lockedworks for aqua tools without GitHub token when lockfile has pre-resolved URLsmise install --lockedfails clearly when no lockfile URL exists🤖 Generated with Claude Code
Note
Medium Risk
Changes aqua install URL selection logic in
--lockedmode, which can affect whether installs succeed/fail and when network/GitHub API calls occur. Low security risk, but moderate behavioral impact for locked installs that previously fell back to refresh behavior.Overview
In the aqua backend install path,
--lockedmode now trusts lockfile-provided asset URLs without re-validating them against registry asset patterns, preventing fallthrough into GitHub API lookups when registries change.If
--lockedis enabled but the lockfile has no pre-resolved URL for the current platform, installation now fails immediately with a clear error instead of attempting to resolve via remote calls.Written by Cursor Bugbot for commit d0f14bc. This will update automatically on new commits. Configure here.