diff --git a/shell/ci/env/mise.sh b/shell/ci/env/mise.sh index 3618e8b1..d5472206 100755 --- a/shell/ci/env/mise.sh +++ b/shell/ci/env/mise.sh @@ -35,6 +35,14 @@ inject_mise_commands() { # Assumes that `gh` has already been set up. ghToken="$(gh auth token)" +# Isolate mise install from global config. Global tools (from orc setup or +# pre-built CI image in ~/.config/mise/) don't have lockfiles and cause +# --locked to fail. _MISE_INSTALL_CONFIG_DIR is picked up by run_mise() and +# applied only to the mise binary invocation, so shims (e.g. +# wait-for-gh-rate-limit) still resolve against the real global config. +_MISE_INSTALL_CONFIG_DIR="$(mktemp -d)" +export _MISE_INSTALL_CONFIG_DIR + # TODO(malept): feature parity with asdf.sh in the same folder. if [[ -f "$repoDir"/mise.toml ]]; then info_sub "🧑‍🍳 installing tool versions via mise" @@ -43,10 +51,22 @@ if [[ -f "$repoDir"/mise.toml ]]; then else info_sub "🧑‍🍳 ignoring .tool-versions (managed by asdf)" fi - MISE_GITHUB_TOKEN="$ghToken" run_mise install --cd "$repoDir" --yes + + # Use --locked when a lockfile exists to prevent GitHub API calls for + # version resolution. Repos without mise.lock fall back to normal install. + locked_flag="" + if [[ -f "$repoDir"/mise.lock ]]; then + locked_flag="--locked" + fi + # shellcheck disable=SC2086 + MISE_GITHUB_TOKEN="$ghToken" run_mise install --cd "$repoDir" $locked_flag --yes fi MISE_GITHUB_TOKEN="$ghToken" devbase_install_mise_tools + +rm -rf "$_MISE_INSTALL_CONFIG_DIR" +unset _MISE_INSTALL_CONFIG_DIR + devbase_configure_global_tools if [[ -n ${BASH_ENV:-} ]]; then diff --git a/shell/lib/mise.sh b/shell/lib/mise.sh index 19aa8beb..f17ba15e 100644 --- a/shell/lib/mise.sh +++ b/shell/lib/mise.sh @@ -254,8 +254,17 @@ run_mise() { tool_versions_override="none" fi - MISE_OVERRIDE_TOOL_VERSIONS_FILENAMES="$tool_versions_override" \ - "$mise_path" "$@" + # _MISE_INSTALL_CONFIG_DIR, when set, overrides MISE_CONFIG_DIR only for + # the mise binary — not for helper tools like wait-for-gh-rate-limit + # that run via mise shims and need the real global config. + if [[ -n ${_MISE_INSTALL_CONFIG_DIR:-} ]]; then + MISE_OVERRIDE_TOOL_VERSIONS_FILENAMES="$tool_versions_override" \ + MISE_CONFIG_DIR="$_MISE_INSTALL_CONFIG_DIR" \ + "$mise_path" "$@" + else + MISE_OVERRIDE_TOOL_VERSIONS_FILENAMES="$tool_versions_override" \ + "$mise_path" "$@" + fi } # If `wait-for-gh-rate-limit` is installed, runs it to wait for @@ -417,7 +426,20 @@ devbase_install_mise_tools() { if ! mise_version_compatible "2025.10.11"; then mise settings set experimental true fi - devbase_mise install --yes + # go: backend tools compile from source and can't produce lockfile URLs, + # so --locked always fails for them (mise bug: go backend doesn't override + # supports_lockfile_url). MISE_DISABLE_BACKENDS=go also doesn't work for + # explicitly declared tools (mise bug: get() bypasses the filter). + # Workaround: use MISE_DISABLE_TOOLS with the actual go: tool names. + local devbaseDir + devbaseDir="$(get_devbase_directory)" + local go_tools + go_tools=$(grep '^"go:' "$devbaseDir/mise.devbase.toml" | cut -d'"' -f2 | paste -sd, -) + # Pass 1: all lockable tools with --locked (no GitHub API calls) + MISE_DISABLE_TOOLS="$go_tools" devbase_mise install --yes --locked + # Pass 2: go: tools without --locked (they use Go module proxy, not GitHub API). + # MISE_LOCKFILE=false prevents lockfile writes — CI must never mutate lockfiles. + MISE_LOCKFILE=false devbase_mise install --yes } # The current version of mise.