build: pin local & CI tool versions in one place (mise / .tool-versions) #157
Reference: james/carol#157
Problem
Local tooling and CI tooling can drift because they're version-pinned in
separate places — and some local installs aren't pinned at all.
Current state:

- `node-version: "22"` repeated in ~10 `setup-node` steps across `.forgejo/workflows/pr.yml` + `secrets.yml`; `engines.node` in `package.json` is `>=20.9.0`
- `GITLEAKS_VERSION: 8.30.1` in `.forgejo/workflows/secrets.yml`
- `ACTIONLINT_VERSION: 1.7.12` in `.forgejo/workflows/pr.yml`

Two pain points:

- commit that CI (8.30.1) flags, or vice versa. "Works on my machine, red on CI" loop.
- `"22"` is duplicated across every `setup-node` step. Bumping in one place silently drifts the others; renovate would need a manager per occurrence.
Proposal
One source of truth for tool versions: a `mise.toml` (or `.tool-versions`) at the repo root pinning `node`, `gitleaks`, and `actionlint`. Both local hooks and CI activate the same versions from that file.

- `mise install` after clone; lefthook hooks rely on mise-shimmed binaries. The "not installed" branch in `lefthook.yml` becomes "run `mise install`" instead of "brew install gitleaks".
- reusable step), then `mise install`. The 10× `node-version: "22"` becomes one declaration.
- `mise` manager picks up version bumps for all three tools from one file — same model as `gomod`/`npm`.

Out of scope
- warranted for three tools.
- `actions/setup-node` entirely with mise-shimmed node — setup-node also handles npm cache restore; we keep it but read its version input from the `mise.toml` (or just have mise do it and drop `setup-node` — TBD during implementation, will be decided in the PR with the tradeoff explained inline).
- cosign, syft, etc.). Those run via SHA-pinned actions and are in scope of ADR-0009; not the same problem shape.
Acceptance
- `mise.toml` (or `.tool-versions`) at repo root names exact versions for node, gitleaks, actionlint.
- `lefthook.yml` hooks pass without any local tool installed beyond `mise` itself.
- `.forgejo/workflows/*.yml` job that uses node / gitleaks / actionlint reads the version from the pin file, not from inline literals.
- `mise`, then `mise install`; the brew / Go-binary instructions for gitleaks + actionlint become fallback, not the default.
- why this lives in `mise.toml` rather than `package.json` + inline-pinned binaries.
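As an added example, not the issue's or the repo's code, here is a POSIX shell check for the acceptance item that workflows read versions from the pin file rather than carrying inline literals. It assumes a `[tools]` table in `mise.toml` written as simple `name = "version"` lines and the workflow keys the issue mentions (`node-version`, `GITLEAKS_VERSION`, `ACTIONLINT_VERSION`); the fixture files it writes are constructed for the demonstration, not the repo's real workflows.

```shell
# Added example (not from the issue or the repo): static check that no workflow
# hard-codes a version for a tool pinned in mise.toml. Assumes a [tools] table
# with `name = "version"` lines and the key names used in the issue.

# Print "tool version" pairs from the [tools] table of a mise.toml.
mise_pins() {
  awk -F'=' '/^\[/ { t = ($0 == "[tools]"); next }
    t && NF >= 2 { gsub(/[ \t"]/, "", $1); gsub(/[ \t"]/, "", $2); print $1, $2 }' "$1"
}

# check_drift PIN_FILE WORKFLOW_DIR: succeed only if no workflow in the directory
# hard-codes a version literal for a pinned tool. A literal is flagged even when it
# currently equals the pin (that is the value that drifts on the next bump);
# `node-version-file:` is deliberately not matched, since it reads the pin file.
check_drift() {
  hits=$(mise_pins "$1" | while read -r tool pin; do
    case $tool in
      node)       key='node-version' ;;
      gitleaks)   key='GITLEAKS_VERSION' ;;
      actionlint) key='ACTIONLINT_VERSION' ;;
      *)          continue ;;
    esac
    grep -HnE -- "${key}:[[:space:]]*\"?[0-9]" "$2"/*.yml 2>/dev/null || :
  done)
  [ -z "$hits" ] && return 0
  printf 'inline tool version(s) found; read them from %s instead:\n%s\n' "$1" "$hits" >&2
  return 1
}

# Constructed fixture so the check runs offline: drifted/ still carries literals,
# clean/ lets mise install the pins (workflow content is illustrative only).
make_fixture() {
  mkdir -p "$1/drifted" "$1/clean"
  printf '[tools]\nnode = "22"\ngitleaks = "8.30.1"\nactionlint = "1.7.12"\n' > "$1/mise.toml"
  cat > "$1/drifted/pr.yml" <<'EOF'
jobs:
  lint:
    env: { ACTIONLINT_VERSION: 1.7.12 }
    steps:
      - uses: actions/setup-node@v4
        with: { node-version: "22" }
EOF
  cat > "$1/clean/secrets.yml" <<'EOF'
jobs:
  scan:
    steps:
      - uses: jdx/mise-action@v2   # installs node, gitleaks, actionlint from mise.toml
      - run: gitleaks detect --redact
EOF
}
```

Run `check_drift mise.toml .forgejo/workflows` from a lefthook hook or a CI job; it exits non-zero and lists the offending lines whenever a workflow still hard-codes a pinned tool's version.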
`mise install`. `.tool-versions` (#157) #158