feat: migrate to use mise instead of asdf #262

Merged
zapo merged 1 commit into master from ab/feat/migrate-to-mise
Feb 19, 2026

@ab116699
Contributor

Summary

  • Migrate toolchain management from asdf to mise
  • Replace .tool-versions with mise.toml + mise.lock for reproducible, checksummed installs
  • Update all CI workflows and composite actions to use mise instead of asdf

What changed?

New files

| File | Purpose |
|---|---|
| mise.toml | Single source of truth for 4 dev tools (replaces .tool-versions) |
| mise.lock | Lockfile with checksums and URLs pinned across 5 platforms |
| .github/actions/setup-mise/action.yml | CI composite action using jdx/mise-action (SHA-pinned) |

Deleted files

| File | Why |
|---|---|
| .tool-versions | Replaced by mise.toml |

Modified files

| File | Change |
|---|---|
| Makefile | asdf target (plugin adds + install) → mise target (mise install) |
| .github/workflows/release.yml | asdf-vm/actions/install → setup-mise |
| .github/actions/setup-pnpm/action.yml | Parse node/pnpm versions from mise.toml instead of .tool-versions |
| .github/actions/setup-pnpm-demos-npm/action.yml | Same |
| .github/actions/setup-pnpm-demos-react/action.yml | Same |

Tool backend mapping

| Backend | Tool | Security model |
|---|---|---|
| core (built-in) | node | Official sources, built into mise |
| aqua (checksummed) | pnpm, mkcert | SHA256 + cosign/SLSA verification via aqua registry |
| vfox | semver | vfox plugin registry |

pre-commit was removed from toolchain management as it is installed via brew locally and not used in CI.

Why mise over asdf?

Supply chain security. asdf relies on third-party bash plugins — arbitrary shell scripts pulled from random GitHub repos that run curl | bash patterns and download binaries without checksum verification. Each plugin is an unaudited attack surface.

mise replaces this with:

  • Checksummed backends: aqua registry provides SHA256 + cosign/SLSA verification for tools like pnpm and mkcert
  • A lockfile (mise.lock): pins exact download URLs and checksums across all platforms for reproducible installs
  • No third-party plugin scripts: 3 out of 4 tools use built-in or aqua backends with zero shell script plugins
  • Single Rust binary: no shim overhead, no reshimming after installs

This aligns with the migration done in the parent monorepo.

How to test

CI

This PR exercises the full pipeline — the setup-pnpm actions parse versions from mise.toml, and the release workflow uses setup-mise to install semver for version computation.

Local

brew install mise                        # if not already installed
eval "$(mise activate zsh)"              # add to ~/.zshrc
cd optable-web-sdk && mise trust && mise install
mise ls                                  # should show 4 tools
make all                                 # full build

@zapo merged commit 1147098 into master on Feb 19, 2026
7 checks passed
@zapo deleted the ab/feat/migrate-to-mise branch on February 19, 2026 20:29
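
The description above notes that the setup-mise composite action references jdx/mise-action by commit SHA. The following is an added example, not code from this PR or repository: a shell check that lists every "uses:" reference in workflow or action YAML that is not pinned to a full 40-character commit SHA. The function names, the sample file, the tag and branch refs, and the placeholder SHA are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report GitHub Actions "uses:" references that are not pinned
# to a full 40-character commit SHA (tags and branches can be moved upstream).

# unpinned_actions FILE...
# Prints file:line:reference for each mutable reference; returns 1 if any found.
unpinned_actions() {
  awk -v q="'" '
    {
      line = $0
      sub(/[ \t]+#.*$/, "", line)                  # drop trailing "# v2" style comments
      if (line !~ /^[ \t]*(-[ \t]+)?uses:/) next
      sub(/^[ \t]*(-[ \t]+)?uses:/, "", line)
      gsub(/[ \t"]/, "", line); gsub(q, "", line)  # strip whitespace and quotes
      if (substr(line, 1, 1) == ".") next          # local action, versioned with the repo
      n = split(line, parts, "@")
      ref = (n > 1) ? parts[n] : ""
      if (length(ref) == 40 && ref !~ /[^0-9a-f]/) next      # commit SHA
      if (length(ref) == 71 && substr(ref, 1, 7) == "sha256:" &&
          substr(ref, 8) !~ /[^0-9a-f]/) next                # docker:// image digest
      printf "%s:%d:%s\n", FILENAME, FNR, line
      bad = 1
    }
    END { exit bad + 0 }
  ' "$@"
}

# Constructed sample in the style of a composite action file.
# The SHA is a placeholder, not the commit the project actually pins.
scan_sample() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/action.yml" <<'EOF'
runs:
  using: composite
  steps:
    - uses: jdx/mise-action@0123456789abcdef0123456789abcdef01234567 # placeholder SHA
    - uses: asdf-vm/actions/install@v3
    - uses: ./.github/actions/setup-pnpm
    - name: checkout
      uses: "actions/checkout@main"
EOF
  (cd "$dir" && unpinned_actions action.yml) || true
  rm -rf "$dir"
}

scan_sample
```

In CI, pass unpinned_actions the repository's own files (for example .github/workflows/*.yml and .github/actions/*/action.yml) and fail the job on a non-zero exit status.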