security(ci): avoid exposing MISE_GH_TOKEN to test-tool scripts

[jdx]

Summary

• GITHUB_TOKEN was set at workflow level to MISE_GH_TOKEN, making it available to all tool install scripts run by mise test-tool
• Moved MISE_GH_TOKEN to only the build job that needs it
• test-tool job now only gets the pooled token from the token pool API

Test plan

• Verify registry CI jobs still pass (checkout works without token for public repos)
• Verify test-tool still gets pooled token for rate limits

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk workflow scoping change, but could affect CI if any non-build steps implicitly relied on GITHUB_TOKEN being pre-set to MISE_GH_TOKEN.

Overview
Removes the workflow-level override of GITHUB_TOKEN (previously set to secrets.MISE_GH_TOKEN || secrets.GITHUB_TOKEN) in registry.yml and scopes it to the build job only.

This reduces secret exposure to mise test-tool/tool install scripts while keeping the elevated token available where the build needs it.

^{Reviewed by Cursor Bugbot for commit 5d1e6e1. Bugbot is set up for automated code reviews on this repo. Configure here.}

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[greptile-apps]

Greptile Summary

This PR tightens the scope of MISE_GH_TOKEN in the registry.yml workflow by removing it from the workflow-level environment (where it was accessible to every job, including test-tool) and moving it to only the build job env and the specific "Check grace period" step that genuinely need it. The test-tool job now exclusively uses a pooled token fetched from the internal token-pool API as its GITHUB_TOKEN inside Docker.

Confidence Score: 5/5

Safe to merge — clear security hardening with no functional regressions expected.

The change is a straightforward scope reduction: the org token is moved from workflow-level env (all jobs) to only the build job and one specific step that explicitly needs it. The test-tool job correctly substitutes the pooled token. The fetch-token action already calls ::add-mask:: before emitting the token, so log exposure is handled. No P0 or P1 findings.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/registry.yml	Moves MISE_GH_TOKEN from workflow-level env to build job only; test-tool job correctly uses the pooled token via fetch-token action instead.

Sequence Diagram

sequenceDiagram
    participant B as build job
    participant T as test-tool job
    participant P as Token Pool API
    participant D as Docker Container

    B->>B: Uses scoped org token for cargo build
    B->>B: Upload mise binary artifact

    T->>P: Fetch pooled token (api-secret)
    P-->>T: Returns pooled token
    T->>T: Mask token in logs
    T->>T: Store as POOL_TOKEN in env
    T->>D: Pass POOL_TOKEN as GITHUB_TOKEN
    D->>D: mise test-tool runs with rate-limit token

    Note over B: MISE_GH_TOKEN scoped to build job only
    Note over T: test-tool never sees MISE_GH_TOKEN

Loading

_{Reviews (2): Last reviewed commit: "Merge branch 'main' into fix/test-tool-t..." | Re-trigger Greptile}

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.8 x -- echo	22.1 ± 0.4	21.4	24.2	1.00
mise x -- echo	22.4 ± 0.4	21.5	24.1	1.02 ± 0.03

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.8 env	21.8 ± 0.6	20.9	27.1	1.00
mise env	22.0 ± 0.5	21.2	25.4	1.01 ± 0.04

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.8 hook-env	22.3 ± 0.4	21.6	25.0	1.00
mise hook-env	22.7 ± 0.4	21.8	25.6	1.02 ± 0.03

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.8 ls	19.6 ± 0.4	18.9	23.3	1.00
mise ls	20.0 ± 0.4	19.2	23.1	1.02 ± 0.03

xtasks/test/perf

Command	mise-2026.4.8	mise	Variance
install (cached)	147ms	147ms	+0%
ls (cached)	77ms	77ms	+0%
bin-paths (cached)	81ms	81ms	+0%
task-ls (cached)	814ms	795ms	+2%