fix(release): publish extracted mise.exe alongside Windows zip #8997

Merged
jdx merged 1 commit into jdx:main from zeitlinger:fix/windows-exe-sha256
Apr 10, 2026

@zeitlinger
Contributor

Problem

SHASUMS256.txt includes hashes for the Windows .zip files but not for the extracted .exe binaries. mise-action verifies the sha256 of the extracted binary after unpacking, so users currently cannot pin sha256 for the Windows binary — it's simply not in the checksum file.

Fix

After signing and verifying each Windows zip, extract mise.exe from it and copy it as a release asset (both versioned and mise-latest-<platform>.exe). The existing checksum generation loop then picks up the .exe files automatically and adds them to SHASUMS256.txt.

Two lines added to scripts/release.sh, no other changes.

Testing

  • Verify SHASUMS256.txt contains entries for .exe files after a release build
  • Verify mise-action can verify the Windows binary sha256 with the pinned hash

SHASUMS256.txt currently includes hashes for the .zip files but not
the extracted .exe binaries. mise-action verifies the sha256 of the
extracted binary, so Windows users cannot pin the sha256.

Extract mise.exe from each Windows zip after signing and copy it as a
release asset. The existing checksum generation then picks it up
automatically, adding the .exe hashes to SHASUMS256.txt.
Signed-off-by: Gregor Zeitlinger <gregor.zeitlinger@grafana.com>
@zeitlinger marked this pull request as ready for review April 10, 2026 09:39
@greptile-apps
Contributor

greptile-apps Bot commented Apr 10, 2026

Greptile Summary

This PR adds two lines to scripts/release.sh that extract mise.exe from the signed Windows zip artifact using unzip -p and publish it as a standalone release asset (both versioned and mise-latest-<platform>.exe). The existing checksum loops then pick up the .exe files automatically, making them available in SHASUMS256.txt so mise-action can verify the Windows binary hash.

Confidence Score: 5/5

Safe to merge — minimal, well-scoped change that mirrors the existing Linux/macOS binary extraction pattern.

Only two lines added; the internal zip path mise/bin/mise.exe is verified correct against scripts/build-tarball.ps1. Extraction happens after zipsign verification, so the binary is sourced from the authenticated artifact. The existing checksum loops require no changes. No P0/P1 findings.

No files require special attention.

Important Files Changed

Filename Overview
scripts/release.sh Two lines added to Windows platform loop to extract mise.exe from the signed zip and publish it as a standalone asset; internal zip path mise/bin/mise.exe matches the structure produced by scripts/build-tarball.ps1.

Sequence Diagram

sequenceDiagram
    participant A as artifacts/*
    participant R as releases/$VERSION/
    participant L as releases/ (latest)
    participant C as SHASUMS256.txt

    Note over A,C: Windows platforms loop (arm64, x64)
    A->>R: cp mise-$VERSION-$platform.zip
    R->>R: zipsign sign zip
    R->>R: zipsign verify zip
    R->>L: cp mise-latest-$platform.zip
    Note over R,L: NEW - extract exe from signed zip
    R->>R: unzip -p ...zip mise/bin/mise.exe → mise-$VERSION-$platform.exe
    R->>L: cp mise-latest-$platform.exe
    R->>C: sha256sum picks up .exe files automatically
    L->>C: sha256sum ./mise-latest-* picks up .exe files automatically

Reviews (1): Last reviewed commit: "fix(release): publish extracted mise.exe..." | Re-trigger Greptile
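
An added example (not code from this PR or from mise): a Python model of the release step and of the consumer-side check, showing why a checksum list that covers only the zip leaves the extracted binary with nothing to pin against. The version `v0.0.0`, the platform name `windows-x64`, the sample bytes and the `<hex>  ./<name>` line layout are constructed assumptions; only the internal path `mise/bin/mise.exe` comes from the page.

```python
import hashlib
import hmac
import io
import zipfile

EXE_MEMBER = "mise/bin/mise.exe"  # internal zip path cited in the review above

def build_zip(exe: bytes) -> bytes:
    """Constructed stand-in for a Windows release zip (not a real mise build)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(EXE_MEMBER, exe)
    return buf.getvalue()

def release_assets(version: str, platform: str, zip_bytes: bytes, publish_exe: bool) -> dict:
    """Map asset name -> bytes; publish_exe=True models the fix described above."""
    assets = {f"mise-{version}-{platform}.zip": zip_bytes}
    if publish_exe:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            assets[f"mise-{version}-{platform}.exe"] = zf.read(EXE_MEMBER)
    return assets

def shasums(assets: dict) -> str:
    """Render sha256sum-style lines: '<hex digest>  ./<name>' (assumed layout)."""
    return "".join(
        f"{hashlib.sha256(data).hexdigest()}  ./{name}\n"
        for name, data in sorted(assets.items())
    )

def verify(shasums_text: str, name: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' or 'missing' for one file against the checksum list."""
    pinned = {}
    for line in shasums_text.splitlines():
        digest, _, entry = line.partition(" ")
        pinned[entry.strip().lstrip("*").removeprefix("./")] = digest.lower()
    if name not in pinned:
        return "missing"  # no entry to pin against: the pre-fix state for the .exe
    actual = hashlib.sha256(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, pinned[name]) else "mismatch"

if __name__ == "__main__":
    exe = b"MZ constructed sample bytes, not a real binary"
    zip_bytes = build_zip(exe)
    for publish_exe in (False, True):
        listing = shasums(release_assets("v0.0.0", "windows-x64", zip_bytes, publish_exe))
        print(publish_exe, verify(listing, "mise-v0.0.0-windows-x64.exe", exe))
```

A verifier should treat `missing` as a failure rather than skipping the check, otherwise an absent entry silently disables pinning.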

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request updates the release script to extract the Windows executable from the zip archive and provide a 'latest' version. The review feedback suggests ensuring the executable bit is set on the extracted file for cross-platform consistency and using verbose output for the copy operation to align with other parts of the script.

Comment thread scripts/release.sh
zeitlinger added a commit to grafana/flint that referenced this pull request Apr 10, 2026
The linux-x64 sha256 was used for all platforms, which only worked while
macOS had a warm cache. Switch to a per-platform matrix with version and
sha256 fields so each platform verifies its own binary. Windows exe sha256
is not published upstream yet (jdx/mise#8997).

Add a Renovate custom manager to keep the matrix hashes updated alongside
the existing lint.yml and generation.rs managers.
@jdx merged commit 2efd3b9 into jdx:main Apr 10, 2026
35 checks passed
mise-en-dev added a commit that referenced this pull request Apr 11, 2026
### 🐛 Bug Fixes

- **(docs)** upgrade esbuild to 0.28.0 with es2022 build target by @jdx
in [#9047](#9047)
- **(env)** skip tools=true module hooks in dependency_env by @jdx in
[#9011](#9011)
- **(lockfile)** resolve SLSA provenance URLs deterministically for all
platforms by @cameronbrill in
[#8982](#8982)
- **(registry)** test of docuum in registry by @jylenhof in
[#8996](#8996)
- **(release)** publish extracted mise.exe alongside Windows zip by
@zeitlinger in [#8997](#8997)
- **(schema)** add missing config fields by @risu729 in
[#9044](#9044)
- **(task)** support sandbox fields in task templates by @risu729 in
[#9046](#9046)
- **(tasks)** respect env precedence for task config by @risu729 in
[#9039](#9039)
- prevent implicit enabling of `self_update` when rustls features are
enabled by @salim-b in [#9040](#9040)
- allow installing bun and others when downloads folder is on a
different mount by @bgeron in
[#9032](#9032)

### 📚 Documentation

- discourage direnv compatibility PRs and remove issue suggestions by
@jdx in
[ca78346](ca78346)
- tighten direnv compatibility language by @jdx in
[ab140c8](ab140c8)
- add Tera tip for unsupported version files by @risu729 in
[#9048](#9048)

### 📦️ Dependency Updates

- update ghcr.io/jdx/mise:deb docker digest to 49fa8a4 by @renovate[bot]
in [#8999](#8999)
- update ghcr.io/jdx/mise:copr docker digest to 61ba7b6 by
@renovate[bot] in [#8998](#8998)
- update ghcr.io/jdx/mise:copr docker digest to fa351ff by
@renovate[bot] in [#9002](#9002)
- update ghcr.io/jdx/mise:alpine docker digest to f3bb475 by
@renovate[bot] in [#9001](#9001)
- update ghcr.io/jdx/mise:rpm docker digest to d45af2d by @renovate[bot]
in [#9005](#9005)
- update ghcr.io/jdx/mise:deb docker digest to d7463ac by @renovate[bot]
in [#9004](#9004)
- update jdx/mise-action digest to 5228313 by @renovate[bot] in
[#9007](#9007)
- update rust docker digest to e8e2bb5 by @renovate[bot] in
[#9008](#9008)
- update taiki-e/install-action digest to 97a5807 by @renovate[bot] in
[#9010](#9010)
- update autofix-ci/action action to v1.3.3 by @renovate[bot] in
[#9015](#9015)
- update ubuntu:24.04 docker digest to 84e77de by @renovate[bot] in
[#9012](#9012)
- update actions/checkout action to v4.3.1 by @renovate[bot] in
[#9014](#9014)
- update ubuntu:26.04 docker digest to cc925e5 by @renovate[bot] in
[#9013](#9013)
- update rust crate tokio to v1.51.1 by @renovate[bot] in
[#9018](#9018)
- update rust crate zip to v8.5.1 by @renovate[bot] in
[#9019](#9019)
- update rust crate ctor to 0.9 by @renovate[bot] in
[#9024](#9024)
- update ubuntu docker tag to resolute-20260404 by @renovate[bot] in
[#9020](#9020)
- update dependency vitepress-plugin-tabs to ^0.8.0 by @renovate[bot] in
[#9023](#9023)
- update rust crate indexmap to v2.14.0 by @renovate[bot] in
[#9025](#9025)
- update rust crate nix to 0.31 by @renovate[bot] in
[#9030](#9030)
- update taiki-e/install-action digest to 7a4939c by @renovate[bot] in
[#9027](#9027)
- update dependency esbuild to v0.28.0 by @renovate[bot] in
[#9022](#9022)
- update rust crate rand to 0.10 by @renovate[bot] in
[#9031](#9031)
- update rust crate digest to 0.11.0 by @renovate[bot] in
[#9028](#9028)
- update rust crate confique to 0.4 by @renovate[bot] in
[#9026](#9026)
- update rust crate rattler to 0.40 by @renovate[bot] in
[#9034](#9034)
- lock file maintenance by @renovate[bot] in
[#8416](#8416)
- disable renovate for aws-config/aws-sdk-* crates by @jdx in
[#9052](#9052)
- update swatinem/rust-cache digest to e18b497 by @renovate[bot] in
[#9009](#9009)

### 📦 Registry

- remove broken tool tests by @jdx in
[#9017](#9017)
- update granted aqua backend repo by @risu729 in
[#9033](#9033)
- fix atlas-community test expected output by @jdx in
[#9054](#9054)

### Chore

- use deprecated_at! macro for ubi backend deprecation by @jdx in
[#9049](#9049)

### Security

- **(ci)** run test-tool inside Docker container by @jdx in
[#9055](#9055)
- **(ci)** avoid exposing MISE_GH_TOKEN to test-tool scripts by @jdx in
[#9053](#9053)

### New Contributors

- @bgeron made their first contribution in
[#9032](#9032)
- @salim-b made their first contribution in
[#9040](#9040)

## 📦 Aqua Registry Updates

#### Updated Packages (2)

-
[`cloudnative-pg/cloudnative-pg/kubectl-cnpg`](https://github.com/cloudnative-pg/cloudnative-pg/kubectl-cnpg)
- [`gleam-lang/gleam`](https://github.com/gleam-lang/gleam)