feat(lockfile): add multi-platform checksums without downloading tarballs #7113
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…alls Enable `mise lock` to include SHA256 checksums for all platforms by leveraging: 1. **GitHub API digests** - GitHub provides SHA256 digests for release assets via their API, available without downloading files 2. **Aqua checksum files** - Download small checksum files (~1KB) that contain checksums for all platforms, parsed for the target platform's asset Changes: - aqua.rs: Use GitHub API digest in resolve_lock_info instead of discarding it; add fetch_checksum_from_file() for tools with checksum config - github.rs: Override resolve_lock_info to include digest from GitHub API; add resolve_asset_url_for_target() for cross-platform resolution - static_helpers.rs: Add lookup_platform_key_for_target() helper - asset_detector.rs: Add detect_asset_for_target() helper - Export AquaChecksum type from aqua-registry crate 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR enhances mise lock to include SHA256 checksums for all platforms without downloading tarballs. It leverages GitHub API digests for release assets and downloads small checksum files (~1KB) from Aqua registry definitions that contain checksums for all platforms.
Key changes:
- Adds cross-platform lockfile support by implementing
resolve_lock_info()for GitHub/GitLab backends - Enables checksum retrieval from Aqua checksum files for tools with checksum configuration
- Adds helpers for cross-platform asset detection and platform-specific configuration lookup
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
| src/backend/static_helpers.rs | Adds lookup_platform_key_for_target() and target_platform_aliases() to support cross-platform configuration lookup |
| src/backend/github.rs | Implements resolve_lock_info() and asset resolution methods for cross-platform lockfile generation |
| src/backend/asset_detector.rs | Adds detect_asset_for_target() helper for cross-platform asset detection |
| src/backend/aqua.rs | Updates resolve_lock_info() to fetch checksums from checksum files and adds checksum parsing logic |
| src/aqua/aqua_registry_wrapper.rs | Exports AquaChecksum type for use in backend code |
| crates/aqua-registry/src/lib.rs | Exports AquaChecksum type from types module |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+377
to
+378
| let picker = AssetPicker::new(target_os.to_string(), target_arch.to_string()); | ||
| picker.pick_best_asset(assets).ok_or_else(|| { |
There was a problem hiding this comment.
[nitpick] The variable name picker is generic. Consider renaming it to asset_picker for better clarity.
Suggested change
| let picker = AssetPicker::new(target_os.to_string(), target_arch.to_string()); | |
| picker.pick_best_asset(assets).ok_or_else(|| { | |
| let asset_picker = AssetPicker::new(target_os.to_string(), target_arch.to_string()); | |
| asset_picker.pick_best_asset(assets).ok_or_else(|| { |
| checksum_config: &AquaChecksum, | ||
| filename: &str, | ||
| ) -> Result<String> { | ||
| let mut checksum_file = content.to_string(); |
There was a problem hiding this comment.
The variable name checksum_file is misleading as it contains the content of the checksum file, not the file itself. Consider renaming it to checksum_content or checksum_data.
src/backend/github.rs
Outdated
| let darwin_os = if os == "macos" { "darwin" } else { os }; | ||
| let amd64_arch = match arch { | ||
| "x64" => "amd64", | ||
| "arm64" => "aarch64", |
There was a problem hiding this comment.
The arm64 to aarch64 mapping is inconsistent with the opposite mapping in detect_asset_for_target() (line 373 in asset_detector.rs). Consider extracting architecture normalization into a shared helper function to ensure consistency across the codebase.
Comment on lines
+598
to
+618
| let checksum_str = checksum_file | ||
| .lines() | ||
| .filter_map(|l| { | ||
| let split = l.split_whitespace().collect_vec(); | ||
| if split.len() == 2 { | ||
| Some(( | ||
| split[0].to_string(), | ||
| split[1] | ||
| .rsplit_once('/') | ||
| .map(|(_, f)| f) | ||
| .unwrap_or(split[1]) | ||
| .trim_matches('*') | ||
| .to_string(), | ||
| )) | ||
| } else { | ||
| None | ||
| } | ||
| }) | ||
| .find(|(_, f)| f == filename) | ||
| .map(|(c, _)| c) | ||
| .unwrap_or(checksum_file); |
There was a problem hiding this comment.
[nitpick] This checksum parsing logic is complex and difficult to follow. Consider extracting it into a separate helper method like parse_standard_checksum_format() with clear documentation of the expected format.
| let arch = target.arch_name(); | ||
|
|
||
| // Map to common naming conventions | ||
| let darwin_os = if os == "macos" { "darwin" } else { os }; |
There was a problem hiding this comment.
[nitpick] The variable name darwin_os is confusing as it may not always contain 'darwin'. Consider renaming it to normalized_os or os_alias to better reflect its purpose.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
- Extract `parse_checksum_from_content()` usage in verify() to eliminate ~50 lines - Add `is_platform_supported()` helper for consistent platform validation - Add `resolve_repo_info()` helper for repo owner/name resolution (5 call sites) - Add `download_url_to_path()` helper for cosign asset downloads (3 call sites) Net reduction: 47 lines while improving maintainability. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
- Consolidate _list_remote_versions: extract common filtering/mapping - Make resolve_asset_url delegate to resolve_asset_url_for_target - Remove duplicate resolve_github_asset_url and resolve_gitlab_asset_url - Remove unused auto_detect_asset method and Settings import Net reduction: 164 lines while improving maintainability. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
- amd64_arch: "x64" → "amd64", "arm64" unchanged (Go/Docker convention) - x86_64_arch: "x64" → "x86_64", "arm64" → "aarch64" (GNU convention) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
jdx
force-pushed
the
feat/lockfile-multi-platform-checksums
branch
from
c761ba9 to
fa9d0fe
Compare
Hyperfine Performance
|
| Command | mise-2025.11.10 | mise | Variance |
|---|---|---|---|
| install (cached) | 107ms | 106ms | +0% |
| ls (cached) | 64ms | 64ms | +0% |
| bin-paths (cached) | 70ms | 70ms | +0% |
| task-ls (cached) | 419ms | 418ms | +0% |
jdx
pushed a commit
that referenced
this pull request
Nov 30, 2025
### 🚀 Features - **(backend)** add filter_bins option to github/gitlab backends by @risu729 in [#7105](#7105) - **(ci)** auto-close PRs from non-maintainers by @jdx in [#7108](#7108) - **(conda)** add conda backend for installing packages from conda-forge by @jdx in [#7139](#7139) - **(github)** add rename_exe option and switch elm, opam, yt-dlp from ubi by @jdx in [#7140](#7140) - **(install)** add --locked flag for strict lockfile mode by @jdx in [#7098](#7098) - **(lock)** implement cross-platform lockfile generation by @jdx in [#7091](#7091) - **(lockfile)** add options field for tool artifact identity by @jdx in [#7092](#7092) - **(lockfile)** add env field and local lockfile support by @jdx in [#7099](#7099) - **(lockfile)** add URL support for deno, go, and zig backends by @jdx in [#7112](#7112) - **(lockfile)** add URL support for vfox backend by @jdx in [#7114](#7114) - **(lockfile)** add multi-platform checksums without downloading tarballs by @jdx in [#7113](#7113) ### 🐛 Bug Fixes - **(backend)** allow platform-specific strip_components by @risu729 in [#7106](#7106) - **(backend)** prefer path root for bin path if it contains an executable by @risu729 in [#7151](#7151) - **(bash)** avoid deactivate error on (no)unset PROMPT_COMMAND by @scop in [#7096](#7096) - **(ci)** use updatedAt instead of createdAt for stale PR detection by @jdx in [#7109](#7109) - **(github)** search subdirectories for executables in discover_bin_paths by @jdx in [#7138](#7138) - **(lockfile)** combine api_url with asset_pattern for GitHub release URLs by @jdx in [#7111](#7111) ### 🚜 Refactor - **(lock)** simplify lockfile to always use array format by @jdx in [#7093](#7093) - **(lockfile)** use compact inline table format by @jdx in [#7141](#7141) ### 📚 Documentation - **(gitlab)** document rename_exe option also for gitlab backend by @risu729 in [#7149](#7149) - **(lockfile)** update documentation for recent lockfile changes by @jdx in [#7107](#7107) - **(node)** use config_root in _.path for pnpm example by @risu729 in [#7146](#7146) - **(registry)** add github/gitlab backends to the preferred backends list by @risu729 in [#7148](#7148) - **(registry)** add url mappings for all backends by @risu729 in [#7147](#7147) ### 📦️ Dependency Updates - update docker/metadata-action digest to c299e40 by @renovate[bot] in [#7101](#7101) - update ghcr.io/jdx/mise:alpine docker digest to 693c5f6 by @renovate[bot] in [#7102](#7102) - update ghcr.io/jdx/mise:deb docker digest to 9985cab by @renovate[bot] in [#7104](#7104) - update ghcr.io/jdx/mise:copr docker digest to 564d8e1 by @renovate[bot] in [#7103](#7103) - update rust crate ubi to 0.8.4 by @risu729 in [#7154](#7154) ### 📦 Registry - add aqua backend as primary for e1s by @jdx in [#7115](#7115) - add gem backend for bashly by @jdx in [6af6607](6af6607) - switch 1password from asdf to vfox backend by @jdx in [#7116](#7116) - add vfox backend for bfs by @jdx in [#7126](#7126) - add github backend for btrace by @jdx in [#7129](#7129) - add github backend for cf by @jdx in [#7131](#7131) - add vfox backend for bpkg by @jdx in [#7130](#7130) - switch apollo-ios from asdf to github backend by @jdx in [#7118](#7118) - add vfox backend for chromedriver by @jdx in [#7134](#7134) - switch superhtml, vespa-cli, xcsift from ubi to github backend by @jdx in [#7137](#7137) - add vfox backend for clickhouse by @jdx in [#7136](#7136) - switch chicken to vfox plugin by @jdx in [#7135](#7135) - switch chezscheme from asdf to vfox backend by @jdx in [#7132](#7132) - add vfox backend for carthage by @jdx in [#7133](#7133) - switch azure-functions-core-tools from asdf to vfox backend by @jdx in [#7128](#7128) - switch aapt2 to vfox backend by @jdx in [#7117](#7117) - switch ant to vfox backend by @jdx in [#7119](#7119) - switch asciidoctorj from asdf to vfox backend by @jdx in [#7121](#7121) - switch awscli-local to pipx backend by @jdx in [#7120](#7120) - add omnictl by @risu729 in [#7145](#7145) - remove pnpm asdf plugin from fallback by @risu729 in [#7143](#7143) - switch tanzu to github backend by @jdx in [#7124](#7124) - switch android-sdk to vfox plugin by @jdx in [#7127](#7127) - add vfox backend for ag (The Silver Searcher) by @jdx in [#7122](#7122) ### Chore - **(registry)** ignore deleted tools in test-tool workflow by @risu729 in [#7081](#7081) - **(release)** show registry section last in changelog by @jdx in [#7156](#7156) - update mise.lock with checksums by @jdx in [71e9123](71e9123) - disable cancel-in-progress for test workflow on main branch by @risu729 in [#7152](#7152) ## 📦 Aqua Registry Updates #### Updated Packages (1) - [`orf/gping`](https://github.com/orf/gping)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Enable
mise lockto include SHA256 checksums for all platforms by leveraging:Changes
resolve_lock_infoinstead of discarding it; addfetch_checksum_from_file()for tools with checksum configresolve_lock_infoto include digest from GitHub API; addresolve_asset_url_for_target()for cross-platform resolutionlookup_platform_key_for_target()helperdetect_asset_for_target()helperAquaChecksumtypeExample Output
Test plan
cargo buildsucceedscargo testpasses (372 tests)cargo clippypassesmise lock --platform linux-x64,macos-arm64,windows-x64with aqua tools (ripgrep, jq, terraform, watchexec) - checksums appear for all platforms🤖 Generated with Claude Code
Note
Adds cross-platform lockfile checksums by using GitHub API digests and parsing Aqua checksum files, plus backend utilities for target-specific asset resolution.
PlatformInfowithout downloads using GitHub API digests or Aqua checksum files.src/backend/aqua.rs)resolve_lock_infoto return URL/name and checksum (GitHub asset digest or parsed from checksum files).fetch_checksum_from_file,parse_checksum_from_content, anddownload_url_to_pathhelpers.is_platform_supportedandresolve_repo_info; reuse in minisign/SLSA/cosign flows.src/backend/github.rs)resolve_lock_infoandresolve_asset_url_for_targetfor target-specific asset resolution with digests.template_string_for_targetand platform-aware lookups.static_helpers.rs: addlookup_platform_key_for_targetand target aliasing.asset_detector.rs: adddetect_asset_for_targetfor target-based asset choice.AquaChecksumtype for checksum configuration.Written by Cursor Bugbot for commit fc2bdbb. This will update automatically on new commits. Configure here.