fix(python): use lockfile URL for precompiled installs#8750
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a bug where the Python plugin in Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
hehaoqian
changed the title
hehaoqian
changed the title
Greptile SummaryThis PR fixes a bug where Key changes:
Confidence Score: 5/5Safe to merge — the fix is a minimal, well-targeted change with a concrete regression test The core logic change is correct: checking No files require special attention Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[install_precompiled called] --> B[get_platform_key]
B --> C{tv.lock_platforms\nhas URL for key?}
C -- Yes --> D[Use lockfile URL directly\nskip remote fetch]
C -- No --> E[fetch_precompiled_remote_versions]
E --> F{Match found\nfor tv.version?}
F -- Yes --> G[Build URL from tag + filename\nShow precompiled hint]
F -- No --> H{windows or\ncompile=false?}
H -- Yes --> I[bail! no precompiled found]
H -- No --> J[install_compiled fallback]
D --> K[download tarball from URL]
G --> K
K --> L[Record URL in lock_platforms]
L --> M[verify_checksum\nread/write checksum+size]
M --> N[verify_github_artifact_attestations]
N --> O{provenance\ndowngrade check}
O -- Pass --> P[untar + patch sysconfig]
O -- Fail --> Q[bail! downgrade attack]
Greploops — Automatically fix all review issues by running Reviews (2): Last reviewed commit: "test(python): add e2e test verifying loc..." | Re-trigger Greptile |
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
|
Not really ready. Fully AI generated. Better look at the bug manually when I have time. |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request enhances the Python plugin's lockfile handling by ensuring that mise prioritizes the download URL specified in the lockfile for a given platform over recomputing it. A new end-to-end test was added to validate this behavior by verifying that mise attempts to download from a deliberately corrupted lockfile URL, leading to a failure. Additionally, a new helper function lockfile_url_for_platform with comprehensive unit tests was introduced to facilitate this logic. There is no feedback to provide.
There was a problem hiding this comment.
Pull request overview
This PR fixes an issue where the core Python plugin could recompute the python-build-standalone download URL during install instead of using the URL already recorded in mise.lock, improving reproducibility and aligning installs with locked artifacts.
Changes:
- Prefer an existing per-platform URL from
tv.lock_platformswhen installing precompiled Python, falling back to computing the URL only when absent. - Add unit tests for the lockfile URL lookup helper.
- Extend the Python lockfile E2E test to ensure installs obey the lockfile URL (and fail when it’s deliberately corrupted).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
src/plugins/core/python.rs |
Uses lockfile-stored platform URL as the source of truth for precompiled Python downloads; adds helper + unit tests. |
e2e/lockfile/test_lockfile_python |
Adds an E2E regression check that a tampered lockfile URL is actually used during install. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Any update on this one? |
When a URL is already recorded in mise.lock for the current platform, use it directly instead of recomputing from the remote version index. This ensures locked installs are reproducible. Fixes jdx#8749 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jdx
force-pushed
the
copilot/fix-bug-in-discussion-8749
branch
from
b6d6247 to
586db4f
Compare
Corrupts the lockfile URL to a fake value and asserts that mise install fails trying to download from it, proving the lockfile URL is used instead of being recomputed. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jdx
changed the title
### 🚀 Features - **(ci)** auto-convert external PRs to draft mode by @jdx in [#8896](#8896) - **(deps)** add `depends` field for user-specified tool dependencies by @cprecioso in [#8776](#8776) - **(dotnet)** support runtime-only installs by @fragon10 in [#8524](#8524) - **(npm)** apply install_before to transitive dependencies by @risu729 in [#8851](#8851) - **(task)** allow passing arguments to task dependencies via {{usage.*}} templates by @jdx in [#8893](#8893) - add options field to BackendListVersionsCtx by @esteve in [#8875](#8875) ### 🐛 Bug Fixes - **(backend)** filter PEP 440 .dev versions in fuzzy version matching by @richardthe3rd in [#8849](#8849) - **(ci)** update COPR BuildRequires rust version to match MSRV 1.88 by @jdx in [#8911](#8911) - **(ci)** add Ruby build dependencies to e2e Docker image by @jdx in [#8910](#8910) - **(ci)** add missing build dependencies to e2e Docker image by @jdx in [#8912](#8912) - **(ci)** add missing build dependencies to e2e Docker image by @jdx in [#8914](#8914) - **(ci)** use Node 24 LTS for corepack e2e test by @jdx in [#8915](#8915) - **(ci)** add libxml2 and pkg-config to e2e Docker image by @jdx in [#8917](#8917) - **(ci)** add libxml2-dev to e2e image and disable Swift SPM tests by @jdx in [#8918](#8918) - **(docs)** use sans-serif font for badges by @jdx in [#8887](#8887) - **(env)** parse --env=VALUE and -E=VALUE flag forms correctly by @jdx in [#8889](#8889) - **(exec)** use i64::from() for seccomp syscall numbers to survive autofix by @jdx in [#8882](#8882) - **(github)** preserve tool options like filter_bins when version specified via CLI by @jdx in [#8888](#8888) - **(github)** use alias-specific options when tool_alias has its own config by @jdx in [#8892](#8892) - **(install)** add locked_verify_provenance setting and detect github attestations at lock time by @jdx in [#8901](#8901) - **(lock)** prune stale version entries during filtered `mise lock <tool>` runs by @altendky in [#8599](#8599) - **(python)** use lockfile URL for precompiled installs by @hehaoqian in [#8750](#8750) - **(release)** verify all build targets succeed before releasing by @jdx in [#8886](#8886) - **(ruby)** support build revisions for precompiled binaries in mise.lock by @jdx in [#8900](#8900) - **(swift)** fall back to Ubuntu 24.04 for unsupported Ubuntu versions by @jdx in [#8916](#8916) - **(zsh)** avoid duplicate trust warning after cd by @timothysparg in [#8898](#8898) - update flake.lock and add fix for rust-bindgen to default.nix by @esteve in [#8874](#8874) - when direnv diff is empty, do not try to parse it by @yaleman in [#8857](#8857) - skip trust check for plain .tool-versions in task list by @dportalesr in [#8876](#8876) ### 🚜 Refactor - **(go)** rename go_* settings to go.* namespace by @jdbruijn in [#8598](#8598) ### 📚 Documentation - **(tasks)** clarify task_config.includes behavior by @risu729 in [#8905](#8905) ### 🧪 Testing - **(ci)** run e2e tests inside Docker containers by @jdx in [#8899](#8899) ### 📦️ Dependency Updates - bump ubi from 0.8 to 0.9 by @jdx in [#8906](#8906) - bump zip from 3 to 8 by @jdx in [#8908](#8908) - update lockfile deps (hold back rattler) by @jdx in [#8909](#8909) - update bun.lock by @jdx in [#8913](#8913) ### 📦 Registry - add turso ([github:tursodatabase/turso-cli](https://github.com/tursodatabase/turso-cli)) by @kenn in [#8884](#8884) - remove carp test by @jdx in [#8894](#8894) ### Chore - **(ci)** add workflow to warn PRs modifying vendored aqua-registry by @jdx in [#8897](#8897) - **(ci)** use github.token for draft conversion in auto-draft workflow by @jdx in [#8903](#8903) - remove deprecated settings older than 12 months by @jdx in [#8904](#8904) ### New Contributors - @dportalesr made their first contribution in [#8876](#8876) - @timothysparg made their first contribution in [#8898](#8898) - @hehaoqian made their first contribution in [#8750](#8750) - @jdbruijn made their first contribution in [#8598](#8598) - @cprecioso made their first contribution in [#8776](#8776) - @yaleman made their first contribution in [#8857](#8857) - @kenn made their first contribution in [#8884](#8884) - @fragon10 made their first contribution in [#8524](#8524) ## 📦 Aqua Registry Updates #### New Packages (6) - [`ahkohd/oyo`](https://github.com/ahkohd/oyo) - [`bellicose100xp/jiq`](https://github.com/bellicose100xp/jiq) - [`kurama/dealve-tui`](https://github.com/kurama/dealve-tui) - [`micahkepe/jsongrep`](https://github.com/micahkepe/jsongrep) - [`textfuel/lazyjira`](https://github.com/textfuel/lazyjira) - [`ubugeeei/vize`](https://github.com/ubugeeei/vize) #### Updated Packages (1) - [`sigstore/cosign`](https://github.com/sigstore/cosign)
When installing precompiled Python,
install_precompiledwould always recompute the download URL from the remote version index, ignoring any URL already recorded inmise.lock. This broke reproducibility for locked installs.Now checks
lock_platformsfor an existing URL before fetching remote versions. If found, uses it directly.Fixes #8749