fix: skip trust check for plain .tool-versions in task list #8876
Greptile Summary
This PR fixes a false-positive trust error for plain
Confidence Score: 5/5
Safe to merge — the fix is minimal, logically correct, and consistent with how the rest of the codebase handles .tool-versions files. All remaining findings are P2 or lower. The implementation correctly skips all .tool-versions files from the task-trust check since they can never contain task definitions. The E2E test covers the basic regression case.
e2e/tasks/test_tool_versions_trust — the test exercises mise task ls rather than mise run , which means it doesn't directly call err_no_task (the modified function). This is a minor coverage gap but does not block merge.
Important Files Changed
Flowchart
```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[mise run task-name] --> B[get_task_lists]
    B --> C{task found?}
    C -- yes --> D[Execute task]
    C -- no --> E[err_no_task]
    E --> F{tasks empty?}
    F -- no --> G[Return task-not-found error]
    F -- yes --> H[config_files_in_dir]
    H --> I{is_tool_versions_file?}
    I -- yes --> J[Skip — .tool-versions cannot define tasks]
    I -- no --> K{is_trusted?}
    K -- yes --> L[Skip trusted file]
    K -- no --> M[Collect as untrusted]
    M --> N{any untrusted?}
    N -- yes --> O[bail: Config files not trusted]
    N -- no --> P[Continue with other diagnostics]
```
Reviews (8): Last reviewed commit: "[autofix.ci] apply automated fixes" | Re-trigger Greptile |
Code Review
This pull request updates the task resolution logic to ignore .tool-versions files when checking for untrusted configuration files, as these files are declarative and cannot define tasks. The reviewer suggests simplifying this logic by skipping all .tool-versions files based on the filename alone, rather than reading file contents to check for template syntax, and recommends reusing existing helper functions to avoid code duplication.
| for syscall in [libc::SYS_socket, libc::SYS_socketpair] { | ||
| rules.insert( | ||
| syscall as i64, | ||
| syscall, |
|
The extra file read to check for template syntax is wasteful.

This comment was generated by Claude Code.
a6186a1 to 44c8b6a
PR Review: fix: skip trust check for .tool-versions in task list
Verdict: Approve (confidence 5/5) — Safe to merge.
Summary
Fixes a regression from #8675 where .tool-versions files incorrectly triggered a trust error in mise run. The fix filters out .tool-versions files (using the configurable MISE_DEFAULT_TOOL_VERSIONS_FILENAME) from the untrusted-config check in err_no_task, since these files cannot define tasks regardless of content. A new assert_fail_not_contains helper and an e2e test covering both plain and template-syntax .tool-versions files are included.
File Analysis
| File | Confidence | Summary |
|---|---|---|
| src/task/task_list.rs | 5/5 | Adds filename filter to skip .tool-versions files (via MISE_DEFAULT_TOOL_VERSIONS_FILENAME) in the untrusted-config check inside err_no_task |
| e2e/tasks/test_tool_versions_trust | 5/5 | New e2e test verifying .tool-versions files never trigger trust errors in the task runner, for both plain and template-syntax variants |
| e2e/assert.sh | 5/5 | Adds assert_fail_not_contains helper, mirroring the existing assert_fail_contains pattern |
Logic Flow
The err_no_task function now filters config files before checking trust:
- `mise run nonexistent` → task not found → task list empty?
- If yes → check cwd config files → filter out any file named `MISE_DEFAULT_TOOL_VERSIONS_FILENAME` (can't define tasks)
- Remaining files → `is_trusted` check → if untrusted → bail with 'not trusted' error
Key Observations
- Implementation correctly uses `MISE_DEFAULT_TOOL_VERSIONS_FILENAME` (not a hardcoded `".tool-versions"` string), which respects the env var override — consistent with how the rest of the codebase handles this configurable filename.
- All `.tool-versions` files are skipped, not just plain ones. This is semantically correct: `.tool-versions` files cannot define tasks regardless of content, so they should never block the task runner with a trust error.
- Test coverage is solid — `e2e/tasks/test_tool_versions_trust` covers both the plain and template cases using `MISE_PARANOID=1 MISE_YES=0`, which bypasses the CI trust shortcut and exercises the real trust logic.
- No P0 or P1 issues found. The fix is minimal, correct, and well-tested.
Safety Assessment
Safe to merge — the fix is minimal, correct, and tested.
This comment was generated by Claude Code.
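The filename-based skip from the Logic Flow above, as an added Rust sketch; it is not code from this PR or from mise. The signatures, the `HashSet` standing in for the trust store, and the sample paths are assumptions; only the names `is_tool_versions_file`, `is_trusted` and `MISE_DEFAULT_TOOL_VERSIONS_FILENAME` appear on the page.

```rust
use std::collections::HashSet;
use std::ffi::OsStr;
use std::path::{Path, PathBuf};

// Assumption: models the MISE_DEFAULT_TOOL_VERSIONS_FILENAME override the
// review mentions; an unset or empty value falls back to ".tool-versions".
fn tool_versions_filename(env_override: Option<&str>) -> String {
    env_override.filter(|s| !s.is_empty()).unwrap_or(".tool-versions").to_string()
}

// True only when the final path component equals the configured name.
// Comparing the component rather than a string suffix keeps files such as
// "notes.tool-versions" or ".tool-versions/mise.toml" inside the trust check.
fn is_tool_versions_file(path: &Path, name: &str) -> bool {
    path.file_name() == Some(OsStr::new(name))
}

// Files that should raise "not trusted" when no task was found: untrusted
// config files that are able to define tasks. No file contents are read.
fn untrusted_task_configs(
    files: &[PathBuf],
    trusted: &HashSet<PathBuf>, // hypothetical stand-in for is_trusted()
    tv_name: &str,
) -> Vec<PathBuf> {
    files
        .iter()
        .filter(|p| !is_tool_versions_file(p, tv_name)) // cannot define tasks
        .filter(|p| !trusted.contains(*p))
        .cloned()
        .collect()
}

fn main() {
    // Constructed sample: config files found in one project directory.
    let files: Vec<PathBuf> = ["/proj/.tool-versions", "/proj/mise.toml"]
        .iter()
        .map(PathBuf::from)
        .collect();
    let trusted = HashSet::new();
    let name = tool_versions_filename(None);
    for p in untrusted_task_configs(&files, &trusted, &name) {
        println!("not trusted: {}", p.display());
    }
}
```

This models only the diagnostic path in `err_no_task`; the trust gating that #8675 added for templated `.tool-versions` files at parse time is a separate check and is not represented here.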
2360c2f to 53dfb86
PR jdx#8675 added trust checks for .tool-versions files containing Tera templates, but the error path in task_list.rs still checks trust on all config files regardless of type or content. This causes plain .tool-versions files (no templates) to trigger trust errors. Skip trust verification for .tool-versions files that don't contain template syntax ({{, {%, {#}), consistent with the parsing logic.
5bdc3f7 to 92e8942
92e8942 to a5dc4c4
jdx left a comment

A couple suggestions:
- The test uses `ruby 3.3.3` in `.tool-versions`, but `mise run nonexistent` will try to install ruby before failing — that'll be very slow in CI. Other e2e tests use `tiny 3.1.0` or `dummy 1` as lightweight stand-ins.
- Rather than asserting on a failing command (`assert_fail_not_contains "mise run nonexistent" "not trusted"`), it might be cleaner to use a command that loads config but doesn't require a task, like `mise ls` or `mise task ls`, and check its output doesn't contain "not trusted". That avoids the indirection of a deliberately-failing command.

Something like:
```bash
echo "tiny 3.1.0" >.tool-versions
assert_not_contains "MISE_YES=0 mise task ls" "not trusted"
```

This comment was generated by Claude Code.
.tool-versions files can't define tasks regardless of content, so skip them by filename instead of reading the file to check for templates. Add assert_fail_not_contains helper and e2e test coverage.
a5dc4c4 to f0fba22
### 🚀 Features

- **(ci)** auto-convert external PRs to draft mode by @jdx in [#8896](#8896)
- **(deps)** add `depends` field for user-specified tool dependencies by @cprecioso in [#8776](#8776)
- **(dotnet)** support runtime-only installs by @fragon10 in [#8524](#8524)
- **(npm)** apply install_before to transitive dependencies by @risu729 in [#8851](#8851)
- **(task)** allow passing arguments to task dependencies via {{usage.*}} templates by @jdx in [#8893](#8893)
- add options field to BackendListVersionsCtx by @esteve in [#8875](#8875)

### 🐛 Bug Fixes

- **(backend)** filter PEP 440 .dev versions in fuzzy version matching by @richardthe3rd in [#8849](#8849)
- **(ci)** update COPR BuildRequires rust version to match MSRV 1.88 by @jdx in [#8911](#8911)
- **(ci)** add Ruby build dependencies to e2e Docker image by @jdx in [#8910](#8910)
- **(ci)** add missing build dependencies to e2e Docker image by @jdx in [#8912](#8912)
- **(ci)** add missing build dependencies to e2e Docker image by @jdx in [#8914](#8914)
- **(ci)** use Node 24 LTS for corepack e2e test by @jdx in [#8915](#8915)
- **(ci)** add libxml2 and pkg-config to e2e Docker image by @jdx in [#8917](#8917)
- **(ci)** add libxml2-dev to e2e image and disable Swift SPM tests by @jdx in [#8918](#8918)
- **(docs)** use sans-serif font for badges by @jdx in [#8887](#8887)
- **(env)** parse --env=VALUE and -E=VALUE flag forms correctly by @jdx in [#8889](#8889)
- **(exec)** use i64::from() for seccomp syscall numbers to survive autofix by @jdx in [#8882](#8882)
- **(github)** preserve tool options like filter_bins when version specified via CLI by @jdx in [#8888](#8888)
- **(github)** use alias-specific options when tool_alias has its own config by @jdx in [#8892](#8892)
- **(install)** add locked_verify_provenance setting and detect github attestations at lock time by @jdx in [#8901](#8901)
- **(lock)** prune stale version entries during filtered `mise lock <tool>` runs by @altendky in [#8599](#8599)
- **(python)** use lockfile URL for precompiled installs by @hehaoqian in [#8750](#8750)
- **(release)** verify all build targets succeed before releasing by @jdx in [#8886](#8886)
- **(ruby)** support build revisions for precompiled binaries in mise.lock by @jdx in [#8900](#8900)
- **(swift)** fall back to Ubuntu 24.04 for unsupported Ubuntu versions by @jdx in [#8916](#8916)
- **(zsh)** avoid duplicate trust warning after cd by @timothysparg in [#8898](#8898)
- update flake.lock and add fix for rust-bindgen to default.nix by @esteve in [#8874](#8874)
- when direnv diff is empty, do not try to parse it by @yaleman in [#8857](#8857)
- skip trust check for plain .tool-versions in task list by @dportalesr in [#8876](#8876)

### 🚜 Refactor

- **(go)** rename go_* settings to go.* namespace by @jdbruijn in [#8598](#8598)

### 📚 Documentation

- **(tasks)** clarify task_config.includes behavior by @risu729 in [#8905](#8905)

### 🧪 Testing

- **(ci)** run e2e tests inside Docker containers by @jdx in [#8899](#8899)

### 📦️ Dependency Updates

- bump ubi from 0.8 to 0.9 by @jdx in [#8906](#8906)
- bump zip from 3 to 8 by @jdx in [#8908](#8908)
- update lockfile deps (hold back rattler) by @jdx in [#8909](#8909)
- update bun.lock by @jdx in [#8913](#8913)

### 📦 Registry

- add turso ([github:tursodatabase/turso-cli](https://github.com/tursodatabase/turso-cli)) by @kenn in [#8884](#8884)
- remove carp test by @jdx in [#8894](#8894)

### Chore

- **(ci)** add workflow to warn PRs modifying vendored aqua-registry by @jdx in [#8897](#8897)
- **(ci)** use github.token for draft conversion in auto-draft workflow by @jdx in [#8903](#8903)
- remove deprecated settings older than 12 months by @jdx in [#8904](#8904)

### New Contributors

- @dportalesr made their first contribution in [#8876](#8876)
- @timothysparg made their first contribution in [#8898](#8898)
- @hehaoqian made their first contribution in [#8750](#8750)
- @jdbruijn made their first contribution in [#8598](#8598)
- @cprecioso made their first contribution in [#8776](#8776)
- @yaleman made their first contribution in [#8857](#8857)
- @kenn made their first contribution in [#8884](#8884)
- @fragon10 made their first contribution in [#8524](#8524)

## 📦 Aqua Registry Updates

#### New Packages (6)

- [`ahkohd/oyo`](https://github.com/ahkohd/oyo)
- [`bellicose100xp/jiq`](https://github.com/bellicose100xp/jiq)
- [`kurama/dealve-tui`](https://github.com/kurama/dealve-tui)
- [`micahkepe/jsongrep`](https://github.com/micahkepe/jsongrep)
- [`textfuel/lazyjira`](https://github.com/textfuel/lazyjira)
- [`ubugeeei/vize`](https://github.com/ubugeeei/vize)

#### Updated Packages (1)

- [`sigstore/cosign`](https://github.com/sigstore/cosign)
Summary

PR #8675 added trust gating for `.tool-versions` files containing Tera template syntax, but `task_list.rs` still calls `is_trusted()` on all config files when checking for untrusted configs. This causes plain `.tool-versions` files (just tool names and versions, no templates) to trigger trust errors like:

This skips the trust check for `.tool-versions` files that don't contain template syntax (`{{`, `{%`, `{#`), consistent with the parsing logic added in #8675.

Changes

- `src/task/task_list.rs`: Added `is_plain_tool_versions()` helper that checks if a path is a `.tool-versions` file without Tera template markers. The `err_no_task` trust check now skips these files since they can't define tasks or execute code.

Test plan

- `.tool-versions` (e.g. `ruby 3.3.3\nnodejs 14.21.3`) no longer triggers trust error
- `.tool-versions` with template syntax (e.g. `nodejs {{ exec("echo 20") }}`) still requires trust
- `mise.toml` trust behavior unchanged