chore: reduce test.yml flake — pin mise tools, skip cargo-cooldown on CI #498
Replace `latest` with exact versions for lefthook, cocogitto, bun, bat, and cargo:cargo-cooldown — each pin matches the corresponding entry in mise.lock today, so this is a zero-behavior-change tightening.
The win is removing per-install version-resolution lookups against backend registries (aqua, cargo). Even when mise-action's cache HITs on the installs directory, mise still has to resolve `latest` against the registry to decide whether the cached version is current, which is a network round-trip on every CI run and a flake surface in its own right.
`neovim` stays at `stable` — the vfox:mise-plugins/vfox-neovim backend does not record concrete versions in mise.lock, so there's no value to substitute. Documented inline.
The weekly mise-tool-updates.yml workflow runs `mise upgrade` which respects minimum_release_age=7d and will keep these pins current, opening an auto-PR with both mise.toml and mise.lock bumps.
Refs #484
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The lint job currently spends ~2 min on a cold-cache build of cargo-cooldown (~125 transitive crates from crates.io). That cold path is the actual flake surface — once installs/ is cached, the tool is free, but the build runs on every cache invalidation and on workflow matrix breadth changes.
The policy cargo-cooldown enforces locally — refusing to consume package versions younger than the cooldown.toml window — is already enforced at PR boundary by scripts/check-lockfile-age.sh, which the dep-age-check job runs against Cargo.lock and bun.lock. cargo-cooldown itself wraps `cargo build|check|test|run|update`, which CI doesn't exercise interactively. The CI install therefore covers nothing that the lockfile-age check doesn't already cover.
Setting MISE_DISABLE_TOOLS at the job level (not the step) is deliberate: later steps run `mise run clippy` and `mise run test:unit`, and we want the disable consistent across every mise invocation in the job. Job-level scope keeps the contract uniform.
mise.toml continues to pin cargo:cargo-cooldown = "0.3.0" so local devs still get the supply-chain wrap on `cargo build|check|test|run|update`.
Refs #484
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
/claude review
Claude finished @avihut's task in 1m 27s
Review
Both changes are correct and well-reasoned. No blocking issues. A few observations below.
| Tool | Pinned | Lock |
|---|---|---|
| lefthook | 2.1.6 | 2.1.6 ✓ |
| cocogitto | 7.0.0 | 7.0.0 ✓ |
| bun | 1.3.13 | 1.3.13 ✓ |
| bat | 0.26.1 | 0.26.1 ✓ |
| cargo:cargo-cooldown | 0.3.0 | 0.3.0 ✓ |
neovim correctly stays at "stable" — mise.lock confirms the vfox backend records no concrete version or checksum for it (just a URL pointing to the stable tag). The inline comment explains the limitation accurately.
Minor: rust = "1.93" in mise.toml while mise.lock resolves it to "1.93.1". Pre-existing inconsistency, not introduced here, but a candidate for a follow-up pin (or leave it — patch pinning Rust is rarely meaningful).
test.yml — MISE_DISABLE_TOOLS on lint job
The implementation is correct:
- `cargo:` backend prefix is required — bare `cargo-cooldown` silently no-ops in mise, as the comment notes. This is the one failure mode worth watching (V3 in the test plan).
- Job-level scope is right — both `mise run clippy` (line 160) and `mise run test:unit` (line 163) invoke mise, so step-level on one would be inconsistent.
- Other jobs unaffected correctly — `msrv-check`, `windows-check`, `xtask-test`, and `build` don't use `jdx/mise-action` at all; `integration-tests` downloads a pre-built artifact. No stray cargo-cooldown installs to worry about.
Minor nit: The test.yml comment is 9 lines. For a CI workflow this length is understandable (non-obvious env var, silent failure mode), but it's on the verbose side given the PR description captures the same rationale permanently.
Supply-chain / dep-age compliance
Pinning to existing mise.lock values satisfies minimum_release_age = "7d" automatically — no new version resolution required, no allowlist entries needed.
Scope confirmation
bench.yml and mise-tool-updates.yml intentionally excluded — consistent with the stated scope. scripts/check-lockfile-age.sh covers the policy at PR boundary regardless.
Verdict: LGTM. The two changes are independent, narrowly scoped, and eliminate real flake surfaces without behavioral regression. V3 (CI log should not list cargo:cargo-cooldown as an install target) is the key thing to confirm on this PR's run.
Summary
Two changes from #484 that reduce `test.yml`'s flake surface. The third ticket-suggested change (explicit `actions/cache@v4` step) is intentionally deferred — `jdx/mise-action@v4` already caches `~/.local/share/mise` keyed on `mise.toml` + `mise.lock`, verified on run 25909874748 (`cache restored from key: mise-v1-linux-x64-69f084f...`, install completed in ~3s). The cache amplifier diagnosis in the ticket body was wrong; ship the two changes that do still help and gate the explicit cache step behind post-merge observation (V4 below).
Commit 1 — `chore(mise): pin tool versions to lockfile values`
Replace `latest` with exact `mise.lock` values for `lefthook`, `cocogitto`, `bun`, `bat`, and `cargo:cargo-cooldown`. Zero-behavior-change tightening — each pin matches what these tools resolve to today. The win is removing per-install version-resolution lookups against backend registries (aqua, cargo); those round-trips happen even on cache HIT and are a flake surface of their own.
`neovim` intentionally stays at `"stable"` — the `vfox:mise-plugins/vfox-neovim` backend does not record concrete versions in `mise.lock`, so there's nothing valid to substitute. Inline comment explains.
Weekly `mise-tool-updates.yml` runs `mise upgrade` (respects `minimum_release_age = "7d"`) and will keep these current, auto-opening PRs that update `mise.toml` + `mise.lock` together.
Commit 2 — `ci(test): skip cargo-cooldown install in lint job`
Set `MISE_DISABLE_TOOLS: cargo:cargo-cooldown` at the `lint` job level in `test.yml`. Removes a ~2 min from-source cargo build (~125 transitive crates from crates.io) on every cold-cache run — the exact flake surface the cocogitto-style CDN 5xx came through.
`scripts/check-lockfile-age.sh` already enforces the same supply-chain cooldown policy at PR boundary on `Cargo.lock` and `bun.lock`. The `cargo-cooldown` tool wraps `cargo build|check|test|run|update`, which CI doesn't exercise interactively, so the CI install covers nothing `scripts/check-lockfile-age.sh` doesn't. Local devs still get the wrap — `mise.toml` keeps the pin.
Job-level scope (not step-level) is deliberate: subsequent `mise run clippy` and `mise run test:unit` steps need the same disable to stay consistent.
Verification
- `lint` jobs inspected for `Restoring mise cache` outcome. Run 25909874748 confirmed cache HIT.
- `mise run clippy`, `mise run test:unit`, `mise run fmt:check` all pass locally. CI on this PR will confirm `Install mise` log no longer shows `latest` for the 5 pinned tools.
- `cargo:cargo-cooldown` skip works on CI: this PR's `lint` job log should not list `cargo:cargo-cooldown` in the mise install tool-list. (Backend-prefix matching is required — bare names silently no-op.)
- touch `mise.toml`/`mise.lock`. Pass if ≥4/5 show `cache restored from key:` and `Install mise` finishes in <5s. If <4/5, open a follow-up to add the explicit `actions/cache@v4` step.
- `mise-tool-updates.yml`: next daily `mise upgrade` run should auto-PR pinned-version bumps (not `latest` reverts).
Test plan
- `Install mise` log shows `lefthook 2.1.6`, `cocogitto 7.0.0`, `bun 1.3.13`, `bat 0.26.1`, `cargo:cargo-cooldown 0.3.0` resolved (not `latest`)
- `Install mise` log does not list `cargo:cargo-cooldown` as an install target
- `lint` job wall-clock vs pre-merge baseline
- `unset MISE_DISABLE_TOOLS; mise install --dry-run` still lists `cargo:cargo-cooldown` (local dev unaffected)
Pitfalls noted
- `MISE_DISABLE_TOOLS` value must include the `cargo:` backend prefix. Bare `cargo-cooldown` silently no-ops; V3 will catch.
- `lint` run post-merge incurs one cold cache miss because `mise.toml` content changes the file-hash key segment.
- `test.yml`. `bench.yml` and `mise-tool-updates.yml` also use `mise-action` but were left alone to match ticket scope — separate ticket if their flake matters.
Fixes #484
🤖 Generated with Claude Code