[pull] main from jdx:main #115
Merged
pull[bot] merged 2 commits into AmadeusITGroup:main from Feb 10, 2026
This fixes the following issue with github:docker/buildx@0.31.1:

```
DEBUG No GitHub attestations found for github:docker/buildx@0.31.1, trying SLSA
INFO github:docker/buildx@0.31.1 [2/3] verify SLSA provenance
INFO github:docker/buildx@0.31.1 [2/3] download buildx-v0.31.1.linux-amd64.provenance.json
DEBUG GET Downloading https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json to /mise/downloads/github-docker-buildx/0.31.1/buildx-v0.31.1.linux-amd64.provenance.json
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json
DEBUG reuse idle connection for ("https", github.com)
DEBUG pooling idle connection for ("https", github.com)
DEBUG reuse idle connection for ("https", release-assets.githubusercontent.com)
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json 200 OK
DEBUG pooling idle connection for ("https", release-assets.githubusercontent.com)
INFO github:docker/buildx@0.31.1 [2/3] verify SLSA provenance
Error:
   0: Failed to install github:docker/buildx@0.31: SLSA verification error for github:docker/buildx@0.31.1: Verification failed: File does not contain valid attestations or SLSA provenance

Location:
   src/toolset/toolset_install.rs:230

Version:
   2026.2.9 linux-x64 (2026-02-10)
```

Before this fix:

1. `verify_slsa_provenance()` is called with the buildx raw provenance file
2. The sigstore crate can't parse it as a sigstore bundle/DSSE envelope — it's just a raw in-toto statement with no signatures
3. Returns `AttestationError::Verification("File does not contain valid attestations or SLSA provenance")`
4. The old code at line 1261 mapped this to `Err(VerificationStatus::Error(e.to_string()))` which becomes "Verification failed: File does not contain valid attestations or SLSA provenance"
5. That propagated to line 1112: "SLSA verification error for github:docker/buildx@0.31.1: Verification failed: File does not contain valid attestations or SLSA provenance" — the exact error in error.txt

After this fix:

1. Same as above — `AttestationError::Verification("File does not contain valid attestations or SLSA provenance")`
2. `is_slsa_format_issue()` checks `msg.contains("does not contain valid attestations")` → matches
3. Returns `Err(VerificationStatus::NoAttestations)` instead, which is the graceful fallback path (installation proceeds without provenance verification)

The buildx provenance file confirms why — it's a raw BuildKit in-toto Statement (v0.1) with SLSA v1 provenance predicate, but has no sigstore signatures, no DSSE envelope, no certificates. It's provenance metadata, not a cryptographically signed attestation bundle.

Some provenance files (e.g., BuildKit raw provenance) exist but aren't in a sigstore-verifiable format.

After this fix:

```
COLORBT_SHOW_HIDDEN=1 RUST_BACKTRACE=1 mise use github:docker/buildx@0.31.1 --verbose
DEBUG ARGS: mise use github:docker/buildx@0.31.1 --verbose
DEBUG [vfox] Getting metadata for yarn
DEBUG config: /mise/config.toml
DEBUG [vfox] Getting metadata for yarn
DEBUG GET https://api.github.com/repos/docker/buildx/releases
DEBUG starting new connection: https://api.github.com/
DEBUG connecting to 20.26.156.210:443
DEBUG connected to 20.26.156.210:443
DEBUG GET https://api.github.com/repos/docker/buildx/releases 200 OK
DEBUG pooling idle connection for ("https", api.github.com)
INFO github:docker/buildx@0.31.1 [1/3] install
DEBUG GET https://api.github.com/repos/docker/buildx/releases/tags/v0.31.1
DEBUG reuse idle connection for ("https", api.github.com)
DEBUG GET https://api.github.com/repos/docker/buildx/releases/tags/v0.31.1 200 OK
DEBUG pooling idle connection for ("https", api.github.com)
DEBUG using GitHub API digest for checksum verification
DEBUG HEAD https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64
DEBUG starting new connection: https://github.com/
DEBUG connecting to 20.26.156.215:443
DEBUG connected to 20.26.156.215:443
DEBUG pooling idle connection for ("https", github.com)
DEBUG starting new connection: https://release-assets.githubusercontent.com/
DEBUG connecting to 185.199.111.133:443
DEBUG connected to 185.199.111.133:443
DEBUG pooling idle connection for ("https", release-assets.githubusercontent.com)
DEBUG HEAD https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64 200 OK
INFO github:docker/buildx@0.31.1 [1/3] download buildx-v0.31.1.linux-amd64
DEBUG GET Downloading https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64 to /mise/downloads/github-docker-buildx/0.31.1/buildx-v0.31.1.linux-amd64
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64
DEBUG reuse idle connection for ("https", github.com)
DEBUG pooling idle connection for ("https", github.com)
DEBUG reuse idle connection for ("https", release-assets.githubusercontent.com)
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64 200 OK
DEBUG pooling idle connection for ("https", release-assets.githubusercontent.com)
INFO github:docker/buildx@0.31.1 [2/3] checksum buildx-v0.31.1.linux-amd64
INFO github:docker/buildx@0.31.1 [2/3] verify GitHub attestations
DEBUG starting new connection: https://api.github.com/
DEBUG connecting to 20.26.156.210:443
DEBUG connected to 20.26.156.210:443
DEBUG pooling idle connection for ("https", api.github.com)
DEBUG No GitHub attestations found for github:docker/buildx@0.31.1, trying SLSA
INFO github:docker/buildx@0.31.1 [2/3] verify SLSA provenance
INFO github:docker/buildx@0.31.1 [2/3] download buildx-v0.31.1.linux-amd64.provenance.json
DEBUG GET Downloading https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json to /mise/downloads/github-docker-buildx/0.31.1/buildx-v0.31.1.linux-amd64.provenance.json
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json
DEBUG reuse idle connection for ("https", github.com)
DEBUG pooling idle connection for ("https", github.com)
DEBUG reuse idle connection for ("https", release-assets.githubusercontent.com)
DEBUG GET https://github.com/docker/buildx/releases/download/v0.31.1/buildx-v0.31.1.linux-amd64.provenance.json 200 OK
DEBUG pooling idle connection for ("https", release-assets.githubusercontent.com)
INFO github:docker/buildx@0.31.1 [2/3] verify SLSA provenance
DEBUG SLSA provenance file not in verifiable format for github:docker/buildx@0.31.1: Verification failed: File does not contain valid attestations or SLSA provenance
DEBUG No SLSA provenance found for github:docker/buildx@0.31.1
INFO github:docker/buildx@0.31.1 ✓ installed
DEBUG [vfox] Getting metadata for yarn
DEBUG config: /mise/config.toml
DEBUG [github:docker/buildx@0.31.1] list_bin_paths: ["/mise/installs/github-docker-buildx/0.31.1"]
DEBUG [vfox] Getting metadata for yarn
DEBUG [vfox] Getting metadata for yarn
DEBUG config: /mise/mise.toml
DEBUG config: /mise/config.toml
DEBUG updating 1 lockfiles
```

---

Resolves:

- #8093

Signed-off-by: Gerhard Lazu <gerhardlazu@loopholelabs.io>
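The commit message above separates a raw in-toto Statement from a signed DSSE envelope or sigstore bundle by matching on an error string. As an added example (not code from mise or from this pull request), the same distinction can be made structurally from the JSON shape, so that only an unsigned raw statement falls back to an unverified install while a signed but broken file still fails. The function names, the `require_provenance` switch and the sample documents are assumptions made for this sketch.

```python
import base64
import json

def classify_provenance(text):
    """Return (kind, signed) for the JSON text of a provenance file."""
    try:
        doc = json.loads(text)
    except ValueError:
        return ("not-json", False)
    if not isinstance(doc, dict):
        return ("unknown", False)
    # Sigstore bundle: verification material plus an envelope or signature.
    if "verificationMaterial" in doc and (
            "dsseEnvelope" in doc or "messageSignature" in doc):
        return ("sigstore-bundle", True)
    # DSSE envelope: base64 payload that must carry at least one signature.
    if all(k in doc for k in ("payload", "payloadType", "signatures")):
        sigs = doc["signatures"]
        signed = isinstance(sigs, list) and any(
            isinstance(s, dict) and bool(s.get("sig")) for s in sigs)
        return ("dsse-envelope", signed)
    # Raw in-toto Statement: provenance metadata with nothing to verify.
    if str(doc.get("_type", "")).startswith("https://in-toto.io/Statement/"):
        return ("raw-in-toto-statement", False)
    return ("unknown", False)

def install_decision(text, require_provenance=False):
    """Hypothetical policy: only an unsigned raw statement may be skipped."""
    kind, signed = classify_provenance(text)
    if signed:
        return "verify"  # pass to the signature verifier; a failure there is fatal
    if kind == "raw-in-toto-statement" and not require_provenance:
        return "skip-unverified"  # install proceeds, provenance NOT verified
    return "fail"

# Constructed samples, not the real buildx file.
RAW = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v1",
    "subject": [{"name": "example-binary", "digest": {"sha256": "00" * 32}}],
    "predicate": {},
})
DSSE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(RAW.encode()).decode(),
    "signatures": [{"keyid": "", "sig": "Y29uc3RydWN0ZWQ="}],
})
```

A result of `skip-unverified` means the artifact is covered only by the checksum step; teams that require provenance can set the hypothetical `require_provenance` switch so the same file is rejected instead.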
## Issue

On a clean setup, env modules backed by vfox can fail during config loading with:

`Plugin directory not found ...`

This happens because `[env]` module evaluation can run before the plugin directory exists.

## Fix

- Ensure plugin installation once in `EnvResults::module()` before invoking vfox hooks.
- Keep `module()` flow as:
  - `ensure_installed(...)`
  - `mise_env(...)`
  - `mise_path(...)`
- Remove ineffective per-instance install cache from `VfoxPlugin`:
  - dropped `env_module_ensured`
  - removed `ensure_installed_for_env_module` wrapper
- Simplify vfox hook methods:
  - `VfoxPlugin::mise_env()` / `mise_path()` no longer take `config`
  - no install side effects inside these methods
- Normalize new e2e file mode to repo convention (`100644`, non-executable).

## Why this approach

- Fixes clean-install failures by guaranteeing plugin availability before hook execution.
- Avoids duplicate install checks within one module resolution without introducing unnecessary caching state.
- Keeps hook methods focused on hook execution and moves orchestration to module resolution.

## Testing

- Added: `e2e/env/test_env_module_auto_install` (uses real plugin URL and exercises auto-install path).
- Verified with:
  - `mise run test:e2e e2e/env/test_env_module_auto_install`
  - `mise run lint`

---------

Co-authored-by: Cursor <cursoragent@cursor.com>
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )