chore(deps): update mise tools

[renovate]

This PR contains the following updates:

Package	Update	Change	Pending
act	patch	0.2.87 → 0.2.88
gh	minor	2.89.0 → 2.92.0
github:minamijoyo/hcledit	patch	0.2.17 → v0.2.18
trivy	minor	0.69.3 → 0.70.0
uv	patch	0.11.7 → 0.11.14	0.11.16 (+1)

---

Release Notes

nektos/act (act)

v0.2.88

Compare Source

Changelog

Other

• 48822e4 chore: bump VERSION to 0.2.88
• bd86152 build(deps): bump go.opentelemetry.io/otel/sdk from 1.40.0 to 1.43.0 (#​6070)

cli/cli (gh)

v2.92.0: GitHub CLI 2.92.0

Compare Source

Security

A security vulnerability has been identified, and fixed, that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed.

Users are advised to update gh to version v2.92.0 as soon as possible.

For more information see: GHSA-crc3-h8v6-qh57

Support GitHub Enterprise Cloud (GHEC) in skill commandset

Now gh skill subcommands (install, preview, publish, search, update) are able to work with GHEC hosts with data residency.

Add --allow-hidden-dirs flag to skill preview

Following the addition of --allow-hidden-dirs to skill install in the previous release, now the flag is also supported in skill preview, allowing users to preview skills located in hidden (dot-prefixed) directories such as .claude/skills/, .agents/skills/, and .github/skills/.

What's Changed

✨ Features

• feat(skills): add --allow-hidden-dirs flag to preview command by @​SamMorrowDrums in #​13265
• feat(skills): support GHEC with data residency hosts by @​SamMorrowDrums in #​13264

🐛 Fixes

• Fix SetSampleRate not updating sample_rate dimension by @​williammartin in #​13259
• Fix log terminal injection by @​williammartin in #​13272
• Add "Resource not accessible" to ProjectsV2IgnorableError by @​maxbeizer in #​13281

📚 Docs & Chores

• fix: using variable interpolation `${{ in deployment.yml... by @​orbisai0security in #​13258
• docs: correct typo in Linux Homebrew copy by @​cassidyjames in #​13273
• Install skills flat by Name, not namespaced InstallName by @​SamMorrowDrums in #​13266
• chore: fix zsh completion on debian by @​babakks in #​13274
• Add trust disclaimer to extension help text by @​travellertales in #​13296
• Bump Go to 1.26.2 by @​github-actions[bot] in #​13301

Dependencies

• chore(deps): bump github.com/mattn/go-isatty from 0.0.20 to 0.0.21 by @​dependabot[bot] in #​13161
• chore(deps): bump github.com/google/go-containerregistry from 0.21.4 to 0.21.5 by @​dependabot[bot] in #​13162
• chore(deps): bump charm.land/lipgloss/v2 from 2.0.2 to 2.0.3 by @​dependabot[bot] in #​13163
• chore(deps): bump charm.land/bubbletea/v2 from 2.0.2 to 2.0.6 by @​dependabot[bot] in #​13206
• chore(deps): bump github.com/gdamore/tcell/v2 from 2.13.8 to 2.13.9 by @​dependabot[bot] in #​13241
• chore(deps): bump github.com/mattn/go-isatty from 0.0.21 to 0.0.22 by @​dependabot[bot] in #​13298

New Contributors

• @​orbisai0security made their first contribution in #​13258
• @​cassidyjames made their first contribution in #​13273
• @​travellertales made their first contribution in #​13296

Full Changelog: cli/cli@v2.91.0...v2.92.0

v2.91.0: GitHub CLI 2.91.0

Compare Source

GitHub CLI now collects pseudonymous telemetry

To better understand how features are used in practice, especially as agentic adoption grows, GitHub CLI now sends pseudonymous telemetry.

See Telemetry for more details on what's collected, why, and how to opt out.

Support more agents in gh skill

Thanks to community feedback, gh now supports a large number of agent hosts. Run gh skill install --help for the list of available agents.

Improve skill discovery

gh skill install now adds the --allow-hidden-dirs flag to support discovering skills in hidden (dot-prefixed) directories such as .claude/skills/, .agents/skills/, and .github/skills/.

Detect skills re-published from other sources

GitHub CLI now detects if the skill to be installed is re-published from an upstream source and offers the option to install it from there. The --upstream flag is also added for non-interactive use cases.

What's Changed

✨ Features

• Add support for installation in multiple agent hosts in gh skills install by @​tommaso-moro in #​13209
• Add --allow-hidden-dirs flag to gh skill install by @​SamMorrowDrums in #​13213
• Make skill discovery less strict: support nested skills/ directories by @​SamMorrowDrums in #​13235
• feat(skills): detect re-published skills and offer upstream install by @​SamMorrowDrums in #​13236

🐛 Fixes

• Fix skills publish --fix to not publish by @​SamMorrowDrums in #​13237
• fix(skills): match skills by install name in preview command by @​SamMorrowDrums in #​13249

📚 Docs & Chores

• Remove misleading text by @​tommaso-moro in #​13203
• Add sampled command telemetry by @​williammartin in #​13191
• Do not send telemetry for aliases by @​williammartin in #​13192
• Add skills specific telemetry by @​williammartin in #​13204
• Record CI context in telemetry by @​williammartin in #​13210
• Record official extension telemetry by @​williammartin in #​13205
• Add telemetry command by @​williammartin in #​13253
• Log when there is no telemetry by @​williammartin in #​13255
• docs(skills): add gh and gh-skill agent skills by @​BagToad in #​13244
• Enable telemetry without env var by @​williammartin in #​13254

Full Changelog: cli/cli@v2.90.0...v2.91.0

v2.90.0: GitHub CLI 2.90.0

Compare Source

Manage agent skills with gh skill (Public Preview)

Agent skills are portable sets of instructions, scripts, and resources that teach AI coding agents how to perform specific tasks. The new gh skill command makes it easy to discover, install, manage, and publish agent skills from GitHub repositories - right from the CLI.

# Discover skills
gh skill search copilot

# Preview a skill without installing
gh skill preview github/awesome-copilot documentation-writer

# Install a skill
gh skill install github/awesome-copilot documentation-writer

# Pin to a specific version
gh skill install github/awesome-copilot documentation-writer --pin v1.2.0

# Check installed skills for updates
gh skill update --all

# Validate and publish your own skills
gh skill publish --dry-run

Skills are automatically installed to the correct directory for your agent host. gh skill supports GitHub Copilot, Claude Code, Cursor, Codex, Gemini CLI, and Antigravity. Target a specific agent and scope with --agent and --scope flags.

gh skill publish validates skills against the Agent Skills specification and checks remote settings like tag protection and immutable releases to improve supply chain security.

Read the full announcement on the GitHub Blog.

gh skill is launching in public preview and is subject to change without notice.

Official extension suggestions

When you run a command that matches a known official extension that isn't installed (e.g. gh stack), the CLI now offers to install it instead of showing a generic "unknown command" error.

This feature is available for github/gh-aw and github/gh-stack.

When possible, you'll be prompted to install immediately. When prompting isn't possible, the CLI prints the gh extension install command to run.

gh extension install no longer requires authentication

gh extension install previously required a valid auth token even though it only needs to download a public release asset. The auth check has been removed, so you can install extensions without being logged in.

What's Changed

✨ Features

• Add gh skill command group: install, preview, search, update, publish by @​SamMorrowDrums and @​tommaso-moro in #​13165
• Suggest and install official extensions for unknown commands by @​BagToad in #​13175
• gh skill publish: auto-push unpushed commits before publish by @​SamMorrowDrums in #​13171
• Disable auth check for gh extension install by @​BagToad in #​13176

🐛 Fixes

• Fix infinite loop in gh release list --limit 0 by @​Bahtya in #​13097
• Ensure api and auth commands record agentic invocations by @​williammartin in #​13046
• Disable auth check for local-only skill flags by @​SamMorrowDrums in #​13173
• URL-encode parentPath in skills discovery API call by @​SamMorrowDrums in #​13172
• Fix: use target directory remotes in skills publish by @​SamMorrowDrums in #​13169
• Fix: preserve namespace in skills search deduplication by @​SamMorrowDrums in #​13170

📚 Docs & Chores

• docs: include PGP key fingerprints by @​babakks in #​13112
• docs: add sha/md5 checksums of keyring files by @​babakks in #​13150
• docs: fix SHA512 checksum for GPG key by @​timsu92 in #​13157
• docs(skill): polish skill commandset docs by @​babakks in #​13183
• Document dependency CVE policy in SECURITY.md by @​BagToad in #​13119
• Replace github.com/golang/snappy with klauspost/compress/snappy by @​thaJeztah in #​13048
• chore: bump to go1.26.2 by @​babakks in #​13116
• chore: delete experimental script/debian-devel by @​babakks in #​13127
• Suggest first party extensions by @​williammartin in #​13182
• Add cli/skill-reviewers as CODEOWNERS for skills packages by @​BagToad in #​13189
• Add @​cli/code-reviewers to all CODEOWNERS rules by @​BagToad in #​13190
• Address post-merge review feedback for skills commands by @​SamMorrowDrums in #​13185
• Fix skills-publish-dry-run acceptance test error message mismatch by @​SamMorrowDrums in #​13187
• Skills: replace real git in publish tests with CommandStubber by @​SamMorrowDrums in #​13188
• Remove redundant nil-client fallback in skills publish by @​SamMorrowDrums in #​13168
• Publish: use shared discovery logic instead of requiring skills/ directory by @​SamMorrowDrums in #​13167

Dependencies

• chore(deps): bump github.com/klauspost/compress from 1.18.4 to 1.18.5 by @​dependabot[bot] in #​13071
• chore(deps): bump github.com/yuin/goldmark from 1.7.16 to 1.8.2 by @​dependabot[bot] in #​13045
• chore(deps): bump charm.land/bubbles/v2 from 2.0.0 to 2.1.0 by @​dependabot[bot] in #​13051
• chore(deps): bump github.com/sigstore/timestamp-authority/v2 from 2.0.3 to 2.0.6 by @​dependabot[bot] in #​13152
• chore(deps): bump github.com/google/go-containerregistry from 0.21.3 to 0.21.4 by @​dependabot[bot] in #​13129
• chore(deps): bump github.com/sigstore/protobuf-specs from 0.5.0 to 0.5.1 by @​dependabot[bot] in #​13128
• chore(deps): bump github.com/in-toto/attestation from 1.1.2 to 1.2.0 by @​dependabot[bot] in #​13044
• chore(deps): bump advanced-security/filter-sarif from 1.0.1 to 1.1 by @​dependabot[bot] in #​12918
• chore(deps): bump google.golang.org/grpc from 1.79.3 to 1.80.0 by @​dependabot[bot] in #​13076
• chore(deps): bump github.com/hashicorp/go-version from 1.8.0 to 1.9.0 by @​dependabot[bot] in #​13065

New Contributors

• @​thaJeztah made their first contribution in #​13048
• @​Bahtya made their first contribution in #​13097
• @​timsu92 made their first contribution in #​13157
• @​SamMorrowDrums made their first contribution in #​13173
• @​tommaso-moro made their first contribution in #​13165

Full Changelog: cli/cli@v2.89.0...v2.90.0

minamijoyo/hcledit (github:minamijoyo/hcledit)

v0.2.18

Compare Source

Changelog

• a341d32 Bump version to v0.2.18
• 3fef86c Update goreleaser-action to v7
• e1d1a99 Update create-github-app-token to v3
• 3bebe9d Update actions/checkout to v6
• cecc21f Fix lint issues
• 732da81 Update golangci-lint to v2
• d40b0ab Update setup-go to v6
• 76e583e Update Go to v1.26
• 5213688 Update hcl to v2.24.0
• 73cec71 Pin all GitHub Actions

aquasecurity/trivy (trivy)

v0.70.0

Compare Source

⚡ Highlights ⚡

👉 https://redirect.github.com/aquasecurity/trivy/discussions/10546

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0700-2026-04-16

astral-sh/uv (uv)

v0.11.14

Compare Source

Released on 2026-05-12.

Enhancements

• Add Astral mirror URL override (#​19206)
• Ignore top_level.txt entries in uninstall that are not valid Python identifiers (#​19340)

Bug fixes

• Avoid applying .env files in parent process (#​19343)
• Filter ANSI codes in logging output (#​19311)
• Fix uv tree showing extra-conditional deps for packages required without extras (#​19332)
• Respect build options (e.g., --no-build) during lock validation (#​19366)

v0.11.13

Compare Source

Released on 2026-05-10.

Bug fixes

• Include data files in editable builds (#​19312)
• Respect --require-hashes when installing from pylock.toml files (#​19334)

Python

• Add CPython 3.14.5

v0.11.12

Compare Source

Released on 2026-05-08.

Python

• Add CPython 3.15.0b1

Enhancements

• Add --no-editable support to uv pip install (#​19306)
• Require git refs in URLs to be percent-encoded (#​19320)

Bug fixes

• Respect --no-dev over UV_DEV=1 (#​19313)

• Don't suggest non-existent --no-frozen flag (#​19290) (#​19294)

Documentation

• Fix bug from inconsistent workflow name in GHA-PyPI guide example (#​19309)

v0.11.11

Compare Source

Released on 2026-05-06.

Bug fixes

• Accept legacy ID format from pre-0.11.9 cache entries (#​19301)

v0.11.10

Compare Source

Released on 2026-05-05.

Bug fixes

• Allow pre-release Python requests with non-zero patch versions (#​19286)

v0.11.9

Compare Source

Released on 2026-05-04.

This release includes a special release candidate for the next Python 3.14 patch release. Python 3.14 included a new garbage collection implementation, which reduced pause times but caused significant unexpected memory pressure in production environments. In 3.14.5 and 3.15, the previous garbage collection implementation will be restored.

We would greatly appreciate if you tested the 3.14.5rc1 version included in this release. The stable version is expected to be released soon and any feedback on potential issues would be helpful to the Python development team.

For more context, see the announcement, issue, and pull request.

Issues with the new release can be reported in the uv or CPython issue trackers.

Python

• Upgrade PyPy to v7.3.22
• Add CPython 3.14.5rc1
• On macOS, CPython statically links libpython to match Linux

Enhancements

• Omit compatible release desugaring for pre-release hints (#​19267)
• Fix file locks on Android (#​18323)

Preview

• uv audit add reporting for adverse project statuses (#​19128)

Bug fixes

• Discover versioned Python executables when requires-python pins a version (#​18700)
• Fix URL prefix matching to require path boundaries (#​19154)
• Fix transitive Git path dependencies in lockfiles (#​19269)
• Handle incorrect unlock error in LockedFile::drop on Wine (#​19229)
• Prevent uninstalling site-packages for empty top_level.txt in .egg-info (#​19114)
• Use symlinks instead of junctions on Wine (#​19213)
• Fix floating-point environment handling on ARMv7 (#​19157)
• Redact credentials from remote requirements URL in offline errors (#​19216)
• Windows tramplolines no longer set PYTHONHOME and only set __PYVENV_LAUNCHER__ for virtual environments (#​19199)

Documentation

• Mark --native-tls and UV_NATIVE_TLS as deprecated (#​18705)
• Re-add pytorch-triton-rocm to PyTorch ROCm docs (#​19241)
• Tweak changelog entries for 0.11.8 (#​19188)
• Add 'Exporting lockfiles' to the Concepts->Projects index (#​19209)
• Clarify that uv init creates git files / folders in the projects guide (#​19183)

v0.11.8

Compare Source

Released on 2026-04-27.

Enhancements

• Add --python-downloads-json-url to python pin (#​19092)
• Fetch uv from Astral mirror during self-update (#​18682)
• Support pip uninstall -y (#​19082)
• Add UV_PYTHON_NO_REGISTRY (#​19035)
• Allow exclude-newer to be missing from the lockfile when exclude-newer-span is present (#​19024)
• Only show the version number in uv self version --short (#​19019)
• Silence warnings on empty SSL_CERT_DIR directory (#​19018)
• Use a sentinel timestamp for relative exclude-newer and exclude-newer-package values in lockfiles (#​19022, #​19101)

Configuration

• Add an environment variable for UV_NO_PROJECT (#​19052)
• Expose UV_PYTHON_SEARCH_PATH for Python discovery PATH overrides (#​19034)

Bug fixes

• Add rust-toolchain.toml to uv-build sdist (#​19131)
• Ensure uv invocations of git do not inherit repository location environment variables (#​19088)
• Redact pre-signed upload URLs in verbose output (#​19146)
• Handle transitive URL dependencies in PEP 517 build requirements (#​19076, #​19086)
• Support uv lock on a pyproject.toml that only contains dependency-groups (#​19087)
• Disable transparent Python upgrades in projects when a patch version is requested via .python-version (#​19102)
• Fix Python variant tagging in the Windows registry (#​19012)
• Use a single codepath for extracting a .tar.zst wheel, disallowing external symlinks (#​19144)

Documentation

• Bump astral-sh/setup-uv version in docs (#​19030)
• Update PyTorch documentation for PyTorch 2.11 (#​19095)
• Remove deprecated license classifiers from uv-build and add Python 3.14 classifier (#​19130)

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: mise.lock

mise ERROR error parsing config file: /tmp/renovate/repos/github/aignostics/foundry-python-core/mise.toml
mise ERROR Config files in /tmp/renovate/repos/github/aignostics/foundry-python-core/mise.toml are not trusted.
Trust them with `mise trust`. See https://mise.en.dev/cli/trust.html for more information.
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

Command failed: mise lock act gh github:minamijoyo/hcledit trivy uv
mise ERROR error parsing config file: /tmp/renovate/repos/github/aignostics/foundry-python-core/mise.toml
mise ERROR Config files in /tmp/renovate/repos/github/aignostics/foundry-python-core/mise.toml are not trusted.
Trust them with `mise trust`. See https://mise.en.dev/cli/trust.html for more information.
mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud