Release 2.75.0

This partially reverts 5f3e9b7a2d.

.github/dependabot.yml

@@ -21,3 +21,7 @@ updates:
     commit-message:
       prefix: ''
     labels: []
+    groups:
+      github-actions:
+        patterns:
+          - '*'

.github/workflows/ci.yml

@@ -33,20 +33,20 @@ concurrency:
 
 jobs:
   miri:
-    uses: taiki-e/github-actions/.github/workflows/miri.yml@main
+    uses: taiki-e/github-actions/.github/workflows/miri.yml@606d6c78d69927c489d319133073a03157928a7a # main
     with:
       # NB: sync with test job's --exclude option
       args: --exclude install-action-internal-codegen
   msrv:
-    uses: taiki-e/github-actions/.github/workflows/msrv.yml@main
+    uses: taiki-e/github-actions/.github/workflows/msrv.yml@606d6c78d69927c489d319133073a03157928a7a # main
   test-manifest-schema:
-    uses: taiki-e/github-actions/.github/workflows/test.yml@main
+    uses: taiki-e/github-actions/.github/workflows/test.yml@606d6c78d69927c489d319133073a03157928a7a # main
     with:
       # NB: sync with miri job's --exclude option
       test-args: --exclude install-action-internal-codegen
       no-std: false
   tidy:
-    uses: taiki-e/github-actions/.github/workflows/tidy.yml@main
+    uses: taiki-e/github-actions/.github/workflows/tidy.yml@606d6c78d69927c489d319133073a03157928a7a # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # unused (used in `codegen-automerge: true` case)
@@ -95,7 +95,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - name: Generate tool list
@@ -154,7 +154,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - run: env
@@ -187,7 +187,7 @@ jobs:
     runs-on: ubuntu-24.04-arm
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - run: env
@@ -298,7 +298,7 @@ jobs:
         env:
           CONTAINER: ${{ matrix.container }}
         if: startsWith(matrix.container, 'centos')
-      - uses: taiki-e/checkout-action@v1
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
       # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
       - run: rm -- Cargo.toml
       - name: Generate tool list

.github/workflows/manifest.yml

@@ -33,7 +33,7 @@ concurrency:
 
 jobs:
   manifest:
-    uses: taiki-e/github-actions/.github/workflows/gen.yml@main
+    uses: taiki-e/github-actions/.github/workflows/gen.yml@606d6c78d69927c489d319133073a03157928a7a # main
     permissions:
       contents: write # for creating branch for pr
       pull-requests: write # for gh pr review --approve

.github/workflows/release.yml

@@ -38,8 +38,8 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: taiki-e/checkout-action@v1
-      - uses: taiki-e/install-action@v2
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
+      - uses: taiki-e/install-action@7bc99eee1f1b8902a125006cf790a1f4c8461e63 # v2.69.8
         with:
           tool: parse-changelog
           fallback: none
@@ -62,19 +62,6 @@ jobs:
             printf '::error::%s\n' "$*"
             exit 1
           }
-          normalize_comma_or_space_separated() {
-            # Normalize whitespace characters into space because it's hard to handle single input contains lines with POSIX sed alone.
-            local list="${1//[$'\r\n\t']/ }"
-            if [[ "${list}" == *","* ]]; then
-              # If a comma is contained, consider it is a comma-separated list.
-              # Drop leading and trailing whitespaces in each element.
-              sed -E 's/ *, */,/g; s/^.//; s/,,$/,/' <<<",${list},"
-            else
-              # Otherwise, consider it is a whitespace-separated list.
-              # Convert whitespace characters into comma.
-              sed -E 's/ +/,/g; s/^.//' <<<" ${list} "
-            fi
-          }
           if { sed --help 2>&1 || true; } | grep -Eq -e '-i extension'; then
             in_place=(-i '')
           else
@@ -220,11 +207,16 @@ jobs:
     permissions:
       contents: write # for taiki-e/create-gh-release-action
     steps:
-      - uses: taiki-e/checkout-action@v1
-      - uses: taiki-e/install-action@v2
+      - uses: taiki-e/checkout-action@83ed61bfbe2b8abbb3c66e8b65b1335484c70009 # v1.4.1
+      - uses: taiki-e/install-action@7bc99eee1f1b8902a125006cf790a1f4c8461e63 # v2.69.8
         with:
           tool: parse-changelog
           fallback: none
+      - uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
+        id: push-token
+        with:
+          app-id: ${{ secrets.PUSH_TOKEN_APP_CLIENT_ID }}
+          private-key: ${{ secrets.PUSH_TOKEN_APP_PRIVATE_KEY }}
       - name: Create and push release commit and tag
         id: push
         run: |
@@ -430,8 +422,8 @@ jobs:
           BRANCH: main
           PREPARE_REV: ${{ needs.prepare.outputs.rev }}
           # Note that if we use secrets.GITHUB_TOKEN, the pushed commit/tag cannot trigger other workflows.
-          PUSH_TOKEN: ${{ secrets.PUSH_TOKEN }}
-      - uses: taiki-e/create-gh-release-action@v1
+          PUSH_TOKEN: ${{ steps.push-token.outputs.token }}
+      - uses: taiki-e/create-gh-release-action@c5baa0b5dc700cf06439d87935e130220a6882d9 # v1.9.3
         with:
           changelog: CHANGELOG.md
           title: $version
@@ -440,13 +432,14 @@ jobs:
 
   release-manifest-schema:
     if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action-manifest-schema'
-    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@main
+    uses: taiki-e/github-actions/.github/workflows/rust-release.yml@606d6c78d69927c489d319133073a03157928a7a # main
     permissions:
       contents: write # for taiki-e/create-gh-release-action
       id-token: write # for rust-lang/crates-io-auth-action
       attestations: write # unused (used when options for uploading binaries are set)
     secrets:
-      PUSH_TOKEN: ${{ secrets.PUSH_TOKEN }}
+      PUSH_TOKEN_APP_CLIENT_ID: ${{ secrets.PUSH_TOKEN_APP_CLIENT_ID }}
+      PUSH_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PUSH_TOKEN_APP_PRIVATE_KEY }}
     with:
       version: ${{ inputs.version }}
       tag-prefix: install-action-manifest-schema-

.github/zizmor.yml

@@ -4,7 +4,3 @@
 rules:
   anonymous-definition: { disable: true }
   dependabot-cooldown: { config: { days: 14 } }
-  unpinned-uses:
-    config:
-      policies:
-        taiki-e/*: any

CHANGELOG.md

@@ -10,6 +10,16 @@ Note: In this file, do not use the hard wrap in the middle of a sentence for com
 
 ## [Unreleased]
 
+## [2.75.0] - 2026-04-07
+
+- Support `cosign`. ([#1677](https://github.com/taiki-e/install-action/pull/1677))
+
+## [2.74.1] - 2026-04-07
+
+- Update `mise@latest` to 2026.4.5.
+
+- Update `tombi@latest` to 0.9.15.
+
 ## [2.74.0] - 2026-04-06
 
 - Support `cargo-deb`. ([#1669](https://github.com/taiki-e/install-action/pull/1669))
@@ -6155,7 +6165,9 @@ Note: This release is considered a breaking change because installing on version
 
 Initial release
 
-[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.74.0...HEAD
+[Unreleased]: https://github.com/taiki-e/install-action/compare/v2.75.0...HEAD
+[2.75.0]: https://github.com/taiki-e/install-action/compare/v2.74.1...v2.75.0
+[2.74.1]: https://github.com/taiki-e/install-action/compare/v2.74.0...v2.74.1
 [2.74.0]: https://github.com/taiki-e/install-action/compare/v2.73.0...v2.74.0
 [2.73.0]: https://github.com/taiki-e/install-action/compare/v2.72.0...v2.73.0
 [2.72.0]: https://github.com/taiki-e/install-action/compare/v2.71.3...v2.72.0

TOOLS.md

@@ -47,6 +47,7 @@ See the [Supported tools section in README.md](README.md#supported-tools) for ho
 | [**cargo-xwin**](https://github.com/rust-cross/cargo-xwin) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/rust-cross/cargo-xwin/releases) | Linux, macOS, Windows | [MIT](https://github.com/rust-cross/cargo-xwin/blob/main/LICENSE) |
 | [**cargo-zigbuild**](https://github.com/rust-cross/cargo-zigbuild) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/rust-cross/cargo-zigbuild/releases) | Linux, macOS, Windows | [MIT](https://github.com/rust-cross/cargo-zigbuild/blob/main/LICENSE) |
 | [**coreutils**](https://github.com/uutils/coreutils) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/uutils/coreutils/releases) | Linux, macOS, Windows | [MIT](https://github.com/uutils/coreutils/blob/main/LICENSE) |
+| [**cosign**](https://github.com/sigstore/cosign) | `$HOME/.install-action/bin` | [GitHub Releases](https://github.com/sigstore/cosign/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/sigstore/cosign/blob/main/LICENSE) |
 | [**covgate**](https://github.com/jesse-black/covgate) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/jesse-black/covgate/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/jesse-black/covgate/blob/main/LICENSE) |
 | [**cross**](https://github.com/cross-rs/cross) | `$CARGO_HOME/bin` | [GitHub Releases](https://github.com/cross-rs/cross/releases) | Linux, macOS, Windows | [MIT](https://github.com/cross-rs/cross/blob/main/LICENSE-MIT) OR [Apache-2.0](https://github.com/cross-rs/cross/blob/main/LICENSE-APACHE) |
 | [**cyclonedx**](https://github.com/CycloneDX/cyclonedx-cli) | `$HOME/.install-action/bin` | [GitHub Releases](https://github.com/CycloneDX/cyclonedx-cli/releases) | Linux, macOS, Windows | [Apache-2.0](https://github.com/CycloneDX/cyclonedx-cli/blob/main/LICENSE) |

main.sh

@@ -466,7 +466,13 @@ case "$(uname -s)" in
       host_env=gnu
       host_glibc_version=$(grep -E "GLIBC|GNU libc" <<<"${ldd_version}" | sed -E "s/.* //g")
     fi
-    if [[ -e /etc/os-release ]]; then
+    if [[ -e /etc/redhat-release ]]; then
+      # /etc/os-release is available on RHEL/CentOS 7+
+      base_distro=fedora
+    elif [[ -e /etc/debian_version ]]; then
+      # /etc/os-release is available on Debian 7+
+      base_distro=debian
+    elif [[ -e /etc/os-release ]]; then
       if grep -Eq '^ID_LIKE=' /etc/os-release; then
         base_distro=$(grep -E '^ID_LIKE=' /etc/os-release | cut -d= -f2)
         case "${base_distro}" in
@@ -480,12 +486,6 @@ case "$(uname -s)" in
         base_distro=$(grep -E '^ID=' /etc/os-release | cut -d= -f2)
       fi
       base_distro="${base_distro//\"/}"
-    elif [[ -e /etc/redhat-release ]]; then
-      # /etc/os-release is available on RHEL/CentOS 7+
-      base_distro=fedora
-    elif [[ -e /etc/debian_version ]]; then
-      # /etc/os-release is available on Debian 7+
-      base_distro=debian
     fi
     case "${base_distro}" in
       fedora)
@@ -875,8 +875,8 @@ for tool in "${tools[@]}"; do
       iai-callgrind-runner) ;;
       # cargo-zigbuild/cargo-insta has no --version flag on `cargo $tool_bin_stem` subcommand.
       cargo-zigbuild | cargo-insta) rx "${tool_bin_stem}" --version ;;
-      # deepsource has version command instead of --version flag.
-      deepsource | vacuum) rx "${tool_bin_stem}" version ;;
+      # these packages have version command instead of --version flag.
+      cosign | deepsource | vacuum) rx "${tool_bin_stem}" version ;;
       cargo-*)
         case "${tool_bin_stem}" in
           # cargo-valgrind 2.1.0's --version flag just calls cargo's --version flag

manifests/coreutils.json

@@ -5,6 +5,50 @@
   "latest": {
     "version": "0.6.0"
   },
+  "0.8.0": {
+    "x86_64_linux_musl": {
+      "url": "https://github.com/uutils/coreutils/releases/download/0.8.0/coreutils-0.8.0-x86_64-unknown-linux-musl.tar.gz",
+      "etag": "0x8DE941D3DECEE20",
+      "hash": "b8977997a49b677169f7ce65bfc2ad658d4943c4f02f0493b1a802137202b0bf",
+      "bin": "coreutils-0.8.0-x86_64-unknown-linux-musl/coreutils"
+    },
+    "x86_64_macos": {
+      "url": "https://github.com/uutils/coreutils/releases/download/0.8.0/coreutils-0.8.0-x86_64-apple-darwin.tar.gz",
+      "etag": "0x8DE941DCF25AA9A",
+      "hash": "8ac6299b298eb3ba995973b42aece162578e19f9243425a5945d9c4bd8135b0a",
+      "bin": "coreutils-0.8.0-x86_64-apple-darwin/coreutils"
+    },
+    "x86_64_windows": {
+      "url": "https://github.com/uutils/coreutils/releases/download/0.8.0/coreutils-0.8.0-x86_64-pc-windows-msvc.zip",
+      "etag": "0x8DE941D6E03C003",
+      "hash": "db464cf2a6ecbfd42c85f46ed2d749be574df4df47feca1f08988fd760f324f3",
+      "bin": "coreutils-0.8.0-x86_64-pc-windows-msvc/coreutils.exe"
+    },
+    "aarch64_linux_musl": {
+      "url": "https://github.com/uutils/coreutils/releases/download/0.8.0/coreutils-0.8.0-aarch64-unknown-linux-musl.tar.gz",
+      "etag": "0x8DE941C4BA7DC07",
+      "hash": "e592200ef784deecc5ac2328b0617422c89f62b9bb841eb114528ed938ccb725",
+      "bin": "coreutils-0.8.0-aarch64-unknown-linux-musl/coreutils"
+    },
+    "aarch64_macos": {
+      "url": "https://github.com/uutils/coreutils/releases/download/0.8.0/coreutils-0.8.0-aarch64-apple-darwin.tar.gz",
+      "etag": "0x8DE941D614F7398",
+      "hash": "add95b420f9f1b69a0a7cb7b2672648fc72cf1294384344791e8e064bdc5e8c2",
+      "bin": "coreutils-0.8.0-aarch64-apple-darwin/coreutils"
+    },
+    "aarch64_windows": {
+      "url": "https://github.com/uutils/coreutils/releases/download/0.8.0/coreutils-0.8.0-aarch64-pc-windows-msvc.zip",
+      "etag": "0x8DE941BAE10C59A",
+      "hash": "1dfa62f18b64c70b664936b06fb1be20f0f6afa9ff041dd95dda629e987435a9",
+      "bin": "coreutils-0.8.0-aarch64-pc-windows-msvc/coreutils.exe"
+    },
+    "riscv64_linux_musl": {
+      "url": "https://github.com/uutils/coreutils/releases/download/0.8.0/coreutils-0.8.0-riscv64gc-unknown-linux-musl.tar.gz",
+      "etag": "0x8DE941BF13F7832",
+      "hash": "6e6c8823d7319f0d83a932515e248df0eb531e07f3a9193aaf05fdfb9dd63698",
+      "bin": "coreutils-0.8.0-riscv64gc-unknown-linux-musl/coreutils"
+    }
+  },
   "0.7.0": {
     "x86_64_linux_musl": {
       "url": "https://github.com/uutils/coreutils/releases/download/0.7.0/coreutils-0.7.0-x86_64-unknown-linux-musl.tar.gz",

manifests/cosign.json

@@ -0,0 +1,243 @@
+{
+  "rust_crate": null,
+  "template": {
+    "x86_64_linux_musl": {
+      "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-amd64"
+    },
+    "x86_64_macos": {
+      "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-darwin-amd64"
+    },
+    "x86_64_windows": {
+      "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-windows-amd64.exe"
+    },
+    "aarch64_linux_musl": {
+      "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-arm64"
+    },
+    "aarch64_macos": {
+      "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-darwin-arm64"
+    },
+    "powerpc64le_linux_musl": {
+      "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-ppc64le"
+    },
+    "riscv64_linux_musl": {
+      "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-riscv64"
+    },
+    "s390x_linux_musl": {
+      "url": "https://github.com/sigstore/cosign/releases/download/v${version}/cosign-linux-s390x"
+    }
+  },
+  "license_markdown": "[Apache-2.0](https://github.com/sigstore/cosign/blob/main/LICENSE)",
+  "latest": {
+    "version": "3.0.5"
+  },
+  "3": {
+    "version": "3.0.5"
+  },
+  "3.0": {
+    "version": "3.0.5"
+  },
+  "3.0.6": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE9427E4F4F66D",
+      "hash": "c956e5dfcac53d52bcf058360d579472f0c1d2d9b69f55209e256fe7783f4c74"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE942809604B8D",
+      "hash": "4c3e7af8372d3ca3296e62fa56f23fcbb5721cc6ac1827900d398f110d7cd280"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE9427FF1A8F49",
+      "hash": "9b85a88ebff2d9dd30ff4984a6f61f2cedc232dd87d81fa7f2ff3c0ed96c241c"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE94280251A997",
+      "hash": "bedac92e8c3729864e13d4a17048007cfafa79d5deca993a43a90ffe018ef2b8"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE9427F9B353E4",
+      "hash": "5fadd012ae6381a6a29ff86a7d39aa873878852f1073fc90b15995961ecfb084"
+    },
+    "powerpc64le_linux_musl": {
+      "etag": "0x8DE9427F2F77DC2",
+      "hash": "08c3e5e0a09c440f49e9a69d8639d37fbec522ec8c5c0ac805243b098e6ea512"
+    },
+    "riscv64_linux_musl": {
+      "etag": "0x8DE9427F6775D14",
+      "hash": "e25952e798958b0f9168d044153ccc353f5469ca4b71a1707dffad0534d27017"
+    },
+    "s390x_linux_musl": {
+      "etag": "0x8DE9427EF733685",
+      "hash": "3cf4b769258ed9cc3c2a93268c0d5c1cc3fbd094af8df21035cbac8fb0d7c088"
+    }
+  },
+  "3.0.5": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE6FF25F78B056",
+      "hash": "db15cc99e6e4837daabab023742aaddc3841ce57f193d11b7c3e06c8003642b2"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE6FF25A90279D",
+      "hash": "e032c44d3f7c247bbb2966b41239f88ffba002497a4516358d327ad5693c386f"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE6FF2745A020C",
+      "hash": "44e9e44202b67ddfaaf5ea1234f5a265417960c4ae98c5b57c35bc40ba9dd714"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE6FF265833D25",
+      "hash": "d098f3168ae4b3aa70b4ca78947329b953272b487727d1722cb3cb098a1a20ab"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE6FF25CFDD02F",
+      "hash": "4888c898e2901521a6bd4cf4f0383c9465588a6a46ecd2465ad34faf13f09eb7"
+    },
+    "powerpc64le_linux_musl": {
+      "etag": "0x8DE6FF26DA417A7",
+      "hash": "ccd07709a25fd549dc3987eb378c4fecc1d7b851c904a59528cae8144f725c36"
+    },
+    "riscv64_linux_musl": {
+      "etag": "0x8DE6FF27042D22A",
+      "hash": "9d108e72249dacb6ef5685320f34efcd0d85b842df90552b8fd7903a39a11c98"
+    },
+    "s390x_linux_musl": {
+      "etag": "0x8DE6FF26AFDC493",
+      "hash": "45ebd52e4cb3c1c5dc0661f76728fa9ee7a510ae211b0cde3c43e4d8bebade86"
+    }
+  },
+  "3.0.4": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE4FCA2BF218E5",
+      "hash": "10dab2fd2170b5aa0d5c0673a9a2793304960220b314f6a873bf39c2f08287aa"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE4FCA39840E0E",
+      "hash": "4dbafca16d29be06a6a740d517a9f63de67c78be3a64d048e42520401d88facc"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE4FCA28D7404D",
+      "hash": "a3a0dc4e8c745f9bd855ec18db346538b78ab2c4d6d510ae4186bb4a03f35438"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE4FCA1C26496E",
+      "hash": "c12fc6150195758ec0b1aeb1aade3381a1d3a299584982b66543f22bab04535b"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE4FCA3CB7AA05",
+      "hash": "7098c46809c0818d970e63f7acd10f44c6919d3b4a261a63972a60694a9c9f66"
+    },
+    "powerpc64le_linux_musl": {
+      "etag": "0x8DE4FCA2210A074",
+      "hash": "784dc5461a588dd8611e7969a4c988620f08bcb7f173beb77321b7acfc9a2b5f"
+    },
+    "riscv64_linux_musl": {
+      "etag": "0x8DE4FCA250DB25B",
+      "hash": "9ec0c4ec477aaed0dbf6d3a294405441b2cc93fff0d23482eba5c2e84af5aba4"
+    },
+    "s390x_linux_musl": {
+      "etag": "0x8DE4FCA35FC9609",
+      "hash": "0516fe2ea7d3c039cb6ed99aefbd86b69d661ff35956484c16fb480c29f3897d"
+    }
+  },
+  "3.0.3": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE378193840B57",
+      "hash": "052363a0e23e2e7ed53641351b8b420918e7e08f9c1d8a42a3dd3877a78a2e10"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE378184E3D243",
+      "hash": "6c75981e85e081a73f0b4087f58e0ad5fd4712c71b37fa0b6ad774c1f965bafa"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE37818A249E3E",
+      "hash": "2593655025b52b5b1c99e43464459b645a3acbe5d4a5a9f3a766e77beec5a441"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE37819892DC0D",
+      "hash": "81398231362031e3c7afd6a7508c57049460cd7e02736f1ebe89a452102253e5"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE378186BF54D2",
+      "hash": "38349e45a8bb0d1ed3a7affb8bdd2e9d597cee08b6800c395a926b4d9adb84d2"
+    },
+    "powerpc64le_linux_musl": {
+      "etag": "0x8DE37819135D5B6",
+      "hash": "6af9ed378d289ffd1bce9b6de02a47a25f9bf32d01a2f6b0f43f0fbb544f14c6"
+    },
+    "riscv64_linux_musl": {
+      "etag": "0x8DE3781829B3B92",
+      "hash": "86bbb2c0da0a80107fbe6d500da4148c3f84fa2595f76db68d4499664da2b90d"
+    },
+    "s390x_linux_musl": {
+      "etag": "0x8DE37818ED171E1",
+      "hash": "e8cda1bb6b6719e46fe72a89789852971a228d364063cc961d065c3cd4e3db4b"
+    }
+  },
+  "3.0.2": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE082BF53266ED",
+      "hash": "46dbdcb5467a3dfec2526923d0b3365e40c8d9dc00ec23d5aca3437449e8cbfd"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE082BF2D094CE",
+      "hash": "0fc2b6f16b900abdfda3153b11fc435a8cbe3830e8e820fe8ad5fe4149a5b472"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE082C03974CE8",
+      "hash": "7a137280d8686665ceb4d8565df2a0ac63f28031e014cdcae5d56891a6c8a400"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE082C0648458F",
+      "hash": "17fd784737ca54d7d8a343c82da6c5d6dbdee971e66644d923d1b057fb97d7ed"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE082C0064BD15",
+      "hash": "3823b044de184da21e300bc5e20dd29d3fa9243af3ba70c4a5da1712f3385d46"
+    },
+    "powerpc64le_linux_musl": {
+      "etag": "0x8DE082C0B62CF31",
+      "hash": "650aefe9d2bf0ee5282e8e40a7fc93ef6d66ef718a83ac3c3ec06b22b797ff00"
+    },
+    "riscv64_linux_musl": {
+      "etag": "0x8DE082C0E28E598",
+      "hash": "0ffd9125ada732d3d3f0f1702fefd8031c04383d070cda895c5df2dfaca6e7b8"
+    },
+    "s390x_linux_musl": {
+      "etag": "0x8DE082BFDC4C845",
+      "hash": "f45331cfa5dfb6f908a5ed4f20f6fda4f31716028d6f0dcff9c775f006d486df"
+    }
+  },
+  "3.0.1": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE05F22B41933C",
+      "hash": "23c9ff889672f03676b673539de07d5ad4e8efc8247a3ad55c9bc00169aa2305"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE05F23E3EC0F5",
+      "hash": "260c174b80d6401a7d2703109eb32f6a0bdbddd2ac91d3268dc96a51238d96ab"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE05F21CA08FF9",
+      "hash": "21843dbb2e910097531ca23e9f87d0ca2ae9a412e056009eae670b090418e8ed"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE05F232E5B6D9",
+      "hash": "8f5bb6899118d521d7b12252f06d5808fba4e6cb0a23ff120ed6c14d7c87863a"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE05F2419FF210",
+      "hash": "dad2a161d91fba199d1ebae7e5652a4c2dd412cbb1ab6b4cc8ad6a15378319fe"
+    },
+    "powerpc64le_linux_musl": {
+      "etag": "0x8DE05F2278FB689",
+      "hash": "82ed1e2c4b37927fc39c488dd1871f2a51ea40140a8c7911ed90026b8d8bf2cd"
+    },
+    "riscv64_linux_musl": {
+      "etag": "0x8DE05F23A221742",
+      "hash": "07b7ce941bf9918bf245153bf029d53873f4f0b1bc5e8f9141876b3523c1de0b"
+    },
+    "s390x_linux_musl": {
+      "etag": "0x8DE05F22438B32A",
+      "hash": "6e30ae5e33014197a888b9492728e49aaf72343e31e26da8f7b3720518e8f6df"
+    }
+  }
+}

manifests/mise.json

@@ -28,13 +28,13 @@
   },
   "license_markdown": "[MIT](https://github.com/jdx/mise/blob/main/LICENSE)",
   "latest": {
-    "version": "2026.4.4"
+    "version": "2026.4.5"
   },
   "2026": {
-    "version": "2026.4.4"
+    "version": "2026.4.5"
   },
   "2026.4": {
-    "version": "2026.4.4"
+    "version": "2026.4.5"
   },
   "2026.4.5": {
     "x86_64_linux_musl": {

manifests/shfmt.json

@@ -27,6 +27,28 @@
   "3.13": {
     "version": "3.13.0"
   },
+  "3.13.1": {
+    "x86_64_linux_musl": {
+      "etag": "0x8DE9425968D392A",
+      "hash": "fb096c5d1ac6beabbdbaa2874d025badb03ee07929f0c9ff67563ce8c75398b1"
+    },
+    "x86_64_macos": {
+      "etag": "0x8DE9425982BD0F0",
+      "hash": "6feedafc72915794163114f512348e2437d080d0047ef8b8fa2ec63b575f12af"
+    },
+    "x86_64_windows": {
+      "etag": "0x8DE942594A8E60E",
+      "hash": "60cd368533d0ad73fa86d93d5bbf95ef40587245ce684ed138c1b31557b5fe97"
+    },
+    "aarch64_linux_musl": {
+      "etag": "0x8DE942595A9A537",
+      "hash": "32d92acaa5cd8abb29fc49dac123dc412442d5713967819d8af2c29f1b3857c7"
+    },
+    "aarch64_macos": {
+      "etag": "0x8DE9425979B56CB",
+      "hash": "9680526be4a66ea1ffe988ed08af58e1400fe1e4f4aef5bd88b20bb9b3da33f8"
+    }
+  },
   "3.13.0": {
     "x86_64_linux_musl": {
       "etag": "0x8DE7DC7C27DBB2E",

manifests/tombi.json

@@ -22,10 +22,10 @@
   },
   "license_markdown": "[MIT](https://github.com/tombi-toml/tombi/blob/main/LICENSE)",
   "latest": {
-    "version": "0.9.14"
+    "version": "0.9.15"
   },
   "0.9": {
-    "version": "0.9.14"
+    "version": "0.9.15"
   },
   "0.9.15": {
     "x86_64_linux_musl": {

tools/codegen/base/cosign.json

@@ -0,0 +1,34 @@
+{
+  "repository": "https://github.com/sigstore/cosign",
+  "tag_prefix": "v",
+  "version_range": ">= 3.0.0",
+  "signing": {
+    "kind": "custom"
+  },
+  "platform": {
+    "x86_64_linux_musl": {
+      "asset_name": "${package}-linux-amd64"
+    },
+    "x86_64_macos": {
+      "asset_name": "${package}-darwin-amd64"
+    },
+    "x86_64_windows": {
+      "asset_name": "${package}-windows-amd64.exe"
+    },
+    "aarch64_linux_musl": {
+      "asset_name": "${package}-linux-arm64"
+    },
+    "aarch64_macos": {
+      "asset_name": "${package}-darwin-arm64"
+    },
+    "powerpc64le_linux_musl": {
+      "asset_name": "${package}-linux-ppc64le"
+    },
+    "riscv64_linux_musl": {
+      "asset_name": "${package}-linux-riscv64"
+    },
+    "s390x_linux_musl": {
+      "asset_name": "${package}-linux-s390x"
+    }
+  }
+}

tools/codegen/src/main.rs

@@ -385,6 +385,58 @@ fn main() {
                             );
                             eprintln!("done");
                         }
+                        "cosign" => {
+                            let [checksum, bundle] =
+                                ["cosign_checksums.txt", "cosign_checksums.txt.sigstore.json"].map(
+                                    |f| {
+                                        let asset = release
+                                            .assets
+                                            .iter()
+                                            .find(|asset| asset.name.ends_with(f))
+                                            .unwrap();
+                                        let download_cache =
+                                            download_cache_dir.join(format!("{version}-{f}"));
+                                        let url = &asset.browser_download_url;
+                                        eprint!(
+                                            "downloading {url} for signature verification ... "
+                                        );
+                                        if download_cache.is_file() {
+                                            eprintln!("already downloaded");
+                                        } else {
+                                            download_to_buf(url, &mut buf);
+                                            eprintln!("download complete");
+                                            fs::write(&download_cache, &buf).unwrap();
+                                            buf.clear();
+                                        }
+                                        download_cache
+                                    },
+                                );
+                            eprint!("verifying checksum file for {package}@{version} ... ");
+                            cmd!(
+                                "cosign",
+                                "verify-blob",
+                                &checksum,
+                                "--bundle",
+                                bundle,
+                                "--certificate-identity",
+                                "keyless@projectsigstore.iam.gserviceaccount.com",
+                                "--certificate-oidc-issuer",
+                                "https://accounts.google.com"
+                            )
+                            .run()
+                            .unwrap();
+                            verified_checksum = Some(
+                                fs::read_to_string(checksum)
+                                    .unwrap()
+                                    .lines()
+                                    .filter_map(|l| l.split_once("  "))
+                                    .map(|(h, f)| {
+                                        (f.trim_ascii().to_owned(), h.trim_ascii().to_owned())
+                                    })
+                                    .collect(),
+                            );
+                            eprintln!("done");
+                        }
                         "syft" => {
                             // Refs: https://oss.anchore.com/docs/installation/verification/
                             let [checksum, certificate, signature] =
@@ -572,10 +624,7 @@ fn main() {
                             );
                         };
                         let url = url.clone() + ".sig";
-                        let sig_download_cache = &download_cache.with_extension(format!(
-                            "{}.sig",
-                            download_cache.extension().unwrap_or_default().to_str().unwrap()
-                        ));
+                        let sig_download_cache = &download_cache.with_added_extension("sig");
                         eprint!("downloading {url} for signature validation ... ");
                         let sig = if sig_download_cache.is_file() {
                             eprintln!("already downloaded");

tools/tidy.sh

@@ -27,15 +27,14 @@ fi
 if [[ -n "${TIDY_DEV:-}" ]]; then
   image="ghcr.io/taiki-e/tidy:latest"
 else
-  image="ghcr.io/taiki-e/tidy@sha256:4552cbce9426e102f9650cd9f8381e836fc8fda081dcbddcc7f31b15d48d1654"
+  image="ghcr.io/taiki-e/tidy@sha256:bce85a4321f80c09f2b68420e9149bcf7c085130ab1e1fca54443f76833cd184"
 fi
 user="$(id -u):$(id -g)"
 workdir=$(pwd)
 tmp=$(mktemp -d)
 trap -- 'rm -rf -- "${tmp:?}"' EXIT
-mkdir -p -- "${tmp}/zizmor"
-touch -- "${tmp}/dummy"
-mkdir -- "${tmp}/dummy-dir"
+mkdir -p -- "${tmp}"/{pwsh-cache,pwsh-local,zizmor-cache,dummy-dir,tmp}
+touch -- "${tmp}"/dummy
 code=0
 color=''
 if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
@@ -84,22 +83,25 @@ docker_run() {
 set +e
 docker_run \
   --mount "type=bind,source=${workdir},target=${workdir}" --workdir "${workdir}" \
+  --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \
+  --mount "type=bind,source=${tmp}/pwsh-cache,target=/.cache/powershell" \
+  --mount "type=bind,source=${tmp}/pwsh-local,target=/.local/share/powershell" \
   --network=none \
   "${image}" \
   /checks/offline.sh
 # Some good audits requires access to GitHub API.
 docker_run \
   --mount "type=bind,source=${workdir},target=${workdir},readonly" --workdir "${workdir}" \
-  --mount "type=bind,source=${tmp}/zizmor,target=/.cache/zizmor" \
+  --mount "type=bind,source=${tmp}/zizmor-cache,target=/.cache/zizmor" \
   --env GH_TOKEN --env GITHUB_TOKEN --env ZIZMOR_GITHUB_TOKEN \
   "${image}" \
   /checks/zizmor.sh
 # We use remote dictionary.
 docker_run \
   --mount "type=bind,source=${workdir},target=${workdir},readonly" --workdir "${workdir}" \
-  --mount "type=bind,source=${workdir}/.cspell.json,target=${workdir}/.cspell.json" \
   --mount "type=bind,source=${workdir}/.github/.cspell/project-dictionary.txt,target=${workdir}/.github/.cspell/project-dictionary.txt" \
   --mount "type=bind,source=${workdir}/.github/.cspell/rust-dependencies.txt,target=${workdir}/.github/.cspell/rust-dependencies.txt" \
+  --mount "type=bind,source=${tmp}/tmp,target=/tmp/tidy" \
   "${image}" \
   /checks/cspell.sh