feat: lock install when mise.lock is present

[zeitlinger]

Summary

• automatically add --locked to mise install when a repo mise lock file is present
• only enable that behavior when the running mise version supports install --locked
• update mise.lock so it matches the repo's current mise.toml
• document the new lock-file behavior and regenerate the bundled action output

Why

When a repository contains mise.lock, plain mise install can update the lock file unexpectedly. This forces workflows to pass install_args: --locked as a workaround.

This repo also had a stale checked-in mise.lock: mise.toml requested aube = "v1.14.1", while mise.lock still pinned older aube metadata. That mismatch was already breaking CI/bootstrap paths that relied on repo-managed mise config.

Breaking-change / compatibility risk

This is a potentially breaking behavior change.

Workflows that previously relied on plain mise install continuing in unlocked mode, despite a repo lockfile being present, will now run in locked mode automatically on mise versions that support install --locked.

That means stale or incomplete lockfiles can now cause installs to fail earlier and more explicitly. In practice, this change makes lockfile drift visible instead of silently mutating the lockfile during CI, but it can still break existing workflows until their mise.lock is brought back in sync.

Impact

Users no longer need to manually add --locked in the common locked-install case; the action detects the lock file and does it automatically while still respecting explicit install_args and older mise versions that do not support --locked.

Updating mise.lock in this PR is intentional: it brings the repo lockfile back in sync with mise.toml, which is necessary for locked installs and for CI jobs that bootstrap through repo-managed mise configuration.

Validation

• npm ci
• npm run all
• verified compatibility fix for older mise versions that do not support install --locked

[gemini-code-assist]

Code Review

This pull request introduces automatic detection of mise lock files (such as mise.lock) in the working directory or its parent directories, automatically appending the --locked flag to the mise install command when a lock file is found. The feedback suggests optimizing the lock file detection logic by using fs.statSync with throwIfNoEntry: false to prevent throwing and catching ENOENT exceptions on non-existent directories, which can improve performance.

[greptile-apps]

Greptile Summary

This PR adds automatic --locked injection to mise install when a repo mise lock file is detected, with a version-capability check and opt-out for mise_toml/tool_versions inputs. It also syncs mise.lock to match the aube version declared in mise.toml.

• miseInstall now calls shouldUseLockedInstall(), which traverses ancestor directories for mise lock files and checks that the running mise binary supports --locked before injecting the flag.
• mise.lock is updated from aube v1.6.2 → v1.14.1 to resolve the mise.toml / lock-file mismatch that was breaking CI bootstrap paths.

Confidence Score: 5/5

Safe to merge; the auto-detection logic is well-guarded and falls back gracefully when mise lacks --locked support or when explicit inputs override it.

The core detection path is correct: the version capability check, the --locked deduplication regex, and the tool_versions/mise_toml opt-out all work as intended. The one pattern-set concern (ROOT patterns reused in inner subdirectories) requires an unusual file layout to trigger and does not affect the common case.

The directoryHasMiseLockFile function in src/index.ts (lines 593–613) is worth a second look for the subdirectory pattern spread.

Important Files Changed

Filename	Overview
src/index.ts	Adds lock-file auto-detection and --locked injection; core logic is sound but the pattern set applied to inner subdirectories is broader than mise's own recognized paths.
README.md	Documents the new lock-file auto-detection behavior and the install_args interaction; content matches the implementation.
action.yml	Updates install_args description to mention automatic --locked injection; no behavioral change.
mise.lock	Bumps aube from v1.6.2 to v1.14.1 to align mise.lock with the version declared in mise.toml.
dist/index.js	Regenerated bundle reflecting the src/index.ts changes; not reviewed directly.

_{Reviews (5): Last reviewed commit: "fix locked install compatibility" | Re-trigger Greptile}