github backend mismatches platform when selecting attestation

[polarathene]

TL;DR:

• The github backend selected a mismatched *.provenance.json that differs by platform (darwin when expected windows) from the selected asset (*.tar.gz). Reproduction below.
• There should probably be a backend agnostic ENV equivalent of MISE_GITHUB_GITHUB_ATTESTATIONS and MISE_AQUA_GITHUB_ATTESTATIONS.

---

I've been trying mise recently, during which the switch to detect and implicitly opt-in for verifying attestations/provenance became the new default for aqua and github backends.

I'm not sure if it's due to an oversight from the LLM driven development process, or PRs bypassing any additional human review (while also ignoring failing checks), but I noticed the following:

• Resolved - Not a bug

  Can be ignored mise docs are clear on when attestation doesn't apply (dependent upon the upstream aqua registry.yaml for a package to configure).

  aqua backend: No errors thrown here, but the logs show only containerd was verifying, buildkit was skipped from verifying attestations (even when it was the only asset to install).

  Different discovery logic I assume 🤷‍♂️ (EDIT: Confirmed, the equivalent BuildKit registry.yaml lacks a github_artifact_attestations field, hence no verification)

  Github Actions log output (aqua backend)

  Running mise --version
    C:\Users\runneradmin\AppData\Local\mise\bin\mise.exe --version
    2025.12.12 windows-x64 (2025-12-18)
  Running mise install aqua:containerd/containerd aqua:moby/buildkit
    C:\Users\runneradmin\AppData\Local\mise\bin\mise.exe install aqua:containerd/containerd aqua:moby/buildkit
    mise 2025.12.12 by @jdx install
    mise aqua:containerd/[email protected] install
    mise aqua:containerd/[email protected] download containerd-2.2.1-windows-amd64.tar.gz
    mise aqua:moby/[email protected] install
    mise aqua:containerd/[email protected] verify GitHub attestations
    mise aqua:moby/[email protected] download buildkit-v0.26.3.windows-amd64.tar.gz
    mise aqua:moby/[email protected] checksum buildkit-v0.26.3.windows-amd64.tar.gz
    mise aqua:moby/[email protected] extract buildkit-v0.26.3.windows-amd64.tar.gz
    mise aqua:moby/[email protected] ✓ installed
    mise aqua:containerd/[email protected] ✓ GitHub attestations verified
    mise aqua:containerd/[email protected] checksum containerd-2.2.1-windows-amd64.tar.gz
    mise aqua:containerd/[email protected] extract containerd-2.2.1-windows-amd64.tar.gz
    mise aqua:containerd/[email protected] ✓ installed
    mise 2025.12.12 by @jdx ✓ done
  

• github backend: For some reason it's resolving the wrong provenance (buildkit-v0.26.3.darwin-amd64.provenance.json) to verify against the binary asset selected? (buildkit-v0.26.3.windows-amd64.tar.gz)

  Github Actions log output (github backend)

  Running mise --version
    C:\Users\runneradmin\AppData\Local\mise\bin\mise.exe --version
    2025.12.12 windows-x64 (2025-12-18)
  Running mise install github:moby/buildkit github:containerd/containerd
    C:\Users\runneradmin\AppData\Local\mise\bin\mise.exe install github:moby/buildkit github:containerd/containerd
    mise 2025.12.12 by @jdx install
    mise github:containerd/[email protected] install
    mise github:containerd/[email protected] download containerd-2.2.1-windows-amd64.tar.gz
    mise github:containerd/[email protected] checksum containerd-2.2.1-windows-amd64.tar.gz
    mise github:moby/[email protected] install
    mise github:containerd/[email protected] verify GitHub attestations
    mise github:moby/[email protected] download buildkit-v0.26.3.windows-amd64.tar.gz
    mise github:moby/[email protected] checksum buildkit-v0.26.3.windows-amd64.tar.gz
    mise github:moby/[email protected] verify GitHub attestations
    mise github:moby/[email protected] verify SLSA provenance
    mise github:moby/[email protected] download buildkit-v0.26.3.darwin-amd64.provenance.json
    mise github:moby/[email protected] verify SLSA provenance
    mise github:containerd/[email protected] extract containerd-2.2.1-windows-amd64.tar.gz
    mise github:containerd/[email protected] ✓ installed
    mise ERROR Failed to install github:moby/buildkit@latest: SLSA verification error for github:moby/[email protected]: Verification failed: File does not contain valid attestations or SLSA provenance
    mise ERROR Run with --verbose or MISE_VERBOSE=1 for more information
  Error: The process 'C:\Users\runneradmin\AppData\Local\mise\bin\mise.exe' failed with exit code 1
  

• I am aware of the opt-out via MISE_GITHUB_GITHUB_ATTESTATIONS and MISE_AQUA_GITHUB_ATTESTATIONS environment vars, although I'm curious why there isn't a backend agnostic ENV 🤔

Reproduction

Github Actions workflow:

name: Build Windows Image

on:
  workflow_dispatch:

jobs:
  build:
    runs-on: windows-2025
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - uses: jdx/mise-action@v3
        with:
          cache: false
          install_args: "github:moby/buildkit github:containerd/containerd"

      # ...