do

Author: Raj-StepSecurity

dist/index.js

@@ -9,26 +9,6 @@ import * as os from 'os'
 import * as path from 'path'
 import axios, { isAxiosError } from 'axios'
 
-function validateVersion(version: string): string {
-  if (!version) {
-    throw new Error('Version cannot be empty')
-  }
-
-  // Allow only numbers and dots for mise versions (e.g., 2024.12.7, 2.8.0)
-  if (!/^[0-9.]+$/.test(version)) {
-    throw new Error(
-      `Invalid version format: ${version}. Only numbers and dots are allowed.`
-    )
-  }
-
-  // Additional length check to prevent excessive input
-  if (version.length > 20) {
-    throw new Error('Version string too long')
-  }
-
-  return version.replace(/^v/, '') // Remove 'v' prefix if present
-}
-
 async function validateSubscription(): Promise<void> {
   const API_URL = `https://agent.api.stepsecurity.io/v1/github/${process.env.GITHUB_REPOSITORY}/actions/subscription`
 
@@ -60,7 +40,8 @@ async function run(): Promise<void> {
     }
 
     const version = core.getInput('version')
-    await setupMise(version)
+    const fetchFromGitHub = core.getBooleanInput('fetch_from_github')
+    await setupMise(version, fetchFromGitHub)
     await setEnvVars()
     if (core.getBooleanInput('reshim')) {
       await miseReshim()
@@ -178,7 +159,10 @@ async function restoreMiseCache(): Promise<string | undefined> {
   core.info(`mise cache restored from key: ${cacheKey}`)
 }
 
-async function setupMise(version: string): Promise<void> {
+async function setupMise(
+  version: string,
+  fetchFromGitHub = false
+): Promise<void> {
   const miseBinDir = path.join(miseDir(), 'bin')
   const miseBinPath = path.join(
     miseBinDir,
@@ -195,12 +179,15 @@ async function setupMise(version: string): Promise<void> {
           : (await zstdInstalled())
             ? '.tar.zst'
             : '.tar.gz'
-
-    // Validate version input to prevent injection attacks
-    const rawVersion = version || (await latestMiseVersion())
-    const validatedVersion = validateVersion(rawVersion)
-
-    const url = `https://github.com/jdx/mise/releases/download/v${validatedVersion}/mise-v${validatedVersion}-${await getTarget()}${ext}`
+    let resolvedVersion = version || (await latestMiseVersion())
+    resolvedVersion = resolvedVersion.replace(/^v/, '')
+    let url: string
+    if (!fetchFromGitHub && !version) {
+      // Only for latest version
+      url = `https://mise.jdx.dev/mise-latest-${await getTarget()}${ext}`
+    } else {
+      url = `https://github.com/jdx/mise/releases/download/v${resolvedVersion}/mise-v${resolvedVersion}-${await getTarget()}${ext}`
+    }
     const archivePath = path.join(os.tmpdir(), `mise${ext}`)
     switch (ext) {
       case '.zip':
@@ -277,7 +264,7 @@ const testMise = async (): Promise<number> => mise(['--version'])
 const miseInstall = async (): Promise<number> =>
   mise([`install ${core.getInput('install_args')}`])
 const miseLs = async (): Promise<number> => mise([`ls`])
-const miseReshim = async (): Promise<number> => mise([`reshim`, `--all`])
+const miseReshim = async (): Promise<number> => mise([`reshim`, `-f`])
 const mise = async (args: string[]): Promise<number> =>
   core.group(`Running mise ${args.join(' ')}`, async () => {
     const cwd =