refactor(ci): simplify workflows, update deps

[emnul]

This PR updates workflow dependencies, simplifies setup/action.yml, and refactors its dependent workflows

Summary by CodeRabbit

• Chores
  • Updated CI/CD infrastructure to newer Ubuntu runners (24.04) for improved stability and security.
  • Bumped GitHub Actions to latest versions for enhanced security and performance.
  • Optimized build system with Turbo-based caching for faster build times.
  • Streamlined environment setup process.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

This pull request updates GitHub Actions workflows and refactors the setup action to modernize the CI infrastructure. Changes include upgrading to Ubuntu 24.04, updating action versions, introducing corepack and Turbo-based caching, and integrating a dedicated compact compiler setup action.

Changes

Cohort / File(s)	Summary
Setup Action Refactoring \.github/actions/setup/action.yml	Major refactoring of setup steps: replaced manual environment variables with corepack enable, introduced Turbo-based caching (.turbo directory), switched from manual compact build to dedicated compact setup action (midnightntwrk/setup-compact-action), added TURBO_MAJOR_VERSION and TURBO_TELEMETRY_DISABLED variables, updated action version references to commit hashes, and standardized YAML quote formatting.
CI Workflow Infrastructure Updates \.github/workflows/apps.yml, \.github/workflows/checks.yml, \.github/workflows/contracts.yml, \.github/workflows/scorecard.yml	Ubuntu runner upgraded from 22.04 to 24.04 across all workflows; GitHub Actions versions bumped (hardened-runner v2.13.2→v2.13.3, checkout updated, typos v1.39.0→v1.40.0, codeql-action v3.29.5→v4.31.7); removed compiler version check in contracts.yml; action references switched to commit hashes; minor formatting adjustments.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Setup action refactoring: Verify the new Turbo caching strategy, corepack integration, and midnightntwrk/setup-compact-action compatibility; confirm environment variables are correctly propagated.
• Removed compiler validation: Review impact of removing the explicit "Check compiler version" step in contracts.yml—ensure this validation is redundant or handled elsewhere.
• Action version updates: Verify no breaking changes introduced by bumped action versions, particularly the codeql-action major version upgrade (v3→v4).
• Runner compatibility: Confirm workflows function correctly on Ubuntu 24.04 with any tool or environment differences.

Poem

🐇 A turbo spins, corepack glows, *
Ubuntu fresh, the pipeline flows,
Compact compiler takes the stage,
Caching swift on the modern page!
Infrastructure blooms, faster than snow. 🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly reflects the main changes: CI workflow refactoring and dependency updates across multiple GitHub Actions files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 5

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0a40570 and 9e15477.

📒 Files selected for processing (5)

• .github/actions/setup/action.yml (1 hunks)
• .github/workflows/apps.yml (2 hunks)
• .github/workflows/checks.yml (2 hunks)
• .github/workflows/contracts.yml (1 hunks)
• .github/workflows/scorecard.yml (2 hunks)

🧰 Additional context used

🪛 GitHub Check: CodeQL

.github/workflows/contracts.yml

[warning] 11-32: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

.github/workflows/checks.yml

[warning] 15-47: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

.github/workflows/apps.yml

[warning] 15-79: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (10)

.github/workflows/checks.yml (1)

15-15: Runner and action version updates look good.

Upgrading to ubuntu-24.04, harden-runner v2.13.3, and typos v1.40.0 maintains modern tooling. The version choices are consistent with other workflows in the PR.

Also applies to: 19-19, 39-39

.github/workflows/contracts.yml (1)

11-11: Runner and action updates are consistent.

The ubuntu-24.04 upgrade and harden-runner v2.13.3 bump align with the modernization across the PR.

Verify that the removal of the "Check compiler version" validation step is properly handled by the new Setup Compact Compiler action (.github/actions/setup/action.yml, line 45-49). The setup action now manages compiler setup, but ensure the CI still validates compiler availability/correctness.

Also applies to: 16-16

.github/workflows/apps.yml (2)

25-25: Checkout action version inconsistent with other workflows.

Line 25 uses actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1, but other workflows in the PR (checks.yml, contracts.yml, scorecard.yml) use v5.0.0. This inconsistency may be unintended.

Verify whether v6.0.1 is intentional for apps.yml or should be unified with v5.0.0 across all workflows. If v6.0.1 is required for this workflow, document the reason to help future maintainers understand the divergence.

Also applies to: 25-25

---

15-15: Runner, harden-runner, and fetch-depth updates are appropriate.

Ubuntu-24.04 modernization and harden-runner v2.13.3 are consistent with other workflows. Setting fetch-depth to 2 aligns with Turbo team recommendations.

Also applies to: 20-20, 27-27

.github/workflows/scorecard.yml (2)

18-18: Excellent permissions configuration.

This workflow correctly declares permissions: read-all at the workflow level and granular permissions at the job level. This is a security best practice and serves as a reference example for the other workflows that are missing permissions blocks.

Also applies to: 22-30

---

22-22: Runner and action updates are consistent with broader PR modernization.

Ubuntu-24.04 upgrade and all action version bumps align with the tooling modernization across the repository.

Also applies to: 33-33, 38-38, 43-43, 52-52, 59-59

.github/actions/setup/action.yml (4)

13-15: Corepack enable ordering is correct, but verify Node.js includes corepack.

Corepack is enabled before Node.js setup (line 13), then Node.js is installed (line 29). The ordering is sound since corepack became part of Node.js 16.13+.

Verify that the Node.js 22.x version on ubuntu-24.04 includes corepack. If corepack is not available by default, you may need to explicitly install it or adjust the step order. The current setup assumes corepack is available as part of the Node.js runtime.

Also applies to: 29-29

---

38-43: Turbo global installation pattern is reasonable, telemetry consolidation is good.

Installing Turbo globally with pnpm install turbo@${{ env.TURBO_MAJOR_VERSION }} -g is an appropriate pattern. The consolidation of TURBO_TELEMETRY_DISABLED from contracts.yml into this action is a good refactor that simplifies workflow configuration.

---

1-1: Node.js, pnpm, and corepack setup updates are appropriate for modernization.

Quoting the action name/description, updating pnpm/action-setup to v4.2.0, actions/setup-node to v6.1.0, and setting node-version to "22.x" with pnpm caching are all consistent with modern best practices.

Also applies to: 2-2, 26-26, 29-29, 31-31, 32-32

---

47-47: The referenced commit hash is valid and appears to be actively maintained (dated October 17, 2025). However, the midnightntwrk/setup-compact-action repository does not publish version tags or releases—it relies on commit hashes as its standard versioning approach. If the upstream project maintains this pattern by design, using the commit hash is appropriate. Consider documenting why commit-based pinning is used here if it differs from other action references in the workflow.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

cat -n .github/actions/setup/action.yml

Repository: OpenZeppelin/midnight-apps

Length of output: 1856

---

🏁 Script executed:

# Search for usage of skip-compile input within the action file itself
rg 'skip-compile|skip-compact' .github/actions/setup/action.yml -n

Repository: OpenZeppelin/midnight-apps

Length of output: 137

---

🏁 Script executed:

# Find all workflow files that call this setup action
fd -t yaml . .github/workflows | head -20

Repository: OpenZeppelin/midnight-apps

Length of output: 241

---

🏁 Script executed:

# Look for how skip-compile/skip-compact is referenced in callers
rg 'uses:.*setup' .github/workflows -A 5 -B 1 -t yaml

Repository: OpenZeppelin/midnight-apps

Length of output: 1182

---

🏁 Script executed:

# Check if there are additional inputs defined or if skip-compact is defined
rg 'skip-compact' .github/actions/setup/ -r

Repository: OpenZeppelin/midnight-apps

Length of output: 483

---

🏁 Script executed:

# Verify if there's any git history showing a previous version
git log --oneline -n 20 -- .github/actions/setup/action.yml 2>/dev/null | head -10

Repository: OpenZeppelin/midnight-apps

Length of output: 143

---

🏁 Script executed:

# Check the full context around the input section
head -50 .github/actions/setup/action.yml | tail -30

Repository: OpenZeppelin/midnight-apps

Length of output: 1060

---

Input name mismatch prevents skip-compile flag from working correctly.

The action defines an input named skip-compile (line 5), but the condition at line 46 references inputs.skip-compact which does not exist. This mismatch means the skip-compile input is ignored entirely—the condition will always evaluate to true (step always runs) because inputs.skip-compact is undefined.

To fix: Either rename the input to skip-compact or update the condition to reference inputs.skip-compile.

🤖 Prompt for AI Agents

In .github/actions/setup/action.yml around lines 8 and 46, the action defines an
input named "skip-compile" but the condition references "inputs.skip-compact",
causing the skip flag to be ignored; update the condition at line ~46 to
reference "inputs.skip-compile" (or alternatively rename the input to
"skip-compact") so the intended skip-compile input is actually used, and ensure
any other references in the file use the same exact input name.

[0xisk]

line 5, is skip-compact not skip-compile

[coderabbitai]

@0xisk You're absolutely right, and I apologize for the confusion. Looking at the full file content after this PR, line 5 indeed shows skip-compact, not skip-compile.

The diff was showing the change FROM skip-compile (old) TO skip-compact (new), and I misread it. Your PR is actually fixing the mismatch by renaming the input to skip-compact to match the condition at line 46 that references inputs.skip-compact. This is the correct change.

Thank you for the correction!

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

# Check if .turbo directory exists in the repository
find . -type d -name '.turbo' 2>/dev/null | head -20

# Check if .turbo is in .gitignore
if [ -f .gitignore ]; then
  echo "=== Checking .gitignore for .turbo ===" 
  grep -n "\.turbo" .gitignore || echo "No .turbo entry found in .gitignore"
fi

# Check git status of .turbo if it exists
if [ -d .turbo ]; then
  echo "=== Git status of .turbo ===" 
  git status .turbo 2>/dev/null || echo "Cannot check git status"
fi

Repository: OpenZeppelin/midnight-apps

Length of output: 119

---

🏁 Script executed:

# Read the full action.yml file to understand context
cat -n .github/actions/setup/action.yml

Repository: OpenZeppelin/midnight-apps

Length of output: 1856

---

🏁 Script executed:

# Verify GitHub Actions hashFiles behavior with non-existent paths
# by checking documentation or common patterns
web_search
GitHub Actions hashFiles empty directory non-existent path behavior

Repository: OpenZeppelin/midnight-apps

Length of output: 165

---

Turbo cache key generates empty hash because .turbo/ directory is git-ignored and doesn't exist.

The .turbo/ directory is listed in .gitignore (line 151) and is not committed to the repository. Since the cache step (lines 17-23) runs before any build commands that would create this directory, hashFiles('.turbo/*') will return an empty string, resulting in inconsistent cache keys. This causes the cache key to depend only on runner.os and github.sha, reducing cache effectiveness and potentially causing cache collisions across different workflow runs with the same commit.

Consider either: (1) committing a .turbo/.gitkeep placeholder file, (2) adding a step to create .turbo/ with content before the cache action, or (3) adjusting the cache key strategy to account for missing directories.

🤖 Prompt for AI Agents

In .github/actions/setup/action.yml around lines 17-23 the cache key uses
hashFiles('.turbo/*') which returns empty because .turbo/ is git-ignored and not
present at cache time; fix by either (A) add a committed placeholder file (e.g.
.turbo/.gitkeep) so the hash is stable, (B) insert a prior workflow step that
creates the .turbo directory and writes a deterministic file before the cache
action, or (C) change the cache key to use a stable file(s) (e.g. package.json,
turbo config) or include a fallback static value so the key isn’t empty — pick
and implement one of these options and update the cache step accordingly.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add explicit permissions block to workflow.

The workflow lacks a permissions block, which is a security best practice. GitHub Actions workflows default to broad permissions if not explicitly declared.

Apply this diff to add minimal read-only permissions:

 jobs:
   pipeline:
+    permissions:
+      contents: read
     runs-on: ubuntu-24.04
     timeout-minutes: 20

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	runs-on: ubuntu-24.04
	jobs:
	pipeline:
	permissions:
	contents: read
	runs-on: ubuntu-24.04
	timeout-minutes: 20

🧰 Tools

🪛 GitHub Check: CodeQL

[warning] 15-79: Workflow does not contain permissions
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {{contents: read}}

🤖 Prompt for AI Agents

.github/workflows/apps.yml around line 15: the workflow is missing an explicit
permissions block; add a top-level permissions block granting minimal read-only
access (for example at least contents: read and any other specific read
permissions your jobs need) to restrict default broad permissions, placing it at
the root of the workflow file just below name/on.

[andrew-fleming]

Looking good @emnul! I left some comments :)

[andrew-fleming]

Indents are going from 2 spaces to 4. Personally, 4 spaces creates too much empty space for my taste, that's why I like 2 spaces. If I'm outvoted and everyone prefers 4, let's create a separate PR focused just on that and not let it creep into a CI/deps PR

[andrew-fleming]

When I ran biome's migration feature to bump it, I got the same thing with all the "root": false. Correct me if I'm wrong, but I don't think we need it. That's what's proposed in this PR anyway #274

[andrew-fleming]

Suggested change

	}
	}

[andrew-fleming]

Suggested change

	}
	}

[andrew-fleming]

Suggested change

	"@biomejs/biome": "2.3.8",
	"@biomejs/biome": "2.3.9",

Released a couple days ago

[andrew-fleming]

Suggested change

	"$schema": "https://biomejs.dev/schemas/2.3.5/schema.json",
	"$schema": "https://biomejs.dev/schemas/2.3.9/schema.json",

or 8 if you don't want to use the latest

[andrew-fleming]

Suggested change

	}
	}

[andrew-fleming]

We have pnpm/action-setup so AFAICT corepack is redundant and can be removed

[andrew-fleming]

Suggested change

	node-version: "22.x"
	node-version-file: ".nvmrc"

[andrew-fleming]

turbo is already listed as a dep in the manifest so I don't think we need to install it again

[0xisk]

@emnul We merged this fix PR here: #274 aiming to fix the issues here, I see that only the checks pipeline is failing could you please check that?