setup-mistkit: pin to resolved revision #380

Open
leogdion wants to merge 1 commit into main from setup-mistkit-pin-revision

@leogdion leogdion commented May 23, 2026

Summary

  • setup-mistkit writes revision: "<sha>" into Package.swift instead of branch: "<name>" so swift-build@v1's package-hash invalidates when MistKit advances.
  • Resolves the input branch via git ls-remote; falls back to branch: if resolution fails.
  • Already shipped on v1.0.0-beta.2 (Tag and validate ambiguous FieldValue scalar types (#375) #377); this lands the same change on main so consumers referencing @main (BushelCloud, CelestraCloud) pick it up.

Why

CelestraCloud PR brightdigit/CelestraCloud#36 was failing on every Linux/Windows job with errors like value of type 'RecordInfo' has no member 'get' and type '_ErrorCodeProtocol' has no member 'recordOperationFailed'. Root cause: swift-build@v1 hashes swift package dump-package for the SPM cache key. With branch: pinning, that JSON is constant for a given branch name, so a stale .build/ from before #372 (RecordResult) landed kept being restored. Macros macOS passes because Xcode DerivedData cache also keys on github.sha.

Test plan

  • CelestraCloud PR Reference Field Types #36 Ubuntu/Windows jobs pass on re-run after this PR merges
  • Stale-cache scenario (push a no-op commit to a feature branch of MistKit, re-run a consumer workflow) — verify cache miss happens

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions setup workflow to provide more precise dependency pinning with automatic fallback mechanisms, improving build consistency and reliability across development platforms.

swift-build@v1's SPM cache key is hashed from `swift package dump-package`'s
canonical JSON. With the previous `branch: "<name>"` pin the dependency JSON
didn't change when the upstream branch advanced, so a new MistKit commit on
the same branch yielded a stale cache hit and consumer code that depended on
new MistKit symbols failed to compile against pre-existing cached binaries.

Resolve the input branch to its current HEAD commit via `git ls-remote` and
write `revision: "<sha>"` into Package.swift instead. The package hash now
changes whenever the branch moves, so the cache invalidates correctly. Falls
back to the original `branch:` pin if the ref can't be resolved.

This is the same shape as the explicit `git ls-remote` + cache-key fix that
already exists in CelestraCloud's update-feeds.yml, lifted into the shared
action so every consumer gets it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

coderabbitai Bot commented May 23, 2026

Walkthrough

The setup-mistkit GitHub action is updated to resolve branch names to commit SHAs and pin MistKit dependencies by revision: for reproducible builds, with graceful fallback to branch: pinning when commit resolution fails. Both Unix and Windows shell implementations are provided.

Changes

MistKit Dependency Pinning via Commit SHA

Layer / File(s) | Summary
Action metadata and package dependency pinning logic (.github/actions/setup-mistkit/action.yml) | Action description updated to reflect remote pinning to the branch's current commit. The composite action resolves the selected branch to its HEAD commit via git ls-remote and injects it into Package.swift as a revision: pin; Unix (bash + sed) and Windows (PowerShell + regex) implementations both include fallback to branch: pinning on resolution failure. Package.resolved is removed before proceeding.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A rabbit resolved to pin and persist,
Branch names to commits—no more drift or gist,
From git ls-remote to revision: it goes,
Both bash and PowerShell—wherever code flows,
With fallback in place, the build stands so strong! 🌿

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'setup-mistkit: pin to resolved revision' directly and accurately describes the main change in the PR: updating the setup-mistkit action to pin MistKit dependencies to resolved SHA revisions instead of branch names.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.



claude Bot commented May 23, 2026

Code Review: PR #380 — setup-mistkit: pin to resolved revision

Overview

This PR fixes a stale SPM build-cache bug in consumer CI (CelestraCloud, BushelCloud). By resolving the branch to its current HEAD SHA and writing revision: "<sha>" instead of branch: "<name>", the swift package dump-package output — which swift-build@v1 hashes for its cache key — now changes whenever MistKit advances. The fallback to branch: on resolution failure is a sensible safety net.

The fix is correct and the motivation is well-understood. A few issues worth addressing before merge:


Bug: git ls-remote pattern is too broad

Unix step:

git ls-remote treats its last argument as a pattern matched against all ref names. Passing the bare branch name (e.g. "main") can match refs/heads/main, refs/tags/main, etc. With head -n1 you get whichever comes first — typically the branch, but not guaranteed if a same-named tag exists.

Recommendation: Scope to branches only:

Unix:

REF=$(git ls-remote https://github.com/brightdigit/MistKit.git "refs/heads/$BRANCH" | head -n1 | cut -f1)

PowerShell:

$ref = (git ls-remote https://github.com/brightdigit/MistKit.git "refs/heads/$branch" | Select-Object -First 1) -split "`t" | Select-Object -First 1

Minor: sed delimiter collision

The sed substitution uses | as its delimiter. If a branch name contains a literal | (technically valid in git), the $REQ value injected into the sed command would corrupt it. SHA values are always hex so the revision: path is safe; only the branch: fallback path is at risk. Using a different delimiter (e.g. @) removes this edge case entirely.


Observation: silent fallback degradation

The fallback to branch: pin on resolution failure silently reverts to the pre-fix behaviour. A ::warning:: annotation would surface this in the Actions UI and help diagnose unexpected cache hits in consumer repos:

echo "::warning::Could not resolve $BRANCH to a commit; falling back to branch pin (cache may be stale)"

Positive notes

  • Both Unix and Windows implementations are updated consistently.
  • Deleting Package.resolved after rewriting Package.swift is correct.
  • The action description update accurately reflects the new behaviour.
  • Echo statements (Pinning MistKit to ... @ ...) are useful for diagnosing cache behaviour in run logs.
  • The fallback design is correct — a transient git ls-remote failure should not break the workflow.

Summary

Finding | Severity
git ls-remote bare branch name matches tags and other refs, not just the branch | Bug — a same-named tag silently pins to the wrong SHA
sed delimiter `|` collides with branch names containing `|` | Minor / edge case
Fallback degrades silently without a visible warning | Suggestion

The approach is correct. Scoping git ls-remote to refs/heads/ is the only change I would call blocking.
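The ref-scoping and visible-fallback points from this review, as an added example (not code from the PR or from the setup-mistkit action): it picks only the exact `refs/heads/<branch>` line out of `git ls-remote` output, checks that the result is a 40-hex object id, and otherwise emits the branch pin with a warning. The function names and the sample refs (three refs a bare `main` pattern can match) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: names below are hypothetical, not taken from the action.

# Constructed `git ls-remote` output (object id <TAB> ref name): a nested
# branch, the wanted branch, and a tag that all end in "main".
SAMPLE_REFS=$(printf '%s\t%s\n' \
  1111111111111111111111111111111111111111 refs/heads/feature/main \
  2222222222222222222222222222222222222222 refs/heads/main \
  3333333333333333333333333333333333333333 refs/tags/main)

# Read ls-remote output on stdin; print the object id of exactly
# refs/heads/<branch>. The ref is compared as a literal string, so glob
# characters or a same-named tag cannot widen the match.
resolve_branch_sha() {
  WANT="refs/heads/$1" awk -F '\t' '$2 == ENVIRON["WANT"] { print $1; exit }'
}

# Succeeds only for a full 40-character lowercase hex (SHA-1) object id.
is_commit_id() {
  [ "${#1}" -eq 40 ] || return 1
  case $1 in *[!0-9a-f]*) return 1 ;; esac
  return 0
}

# Print the Package.swift requirement for MistKit: a revision pin when the
# branch resolved, otherwise the branch pin plus an Actions warning. The
# warning goes to stderr so capturing stdout yields only the requirement.
mistkit_requirement() {
  sha=$(resolve_branch_sha "$1")
  if is_commit_id "$sha"; then
    printf 'revision: "%s"\n' "$sha"
  else
    echo "::warning::Could not resolve $1 to a commit; falling back to branch pin (cache may be stale)" >&2
    printf 'branch: "%s"\n' "$1"
  fi
}

# Real use (URL from the PR):
#   git ls-remote https://github.com/brightdigit/MistKit.git "refs/heads/$BRANCH" | mistkit_requirement "$BRANCH"
printf '%s\n' "$SAMPLE_REFS" | mistkit_requirement main
```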

@coderabbitai coderabbitai Bot left a comment

🧹 Nitpick comments (1)
.github/actions/setup-mistkit/action.yml (1)

22-22: ⚡ Quick win

Reduce git ls-remote branch/tag ambiguity (currently low risk)

The MistKit remote currently shows no branch/tag name collisions, and git ls-remote ... main returns only refs/heads/main; so the head -n1 ambiguity concern is unlikely to occur in practice. Using refs/heads/$BRANCH is still a small intent-explicit improvement.

Suggested refinement for explicit branch matching
-        REF=$(git ls-remote https://github.com/brightdigit/MistKit.git "$BRANCH" | head -n1 | cut -f1)
+        REF=$(git ls-remote https://github.com/brightdigit/MistKit.git "refs/heads/$BRANCH" | head -n1 | cut -f1)
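Review bot: On the `+` line, REF is taken from `head -n1 | cut -f1` without checking that it is a commit id, and `$BRANCH` is still interpolated into an ls-remote pattern, so a branch input containing glob characters can still match several refs and `head -n1` picks one of them. Since REF becomes the `revision:` pin in Package.swift, validate it against `^[0-9a-f]{40}$` directly after this line and treat anything else as unresolved, so the existing fallback to the `branch:` pin handles it.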
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/actions/setup-mistkit/action.yml at line 22, The git ls-remote
invocation that sets REF should explicitly match branch refs to avoid tag/branch
ambiguity: update the command that assigns REF (the line using REF=$(git
ls-remote ... "$BRANCH" | head -n1 | cut -f1)) to query refs/heads/$BRANCH
instead of just "$BRANCH" so it only returns branch refs; keep the rest of the
pipeline (head -n1 | cut -f1) intact to extract the commit SHA into REF.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c1256399-2782-4011-8819-dd2a3fd8f497

📥 Commits

Reviewing files that changed from the base of the PR and between 2537f39 and 9c64535.

📒 Files selected for processing (1)
  • .github/actions/setup-mistkit/action.yml


codecov Bot commented May 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 67.66%. Comparing base (d11c6c5) to head (9c64535).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #380      +/-   ##
==========================================
- Coverage   68.95%   67.66%   -1.29%     
==========================================
  Files         111      111              
  Lines        2641     2641              
==========================================
- Hits         1821     1787      -34     
- Misses        820      854      +34     
Flag Coverage Δ
mistdemo-spm-macos ?
mistdemo-swift-6.2-jammy ?
mistdemo-swift-6.2-noble ?
mistdemo-swift-6.3-jammy ?
mistdemo-swift-6.3-noble ?
spm 67.24% <ø> (+0.07%) ⬆️
swift-6.1-jammy 67.24% <ø> (+0.07%) ⬆️
swift-6.1-noble 67.43% <ø> (+0.18%) ⬆️
swift-6.2-jammy 67.24% <ø> (-0.04%) ⬇️
swift-6.2-noble 67.28% <ø> (-0.19%) ⬇️
swift-6.3-jammy 67.24% <ø> (-0.23%) ⬇️
swift-6.3-noble 67.47% <ø> (ø)
