feat: migrate to soldeer #29
Replaces git-submodule plumbing with soldeer dependencies:
- forge-std@1.16.1
- @openzeppelin-contracts@5.6.1 (was 5.5.0 submodule)
- rain-extrospection@0.1.0
- rain-deploy@0.1.2

Drops `lib/` submodules, `.gitmodules`, `foundry.lock`, the `remappings = [...]` line, the `libs = ['lib']`, and the `no_match_path = "lib/**/test/**"` exclusion. soldeer auto-generates `remappings.txt` (gitignored).

Imports rewritten:
- `rain.X/lib/...` → `rain-X-<ver>/src/lib/...`
- `forge-std/...` → `forge-std-1.16.1/src/...`
- `openzeppelin-contracts/contracts/...` → `@openzeppelin-contracts-5.6.1/...`

CI workflow modernized: drops the pre-soldeer `rainix.yaml` matrix (which still used `submodules: recursive` + `DeterminateSystems/nix-installer-action` + `rainix-sol-prelude`) in favour of a one-line wrapper calling the upstream `rainix-sol` composite reusable. Adds `publish-soldeer.yaml` so v* tags push the package to soldeer.xyz via rainix's reusable.

.soldeerignore mirrors rain.math.float's: excludes CI/dev config, audit prose, build caches, and the soldeer-managed dependencies/ directory itself.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Walkthrough
This PR migrates the repository from git submodules to Soldeer package management. It removes
Changes
Soldeer Dependency Migration
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
Slither was flagging too-many-digits inside dependencies/@openzeppelin-contracts-5.6.1/proxy/Clones.sol — the post-migration soldeer location. The old filter targeted lib/openzeppelin-contracts, which no longer exists. Replaces with the soldeer-pinned paths (dependencies/forge-std-1.16.1, dependencies/@openzeppelin-contracts-5.6.1). Drops `test` from filter_paths — CLAUDE.md rule: do not exclude test/ from slither analysis. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
reuse lint flagged the new soldeer metadata files as missing copyright/license info. Add them to the umbrella annotation alongside .gitignore, foundry.lock, etc. — same shape as float's REUSE.toml. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish-soldeer.yaml:
- Around line 7-8: Replace the mutable ref in the reusable workflow invocation
(the line using
"rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main") with an
immutable ref such as a commit SHA or a verified release tag (e.g., change the
"@main" suffix to a specific commit SHA or release ref) so the "uses" entry is
pinned; keep "secrets: inherit" as needed but do not rely on branch names for
trust boundaries and update any documentation or PR notes to indicate the pinned
ref used.
In @.github/workflows/rainix-sol.yaml:
- Around line 5-6: Replace the mutable reference "uses:
rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main" with a specific
commit SHA to pin the reusable workflow; locate the "uses" line in the file (the
line that currently ends with "@main"), determine the commit SHA you trust
(e.g., from the upstream repo's commit history or GitHub UI), and update the
"uses" value to "…@<commit-sha>" so the workflow runs a fixed revision while
leaving "secrets: inherit" as-is.
⛔ Files ignored due to path filters (2)
- foundry.lock is excluded by !**/*.lock
- soldeer.lock is excluded by !**/*.lock
📒 Files selected for processing (18)
- .github/workflows/publish-soldeer.yaml
- .github/workflows/rainix-sol.yaml
- .github/workflows/rainix.yaml
- .gitignore
- .gitmodules
- .soldeerignore
- REUSE.toml
- foundry.toml
- lib/forge-std
- lib/openzeppelin-contracts
- lib/rain.deploy
- lib/rain.extrospection
- script/Deploy.sol
- slither.config.json
- src/concrete/CloneFactory.sol
- test/src/concrete/CloneFactory.t.sol
- test/src/lib/LibCloneFactoryDeploy.t.sol
- test/src/lib/LibCloneFactoryDeployProd.t.sol
💤 Files with no reviewable changes (6)
- lib/rain.deploy
- lib/rain.extrospection
- lib/forge-std
- .gitmodules
- .github/workflows/rainix.yaml
- lib/openzeppelin-contracts
| uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main | ||
| secrets: inherit |
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Verify mutable reusable-workflow refs that should be pinned.
rg -nP '^\s*uses:\s*rainlanguage/rainix/.+@main\b' .github/workflows -C2
Repository: rainlanguage/rain.factory
Length of output: 602
🏁 Script executed:
#!/bin/bash
# Check for security policies, guidelines, or documentation about GitHub Actions pinning
find . -maxdepth 2 -type f \( -name "SECURITY.md" -o -name "CONTRIBUTING.md" -o -name ".github/GOVERNANCE.md" -o -name "README.md" \) | head -10
Repository: rainlanguage/rain.factory
Length of output: 81
🏁 Script executed:
#!/bin/bash
# Look for any comments or documentation in workflow files about pinning strategy
rg -l 'pin|immutable|sha|security|commit' .github/workflows/ | head -20
Repository: rainlanguage/rain.factory
Length of output: 51
🏁 Script executed:
#!/bin/bash
# Check README for any mentions of Actions, security practices, or pinning
rg -i 'action|workflow|pin|security|sha' README.md
Repository: rainlanguage/rain.factory
Length of output: 98
🏁 Script executed:
#!/bin/bash
# Check all workflow files to see what pinning strategy is used elsewhere
rg -h 'uses:.*@' .github/workflows/ | head -20
Repository: rainlanguage/rain.factory
Length of output: 689
🏁 Script executed:
#!/bin/bash
# Check all workflow files to see what pinning strategy is used elsewhere
rg 'uses:.*@' .github/workflows/ | head -30
Repository: rainlanguage/rain.factory
Length of output: 567
🏁 Script executed:
#!/bin/bash
# Verify the exact state of the file at lines 7-8
cat -n .github/workflows/publish-soldeer.yaml | head -10
Repository: rainlanguage/rain.factory
Length of output: 291
Pin reusable workflow to an immutable commit SHA.
Using @main for a reusable workflow while inheriting secrets creates a mutable trust boundary. Pin to a commit SHA (or an immutable, verified release ref) to prevent upstream ref drift from changing privileged CI behavior.
Suggested change
- uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main
+ uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@<commit-sha>🤖 Prompt for AI Agents
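Review bot: the `+` line leaves `@<commit-sha>` as a placeholder, so the fix should say that it has to be the full-length 40-character commit SHA of the rainix commit that was actually reviewed, not an abbreviated SHA or a tag. Keep the upstream branch or tag it was taken from in a trailing YAML comment on the same `uses:` line so that each later bump is a one-line diff a reviewer can check against upstream. Because this is the publish workflow and the comment says it runs with `secrets: inherit`, the pinned revision should be re-read every time that SHA changes.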
| uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main | ||
| secrets: inherit |
🧩 Analysis chain
🏁 Script executed:
find . -name "rainix-sol.yaml" -type f
Repository: rainlanguage/rain.factory
Length of output: 105
🏁 Script executed:
git ls-files | grep -E "\.github/workflows"
Repository: rainlanguage/rain.factory
Length of output: 186
🏁 Script executed:
cat -n .github/workflows/rainix-sol.yaml 2>/dev/null || echo "File not found in standard location"
Repository: rainlanguage/rain.factory
Length of output: 249
🏁 Script executed:
grep -r "uses:.*@main\|uses:.*@v[0-9]" .github/workflows/ --include="*.yaml" --include="*.yml"
Repository: rainlanguage/rain.factory
Length of output: 567
🏁 Script executed:
grep -l "secrets: inherit" .github/workflows/*.yaml 2>/dev/null
Repository: rainlanguage/rain.factory
Length of output: 142
Pin the reusable workflow to a specific commit SHA instead of using @main.
Line 5 uses @main, a mutable branch reference. Combined with secrets: inherit on line 6, this allows unreviewed upstream changes to execute with privileged access. Pin to a specific commit SHA to prevent unauthorized modifications.
- uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
+ uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@<commit-sha>🤖 Prompt for AI Agents
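Review bot: pinning the `+` line stops ref drift, but the suggestion leaves `secrets: inherit` on line 6 as it is, which still hands every secret of the calling repository to the called workflow. If rainix-sol.yaml needs none of them, or only a few, pass those by name under `secrets:` instead (the called workflow then has to declare them under `on.workflow_call.secrets`), so that a mistaken or stale pin exposes less.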
Migrates rain.factory from git submodules to soldeer deps (forge-std 1.16.1, @openzeppelin-contracts 5.6.1, rain-extrospection 0.1.0, rain-deploy 0.1.2). Drops the pre-soldeer CI workflow; uses upstream rainix-sol composite reusable. Adds publish-soldeer wrapper. Unblocks rain.tofu.erc20-decimals + chain. Tracked under S01-Issuer/st0x.deploy#175.
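The check that both review comments above ask for, written as a lint over workflow text. This is an added example, not part of the PR or of CodeRabbit's output. It is stricter than the review in that only a full 40-character commit SHA counts as pinned, and the sample workflow, the `example-org/ci` path and the placeholder SHA are constructed.

```python
import re

USES = re.compile(r"^(\s*)(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
INHERIT = re.compile(r"^\s*secrets:\s*inherit\s*(#.*)?$")
FULL_SHA = re.compile(r"[0-9a-f]{40}")

def _depth(line):
    # Blank lines never close a YAML mapping, so treat them as infinitely deep.
    return len(line) - len(line.lstrip()) if line.strip() else 10**6

def audit(path, text):
    """Return (path, line_no, target, inherits_secrets) per mutable `uses:` ref."""
    lines, findings = text.splitlines(), []
    for i, line in enumerate(lines):
        m = USES.match(line)
        if not m or m.group(2).startswith(("./", "docker://")):
            continue  # local refs are versioned with the calling repo
        target = m.group(2)
        if FULL_SHA.fullmatch(target.partition("@")[2]):
            continue  # pinned to a full-length commit SHA
        indent = len(m.group(1))
        # Expand to the enclosing job mapping: lines at the same or deeper indent.
        lo = hi = i
        while lo > 0 and _depth(lines[lo - 1]) >= indent:
            lo -= 1
        while hi + 1 < len(lines) and _depth(lines[hi + 1]) >= indent:
            hi += 1
        inherits = any(INHERIT.match(l) and _depth(l) == indent
                       for l in lines[lo:hi + 1])
        findings.append((path, i + 1, target, inherits))
    return findings

# Constructed workflow; the 40-hex SHA is a placeholder, not a real commit.
SAMPLE = """\
jobs:
  rainix-sol:
    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
    secrets: inherit
  pinned:
    uses: example-org/ci/.github/workflows/build.yaml@0123456789abcdef0123456789abcdef01234567
    secrets: inherit
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""

if __name__ == "__main__":
    for path, n, target, inherits in audit("workflow.yaml", SAMPLE):
        print(f"{path}:{n}: mutable ref {target}" + (" + secrets: inherit" if inherits else ""))
```

Findings with `inherits_secrets` set are the ones the review treats as a trust-boundary problem; the rest are mutable refs that run without inherited secrets.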