Merged
31 changes: 31 additions & 0 deletions .github/workflows/copy-artifacts.yaml
@@ -0,0 +1,31 @@
name: copy-artifacts
on: [push]
jobs:
copy-artifacts:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: nixbuild/nix-quick-install-action@v30
with:
nix_conf: |
keep-env-derivations = true
keep-outputs = true
Comment on lines +10 to +12
🧹 Nitpick | 🔵 Trivial | 💤 Low value

Consider removing unnecessary Nix configuration.

The keep-env-derivations and keep-outputs settings preserve build outputs and environments, which are typically useful for debugging or inspecting build artifacts. For this CI workflow that only needs to build and verify, these settings may add overhead without benefit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/copy-artifacts.yaml around lines 12 - 14, Remove the
unnecessary Nix configuration entries from the workflow: delete the
keep-env-derivations and keep-outputs keys under the nix_conf block so the CI
run uses default Nix behavior and avoids preserving build outputs/environments;
update the nix_conf section (the block containing keep-env-derivations and
keep-outputs) to only include required options or be omitted entirely.

- name: Restore and save Nix store
uses: nix-community/cache-nix-action@v6
with:
primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
restore-prefixes-first-match: nix-${{ runner.os }}-
gc-max-store-size-linux: 1G
- name: Install soldeer dependencies
if: hashFiles('soldeer.lock') != ''
run: nix develop github:rainlanguage/rainix#sol-shell -c forge soldeer install
- name: Build solidity artifacts
run: nix develop github:rainlanguage/rainix#sol-shell -c forge build
- name: Copy forge artifacts into committed location
run: nix develop github:rainlanguage/rainix#sol-shell -c forge script ./script/CopyArtifacts.sol
- name: Assert committed artifacts match freshly built
run: |
if ! git diff --exit-code; then
echo "::error::Committed artifacts in crates/float/abi/ are stale. Run 'forge script script/CopyArtifacts.sol' and commit the updated files."
exit 1
fi
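Review bot: the staleness gate at the end of this hunk does not see newly generated files: `git diff --exit-code` only compares tracked files with the index, so an artifact that `forge script ./script/CopyArtifacts.sol` writes into crates/float/abi/ for the first time is untracked and the step passes while the committed tree is incomplete. Stage first, e.g. `git add -A crates/float/abi/ && git diff --cached --exit-code` (or fail on a non-empty `git status --porcelain`), so additions and deletions are caught as well as edits. Separately, the three `nix develop github:rainlanguage/rainix#sol-shell` invocations reference the flake without a rev, so the toolchain that produces the committed artifacts can change underneath this job; pinning it to a commit (`github:rainlanguage/rainix/<full_commit_sha>#sol-shell`) gives the same reproducibility that the SHA-pinning comment on rainix-rs-static.yaml asks for.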
5 changes: 5 additions & 0 deletions .github/workflows/rainix-rs-static.yaml
@@ -0,0 +1,5 @@
name: rainix-rs-static
on: [push]
jobs:
rs-static:
uses: rainlanguage/rainix/.github/workflows/rainix-rs-static.yaml@main
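Review bot: the caller sets no `permissions:` block, so the called workflow runs with whatever default GITHUB_TOKEN scope the repository grants instead of an explicit minimum; add `permissions: contents: read` at the workflow or job level (a reusable workflow can only narrow what the caller grants, never widen it). This belongs together with pinning `@main` to a full commit SHA as the comment below suggests, because a mutable ref combined with an implicit token scope is exactly the combination in which an unreviewed upstream change could run here with write access.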
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -nP '^\s*uses:\s*[^#\n]+@(?:main|master|[A-Za-z0-9._/-]+)$' .github/workflows

Repository: rainlanguage/rain.math.float

Length of output: 1019


🏁 Script executed:

# Check for any comments or documentation about workflow pinning strategy
find .github -name "*.md" -o -name "*.txt" -o -name "*.yaml" -o -name "*.yml" | head -20

Repository: rainlanguage/rain.math.float

Length of output: 371


🏁 Script executed:

# Look for README or documentation files that might explain the workflow strategy
find . -maxdepth 2 -name "README*" -o -name "CONTRIBUTING*" | head -10

Repository: rainlanguage/rain.math.float

Length of output: 84


🏁 Script executed:

# Check if there are any comments in workflow files about the pinning strategy
rg -A 2 "uses:.*@main" .github/workflows/ -t yaml

Repository: rainlanguage/rain.math.float

Length of output: 1097


🏁 Script executed:

# Check the README for any guidance on workflow versions
cat README.md | head -100

Repository: rainlanguage/rain.math.float

Length of output: 4414


🏁 Script executed:

# Check the actual content of the rainix-rs-static.yaml file to confirm context
cat -n .github/workflows/rainix-rs-static.yaml

Repository: rainlanguage/rain.math.float

Length of output: 235


Pin the reusable workflow to an immutable commit SHA.

Using @main makes CI behavior mutable and weakens supply-chain guarantees. Pin this reusable workflow to a full commit SHA for reproducibility and tamper resistance.

Suggested change
 jobs:
   rs-static:
-    uses: rainlanguage/rainix/.github/workflows/rainix-rs-static.yaml@main
+    uses: rainlanguage/rainix/.github/workflows/rainix-rs-static.yaml@<full_commit_sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rainix-rs-static.yaml at line 5, Replace the mutable
branch reference in the workflow invocation "uses:
rainlanguage/rainix/.github/workflows/rainix-rs-static.yaml@main" with an
immutable full commit SHA; locate the line containing that exact "uses:
rainlanguage/rainix/.github/workflows/rainix-rs-static.yaml@main" string and
update the tail after '@' to the repository commit SHA (e.g.,
@<full-commit-sha>) to pin the reusable workflow to a specific commit for
reproducible CI.

3 changes: 0 additions & 3 deletions .github/workflows/rainix.yaml
Expand Up @@ -10,9 +10,6 @@ jobs:
os: [ubuntu-latest, macos-latest]
task: ["cargo test"]
include:
# We don't need to do rust static analysis on multiple platforms
- os: ubuntu-latest
task: rainix-rs-static
# We don't need to do build for wasm32 on multiple platforms
- os: ubuntu-latest
task: test-wasm-build
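Review bot: the rendered diff has lost its `-` markers, but the header's 3 deletions line up with the `# We don't need to do rust static analysis on multiple platforms` comment and the `rainix-rs-static` include entry, which matches the job moving to the new standalone workflow. Two follow-ups: if a later step in this file switches on the task name, the `rainix-rs-static` branch is now dead and should go in the same change; and any branch-protection required check that named the old matrix job needs to be renamed to the new `rs-static` job, otherwise the gate silently stops applying.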
1 change: 1 addition & 0 deletions .prettierignore
@@ -0,0 +1 @@
crates/float/abi/
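Review bot: excluding crates/float/abi/ from prettier is the right pairing with the stale-artifact check in copy-artifacts.yaml: if the formatter rewrote the generated ABI JSON, `git diff --exit-code` in that workflow would fail on formatting noise rather than on real drift. A one-line `#` comment in this file noting that the directory is generated by script/CopyArtifacts.sol would stop someone removing the entry later.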
1 change: 1 addition & 0 deletions REUSE.toml
Expand Up @@ -5,6 +5,7 @@ path = [
".envrc",
".gas-snapshot",
".github/workflows/**/",
".prettierignore",
".vscode/**/",
".soldeerignore",
"audit/**/",
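Review bot: adding `.prettierignore` here keeps REUSE from flagging the new file, and the two new workflow files are already covered by the existing `.github/workflows/**/` glob, so nothing else is missing from this hunk. Worth checking that the generated files under crates/float/abi/, which the copy step now commits, are also covered by an entry in this file; if they are not, the REUSE lint will start failing on the next run.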