Skip to content

fix(ci): plumb github-token cross-org so the flake-fetch 429 fix works#240

Merged
thedavidmeister merged 1 commit into
mainfrom
fix/nix-access-tokens-cross-org
Jun 28, 2026
Merged

fix(ci): plumb github-token cross-org so the flake-fetch 429 fix works#240
thedavidmeister merged 1 commit into
mainfrom
fix/nix-access-tokens-cross-org

Conversation

@thedavidmeister

@thedavidmeister thedavidmeister commented Jun 28, 2026

Copy link
Copy Markdown
Contributor

Problem

#239 added access-tokens = github.com=${{ github.token }} to the shared nix-cachix-setup preamble, but the 429 persisted for cross-org consumers — S01-Issuer's st0x deploy 429'd again ~40 min after #239 merged. Root cause: ${{ github.token }} evaluates to empty inside a composite invoked across the org boundary, so the access-token line was effectively github.com= (no token) and the rainix flake fetch stayed unauthenticated.

Fix

Add a github-token input to the composite and use access-tokens = github.com=${{ inputs.github-token || github.token }} — the explicit input wins, bare ${{ github.token }} is the same-org fallback. The 12 cross-org reusables pass github-token: ${{ github.token }} (which is populated in the reusable workflow's own context, unlike the composite's); check-shell.yml + test.yml (rainix's own same-org CI) omit it and ride the fallback. Consumers need no change — they already get a run token automatically.

Builds on #239.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features

    • Added support for passing a GitHub token into the shared CI setup.
    • Updated multiple workflows to provide the built-in token during setup, improving reliability for GitHub API access in automated runs.
  • Bug Fixes

    • Reduced the chance of rate-limit issues during dependency resolution in CI, especially across repository boundaries.

…cross-org

#239 added access-tokens = github.com=${{ github.token }} to the
nix-cachix-setup preamble, but github.token evaluates to EMPTY inside a
composite invoked across the org boundary, so the access-token stayed empty and
the rainix flake fetch kept 429ing for cross-org consumers (S01-Issuer st0x).

Add a github-token input and use
access-tokens = github.com=${{ inputs.github-token || github.token }} -- input
wins, bare token is the same-org fallback. The 12 cross-org reusables pass
github-token: ${{ github.token }} (populated in the reusable's own context);
check-shell/test ride the fallback.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@thedavidmeister thedavidmeister self-assigned this Jun 28, 2026
@coderabbitai

coderabbitai Bot commented Jun 28, 2026

Copy link
Copy Markdown

Review Change Stack

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2a62788d-cf6a-4729-ba08-a630328afa9c

📥 Commits

Reviewing files that changed from the base of the PR and between 6147dbf and e938958.

📒 Files selected for processing (13)
  • .github/actions/nix-cachix-setup/action.yml
  • .github/workflows/rainix-autopublish.yaml
  • .github/workflows/rainix-copy-artifacts.yaml
  • .github/workflows/rainix-manual-sol-artifacts.yaml
  • .github/workflows/rainix-rs-static.yaml
  • .github/workflows/rainix-rs-test.yaml
  • .github/workflows/rainix-rs-wasm-test.yaml
  • .github/workflows/rainix-rs-wasm.yaml
  • .github/workflows/rainix-sol-legal.yaml
  • .github/workflows/rainix-sol-static.yaml
  • .github/workflows/rainix-sol-test.yaml
  • .github/workflows/rainix-subgraph-test.yaml
  • .github/workflows/rainix-vercel.yaml

📝 Walkthrough

Walkthrough

A new optional github-token input is added to the nix-cachix-setup composite action. When provided, this token is used for Nix's GitHub API authentication; otherwise it falls back to github.token. All caller workflows are updated to pass github.token into this new input.

Changes

GitHub Token Plumbing into nix-cachix-setup

Layer / File(s) Summary
Composite action input and token wiring
.github/actions/nix-cachix-setup/action.yml
Adds optional github-token input (default empty) and updates access-tokens to prefer inputs.github-token with fallback to github.token.
Workflow callers passing github-token
.github/workflows/rainix-autopublish.yaml, .github/workflows/rainix-copy-artifacts.yaml, .github/workflows/rainix-manual-sol-artifacts.yaml, .github/workflows/rainix-rs-*.yaml, .github/workflows/rainix-sol-*.yaml, .github/workflows/rainix-subgraph-test.yaml, .github/workflows/rainix-vercel.yaml
Each workflow's nix-cachix-setup step gains github-token: ${{ github.token }} in its with: inputs.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 A token for Nix, passed down the chain,
No more rate-limit tears in the rain.
Each workflow now speaks with proper auth,
The flakes resolve true, going forth.
Hop hop hooray, the tokens align! 🌟

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the core CI change: plumbing a GitHub token for cross-org flake-fetch rate-limit/auth fixes.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/nix-access-tokens-cross-org

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@thedavidmeister

Copy link
Copy Markdown
Contributor Author

Reviewed e938958: cross-org follow-up to #239. Adds a github-token input to nix-cachix-setup and sets access-tokens = github.com=${{ inputs.github-token || github.token }} (explicit input wins for cross-org callers; bare ${{ github.token }} is the same-org fallback), plumbing github-token: ${{ github.token }} through the 12 cross-org reusables. Fixes the persistent cross-org 429 — github.token is empty inside a composite invoked across the org boundary but populated in the reusable's own context. check-shell.yml/test.yml ride the fallback. CI-config only, builds on #239, low risk. Approve.

@thedavidmeister thedavidmeister merged commit 74c461f into main Jun 28, 2026
10 of 13 checks passed
@github-actions

Copy link
Copy Markdown

@coderabbitai assess this PR size classification for the totality of the PR with the following criterias and report it in your comment:

S/M/L PR Classification Guidelines:

This guide helps classify merged pull requests by effort and complexity rather than just line count. The goal is to assess the difficulty and scope of changes after they have been completed.

Small (S)

Characteristics:

  • Simple bug fixes, typos, or minor refactoring
  • Single-purpose changes affecting 1-2 files
  • Documentation updates
  • Configuration tweaks
  • Changes that require minimal context to review

Review Effort: Would have taken 5-10 minutes

Examples:

  • Fix typo in variable name
  • Update README with new instructions
  • Adjust configuration values
  • Simple one-line bug fixes
  • Import statement cleanup

Medium (M)

Characteristics:

  • Feature additions or enhancements
  • Refactoring that touches multiple files but maintains existing behavior
  • Breaking changes with backward compatibility
  • Changes requiring some domain knowledge to review

Review Effort: Would have taken 15-30 minutes

Examples:

  • Add new feature or component
  • Refactor common utility functions
  • Update dependencies with minor breaking changes
  • Add new component with tests
  • Performance optimizations
  • More complex bug fixes

Large (L)

Characteristics:

  • Major feature implementations
  • Breaking changes or API redesigns
  • Complex refactoring across multiple modules
  • New architectural patterns or significant design changes
  • Changes requiring deep context and multiple review rounds

Review Effort: Would have taken 45+ minutes

Examples:

  • Complete new feature with frontend/backend changes
  • Protocol upgrades or breaking changes
  • Major architectural refactoring
  • Framework or technology upgrades

Additional Factors to Consider

When deciding between sizes, also consider:

  • Test coverage impact: More comprehensive test changes lean toward larger classification
  • Risk level: Changes to critical systems bump up a size category
  • Team familiarity: Novel patterns or technologies increase complexity

Notes:

  • the assessment must be for the totality of the PR, that means comparing the base branch to the last commit of the PR
  • the assessment output must be exactly one of: S, M or L (single-line comment) in format of: SIZE={S/M/L}
  • do not include any additional text, only the size classification
  • your assessment comment must not include tips or additional sections
  • do NOT tag me or anyone else on your comment

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant