
soldeer migration #6

Merged
thedavidmeister merged 1 commit into main from 2026-05-14-soldeer on May 14, 2026

Conversation

thedavidmeister (Collaborator) commented May 14, 2026

Summary

Migrate the only external dep (forge-std) from git submodule to soldeer.

  • foundry.toml: [dependencies] block, [soldeer] recursive_deps = false, libs = ['dependencies'].
  • Single source import rewritten to versioned soldeer path.
  • lib/ submodule + .gitmodules + foundry.lock removed.
  • Inline rainix.yaml replaced with upstream rainix-sol reusable.
  • Added publish-soldeer.yaml.
  • .soldeerignore + .gitignore + REUSE.toml updated.

Test plan

  • CI green
  • tag v0.1.0 → publish-soldeer succeeds (unblocks rain.vats soldeer migration)

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Added automated publishing workflow to Soldeer package registry.
    • Refactored CI/CD pipeline to use external reusable workflows for improved maintainability.
    • Updated project configuration to use Soldeer for dependency management instead of git submodules.
    • Updated build configuration files and import paths to reflect new dependency setup.

Migrate from forge-std submodule to soldeer. Only one external dep so the migration is minimal: foundry.toml gets [dependencies] + [soldeer] blocks, lib/ submodules and .gitmodules removed, the single forge-std import in test rewritten to the versioned soldeer path.

Workflows: drop inline rainix.yaml in favour of upstream rainix-sol reusable; add publish-soldeer.yaml. .soldeerignore added; .gitignore + REUSE.toml updated for the new file layout.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@thedavidmeister thedavidmeister self-assigned this May 14, 2026
coderabbitai (bot) commented May 14, 2026

Walkthrough

This PR migrates the repository from git submodules to Soldeer package management. It removes the forge-std submodule reference, adds Soldeer configuration (pinning forge-std v1.16.1), updates build paths and remappings, simplifies GitHub Actions workflows to use upstream reusable workflows, and updates repository metadata accordingly.

Changes

Soldeer Dependency Migration

Layer / File(s) / Summary:

  • Soldeer configuration and forge-std pinning (foundry.toml, remappings.txt, .soldeerignore): foundry.toml adds [dependencies] with forge-std = "1.16.1" and [soldeer] with recursive_deps = false, configures libs = ['dependencies'] path, and sets cbor_metadata = false. remappings.txt maps forge-std-1.16.1/ to dependencies/forge-std-1.16.1/. .soldeerignore is created to exclude common editor, build, and Soldeer-related files from packaging.
  • Dependency management transition (.gitmodules, lib/forge-std): .gitmodules submodule entry for lib/forge-std is removed. The lib/forge-std submodule reference is updated to reflect the transition away from git submodules.
  • Repository ignore and build paths (.gitignore): Updated to ignore out/ and dependencies/ directories used by Soldeer and Foundry.
  • Test import updates (test/src/concrete/VerifyAlwaysApproved.accountStatusAtTime.t.sol): Test now imports Test from versioned forge-std-1.16.1/src/Test.sol instead of generic forge-std/Test.sol to match pinned dependency version.
  • Repository metadata updates (REUSE.toml): Annotations path list updated to include .soldeerignore, foundry.toml, slither.config.json, and soldeer.lock; .gitignore is removed from the list.
  • CI workflow modernization (.github/workflows/publish-soldeer.yaml, .github/workflows/rainix.yaml): New publish-soldeer.yaml workflow triggers on version tag pushes and delegates to upstream reusable workflow. rainix.yaml is simplified from a self-contained Nix CI job (with matrix, caching, environment setup) to a minimal wrapper that calls upstream rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main reusable workflow, reducing maintenance burden. Both inherit repository secrets.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'soldeer migration' accurately reflects the main objective of the changeset: migrating external dependencies from git submodules to Soldeer package management, as evidenced by foundry.toml changes, .soldeerignore addition, workflow updates, and submodule removal.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

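The walkthrough above lists three places that have to agree on the forge-std pin after this migration: the [dependencies] table in foundry.toml, the remappings.txt line, and the versioned import path in the test. The following check is an added example (not code from the PR or from the rain.verify.interface project) that parses those three and flags drift between them, plus a leftover lib/forge-std submodule entry. The file contents embedded below are constructed from the walkthrough's description and are assumptions, not the repository's real files.

```python
import re

# Constructed file contents reflecting what the walkthrough describes. They are
# assumptions for this example; the real files in the repository may differ.
FOUNDRY_TOML = """\
[profile.default]
libs = ['dependencies']
cbor_metadata = false

[dependencies]
forge-std = "1.16.1"

[soldeer]
recursive_deps = false
"""

REMAPPINGS_TXT = "forge-std-1.16.1/=dependencies/forge-std-1.16.1/\n"

SOURCES = {
    "test/src/concrete/VerifyAlwaysApproved.accountStatusAtTime.t.sol":
        'import {Test} from "forge-std-1.16.1/src/Test.sol";\n',
}

TOML_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
TOML_STRING_KV_RE = re.compile(r'^(?P<key>[A-Za-z0-9_.-]+)\s*=\s*"(?P<value>[^"]+)"$')
IMPORT_RE = re.compile(r'import\s+(?:\{[^}]*\}\s+from\s+)?"(?P<path>[^"]+)"')


def parse_dependencies(toml_text: str) -> dict[str, str]:
    """Minimal parse of the [dependencies] table: `name = "version"` entries only
    (the form this PR uses); table-valued entries are deliberately not handled."""
    deps, section = {}, None
    for raw in toml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = TOML_SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = TOML_STRING_KV_RE.match(line)
        if section == "dependencies" and m:
            deps[m.group("key")] = m.group("value")
    return deps


def parse_remappings(text: str) -> dict[str, str]:
    """`prefix/=path/` lines from remappings.txt, keyed by prefix."""
    maps = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and "=" in line:
            prefix, target = line.split("=", 1)
            maps[prefix] = target
    return maps


def check_pins(toml_text: str, remappings_text: str, sources: dict[str, str],
               gitmodules_text: str = "") -> list[str]:
    """Return a list of human-readable problems; an empty list means the pin is consistent."""
    problems = []
    deps = parse_dependencies(toml_text)
    if not deps:
        problems.append("foundry.toml: no string-valued entries in [dependencies]")
    maps = parse_remappings(remappings_text)
    for name, version in deps.items():
        # The remapping must route the versioned prefix into the soldeer directory.
        prefix = f"{name}-{version}/"
        expected = f"dependencies/{name}-{version}/"
        if maps.get(prefix) != expected:
            problems.append(f"remappings.txt: expected {prefix}={expected}, got {maps.get(prefix)}")
        # A surviving submodule entry means two copies of the same dependency.
        if f"lib/{name}" in gitmodules_text:
            problems.append(f".gitmodules: lib/{name} submodule still present alongside the soldeer pin")
    for path, src in sources.items():
        for imp in (m.group("path") for m in IMPORT_RE.finditer(src)):
            for name, version in deps.items():
                if imp.startswith(f"{name}/"):
                    problems.append(f"{path}: {imp} uses the unversioned prefix; expected {name}-{version}/")
                elif imp.startswith(f"{name}-") and not imp.startswith(f"{name}-{version}/"):
                    problems.append(f"{path}: {imp} pins a version other than {version}")
    return problems


if __name__ == "__main__":
    for problem in check_pins(FOUNDRY_TOML, REMAPPINGS_TXT, SOURCES) or ["pins consistent"]:
        print(problem)
```

Run against the constructed inputs it reports no problems; swap the test import back to the old forge-std/Test.sol form, or keep a [submodule "lib/forge-std"] entry, and it names the exact file that disagrees with the pinned version.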

coderabbitai (bot) left a review comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish-soldeer.yaml:
- Around line 7-8: The reusable workflow reference currently uses a mutable ref
("uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main") while
also inheriting secrets; replace the branch ref with an immutable commit SHA by
finding the desired commit SHA in the rainlanguage/rainix repo (e.g., the tip of
main you trust) and update the uses line to "uses:
rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@<COMMIT_SHA>" so the
workflow cannot change unexpectedly; keep the existing "secrets: inherit" line
as-is after updating the ref.

In @.github/workflows/rainix.yaml:
- Around line 5-6: The workflow currently references the reusable workflow with
a mutable ref ("uses:
rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main") while also
inheriting secrets, which is unsafe; replace the "@main" ref with the full
commit SHA of the target repo (e.g., "@<full-commit-sha>") so the "uses:
rainlanguage/rainix/.github/workflows/rainix-sol.yaml@<sha>" is pinned and keep
"secrets: inherit" as-is; obtain the SHA from the upstream repo's commit history
and update the uses line (refer to the uses string and secrets: inherit in the
diff) to the immutable commit SHA.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d77f24a1-8b32-4d33-8693-5605c7044b50

📥 Commits

Reviewing files that changed from the base of the PR and between 045a870 and e85dd54.

⛔ Files ignored due to path filters (2)
  • foundry.lock is excluded by !**/*.lock
  • soldeer.lock is excluded by !**/*.lock
📒 Files selected for processing (10)
  • .github/workflows/publish-soldeer.yaml
  • .github/workflows/rainix.yaml
  • .gitignore
  • .gitmodules
  • .soldeerignore
  • REUSE.toml
  • foundry.toml
  • lib/forge-std
  • remappings.txt
  • test/src/concrete/VerifyAlwaysApproved.accountStatusAtTime.t.sol
💤 Files with no reviewable changes (2)
  • lib/forge-std
  • .gitmodules

Comment on .github/workflows/publish-soldeer.yaml, lines +7 to +8
uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main
secrets: inherit

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find reusable workflow/action references that are not pinned to immutable SHAs.
rg -nP '^\s*uses:\s*.+@(?:main|master|v?\d+(?:\.\d+){0,2})\s*$' .github/workflows

Repository: rainlanguage/rain.verify.interface

Length of output: 294


Pin reusable workflow to an immutable commit SHA.

Line 7 currently references @main. With secrets: inherit on line 8, upstream changes can alter privileged execution unexpectedly. Pin to a specific commit SHA instead.

Suggested change
-    uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main
+    uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@<commit-sha>
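Review bot: the `+` line still carries the placeholder `<commit-sha>`, which is not a valid ref; before this suggestion is applied it needs the full 40-character commit SHA from rainlanguage/rainix, and a trailing comment naming the upstream tag or date it was resolved from (for example `@<full-sha> # <upstream tag>`) so the next reviewer can tell what the pin corresponds to. Pinning removes the mutable ref but not the breadth of `secrets: inherit` on line 8, which passes every caller secret to the publish workflow; if the upstream publish workflow declares the secrets it needs, passing only those by name is the narrower option.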

Comment on .github/workflows/rainix.yaml, lines +5 to +6
uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
secrets: inherit

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and read the relevant lines
if [ -f ".github/workflows/rainix.yaml" ]; then
  echo "=== File content (lines 1-20) ==="
  head -20 .github/workflows/rainix.yaml | cat -n
  echo ""
  echo "=== Lines 5-6 specifically ==="
  sed -n '5,6p' .github/workflows/rainix.yaml | cat -n
else
  echo "File not found"
fi

Repository: rainlanguage/rain.verify.interface

Length of output: 428


🏁 Script executed:

# Search for all reusable workflow references in the repo to understand the pattern
echo "=== All uses: references in workflows ==="
fd -e yaml -e yml . .github/workflows 2>/dev/null | xargs grep -n "uses:" | head -20

Repository: rainlanguage/rain.verify.interface

Length of output: 336


🌐 Web query:

GitHub Actions reusable workflows security @main commit SHA inherit secrets

💡 Result:

In GitHub Actions reusable workflows, the recommended/secure approach is:

  1) Pin the reusable workflow reference (the {ref} after uses: owner/repo/.../.github/workflows/<file>@{ref}) to a full commit SHA instead of @main (or tags), because using a commit SHA is described as the safest option for stability and security [1][2].
  2) Secrets are not automatically passed to reusable workflows. To pass secrets from the caller to the directly-called reusable workflow, the caller must use either secrets: inherit (pass all caller secrets) or explicitly pass named secrets via secrets.<NAME>: ${{ secrets.<NAME> }} in the calling job [1].
  3) If you use secrets: inherit, the caller’s secrets are available to the directly called workflow (and not automatically farther down the chain unless you keep passing them along). GitHub notes that in a chain A > B > C, workflow C only receives secrets from A if they were passed from A to B and then from B to C [1].
  4) Security impact of secrets: inherit: it can be broader than you need. Least-privilege guidance applies to secrets usage and GitHub documents secrets: inherit as a way to implicitly pass all caller secrets, so you should prefer explicitly passing only the secrets a reusable workflow declares/needs when possible [1][3].

Key snippets

Calling workflow (pin to SHA + inherit secrets):

jobs:
  call-workflow:
    uses: octo-org/example-repo/.github/workflows/reusable-workflow.yml@
    secrets: inherit

This is the documented pattern for passing secrets using secrets: inherit, combined with the documented guidance to use a commit SHA as the safest reference [1][2].


Pin the reusable workflow to a specific commit SHA instead of @main.

Using a mutable reference (@main) with secrets: inherit is a security risk. When inheriting secrets, always pin to a full commit SHA to prevent unintended upstream changes from accessing your secrets. This is GitHub's documented best practice for stability and security.

Suggested change
-    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
+    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@<commit-sha>
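Review bot: same placeholder issue as the publish-soldeer suggestion: `<commit-sha>` on the `+` line must be replaced with a full commit SHA of rainlanguage/rainix before the line is valid. Since rainix.yaml now consists of this single call (the walkthrough describes it replacing the whole self-contained CI job), the commit that bumps the SHA is the only point at which upstream changes reach this repository's CI, so that bump deserves the same review as a dependency update; a comment with the upstream tag beside the SHA keeps that review readable.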
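Both review comments above make the same point: a `uses:` reference to a branch such as @main is mutable, and combined with `secrets: inherit` it hands whatever that branch becomes the caller's full secret set. The bot's own `rg` one-liner finds unpinned refs but does not relate them to the job's secrets setting. The script below is an added example, not code from the PR, CodeRabbit or the rain.verify.interface project; it scans caller workflows job by job, reports every `uses:` ref that is not a full commit SHA, rates the finding higher when that job inherits secrets, and rewrites a line to the pinned form with a label comment. The two workflow bodies embedded in it are constructed from the PR's description and are assumptions, as is the all-digit placeholder SHA.

```python
import re
from dataclasses import dataclass

# A ref is immutable only when it is a full 40-character lowercase commit SHA.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# `uses:` lines, both job-level reusable-workflow calls and `- uses:` steps.
USES_RE = re.compile(
    r"^(?P<prefix>\s*(?:-\s*)?)uses:\s*(?P<target>[^@\s]+)@(?P<ref>\S+)\s*(?:#.*)?$"
)
JOB_RE = re.compile(r"^  (?P<name>[A-Za-z0-9_-]+):\s*$")
SECRETS_INHERIT_RE = re.compile(r"^\s*secrets:\s*inherit\s*$")

# Constructed sample callers modelled on the two files this PR adds. They are
# assumptions for this example, not the repository's actual workflow text.
SAMPLE_WORKFLOWS = {
    ".github/workflows/publish-soldeer.yaml": """\
name: publish-soldeer
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main
    secrets: inherit
""",
    ".github/workflows/rainix.yaml": """\
name: rainix
on: [push, pull_request]
jobs:
  rainix-sol:
    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
    secrets: inherit
""",
}


@dataclass
class Finding:
    path: str
    line: int
    job: str
    target: str
    ref: str
    inherits_secrets: bool

    @property
    def severity(self) -> str:
        # An unpinned ref matters more when the caller hands the callee every secret.
        return "major" if self.inherits_secrets else "minor"


def is_pinned(ref: str) -> bool:
    return bool(SHA_RE.match(ref))


def scan_workflow(path: str, text: str) -> list[Finding]:
    """One Finding per `uses:` ref under `jobs:` that is not a full commit SHA."""
    jobs: dict[str, dict] = {}
    current, in_jobs = None, False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if re.match(r"^jobs:\s*$", line):
            in_jobs, current = True, None
            continue
        if in_jobs and line and not line[0].isspace():
            in_jobs, current = False, None  # another top-level key ends the jobs block
        if in_jobs:
            m = JOB_RE.match(line)
            if m:
                current = m.group("name")
                jobs[current] = {"uses": [], "inherit": False}
                continue
        if current is None:
            continue
        if SECRETS_INHERIT_RE.match(line):
            jobs[current]["inherit"] = True
        m = USES_RE.match(line)
        if m:
            jobs[current]["uses"].append((lineno, m.group("target"), m.group("ref")))
    return [
        Finding(path, lineno, job, target, ref, info["inherit"])
        for job, info in jobs.items()
        for lineno, target, ref in info["uses"]
        if not is_pinned(ref)
    ]


def scan_all(workflows: dict[str, str]) -> list[Finding]:
    findings = []
    for path, text in workflows.items():
        findings.extend(scan_workflow(path, text))
    return findings


def pin_uses_line(line: str, sha: str, label: str) -> str:
    """Rewrite the ref on a `uses:` line to a full SHA, keeping a label (the upstream
    tag or date the SHA was resolved from) as a trailing comment for reviewers."""
    if not is_pinned(sha):
        raise ValueError("sha must be a full 40-character lowercase commit SHA")
    m = USES_RE.match(line)
    if not m:
        raise ValueError("not a `uses:` line with an @ref")
    return f"{m.group('prefix')}uses: {m.group('target')}@{sha} # {label}"


if __name__ == "__main__":
    for f in scan_all(SAMPLE_WORKFLOWS):
        print(f"{f.severity.upper():5} {f.path}:{f.line} job={f.job} {f.target}@{f.ref}"
              f" secrets={'inherit' if f.inherits_secrets else 'explicit/none'}")
    # Placeholder SHA constructed for the demonstration; a real pin is the commit
    # resolved from rainlanguage/rainix at the tag you intend to track.
    print(pin_uses_line("    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main",
                        "0000000000000000000000000000000000000000", "placeholder upstream tag"))
```

On the constructed inputs it reports two MAJOR findings (publish-soldeer.yaml line 7 and rainix.yaml line 5, matching the lines the review comments point at) and prints the pinned rewrite of the rainix-sol call; local `uses: ./...` references carry no @ref and are skipped on purpose.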

thedavidmeister merged commit 97f3f46 into main on May 14, 2026
4 checks passed

1 participant