Merged
8 changes: 8 additions & 0 deletions .github/workflows/publish-soldeer.yaml
@@ -0,0 +1,8 @@
name: Publish to Soldeer
on:
push:
tags: ["v*"]
jobs:
publish:
uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main
secrets: inherit
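Review bot: `secrets: inherit` on line 8 forwards every repository secret to the called publish workflow, and the rainix.yaml diff in this same PR shows that those include PRIVATE_KEY, PRIVATE_KEY_DEV, CI_DEPLOY_RPC_URL, EXPLORER_VERIFICATION_KEY and RPC_URL_FLARE_FORK, none of which a registry publish should need. Pass only the secrets the upstream publish-soldeer.yaml declares, using an explicit `secrets:` map instead of `inherit`, and add a top-level `permissions:` block so the job's GITHUB_TOKEN runs with the least privilege the publish needs rather than the repository default. Pinning the `@main` reference is a separate issue raised below.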
Comment on lines +7 to +8
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find reusable workflow/action references that are not pinned to immutable SHAs.
rg -nP '^\s*uses:\s*.+@(?:main|master|v?\d+(?:\.\d+){0,2})\s*$' .github/workflows

Repository: rainlanguage/rain.verify.interface

Length of output: 294


Pin reusable workflow to an immutable commit SHA.

Line 7 currently references @main. With secrets: inherit on line 8, upstream changes can alter privileged execution unexpectedly. Pin to a specific commit SHA instead.

Suggested change
-    uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main
+    uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@<commit-sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-soldeer.yaml around lines 7 - 8, The reusable
workflow reference currently uses a mutable ref ("uses:
rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main") while also
inheriting secrets; replace the branch ref with an immutable commit SHA by
finding the desired commit SHA in the rainlanguage/rainix repo (e.g., the tip of
main you trust) and update the uses line to "uses:
rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@<COMMIT_SHA>" so the
workflow cannot change unexpectedly; keep the existing "secrets: inherit" line
as-is after updating the ref.

45 changes: 4 additions & 41 deletions .github/workflows/rainix.yaml
@@ -1,43 +1,6 @@
name: Rainix CI
name: rainix-sol
on: [push]

jobs:
rainix:
strategy:
matrix:
os: [ubuntu-latest]
task: [rainix-sol-test, rainix-sol-static, rainix-sol-legal]
fail-fast: false
runs-on: ${{ matrix.os }}
env:
DEPLOYMENT_KEY: ${{ github.ref == 'refs/heads/main' && secrets.PRIVATE_KEY || secrets.PRIVATE_KEY_DEV }}
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0

- uses: nixbuild/nix-quick-install-action@v30
with:
nix_conf: |
keep-env-derivations = true
keep-outputs = true
- name: Restore and save Nix store
uses: nix-community/cache-nix-action@v6
with:
# restore and save a cache using this key
primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
# if there's no cache hit, restore a cache by this prefix
restore-prefixes-first-match: nix-${{ runner.os }}-
# collect garbage until the Nix store size (in bytes) is at most this number
# before trying to save a new cache
# 1G = 1073741824
gc-max-store-size-linux: 1G

- run: nix develop -c rainix-sol-prelude
- name: Run ${{ matrix.task }}
env:
ETH_RPC_URL: ${{ secrets.CI_DEPLOY_RPC_URL }}
ETHERSCAN_API_KEY: ${{ secrets.EXPLORER_VERIFICATION_KEY }}
RPC_URL_FLARE_FORK: ${{ secrets.RPC_URL_FLARE_FORK }}
run: nix develop -c ${{ matrix.task }}
rainix-sol:
uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
secrets: inherit
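Review bot: the removed job selected DEPLOYMENT_KEY by branch (secrets.PRIVATE_KEY only on refs/heads/main, secrets.PRIVATE_KEY_DEV otherwise) and scoped ETH_RPC_URL, ETHERSCAN_API_KEY and RPC_URL_FLARE_FORK to the task step, whereas the replacement on lines 5-6 delegates all of that to rainix-sol.yaml@main and, through `secrets: inherit`, hands it both keys on every push. Before merging, confirm that the upstream workflow still gates the production key on `github.ref == 'refs/heads/main'` and still runs rainix-sol-test, rainix-sol-static and rainix-sol-legal with fail-fast: false, since this file no longer expresses either, and note the check in the PR description.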
Comment on lines +5 to +6
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

# First, check if the file exists and read the relevant lines
if [ -f ".github/workflows/rainix.yaml" ]; then
  echo "=== File content (lines 1-20) ==="
  head -20 .github/workflows/rainix.yaml | cat -n
  echo ""
  echo "=== Lines 5-6 specifically ==="
  sed -n '5,6p' .github/workflows/rainix.yaml | cat -n
else
  echo "File not found"
fi

Repository: rainlanguage/rain.verify.interface

Length of output: 428


🏁 Script executed:

# Search for all reusable workflow references in the repo to understand the pattern
echo "=== All uses: references in workflows ==="
fd -e yaml -e yml . .github/workflows 2>/dev/null | xargs grep -n "uses:" | head -20

Repository: rainlanguage/rain.verify.interface

Length of output: 336


🌐 Web query:

GitHub Actions reusable workflows security @main commit SHA inherit secrets

💡 Result:

In GitHub Actions reusable workflows, the recommended/secure approach is:

1) Pin the reusable workflow reference (the {ref} after uses: owner/repo/.../.github/workflows/<file>@{ref}) to a full commit SHA instead of @main (or tags), because using a commit SHA is described as the safest option for stability and security [1][2].

2) Secrets are not automatically passed to reusable workflows. To pass secrets from the caller to the directly-called reusable workflow, the caller must use either secrets: inherit (pass all caller secrets) or explicitly pass named secrets via secrets.<NAME>: ${{ secrets.<NAME> }} in the calling job [1].

3) If you use secrets: inherit, the caller's secrets are available to the directly called workflow (and not automatically farther down the chain unless you keep passing them along). GitHub notes that in a chain A > B > C, workflow C only receives secrets from A if they were passed from A to B and then from B to C [1].

4) Security impact of secrets: inherit: it can be broader than you need. Least-privilege guidance applies to secrets usage and GitHub documents secrets: inherit as a way to implicitly pass all caller secrets, so you should prefer explicitly passing only the secrets a reusable workflow declares/needs when possible [1][3].

Key snippets

Calling workflow (pin to SHA + inherit secrets):

jobs:
  call-workflow:
    uses: octo-org/example-repo/.github/workflows/reusable-workflow.yml@
    secrets: inherit

This is the documented pattern for passing secrets using secrets: inherit, combined with the documented guidance to use a commit SHA as the safest reference [1][2].

Citations:


Pin the reusable workflow to a specific commit SHA instead of @main.

Using a mutable reference (@main) with secrets: inherit is a security risk. When inheriting secrets, always pin to a full commit SHA to prevent unintended upstream changes from accessing your secrets. This is GitHub's documented best practice for stability and security.

Suggested change
-    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
+    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@<commit-sha>
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rainix.yaml around lines 5 - 6, The workflow currently
references the reusable workflow with a mutable ref ("uses:
rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main") while also
inheriting secrets, which is unsafe; replace the "@main" ref with the full
commit SHA of the target repo (e.g., "@<full-commit-sha>") so the "uses:
rainlanguage/rainix/.github/workflows/rainix-sol.yaml@<sha>" is pinned and keep
"secrets: inherit" as-is; obtain the SHA from the upstream repo's commit history
and update the uses line (refer to the uses string and secrets: inherit in the
diff) to the immutable commit SHA.
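The `rg` one-liner the review ran above only catches `@main`, `@master` and numeric tags. The script below is an added example, written for this page and not part of the PR, the rainix repository or the review bot's tooling: it treats every `uses:` reference as unpinned unless the ref is a full 40-hex commit SHA (or a sha256 image digest for `docker://` actions), skips in-repo `./` actions, and strips quotes and trailing comments so it does not miss pinned lines annotated with the tag. The workflow it scans is constructed inline for the demonstration; the `demo_workflow` and `unpinned_uses` names are this example's own.

```shell
#!/bin/sh
# Added example (not from this PR or the rainix project): list every `uses:`
# reference in a GitHub Actions workflow that is not pinned to an immutable
# digest. A 40-hex commit SHA (or a sha256 image digest for docker:// actions)
# is immutable; a branch such as @main, a tag such as @v4, or a short SHA is not.
# Local actions (./path) are skipped because they are versioned with the repo.

# unpinned_uses FILE
# Prints "LINE:TARGET" for each unpinned reference found in FILE.
unpinned_uses() {
    grep -nE '^[[:space:]]*(-[[:space:]]*)?uses:' "$1" | while IFS= read -r hit; do
        lineno=${hit%%:*}
        # Strip "N:", the optional list dash, the "uses:" key, then trailing
        # comments, whitespace and surrounding quotes.
        target=$(printf '%s\n' "$hit" \
            | sed -E 's/^[0-9]+:[[:space:]]*(-[[:space:]]*)?uses:[[:space:]]*//; s/[[:space:]]*(#.*)?$//' \
            | tr -d "\"'")
        case "$target" in
            ./*) continue ;;   # local action: pinned by the checkout itself
        esac
        ref=${target##*@}
        if [ "$ref" = "$target" ]; then
            ref=""             # no '@' at all: nothing is pinned
        fi
        if printf '%s\n' "$ref" | grep -qE '^([0-9a-f]{40}|sha256:[0-9a-f]{64})$'; then
            continue
        fi
        printf '%s:%s\n' "$lineno" "$target"
    done
}

# demo_workflow FILE
# Writes a constructed workflow (sample input for this example, not a real
# file from any repository) to FILE.
demo_workflow() {
    cat > "$1" <<'EOF'
jobs:
  ci:
    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local
      - uses: "docker://alpine:3.19"
EOF
}

# Stand-alone run: scan the constructed sample. Expected: lines 3, 5 and 8 are
# reported; the SHA-pinned checkout and the local action are not.
tmp=$(mktemp)
demo_workflow "$tmp"
echo "Unpinned references in the constructed sample:"
unpinned_uses "$tmp"
rm -f "$tmp"
```

To audit a real repository, call `unpinned_uses` on each file under `.github/workflows`; any output line is a reference that can change underneath the caller, and the ones in jobs that also use `secrets: inherit` are the ones to fix first.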

3 changes: 2 additions & 1 deletion .gitignore
@@ -1,2 +1,3 @@
cache
out
out
dependencies
3 changes: 0 additions & 3 deletions .gitmodules

This file was deleted.

28 changes: 28 additions & 0 deletions .soldeerignore
@@ -0,0 +1,28 @@
.DS_Store
.cargo
.coderabbit.yaml
.devcontainer.json
.envrc
.gas-snapshot
.git
.github
.gitignore
.gitmodules
.pre-commit-config.yaml
.prettierignore
.soldeerignore
.vscode
CLAUDE.md
/audit
/cache
/dependencies
/flake.lock
/flake.nix
/foundry.lock
/foundry.toml
/lib
/out
/remappings.txt
/slither.config.json
/soldeer.lock
/REUSE.toml
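Review bot: `/foundry.lock` is excluded here but this PR also deletes foundry.lock, so that entry is dead and can go. More relevant to what gets published: `/remappings.txt` is excluded while the test sources are not, and the last hunk of this diff shows those tests now importing `forge-std-1.16.1/src/Test.sol`, a path that only resolves through the excluded remapping. Either add the test directory to this ignore list so the archive ships only the interface sources, or keep remappings.txt in it.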
5 changes: 3 additions & 2 deletions REUSE.toml
Expand Up @@ -5,14 +5,15 @@ path = [
".github/workflows/**/",
".gas-snapshot",
".gitignore",
".gitmodules",
".soldeerignore",
"audit/**/",
"README.md",
"flake.lock",
"flake.nix",
"foundry.toml",
"remappings.txt",
"slither.config.json",
"foundry.lock",
"soldeer.lock",
]
SPDX-FileCopyrightText = "Copyright (c) 2020 Rain Open Source Software Ltd"
SPDX-License-Identifier = "LicenseRef-DCL-1.0"
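Review bot: `"foundry.lock"` is added to the licensed path list, but foundry.lock is deleted by this same PR (5 deletions, "This file was deleted"), so the entry points at a path that no longer exists; drop it and keep only `"soldeer.lock"`. Removing `".gitmodules"` and adding `".soldeerignore"` and `"remappings.txt"` are consistent with the rest of the change.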
5 changes: 0 additions & 5 deletions foundry.lock

This file was deleted.

9 changes: 8 additions & 1 deletion foundry.toml
@@ -1,4 +1,5 @@
[profile.default]
libs = ['dependencies']

# See more config options https://github.com/foundry-rs/foundry/tree/master/config

Expand All @@ -10,4 +11,10 @@ optimizer_runs = 100000
evm_version = "cancun"

bytecode_hash = "none"
cbor_metadata = false
cbor_metadata = false

[dependencies]
forge-std = "1.16.1"

[soldeer]
recursive_deps = false
1 change: 0 additions & 1 deletion lib/forge-std
Submodule forge-std deleted from 1801b0
1 change: 1 addition & 0 deletions remappings.txt
@@ -0,0 +1 @@
forge-std-1.16.1/=dependencies/forge-std-1.16.1/
6 changes: 6 additions & 0 deletions soldeer.lock
@@ -0,0 +1,6 @@
[[dependencies]]
name = "forge-std"
version = "1.16.1"
url = "https://soldeer-revisions.s3.amazonaws.com/forge-std/1_16_1_08-05-2026_08:51:16_forge-std-1.16.zip"
checksum = "839b61832925c7152c7b6dffbfa4998d9e606211179bd8f604733124e8a7cb57"
integrity = "60e55d10150354ca4a1e2985c5456c834b92b82ef85ab0e1d92a7786cddbd219"
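Review bot: the trust anchor for forge-std moves from the submodule commit 1801b0 in the upstream git history to an archive served from soldeer-revisions.s3.amazonaws.com, identified only by the checksum and integrity values recorded here, and the archive name in the URL says `forge-std-1.16.zip` while the declared version is 1.16.1. Verify once that the unpacked dependencies/forge-std-1.16.1 matches the forge-std v1.16.1 release (or the previous submodule contents), and make sure the CI task that fetches dependencies installs from this committed soldeer.lock rather than re-resolving, so a changed archive fails the checksum instead of being silently accepted.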
Expand Up @@ -2,7 +2,7 @@
// SPDX-FileCopyrightText: Copyright (c) 2020 Rain Open Source Software Ltd
pragma solidity =0.8.25;

import {Test} from "forge-std/Test.sol";
import {Test} from "forge-std-1.16.1/src/Test.sol";

import {VerifyAlwaysApproved} from "src/concrete/VerifyAlwaysApproved.sol";
import {VerifyStatus, VERIFY_STATUS_APPROVED} from "src/interface/IVerifyV1.sol";
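Review bot: the new import `forge-std-1.16.1/src/Test.sol` bakes the dependency version into every test file, so each forge-std bump becomes a sweep across the test suite instead of a one-line change. remappings.txt in this PR only defines `forge-std-1.16.1/=dependencies/forge-std-1.16.1/`; add a stable alias such as `forge-std/=dependencies/forge-std-1.16.1/src/` there and keep the imports as `forge-std/Test.sol`, so only foundry.toml, soldeer.lock and remappings.txt change on an upgrade.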