From 04daecca699a4ea3c67c9c4ecae3ecb1e0c3da7e Mon Sep 17 00:00:00 2001 From: David Meister Date: Mon, 15 Jun 2026 17:19:44 +0000 Subject: [PATCH 1/4] ci(nix-cachix-setup): parameterize gc-max-store-size-linux The composite hardcoded the cache-nix-action linux GC budget at 8G, so a consumer with a smaller (docs/subgraph) or larger (webapp) build could not reuse the composite without re-running cache-nix-action itself and re-pinning that action inline. Expose `gc-max-store-size-linux` (default 8G, unchanged behavior) alongside the existing `gc-max-store-size-macos` input so callers pass their own budget and the cache-nix-action SHA stays single-sourced here. Co-Authored-By: Claude Opus 4.8 --- .github/actions/nix-cachix-setup/action.yml | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/actions/nix-cachix-setup/action.yml b/.github/actions/nix-cachix-setup/action.yml index 8cfe1ff..2df6e0b 100644 --- a/.github/actions/nix-cachix-setup/action.yml +++ b/.github/actions/nix-cachix-setup/action.yml @@ -31,6 +31,14 @@ inputs: it itself. required: false default: 'true' + gc-max-store-size-linux: + description: >- + `gc-max-store-size-linux` for the bundled cache-nix-action: the store is + garbage-collected down to this size before a new cache is saved. Defaults + to `8G`; a caller running a smaller or larger build passes its own budget + (e.g. `1G` for a docs/subgraph build, `10G` for a webapp build). + required: false + default: 8G gc-max-store-size-macos: description: >- Optional `gc-max-store-size-macos` for the bundled cache-nix-action. Left @@ -80,5 +88,5 @@ runs: with: primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }} restore-prefixes-first-match: nix-${{ runner.os }}- - gc-max-store-size-linux: 8G + gc-max-store-size-linux: ${{ inputs.gc-max-store-size-linux }} gc-max-store-size-macos: ${{ inputs.gc-max-store-size-macos }} From ad68f0df9a26063f7cd0a3116c0b2c7d17c37cfc Mon Sep 17 00:00:00 2001 
From: David Meister Date: Tue, 16 Jun 2026 14:26:35 +0000 Subject: [PATCH 2/4] style: yamlfmt rust-cache action description to satisfy CI Co-Authored-By: Claude Opus 4.8 --- .github/actions/rust-cache/action.yml | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/.github/actions/rust-cache/action.yml b/.github/actions/rust-cache/action.yml index 9ba2c58..136bf2e 100644 --- a/.github/actions/rust-cache/action.yml +++ b/.github/actions/rust-cache/action.yml @@ -1,17 +1,10 @@ name: rust-cache description: >- - Single-source wrapper around `Swatinem/rust-cache`. GitHub Actions can't - parameterize a `uses:` ref, so wrapping the step in a composite is the only - way to pin the action's SHA in ONE place across every rainix workflow that - caches Rust build artifacts. The `prefix-key` input covers the one call site - (vercel) that namespaces its cache per-workflow; every other site uses the - action's default key. + Single-source wrapper around `Swatinem/rust-cache`. GitHub Actions can't parameterize a `uses:` ref, so wrapping the step in a composite is the only way to pin the action's SHA in ONE place across every rainix workflow that caches Rust build artifacts. The `prefix-key` input covers the one call site (vercel) that namespaces its cache per-workflow; every other site uses the action's default key. inputs: prefix-key: description: >- - Optional `prefix-key` for `Swatinem/rust-cache` (e.g. one namespaced per - workflow via the github context). Empty (the default) leaves the action's - own default prefix in place. + Optional `prefix-key` for `Swatinem/rust-cache` (e.g. one namespaced per workflow via the github context). Empty (the default) leaves the action's own default prefix in place. required: false default: '' runs: From afd637ed9cf198bee451e597d75de13d6f1c769d Mon Sep 17 00:00:00 2001 
From: David Meister Date: Tue, 16 Jun 2026 14:39:37 +0000 Subject: [PATCH 3/4] style: yamlfmt action.yml files via repo pinned pre-commit to satisfy CI Co-Authored-By: Claude Opus 4.8 --- .github/actions/cache/action.yml | 9 ++----- .github/actions/checkout/action.yml | 11 ++------- .github/actions/gh-release/action.yml | 12 +++------ .github/actions/nix-cachix-setup/action.yml | 27 +++++---------------- 4 files changed, 13 insertions(+), 46 deletions(-) diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 6c642f0..429ea6c 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -1,10 +1,6 @@ name: cache description: >- - Single-source wrapper around `actions/cache`. GitHub Actions can't - parameterize a `uses:` ref, so wrapping the step in a composite is the only - way to pin the action's SHA in ONE place across every rainix workflow that - caches build outputs. Each call site passes its own `path` / `key` / - `restore-keys` (the Foundry build cache, the npm cache, etc.). + Single-source wrapper around `actions/cache`. GitHub Actions can't parameterize a `uses:` ref, so wrapping the step in a composite is the only way to pin the action's SHA in ONE place across every rainix workflow that caches build outputs. Each call site passes its own `path` / `key` / `restore-keys` (the Foundry build cache, the npm cache, etc.). inputs: path: description: A list of files, directories, and patterns to cache and restore. @@ -14,8 +10,7 @@ inputs: required: true restore-keys: description: >- - An ordered multiline string listing the prefix-matched keys used to - restore a stale cache if no cache hit occurred for `key`. + An ordered multiline string listing the prefix-matched keys used to restore a stale cache if no cache hit occurred for `key`. required: false default: '' runs: diff --git a/.github/actions/checkout/action.yml b/.github/actions/checkout/action.yml index 6118a1e..f5608a6 100644 
--- a/.github/actions/checkout/action.yml +++ b/.github/actions/checkout/action.yml @@ -1,17 +1,10 @@ name: checkout description: >- - Single-source wrapper around `actions/checkout`. GitHub Actions can't - parameterize a `uses:` ref with an env expression, so the only way to pin - the checkout SHA in ONE place across every rainix workflow is to wrap it in a - composite. The `ssh-key` input covers the one call site (autopublish) that - needs a deploy-key checkout; every other site uses the default token checkout. + Single-source wrapper around `actions/checkout`. GitHub Actions can't parameterize a `uses:` ref with an env expression, so the only way to pin the checkout SHA in ONE place across every rainix workflow is to wrap it in a composite. The `ssh-key` input covers the one call site (autopublish) that needs a deploy-key checkout; every other site uses the default token checkout. inputs: ssh-key: description: >- - Optional deploy key (e.g. `secrets.PUBLISH_PRIVATE_KEY`) for a checkout - whose pushes should trigger downstream workflows. A composite action - cannot read `secrets.*`, so the caller must plumb the secret through here. - Empty (the default) falls back to the standard GITHUB_TOKEN checkout. + Optional deploy key (e.g. `secrets.PUBLISH_PRIVATE_KEY`) for a checkout whose pushes should trigger downstream workflows. A composite action cannot read `secrets.*`, so the caller must plumb the secret through here. Empty (the default) falls back to the standard GITHUB_TOKEN checkout. required: false default: '' runs: diff --git a/.github/actions/gh-release/action.yml b/.github/actions/gh-release/action.yml index 1d854a8..f0b8fe1 100644 --- a/.github/actions/gh-release/action.yml +++ b/.github/actions/gh-release/action.yml 
@@ -1,10 +1,6 @@ name: gh-release description: >- - Single-source wrapper around `softprops/action-gh-release`. GitHub Actions - can't parameterize a `uses:` ref, so wrapping the step in a composite is the - only way to pin the action's SHA in ONE place across the (npm / soldeer) - GitHub Release steps in the autopublish workflow. Each call site passes its - own `tag-name` / `name` / `files`. + Single-source wrapper around `softprops/action-gh-release`. GitHub Actions can't parameterize a `uses:` ref, so wrapping the step in a composite is the only way to pin the action's SHA in ONE place across the (npm / soldeer) GitHub Release steps in the autopublish workflow. Each call site passes its own `tag-name` / `name` / `files`. inputs: tag-name: description: The git tag to create the release against (passed to `tag_name`). @@ -15,14 +11,12 @@ inputs: default: '' files: description: >- - Newline- or comma-separated globs of files to upload as release assets. - Empty (the default) creates a release with no attached assets. + Newline- or comma-separated globs of files to upload as release assets. Empty (the default) creates a release with no attached assets. required: false default: '' github-token: description: >- - GitHub token used to create the release. A composite action cannot read - `secrets.*`, so the caller must plumb `secrets.GITHUB_TOKEN` through here. + GitHub token used to create the release. A composite action cannot read `secrets.*`, so the caller must plumb `secrets.GITHUB_TOKEN` through here. required: true runs: using: composite diff --git a/.github/actions/nix-cachix-setup/action.yml b/.github/actions/nix-cachix-setup/action.yml index 2df6e0b..f46180c 100644 --- a/.github/actions/nix-cachix-setup/action.yml +++ b/.github/actions/nix-cachix-setup/action.yml 
@@ -1,16 +1,10 @@ name: nix-cachix-setup description: >- - Shared 'nix + cachix CI' preamble for the rainix reusable workflows: checkout, - nix-quick-install, the Cachix substituter/pusher, and the cache-nix-action Nix - store restore/save. This composite is the single source of truth for the - pinned third-party action SHAs used by that preamble — each SHA lives here once - instead of being copy-pasted across the reusables. + Shared 'nix + cachix CI' preamble for the rainix reusable workflows: checkout, nix-quick-install, the Cachix substituter/pusher, and the cache-nix-action Nix store restore/save. This composite is the single source of truth for the pinned third-party action SHAs used by that preamble — each SHA lives here once instead of being copy-pasted across the reusables. inputs: cachix-auth-token: description: >- - Cachix auth token. A composite action cannot read `secrets.*`, so the - caller reusable must plumb `secrets.CACHIX_AUTH_TOKEN` through to here. - Empty (the default) degrades to a read-only/anonymous Cachix pull. + Cachix auth token. A composite action cannot read `secrets.*`, so the caller reusable must plumb `secrets.CACHIX_AUTH_TOKEN` through to here. Empty (the default) degrades to a read-only/anonymous Cachix pull. required: false default: '' cachix-name: 
@@ -19,31 +13,22 @@ inputs: default: rainlanguage checkout: description: >- - Run the bundled `actions/checkout` (default). Set to 'false' if the - caller needs a non-default checkout (e.g. an ssh-key deploy-key checkout) - and runs `actions/checkout` itself before calling this composite. + Run the bundled `actions/checkout` (default). Set to 'false' if the caller needs a non-default checkout (e.g. an ssh-key deploy-key checkout) and runs `actions/checkout` itself before calling this composite. required: false default: 'true' cache-nix: description: >- - Run the bundled `cache-nix-action` Nix store restore/save (default). Set - to 'false' if the caller pins a different cache-nix-action version and runs - it itself. + Run the bundled `cache-nix-action` Nix store restore/save (default). Set to 'false' if the caller pins a different cache-nix-action version and runs it itself. required: false default: 'true' gc-max-store-size-linux: description: >- - `gc-max-store-size-linux` for the bundled cache-nix-action: the store is - garbage-collected down to this size before a new cache is saved. Defaults - to `8G`; a caller running a smaller or larger build passes its own budget - (e.g. `1G` for a docs/subgraph build, `10G` for a webapp build). + `gc-max-store-size-linux` for the bundled cache-nix-action: the store is garbage-collected down to this size before a new cache is saved. Defaults to `8G`; a caller running a smaller or larger build passes its own budget (e.g. `1G` for a docs/subgraph build, `10G` for a webapp build). required: false default: 8G gc-max-store-size-macos: description: >- - Optional `gc-max-store-size-macos` for the bundled cache-nix-action. Left - empty (the action's own default) unless a caller needs to cap the macOS - store before saving. + Optional `gc-max-store-size-macos` for the bundled cache-nix-action. Left empty (the action's own default) unless a caller needs to cap the macOS store before saving. required: false default: '' runs: 
From 0b1b13c9428e9301a2a194bdcde293635edbd3e2 Mon Sep 17 00:00:00 2001 From: David Meister Date: Fri, 19 Jun 2026 17:23:39 +0000 Subject: [PATCH 4/4] merge(main): resolve conflicts [merge-update]
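Review bot: In [PATCH 1/4], the `with:` hunk (`@@ -80,5 +88,5 @@`) forwards `${{ inputs.gc-max-store-size-linux }}` unchanged, so the former fixed `8G` is now only an input default, and the description added in the first hunk does not say what an explicitly empty value means. The neighbouring `gc-max-store-size-macos` description does spell that out ("Left empty (the action's own default)"). A reusable workflow that forwards its own optional input here could pass an empty string. Either document that case in the new description or keep the old floor in the expression, e.g. `gc-max-store-size-linux: ${{ inputs.gc-max-store-size-linux || '8G' }}`.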
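Review bot: In [PATCH 2/4], both `description: >-` blocks in `.github/actions/rust-cache/action.yml` are joined into single lines, which leaves the `>-` folded-scalar indicator with nothing to fold and makes any later wording change show up as a whole-paragraph diff. The parsed string is the same, but this text carries the rationale for pinning `Swatinem/rust-cache` by SHA in one place, so it is worth keeping reviewable. Check whether the repo's yamlfmt configuration can preserve the existing line breaks inside folded scalars; if it cannot, say in the commit message that the unwrapping is formatter output and not a hand edit.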
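Review bot: In [PATCH 3/4], the last hunk of `.github/actions/nix-cachix-setup/action.yml` (`@@ -19,31 +13,22 @@`) reformats the `gc-max-store-size-linux` description that [PATCH 1/4] introduced, which suggests patch 1 on its own does not pass the formatting check this commit is written to satisfy. Fold that part of the reformat into patch 1, or order the formatting commit first, so each commit in the series passes CI by itself and the one functional change is not followed by a 13-insertion, 46-deletion whitespace-only rewrite of the same file.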