From 1f1dd5a45492d44d1512bc95a6153a040224c71a Mon Sep 17 00:00:00 2001 From: David Meister Date: Sun, 28 Jun 2026 15:57:49 +0000 Subject: [PATCH] chore(ci): remove the no-op nix access-tokens experiment (#239-#243) Pure deletion (34 lines). The access-tokens approach to the org-wide nix CI 429 was proven a no-op (the line never landed in the effective nix.conf; the 429 is GitHub's secondary burst limit, which auth can't bypass). The real fix is pinning the flake rev (#245). Removes the github-token input + access-tokens nix_conf line + debug step from nix-cachix-setup, and the github-token plumbing from 12 reusables. No behavior change; legitimate gh-release github-token usages kept. Co-Authored-By: Claude Opus 4.8 --- .github/actions/nix-cachix-setup/action.yml | 22 ------------------- .github/workflows/rainix-autopublish.yaml | 1 - .github/workflows/rainix-copy-artifacts.yaml | 1 - .../rainix-manual-sol-artifacts.yaml | 1 - .github/workflows/rainix-rs-static.yaml | 1 - .github/workflows/rainix-rs-test.yaml | 1 - .github/workflows/rainix-rs-wasm-test.yaml | 1 - .github/workflows/rainix-rs-wasm.yaml | 1 - .github/workflows/rainix-sol-legal.yaml | 1 - .github/workflows/rainix-sol-static.yaml | 1 - .github/workflows/rainix-sol-test.yaml | 1 - .github/workflows/rainix-subgraph-test.yaml | 1 - .github/workflows/rainix-vercel.yaml | 1 - 13 files changed, 34 deletions(-) diff --git a/.github/actions/nix-cachix-setup/action.yml b/.github/actions/nix-cachix-setup/action.yml index 80ec236..860cb26 100644 --- a/.github/actions/nix-cachix-setup/action.yml +++ b/.github/actions/nix-cachix-setup/action.yml 
@@ -26,16 +26,6 @@ inputs: Optional `gc-max-store-size-macos` for the bundled cache-nix-action. Left empty (the action's own default) unless a caller needs to cap the macOS store before saving. required: false default: '' - github-token: - description: >- - GitHub token used to authenticate nix's GitHub API calls (flake - resolution), so they use the run-token rate limit (~1000/hr) instead of - the unauthenticated 60/hr/IP cap that 429s under CI bursts. `github.token` - does NOT populate inside a composite invoked across the org boundary, so a - cross-org reusable caller MUST pass its own `github.token` here; - same-org callers may omit it and fall back to the composite's own token. - required: false - default: '' runs: using: composite steps: @@ -59,18 +49,6 @@ runs: nix_conf: | keep-env-derivations = true keep-outputs = true - # Authenticate nix GitHub API calls (flake resolution) so they - # use the run token rate limit (~1000/hr) instead of the - # unauthenticated 60/hr/IP cap, which 429s under CI bursts. - access-tokens = github.com=${{ inputs.github-token || github.token }} - # TEMPORARY: log token lengths (never values) to diagnose the cross-org - # flake-fetch 429. Remove once the wiring is confirmed. - - name: Debug token wiring - shell: bash - env: - INPUT_TOK: ${{ inputs.github-token }} - BARE_TOK: ${{ github.token }} - run: echo "WIRING inputs.github-token len=${#INPUT_TOK} bare-github.token len=${#BARE_TOK}" # Substitute prebuilt rainix derivations from the shared Cachix binary # cache instead of rebuilding toolchain crates from source (rainix#196). # Pushes new paths when the auth token is set; continue-on-error so a diff --git a/.github/workflows/rainix-autopublish.yaml b/.github/workflows/rainix-autopublish.yaml index 9750b14..01d4e62 100644 --- a/.github/workflows/rainix-autopublish.yaml +++ b/.github/workflows/rainix-autopublish.yaml 
@@ -65,7 +65,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} checkout: 'false' # Resolve the crate list once (crates, else the back-compat singular crate). - name: Resolve crates diff --git a/.github/workflows/rainix-copy-artifacts.yaml b/.github/workflows/rainix-copy-artifacts.yaml index 77141e6..f209385 100644 --- a/.github/workflows/rainix-copy-artifacts.yaml +++ b/.github/workflows/rainix-copy-artifacts.yaml @@ -11,7 +11,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} # No Foundry build cache here on purpose: this is a clean-build determinism # check, so out/ must be regenerated fresh — and caching only cache/ (not # out/) gives no real speedup, since forge recompiles to rebuild the diff --git a/.github/workflows/rainix-manual-sol-artifacts.yaml b/.github/workflows/rainix-manual-sol-artifacts.yaml index 1ad9d76..c64e551 100644 --- a/.github/workflows/rainix-manual-sol-artifacts.yaml +++ b/.github/workflows/rainix-manual-sol-artifacts.yaml @@ -51,7 +51,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} # Cache Foundry's incremental compilation cache + artifacts so unchanged # contracts aren't recompiled (forge build is the dominant CI cost). - name: Cache Foundry build diff --git a/.github/workflows/rainix-rs-static.yaml b/.github/workflows/rainix-rs-static.yaml index 6aad123..b657907 100644 --- a/.github/workflows/rainix-rs-static.yaml +++ b/.github/workflows/rainix-rs-static.yaml 
@@ -13,7 +13,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} - uses: rainlanguage/rainix/.github/actions/rust-cache@main - run: nix develop github:rainlanguage/rainix#rust-shell -c rainix-rs-static # Run the rainix pre-commit hook bundle (taplo, the nix hooks, yamlfmt, diff --git a/.github/workflows/rainix-rs-test.yaml b/.github/workflows/rainix-rs-test.yaml index 24a22d4..d8dd043 100644 --- a/.github/workflows/rainix-rs-test.yaml +++ b/.github/workflows/rainix-rs-test.yaml @@ -16,7 +16,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} gc-max-store-size-macos: 1G - uses: rainlanguage/rainix/.github/actions/rust-cache@main - run: nix develop github:rainlanguage/rainix#rust-shell -c cargo test diff --git a/.github/workflows/rainix-rs-wasm-test.yaml b/.github/workflows/rainix-rs-wasm-test.yaml index 100a1f6..9604fd1 100644 --- a/.github/workflows/rainix-rs-wasm-test.yaml +++ b/.github/workflows/rainix-rs-wasm-test.yaml @@ -11,6 +11,5 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} - uses: rainlanguage/rainix/.github/actions/rust-cache@main - run: nix develop github:rainlanguage/rainix#rust-shell -c bash -c "CARGO_TARGET_WASM32_UNKNOWN_UNKNOWN_RUNNER=wasm-bindgen-test-runner cargo test --target wasm32-unknown-unknown --workspace" diff --git a/.github/workflows/rainix-rs-wasm.yaml b/.github/workflows/rainix-rs-wasm.yaml index aa1a082..046b50f 100644 --- a/.github/workflows/rainix-rs-wasm.yaml +++ b/.github/workflows/rainix-rs-wasm.yaml 
@@ -11,6 +11,5 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} - uses: rainlanguage/rainix/.github/actions/rust-cache@main - run: nix develop github:rainlanguage/rainix#rust-shell -c cargo build -r --target wasm32-unknown-unknown --lib --workspace diff --git a/.github/workflows/rainix-sol-legal.yaml b/.github/workflows/rainix-sol-legal.yaml index d81d0df..34a2c9e 100644 --- a/.github/workflows/rainix-sol-legal.yaml +++ b/.github/workflows/rainix-sol-legal.yaml @@ -11,7 +11,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} - name: Install soldeer dependencies if: hashFiles('soldeer.lock') != '' run: nix develop github:rainlanguage/rainix#sol-shell -c forge soldeer install diff --git a/.github/workflows/rainix-sol-static.yaml b/.github/workflows/rainix-sol-static.yaml index 8387cd5..68d538c 100644 --- a/.github/workflows/rainix-sol-static.yaml +++ b/.github/workflows/rainix-sol-static.yaml @@ -11,7 +11,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} # Cache Foundry's incremental compilation cache + artifacts so unchanged # contracts aren't recompiled (forge build is the dominant CI cost). - name: Cache Foundry build diff --git a/.github/workflows/rainix-sol-test.yaml b/.github/workflows/rainix-sol-test.yaml index 5a85595..abf52ff 100644 --- a/.github/workflows/rainix-sol-test.yaml +++ b/.github/workflows/rainix-sol-test.yaml 
@@ -40,7 +40,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} # Cache Foundry's incremental compilation cache + artifacts so unchanged # contracts aren't recompiled (forge build is the dominant CI cost). - name: Cache Foundry build diff --git a/.github/workflows/rainix-subgraph-test.yaml b/.github/workflows/rainix-subgraph-test.yaml index d2766a9..22f5bed 100644 --- a/.github/workflows/rainix-subgraph-test.yaml +++ b/.github/workflows/rainix-subgraph-test.yaml @@ -11,5 +11,4 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} - run: nix develop github:rainlanguage/rainix#subgraph-shell -c subgraph-test diff --git a/.github/workflows/rainix-vercel.yaml b/.github/workflows/rainix-vercel.yaml index 59b2525..438877e 100644 --- a/.github/workflows/rainix-vercel.yaml +++ b/.github/workflows/rainix-vercel.yaml @@ -82,7 +82,6 @@ jobs: - uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main with: cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }} - github-token: ${{ github.token }} checkout: 'false' - uses: rainlanguage/rainix/.github/actions/rust-cache@main with: