
chore(ci): pin rainix flake rev org-wide (kill the api.github.com 429 across all reusables)#247

Merged
thedavidmeister merged 3 commits into
mainfrom
chore/pin-rainix-flake-org-wide
Jun 28, 2026

Conversation

@thedavidmeister thedavidmeister commented Jun 28, 2026

Contributor

What

Rolls the #245 flake-pin to the remaining 10 reusables, killing the org-wide nix CI 429 everywhere — not just the deploy path.

Pins all 32 github:rainlanguage/rainix#<attr> refs across the 10 reusables to the same sha 307bf27f the deploy reusable (#245) already uses. Pure sha-insertion, no other change. After this, all 35 rainix flake refs across all 11 reusables sit on one consistent sha.

By devshell attr: sol-shell ×16, rust-shell ×12, rust-node-shell ×3, subgraph-shell ×1.

Files: autopublish, copy-artifacts, rs-static, rs-test, rs-wasm-test, rs-wasm, sol-legal, sol-static, sol-test, subgraph-test.

Why

nix develop github:rainlanguage/rainix#… resolves HEAD via api.github.com/.../commits/HEAD, which GitHub burst-rate-limits (429, gzipped body nix mis-parses) — the chronic org-wide CI flake. An explicit sha makes nix skip that call and fetch the tarball directly. Authenticating the call does not help (proven in the #239#243 experiment, since reverted in #246).

Verified

  • Pure sha-insertion: diff is −32/+32, every line differs only by the inserted /<sha>, every devshell attr preserved.
  • 0 unpinned github:rainlanguage/rainix# refs remain; 0 refs on any other sha.
  • All 10 changed files parse as valid YAML.
  • nix flake show github:rainlanguage/rainix/307bf27f… confirms all four devshells (sol-shell, rust-shell, rust-node-shell, subgraph-shell) resolve at the pinned sha — so no reusable references a missing attr.

Maintenance tradeoff

This pins the toolchain for all rainix CI to 307bf27f (same as the deploy reusable). When the rainix toolchain changes, bump the sha — one find-replace of 307bf27f… across the reusables updates all of them. Trades "test CI tracks the very latest toolchain" for "reproducible, 429-free CI"; the 429 has been the dominant CI flake. check-shell.yml / test.yml are out of scope — their flakiness is nix flake check on the consumer's flake input, not a reusable flake ref.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Documentation
    • Added guidance for keeping development environment references pinned in reusable workflows.
  • Chores
    • Standardized workflow environments to use a fixed version of the toolchain across builds, tests, releases, and artifact generation.
  • Bug Fixes
    • Improved CI stability by reducing the chance of flaky failures caused by changing external environment references.
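The "Verified" bullets above amount to a scan of the reusables for rainix refs. The following is an added example of that check, not code from the PR or the rainix project; it generalizes the PR's two conditions (no unpinned refs, no refs on another sha) to also flag branch or tag refs, which trigger the same api.github.com HEAD lookup as an absent rev. The sample workflow text and the all-zero sha are constructed.

```python
import re
from collections import Counter

# The sha the PR pins every reusable to (from the PR discussion above).
EXPECTED_SHA = "307bf27fcc5a410994f5a6a6a96527a64625c3da"
# github:rainlanguage/rainix[/<rev-or-ref>]#<attr>. With no rev, or a branch
# name in its place, nix resolves HEAD through api.github.com (the 429 path).
RAINIX_REF = re.compile(
    r"github:rainlanguage/rainix(?:/(?P<rev>[^#\s\"']+))?#(?P<attr>[A-Za-z0-9_.-]+)"
)
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify_rev(rev, expected_sha=EXPECTED_SHA):
    """'ok', 'unpinned' (no rev), 'floating-ref' (branch, tag or short rev,
    which still need an API lookup) or 'other-sha' (a full sha, wrong pin)."""
    if rev is None:
        return "unpinned"
    if not FULL_SHA.match(rev.lower()):
        return "floating-ref"
    return "ok" if rev.lower() == expected_sha.lower() else "other-sha"


def audit_rainix_refs(workflow_text, expected_sha=EXPECTED_SHA):
    """Return (counts_per_attr, problems); problems holds (line_no, ref_text,
    verdict) for every ref whose verdict is not 'ok'."""
    counts, problems = Counter(), []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        for m in RAINIX_REF.finditer(line):
            counts[m.group("attr")] += 1
            verdict = classify_rev(m.group("rev"), expected_sha)
            if verdict != "ok":
                problems.append((line_no, m.group(0), verdict))
    return counts, problems


# Constructed sample: one correctly pinned ref, one unpinned, one on a branch,
# and one on an all-zero placeholder sha standing in for "some other sha".
SAMPLE_WORKFLOW = f"""\
steps:
  - run: nix develop github:rainlanguage/rainix/{EXPECTED_SHA}#sol-shell -c forge test
  - run: nix develop github:rainlanguage/rainix#rust-shell -c cargo test
  - run: nix develop github:rainlanguage/rainix/main#sol-shell -c forge fmt --check
  - run: nix develop github:rainlanguage/rainix/{'0' * 40}#subgraph-shell -c graph codegen
"""

if __name__ == "__main__":  # usable as a CI guard: non-zero exit on any problem
    counts, problems = audit_rainix_refs(SAMPLE_WORKFLOW)
    print("refs per devshell attr:", dict(counts))
    for line_no, ref, verdict in problems:
        print(f"line {line_no}: {verdict}: {ref}")
    raise SystemExit(1 if problems else 0)
```

Run it over the concatenated text of every reusable and the per-attr counts should reproduce the ×16/×12/×3/×1 breakdown in the description with an empty problems list.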

…ables

Rolls the #245 pin to the rest of the reusables. Pins all 32
github:rainlanguage/rainix#<attr> refs to sha 307bf27 (the same sha the deploy
reusable uses), so nix skips the api.github.com HEAD-resolution that GitHub
burst-rate-limits (the org-wide CI 429). Pure sha-insertion; all 4 devshells
(sol/rust/rust-node/subgraph) confirmed to resolve at the pinned sha. Bump the
sha when the toolchain changes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@thedavidmeister thedavidmeister self-assigned this Jun 28, 2026
coderabbitai Bot commented Jun 28, 2026


Walkthrough

All nix develop invocations across ten reusable GitHub Actions workflow files are updated to replace unpinned github:rainlanguage/rainix#<shell> references with a single pinned commit SHA (307bf27fcc5a410994f5a6a6a96527a64625c3da). A new CLAUDE.md section documents this pinning convention and its rationale.

Changes

Rainix Flake Ref Pinning

Pinning convention docs (CLAUDE.md): New subsection documents that all nix develop refs must use an explicit commit SHA to avoid GitHub API 429 rate limiting and nix JSON parse failures, with a pointer to issue #248.

Workflow nix develop ref pinning (.github/workflows/rainix-autopublish.yaml, .github/workflows/rainix-copy-artifacts.yaml, .github/workflows/rainix-rs-static.yaml, .github/workflows/rainix-rs-test.yaml, .github/workflows/rainix-rs-wasm.yaml, .github/workflows/rainix-rs-wasm-test.yaml, .github/workflows/rainix-sol-legal.yaml, .github/workflows/rainix-sol-static.yaml, .github/workflows/rainix-sol-test.yaml, .github/workflows/rainix-subgraph-test.yaml): Every nix develop call is updated from github:rainlanguage/rainix#<shell> to github:rainlanguage/rainix/307bf27fcc5a410994f5a6a6a96527a64625c3da#<shell>; build commands and surrounding logic are unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Possibly related PRs

  • rainlanguage/rainix#208: Overlaps with rainix-copy-artifacts.yaml changes where meta-artifact regeneration steps now use the pinned #sol-shell ref.
  • rainlanguage/rainix#245: Also pins nix develop Solidity shell refs to a specific rainlanguage/rainix commit SHA, directly addressing the same CI flake resolution behavior.

Poem

🐇 Hop, hop! No more floating refs today,
A commit SHA pins the nix shell in place.
No 429s to make the CI dismay,
One SHA to rule each workflow's space.
The rabbit stamps the hash and hops away~ ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: pinning the Rainix flake revision across reusable CI workflows to avoid GitHub API 429s.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

thedavidmeister and others added 2 commits June 28, 2026 16:21
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/rainix-autopublish.yaml (1)

155-161: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Avoid interpolating workflow inputs directly into run: shells.

Lines 155, 236, and 315 expand ${{ inputs.npm-package }}, ${{ inputs.level }}, and ${{ inputs.soldeer-package }} into shell source before parsing, so a caller can break quoting or inject shell metacharacters/command substitutions. Pass these through env: and validate/whitelist before use.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rainix-autopublish.yaml around lines 155 - 161, The
workflow steps are interpolating untrusted inputs directly into shell source,
which can break quoting or allow shell injection. Update the affected steps that
use inputs.npm-package, inputs.level, and inputs.soldeer-package to pass those
values through env variables instead of embedding them in the run script, and
add validation or a whitelist before using them in commands. Keep the changes
localized to the shell blocks in the autopublish workflow so the existing logic
in the npm and soldeer publish steps still works safely.

Source: Linters/SAST tools


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 1f11ab0b-74a3-4ded-9554-8f05dc4e4e47

📥 Commits

Reviewing files that changed from the base of the PR and between 3196b1e and 7d8865c.

📒 Files selected for processing (11)
  • .github/workflows/rainix-autopublish.yaml
  • .github/workflows/rainix-copy-artifacts.yaml
  • .github/workflows/rainix-rs-static.yaml
  • .github/workflows/rainix-rs-test.yaml
  • .github/workflows/rainix-rs-wasm-test.yaml
  • .github/workflows/rainix-rs-wasm.yaml
  • .github/workflows/rainix-sol-legal.yaml
  • .github/workflows/rainix-sol-static.yaml
  • .github/workflows/rainix-sol-test.yaml
  • .github/workflows/rainix-subgraph-test.yaml
  • CLAUDE.md
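The finding above (workflow inputs expanded inside run:) is the standard GitHub Actions script-injection pattern. As an added example, not CodeRabbit's or the PR's code, this scanner reports ${{ inputs.* }} and ${{ github.event.* }} expressions that land inside run: scripts, and its constructed sample places the vulnerable step next to the env:-based rewrite the finding recommends. The npm commands and the whitelist in the sample are illustrative assumptions, not the autopublish workflow's actual logic.

```python
import re
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(?P<rest>.*)$")
# Contexts a caller can influence: the inputs.* the finding names, plus the
# event payload (github.event.*), the other classic injection source.
EXPRESSION = re.compile(r"\$\{\{\s*(?P<expr>(?:inputs|github\.event)\.[^}]*?)\s*\}\}")


def find_expressions_in_run(workflow_text):
    """Return [(line_no, expr), ...] for tainted expressions expanded inside a
    run: step (inline or | / > block). env:/with: values are not reported."""
    lines = workflow_text.splitlines()
    hits, i = [], 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].find("run:")  # sibling keys (env:, with:) align here
        rest = m.group("rest")
        body = [(i + 1, rest)]
        i += 1
        if rest[:1] in ("|", ">"):  # block scalar: take lines indented past run:
            body = []
            while i < len(lines) and (not lines[i].strip()
                                      or len(lines[i]) - len(lines[i].lstrip()) > key_col):
                body.append((i + 1, lines[i]))
                i += 1
        for line_no, text in body:
            hits.extend((line_no, e.group("expr")) for e in EXPRESSION.finditer(text))
    return hits


# Constructed sample built around the two inputs the finding names; the shell
# in the hardened step is illustrative, not the autopublish workflow's logic.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    steps:
      # Vulnerable: inputs are spliced into shell source before bash parses it.
      - run: npm version ${{ inputs.level }} -w "${{ inputs.npm-package }}"
      # Hardened: pass via env, quote the variables, whitelist before use.
      - env:
          NPM_PACKAGE: ${{ inputs.npm-package }}
          LEVEL: ${{ inputs.level }}
        run: |
          case "$LEVEL" in patch|minor|major) ;; *) echo "bad level"; exit 1 ;; esac
          [[ "$NPM_PACKAGE" =~ ^(@[a-z0-9-]+/)?[a-z0-9._-]+$ ]] || exit 1
          npm version "$LEVEL" -w "$NPM_PACKAGE"
"""

if __name__ == "__main__":  # each (line, expr) is an input expanded as shell source
    print(find_expressions_in_run(SAMPLE_WORKFLOW))
```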

@thedavidmeister

Contributor Author

Reviewed 7d8865c: org-wide flake pin — 10 reusables, 32 refs pinned to sha 307bf27 (all four devshells confirmed to resolve via nix flake show), pure sha-insertion + CLAUDE.md pin-convention doc (deno-fmt'd to 80-col). CI now CLEAN; the earlier red was my own CLAUDE.md prose-wrap, since fixed. Merge authorized by thedavidmeister ('merge 247') — his approval. Merging.

@thedavidmeister thedavidmeister merged commit 69443e7 into main Jun 28, 2026
13 checks passed
@github-actions


@coderabbitai assess this PR size classification for the totality of the PR with the following criteria and report it in your comment:

S/M/L PR Classification Guidelines:

This guide helps classify merged pull requests by effort and complexity rather than just line count. The goal is to assess the difficulty and scope of changes after they have been completed.

Small (S)

Characteristics:

  • Simple bug fixes, typos, or minor refactoring
  • Single-purpose changes affecting 1-2 files
  • Documentation updates
  • Configuration tweaks
  • Changes that require minimal context to review

Review Effort: Would have taken 5-10 minutes

Examples:

  • Fix typo in variable name
  • Update README with new instructions
  • Adjust configuration values
  • Simple one-line bug fixes
  • Import statement cleanup

Medium (M)

Characteristics:

  • Feature additions or enhancements
  • Refactoring that touches multiple files but maintains existing behavior
  • Breaking changes with backward compatibility
  • Changes requiring some domain knowledge to review

Review Effort: Would have taken 15-30 minutes

Examples:

  • Add new feature or component
  • Refactor common utility functions
  • Update dependencies with minor breaking changes
  • Add new component with tests
  • Performance optimizations
  • More complex bug fixes

Large (L)

Characteristics:

  • Major feature implementations
  • Breaking changes or API redesigns
  • Complex refactoring across multiple modules
  • New architectural patterns or significant design changes
  • Changes requiring deep context and multiple review rounds

Review Effort: Would have taken 45+ minutes

Examples:

  • Complete new feature with frontend/backend changes
  • Protocol upgrades or breaking changes
  • Major architectural refactoring
  • Framework or technology upgrades

Additional Factors to Consider

When deciding between sizes, also consider:

  • Test coverage impact: More comprehensive test changes lean toward larger classification
  • Risk level: Changes to critical systems bump up a size category
  • Team familiarity: Novel patterns or technologies increase complexity

Notes:

  • the assessment must be for the totality of the PR, that means comparing the base branch to the last commit of the PR
  • the assessment output must be exactly one of: S, M or L (single-line comment) in format of: SIZE={S/M/L}
  • do not include any additional text, only the size classification
  • your assessment comment must not include tips or additional sections
  • do NOT tag me or anyone else on your comment

coderabbitai Bot commented Jun 28, 2026



SIZE=M
