chore(ci): pin rainix flake rev org-wide (kill the api.github.com 429 across all reusables) #247

Rolls the #245 pin to the rest of the reusables. Pins all 32 github:rainlanguage/rainix#<attr> refs to sha 307bf27 (the same sha the deploy reusable uses), so nix skips the api.github.com HEAD-resolution that GitHub burst-rate-limits (the org-wide CI 429). Pure sha-insertion; all 4 devshells (sol/rust/rust-node/subgraph) confirmed to resolve at the pinned sha. Bump the sha when the toolchain changes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
CodeRabbit walkthrough: Rainix Flake Ref Pinning
Estimated code review effort: 1 (Trivial), ~5 minutes
Pre-merge checks: 5 passed
⚠️ Outside diff range comments (1)
.github/workflows/rainix-autopublish.yaml (1)
Lines 155-161: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Avoid interpolating workflow inputs directly into `run:` shells. Lines 155, 236, and 315 expand `${{ inputs.npm-package }}`, `${{ inputs.level }}`, and `${{ inputs.soldeer-package }}` into shell source before parsing, so a caller can break quoting or inject shell metacharacters/command substitutions. Pass these through `env:` and validate/whitelist before use.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/rainix-autopublish.yaml around lines 155 - 161, the workflow steps are interpolating untrusted inputs directly into shell source, which can break quoting or allow shell injection. Update the affected steps that use inputs.npm-package, inputs.level, and inputs.soldeer-package to pass those values through env variables instead of embedding them in the run script, and add validation or a whitelist before using them in commands. Keep the changes localized to the shell blocks in the autopublish workflow so the existing logic in the npm and soldeer publish steps still works safely.

Source: Linters/SAST tools
Files selected for processing (11):
- .github/workflows/rainix-autopublish.yaml
- .github/workflows/rainix-copy-artifacts.yaml
- .github/workflows/rainix-rs-static.yaml
- .github/workflows/rainix-rs-test.yaml
- .github/workflows/rainix-rs-wasm-test.yaml
- .github/workflows/rainix-rs-wasm.yaml
- .github/workflows/rainix-sol-legal.yaml
- .github/workflows/rainix-sol-static.yaml
- .github/workflows/rainix-sol-test.yaml
- .github/workflows/rainix-subgraph-test.yaml
- CLAUDE.md
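The review finding above recommends moving the three workflow inputs out of the `run:` script into `env:` and whitelisting them before use. The following is an added example of what that looks like, written for this page and not code from the rainix repository: the vulnerable and hardened YAML shapes are shown in the comments, and the functions are a POSIX-sh validation script a hardened step could source. The accepted `level` keywords, the soldeer naming pattern, the file path `ci/validate-inputs.sh`, and all sample values are assumptions, since the page does not show the real input formats.

```shell
#!/bin/sh
# Added example (not from the rainix repo): hardened handling for a step that
# previously interpolated ${{ inputs.npm-package }}, ${{ inputs.level }} and
# ${{ inputs.soldeer-package }} straight into shell source.
#
# Vulnerable shape (the Actions runner expands the expression BEFORE the shell
# parses the script, so a value containing `;` or `$(...)` is parsed as code):
#   - run: npm publish ${{ inputs.npm-package }}
#
# Hardened shape: hand the values over as environment variables, so the shell
# only ever sees them as data, then whitelist them before use:
#   - env:
#       NPM_PACKAGE: ${{ inputs.npm-package }}
#       LEVEL: ${{ inputs.level }}
#       SOLDEER_PACKAGE: ${{ inputs.soldeer-package }}
#     run: |
#       . ./ci/validate-inputs.sh          # hypothetical path to this file
#       validate_inputs "$NPM_PACKAGE" "$LEVEL" "$SOLDEER_PACKAGE"
#       npm publish "$NPM_PACKAGE"         # existing command, value now quoted data

NL='
'

# True if the value contains a newline (grep matches per line, so check first).
contains_newline() {
  case "$1" in
    *"$NL"*) return 0 ;;
    *) return 1 ;;
  esac
}

# npm name: optional @scope/, lowercase, must start alphanumeric (so it can
# never be mistaken for a CLI flag), no shell metacharacters at all.
is_npm_package() {
  contains_newline "$1" && return 1
  printf '%s\n' "$1" | grep -Eq '^(@[a-z0-9][a-z0-9._-]*/)?[a-z0-9][a-z0-9._-]*$'
}

# level: closed enum, anything else is refused. The three keywords are an
# assumption; the page does not show the accepted values.
is_level() {
  case "$1" in
    patch|minor|major) return 0 ;;
    *) return 1 ;;
  esac
}

# soldeer package: conservative character whitelist (assumption, adjust to the
# real naming rules), again required to start alphanumeric.
is_soldeer_package() {
  contains_newline "$1" && return 1
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._~-]*$'
}

# Refuse the whole step unless all three inputs pass. The rejected value is
# printed as data via printf %s, never evaluated.
validate_inputs() {
  is_npm_package "$1" || { printf 'refusing npm-package: %s\n' "$1" >&2; return 1; }
  is_level "$2" || { printf 'refusing level: %s\n' "$2" >&2; return 1; }
  is_soldeer_package "$3" || { printf 'refusing soldeer-package: %s\n' "$3" >&2; return 1; }
  return 0
}

# When executed directly with three arguments, validate them and exit non-zero
# on the first bad one, which fails the workflow step.
if [ "$#" -eq 3 ]; then
  validate_inputs "$1" "$2" "$3"
fi
```

The point of the `env:` indirection is that the runner's `${{ }}` substitution happens at template time, before bash sees the script; an environment variable, by contrast, is expanded by the shell at runtime and, when double-quoted, is always a single literal argument. Whitelisting on top of that catches values that would be valid words to the shell but still dangerous to the tool (for example an argument starting with `-`).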
Reviewed 7d8865c: org-wide flake pin — 10 reusables, 32 refs pinned to sha 307bf27 (all four devshells confirmed to resolve via nix flake show), pure sha-insertion + CLAUDE.md pin-convention doc (deno-fmt'd to 80-col). CI now CLEAN; the earlier red was my own CLAUDE.md prose-wrap, since fixed. Merge authorized by thedavidmeister ('merge 247') — his approval. Merging.
@coderabbitai assess this PR size classification for the totality of the PR with the following criteria and report it in your comment:

S/M/L PR Classification Guidelines:
This guide helps classify merged pull requests by effort and complexity rather than just line count. The goal is to assess the difficulty and scope of changes after they have been completed.

Small (S)
Characteristics:
Review Effort: Would have taken 5-10 minutes
Examples:

Medium (M)
Characteristics:
Review Effort: Would have taken 15-30 minutes
Examples:

Large (L)
Characteristics:
Review Effort: Would have taken 45+ minutes
Examples:

Additional Factors to Consider
When deciding between sizes, also consider:

Notes:

SIZE=M
What

Rolls the #245 flake-pin to the remaining 10 reusables, killing the org-wide nix CI 429 everywhere — not just the deploy path.

Pins all 32 `github:rainlanguage/rainix#<attr>` refs across the 10 reusables to the same sha `307bf27f` the deploy reusable (#245) already uses. Pure sha-insertion, no other change. After this, all 35 rainix flake refs across all 11 reusables sit on one consistent sha.

By devshell attr: `sol-shell` ×16, `rust-shell` ×12, `rust-node-shell` ×3, `subgraph-shell` ×1.

Files: autopublish, copy-artifacts, rs-static, rs-test, rs-wasm-test, rs-wasm, sol-legal, sol-static, sol-test, subgraph-test.

Why

`nix develop github:rainlanguage/rainix#…` resolves HEAD via `api.github.com/.../commits/HEAD`, which GitHub burst-rate-limits (429, gzipped body nix mis-parses) — the chronic org-wide CI flake. An explicit sha makes nix skip that call and fetch the tarball directly. Authenticating the call does not help (proven in the #239–#243 experiment, since reverted in #246).

Verified

- …/<sha>, every devshell attr preserved.
- … `github:rainlanguage/rainix#` refs remain; 0 refs on any other sha.
- `nix flake show github:rainlanguage/rainix/307bf27f…` confirms all four devshells (`sol-shell`, `rust-shell`, `rust-node-shell`, `subgraph-shell`) resolve at the pinned sha — so no reusable references a missing attr.

Maintenance tradeoff

This pins the toolchain for all rainix CI to `307bf27f` (same as the deploy reusable). When the rainix toolchain changes, bump the sha — one find-replace of `307bf27f…` across the reusables updates all of them. Trades "test CI tracks the very latest toolchain" for "reproducible, 429-free CI"; the 429 has been the dominant CI flake.

`check-shell.yml` / `test.yml` are out of scope — their flakiness is `nix flake check` on the consumer's flake input, not a reusable flake ref.

🤖 Generated with Claude Code
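The "Verified" section above checks that no bare `github:rainlanguage/rainix#` refs remain and that no ref sits on any other sha; the "Maintenance tradeoff" section relies on a single find-replace keeping every reusable on one sha. The following is an added example, not a script from the rainix repository, of a small audit that a CI job or pre-commit hook could run to enforce exactly that: it extracts every rainix flake ref from the given workflow files and reports any that is unpinned, pinned to a branch, or pinned to a sha other than the expected one. The sample workflow files it builds are constructed for the demonstration (the `deadbeef` sha and the file contents are made up); the expected sha defaults to the `307bf27f` prefix named in the PR.

```shell
#!/bin/sh
# Added example (not from the rainix repo): audit reusable workflows for
# unpinned or inconsistently pinned github:rainlanguage/rainix flake refs.
# Assumed ref shapes (nix flake-ref syntax):
#   github:rainlanguage/rainix#attr          unpinned, resolves HEAD via api.github.com
#   github:rainlanguage/rainix/main#attr     pinned to a branch, still resolves via the API
#   github:rainlanguage/rainix/<sha>#attr    pinned, nix fetches the tarball directly

# Sha (or sha prefix) every ref is expected to be on; the PR names 307bf27f.
EXPECTED_SHA="${EXPECTED_SHA:-307bf27f}"

# Print every rainix flake ref found in the given files, one per line.
# The optional "/<rev>" group deliberately accepts anything up to '#', so a
# branch name is captured (and later flagged) rather than silently skipped.
list_rainix_refs() {
  grep -ohE 'github:rainlanguage/rainix(/[^#"[:space:]]+)?#[^"[:space:]]+' "$@" 2>/dev/null || true
}

# Print the refs that are not pinned to EXPECTED_SHA (prefix match on hex).
find_bad_refs() {
  list_rainix_refs "$@" | grep -vE "^github:rainlanguage/rainix/${EXPECTED_SHA}[0-9a-f]*#" || true
}

# Number of offending refs; 0 means the tree is consistent.
count_bad_refs() {
  n=0
  for ref in $(find_bad_refs "$@"); do n=$((n + 1)); done
  echo "$n"
}

# Exit 1 and list the offenders on stderr if any ref is off the expected sha.
audit_rainix_refs() {
  bad=$(find_bad_refs "$@")
  if [ -n "$bad" ]; then
    printf 'rainix refs not pinned to %s:\n%s\n' "$EXPECTED_SHA" "$bad" >&2
    return 1
  fi
  return 0
}

# Constructed sample tree (not real rainix workflow files) for demonstration:
# one file fully pinned, one with an unpinned ref and a ref on another sha.
make_sample_tree() {
  d=$(mktemp -d)
  cat > "$d/rainix-sol-test.yaml" <<'EOF'
      - run: nix develop github:rainlanguage/rainix/307bf27f#sol-shell -c forge test
      - run: nix develop github:rainlanguage/rainix/307bf27f#sol-shell -c forge fmt --check
EOF
  cat > "$d/rainix-rs-test.yaml" <<'EOF'
      - run: nix develop github:rainlanguage/rainix#rust-shell -c cargo test
      - run: nix develop github:rainlanguage/rainix/deadbeef#rust-node-shell -c cargo test
EOF
  echo "$d"
}

# When executed directly with file arguments, audit them (exit status is the verdict).
if [ "$#" -gt 0 ]; then
  audit_rainix_refs "$@"
fi
```

Run against the real tree as `sh audit.sh .github/workflows/rainix-*.yaml` (with `EXPECTED_SHA` set to the full sha once it is known) and the job fails the moment someone adds a reusable that falls back to HEAD resolution, which is exactly the path that produced the 429s.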