chore: single-source RAINIX_SHA across reusable workflows #249
thedavidmeister wants to merge 2 commits into
Conversation
Adds a top-level env.RAINIX_SHA to each of the 11 rainix-*.yaml reusable
workflow files and replaces the 35 hardcoded sha occurrences with
${{ env.RAINIX_SHA }}. A toolchain bump is now a find-replace of the
env.RAINIX_SHA line across files instead of 35 scattered run: strings.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
📝 Walkthrough: All 11 reusable GitHub Actions workflows replace hardcoded
Changes: RAINIX_SHA centralization across workflows and docs
🚥 Pre-merge checks: 5 passed
Co-Authored-By: Claude <noreply@anthropic.com>
⚠️ Outside diff range comments (1)
.github/workflows/rainix-autopublish.yaml (1)
157-164: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
Stop interpolating workflow inputs directly into run: scripts.
inputs.npm-package, inputs.level, and inputs.soldeer-package are expanded before bash parses these commands, so a caller can inject shell syntax here and execute arbitrary commands in the release job. Please pass them through env: and validate/quote them before use instead of embedding ${{ inputs.* }} inline.
Also applies to: 238-243, 317-324
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/rainix-autopublish.yaml around lines 157 - 164, the workflow step that uses nix develop is interpolating inputs.npm-package inline in a run script, which allows shell injection in the release job. Move inputs.npm-package, inputs.level, and inputs.soldeer-package into env for the affected steps, then reference those env vars inside the bash commands with proper quoting and any necessary validation. Update the repeated run blocks in this workflow so the same safe pattern is used consistently instead of embedding ${{ inputs.* }} directly.
Source: Linters/SAST tools
📒 Files selected for processing (12)
.github/workflows/rainix-autopublish.yaml
.github/workflows/rainix-copy-artifacts.yaml
.github/workflows/rainix-manual-sol-artifacts.yaml
.github/workflows/rainix-rs-static.yaml
.github/workflows/rainix-rs-test.yaml
.github/workflows/rainix-rs-wasm-test.yaml
.github/workflows/rainix-rs-wasm.yaml
.github/workflows/rainix-sol-legal.yaml
.github/workflows/rainix-sol-static.yaml
.github/workflows/rainix-sol-test.yaml
.github/workflows/rainix-subgraph-test.yaml
CLAUDE.md
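To make the review comment above concrete, here is an added example (not code from this PR or the rainix project) of a reusable workflow with the flagged pattern next to its hardened form. The input names come from the review; the flake reference, the npm command and the validation regexes are assumptions, and the top-level env pin follows the convention this PR introduces.

```yaml
# Added example, not the project's own workflow. Input names are those named
# in the review; the flake reference and npm command are assumed placeholders.
name: example-release
on:
  workflow_call:
    inputs:
      npm-package:
        type: string
        required: true
      level:
        type: string
        default: patch

env:
  # File-local, author-controlled pin (value taken from the PR description).
  # Unlike inputs, a caller cannot change it, and top-level env values are
  # exported to every run: step as ordinary shell variables ($RAINIX_SHA).
  RAINIX_SHA: 307bf27fcc5a410994f5a6a6a96527a64625c3da

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # BEFORE: ${{ inputs.* }} is substituted into the script text before
      # bash parses it, so shell metacharacters in a caller-supplied value are
      # parsed as part of the command line, not treated as an argument.
      - name: Publish (vulnerable)
        run: |
          nix develop "github:rainlanguage/rainix/$RAINIX_SHA" --command \
            npm version ${{ inputs.level }} --workspace ${{ inputs.npm-package }}

      # AFTER: inputs enter the step only through env:, reach bash as plain
      # variables, are checked against a strict pattern, and are always quoted.
      - name: Publish (hardened)
        env:
          NPM_PACKAGE: ${{ inputs.npm-package }}
          LEVEL: ${{ inputs.level }}
        run: |
          set -euo pipefail
          [[ "$NPM_PACKAGE" =~ ^(@[a-z0-9-]+/)?[a-z0-9._-]+$ ]] \
            || { echo "rejecting npm-package: $NPM_PACKAGE" >&2; exit 1; }
          [[ "$LEVEL" =~ ^(patch|minor|major)$ ]] \
            || { echo "rejecting level: $LEVEL" >&2; exit 1; }
          nix develop "github:rainlanguage/rainix/$RAINIX_SHA" --command \
            npm version "$LEVEL" --workspace "$NPM_PACKAGE"
```

The same env: plus quoting pattern applies to inputs.soldeer-package and to the other run: blocks the review lists (238-243, 317-324).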
Closes #248
What
Adds a top-level env: RAINIX_SHA: to each of the 11 rainix-*.yaml reusable workflow files, then replaces all 35 hardcoded 307bf27fcc5a410994f5a6a6a96527a64625c3da occurrences in run: steps with ${{ env.RAINIX_SHA }}.
Before: SHA appears 35 times across 11 files — a toolchain bump touches 35 lines and a missed occurrence silently drifts.
After: SHA appears once per file (the env.RAINIX_SHA: definition); all run: steps reference the same file-local variable. Bumping means updating 11 env.RAINIX_SHA: lines instead of 35 scattered SHA strings.
Also updates CLAUDE.md to describe the new single-source convention and removes the now-resolved #248 parenthetical.
Test plan
check-shell.yml passes (exercises nix flake + dev shell tool availability)
test.yml passes (sol + rs tasks against test/fixture/)