9 changes: 9 additions & 0 deletions .github/workflows/publish-soldeer.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
name: Publish to Soldeer
on:
push:
tags:
- "v*"
jobs:
publish:
uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin the reusable workflow to a specific commit hash.

The workflow reference uses @main instead of a commit SHA. Static analysis flags this as violating a blanket policy and enabling supply chain attacks. If the external workflow is modified (maliciously or accidentally), this workflow will automatically use the new version without review.

🔒 Recommended fix
-    uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main
+    uses: rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@<commit-sha>

Replace <commit-sha> with the full commit hash of the desired version from rainlanguage/rainix. You can find this by visiting the repository and copying the commit SHA of the workflow file you want to use.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 8-8: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 8-8: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-soldeer.yaml at line 8, Update the reusable
workflow reference that currently reads "uses:
rainlanguage/rainix/.github/workflows/publish-soldeer.yaml@main" to pin to a
specific commit SHA instead of `@main`: locate the uses entry in
.github/workflows/publish-soldeer.yaml and replace the branch suffix (`@main`)
with the full commit hash from the rainlanguage/rainix repo (e.g.,
@<commit-sha>) so the workflow uses an immutable, reviewable version.

secrets: inherit
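Review bot: the caller workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` permissions and the called workflow receives those on top of every secret passed by `secrets: inherit` on the last line. Add an explicit top-level `permissions:` with the minimum the publish step needs (the called workflow cannot escalate beyond what the caller grants), for example `permissions:` followed by `contents: read`; pinning `@main` and scoping the inherited secrets are already covered by the other comments on this hunk.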
⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Consider restricting inherited secrets.

secrets: inherit passes all repository secrets to the external workflow. Combined with the unpinned workflow reference on line 8, this increases the risk surface—any change to the external workflow immediately gains access to all secrets.

Once the workflow is pinned to a commit hash, this pattern may be acceptable depending on organizational standards. Alternatively, explicitly pass only required secrets.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-soldeer.yaml at line 9, The workflow currently
uses "secrets: inherit" which exposes all repo secrets to the external workflow;
replace this by either pinning the referenced external workflow (use a commit
SHA in the uses: reference) and then explicitly listing only the needed secrets
(e.g., with "secrets: { MY_SECRET: ${{ secrets.MY_SECRET }}, OTHER_SECRET: ${{
secrets.OTHER_SECRET }} }") instead of "secrets: inherit", or if you cannot pin
yet, remove inherit and explicitly pass only the required secret names; update
the step that contains "secrets: inherit" to the explicit secrets mapping and
pin the external workflow reference in the uses: field.

46 changes: 4 additions & 42 deletions .github/workflows/rainix.yaml
@@ -1,44 +1,6 @@
name: Rainix CI
name: rainix
on: [push]

jobs:
standard-tests:
strategy:
matrix:
os: [ubuntu-latest]
task: [rainix-sol-test, rainix-sol-static, rainix-sol-legal]
fail-fast: false
runs-on: ${{ matrix.os }}
env:
DEPLOYMENT_KEY: ${{ github.ref == 'refs/heads/main' && secrets.PRIVATE_KEY || secrets.PRIVATE_KEY_DEV }}
steps:
- uses: actions/checkout@v4
with:
submodules: recursive
fetch-depth: 0

- uses: nixbuild/nix-quick-install-action@v30
with:
nix_conf: |
keep-env-derivations = true
keep-outputs = true
- name: Restore and save Nix store
uses: nix-community/cache-nix-action@v6
with:
# restore and save a cache using this key
primary-key: nix-${{ runner.os }}-${{ hashFiles('**/*.nix', '**/flake.lock') }}
# if there's no cache hit, restore a cache by this prefix
restore-prefixes-first-match: nix-${{ runner.os }}-
# collect garbage until the Nix store size (in bytes) is at most this number
# before trying to save a new cache
# 1G = 1073741824
gc-max-store-size-linux: 1G

- run: nix develop -c rainix-sol-prelude

- name: Run ${{ matrix.task }}
env:
ETH_RPC_URL: ${{ secrets.CI_DEPLOY_RPC_URL }}
ETHERSCAN_API_KEY: ${{ secrets.EXPLORER_VERIFICATION_KEY }}
DEPLOY_VERIFIER: ''
run: nix develop -c ${{ matrix.task }}
rainix:
uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

ls -la .github/workflows || true
sed -n '1,120p' .github/workflows/rainix.yaml
echo "----"
rg -n --hidden --no-ignore -S "uses:\s*rainlanguage/rainix/\.github/workflows/.*@[^[:space:]]+" .github/workflows/rainix.yaml || true
rg -n --hidden --no-ignore -S "uses:\s*rainlanguage/rainix/\.github/workflows/.*@[^[:space:]]+" .github/workflows || true

Repository: rainlanguage/rain.raindex.interface

Length of output: 807


Pin the reusable workflow reference(s) to an immutable commit SHA
.github/workflows/rainix.yaml references rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main, making CI behavior mutable. Pin it to a full commit SHA instead of @main (same @main pattern exists in .github/workflows/publish-soldeer.yaml).

Suggested fix
-    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main
+    uses: rainlanguage/rainix/.github/workflows/rainix-sol.yaml@<full_commit_sha>
🧰 Tools
🪛 zizmor (1.25.2)

[error] 5-5: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 5-5: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rainix.yaml at line 5, Replace the mutable reusable
workflow reference that uses
"rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main" with an immutable
commit SHA; locate the "uses:
rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main" entry in
.github/workflows/rainix.yaml (and the analogous "uses: ...@main" entry in
.github/workflows/publish-soldeer.yaml), get the correct full commit SHA from
the rainlanguage/rainix repository, and update the "uses:" value to
"rainlanguage/rainix/.github/workflows/rainix-sol.yaml@<COMMIT_SHA>" (and
similarly replace the other `@main`) so the workflow is pinned to that exact
commit.

secrets: inherit
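Review bot: the removed job chose `DEPLOYMENT_KEY` per branch (`secrets.PRIVATE_KEY` only on `refs/heads/main`, `secrets.PRIVATE_KEY_DEV` otherwise) and set `ETH_RPC_URL`, `ETHERSCAN_API_KEY` and `DEPLOY_VERIFIER: ''` explicitly; the replacement hands all of that to `rainlanguage/rainix/.github/workflows/rainix-sol.yaml@main` via `secrets: inherit`, so the main/dev key split is no longer visible or enforced in this repository while `on: [push]` still triggers on every branch. Confirm the called workflow reproduces that selection before merging, otherwise branch pushes may run the `rainix-sol-*` tasks with a different key than before; the `@main` reference should also be pinned as the comment above already notes.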
5 changes: 4 additions & 1 deletion .gitignore
@@ -1,3 +1,6 @@
cache
dependencies
out
.fixes
.fixes
.env
.pre-commit-config.yaml
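Review bot: `dependencies` is now ignored, so the Soldeer-fetched sources are never committed and reproducible builds rest on `soldeer.lock` being tracked (it is listed in the REUSE.toml annotations elsewhere in this PR, so confirm it is actually added). Also check that no `.env` file was committed before this rule landed, since ignoring it does not remove it from history.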
3 changes: 0 additions & 3 deletions .gitmodules

This file was deleted.

28 changes: 15 additions & 13 deletions REUSE.toml
Expand Up @@ -2,19 +2,21 @@ version = 1

[[annotations]]
path = [
".gas-snapshot",
".github/workflows/**/",
".gitignore",
".gitmodules",
"CLAUDE.md",
"README.md",
"audit/**/",
"flake.lock",
"flake.nix",
"foundry.toml",
"slither.config.json",
"REUSE.toml",
"foundry.lock",
".gas-snapshot",
".github/workflows/**/",
".gitignore",
".gitmodules",
"CLAUDE.md",
"README.md",
"audit/**/",
"flake.lock",
"flake.nix",
"foundry.toml",
"slither.config.json",
"REUSE.toml",
"foundry.lock",
"remappings.txt",
"soldeer.lock",
]
SPDX-FileCopyrightText = "Copyright (c) 2020 thedavidmeister"
SPDX-License-Identifier = "LicenseRef-DCL-1.0"
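Review bot: the path list still carries `.gitmodules`, which this PR deletes along with the `lib/rain.interpreter.interface` submodule, so that entry is now dead; drop it while adding `remappings.txt` and `soldeer.lock`. Nothing is needed for `dependencies/`, since it is gitignored and therefore not part of the licensed tree.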
131 changes: 103 additions & 28 deletions flake.lock
19 changes: 11 additions & 8 deletions flake.nix
Expand Up @@ -2,16 +2,19 @@
description = "Flake for development workflows.";

inputs = {
rainix.url = "github:rainprotocol/rainix";
rainix.url = "github:rainlanguage/rainix";
flake-utils.url = "github:numtide/flake-utils";
};

outputs = {self, flake-utils, rainix }:
flake-utils.lib.eachDefaultSystem (system:
{
packages = rainix.packages.${system};
devShells = rainix.devShells.${system};
}
);
outputs =
{
flake-utils,
rainix,
...
}:
flake-utils.lib.eachDefaultSystem (system: {
packages = rainix.packages.${system};
devShells = rainix.devShells.${system};
});

}
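Review bot: `rainix.url` moves from `github:rainprotocol/rainix` to `github:rainlanguage/rainix` with no `rev`, so the revision actually used is whatever the updated `flake.lock` (103 additions, not rendered on this page) now records; verify that the locked `rainix` node points at the `rainlanguage` repository and at a reviewed commit, since the workflows in this PR follow the same repository at `@main` with no lock at all. Dropping `self` from the output arguments in favour of `...` is fine, as it was never used.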
15 changes: 12 additions & 3 deletions foundry.toml
@@ -1,7 +1,7 @@
[profile.default]
src = 'src'
out = 'out'
libs = ['lib']
libs = ['dependencies']

# See more config options https://github.com/foundry-rs/foundry/tree/master/config
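Review bot: `libs = ['dependencies']` points at a directory this PR gitignores, so a fresh checkout has no libraries until the Soldeer install step (`forge soldeer install`) has run; confirm the `rainix-sol` reusable workflow performs that step before building, because the old `actions/checkout` step with `submodules: recursive` that used to populate `lib` was removed.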

Expand All @@ -24,8 +24,17 @@ cbor_metadata = false
evm_version = "cancun"

remappings = [
"rain.math.float/=lib/rain.interpreter.interface/lib/rain.math.float/src/"
"rain.interpreter.interface/=dependencies/rain-interpreter-interface-0.1.0/src/",
"rain.math.float/=dependencies/rain-math-float-0.1.1/src/",
]

[dependencies]
forge-std = "1.16.1"
rain-interpreter-interface = "0.1.0"
rain-math-float = "0.1.1"

[soldeer]
recursive_deps = false

[fuzz]
runs = 2048
runs = 2048
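Review bot: the dependency versions are now spelled out in three places (the `[dependencies]` table, the `remappings` paths here, and `remappings.txt`), so bumping `rain-math-float` past 0.1.1 or `rain-interpreter-interface` past 0.1.0 must touch all three or the remapping silently points at a directory that no longer exists. Either let Soldeer generate the remappings or keep a single hand-maintained copy; the two `runs = 2048` lines are just the diff renderer showing an end-of-file change.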
1 change: 0 additions & 1 deletion lib/rain.interpreter.interface
Submodule rain.interpreter.interface deleted from 583865
3 changes: 3 additions & 0 deletions remappings.txt
@@ -0,0 +1,3 @@
forge-std-1.16.1/=dependencies/forge-std-1.16.1/
rain-interpreter-interface-0.1.0/=dependencies/rain-interpreter-interface-0.1.0/
rain-math-float-0.1.1/=dependencies/rain-math-float-0.1.1/
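Review bot: these remappings use versioned prefixes (`forge-std-1.16.1/`, `rain-interpreter-interface-0.1.0/`, `rain-math-float-0.1.1/`), whereas `foundry.toml` in this PR maps the unversioned `rain.interpreter.interface/` and `rain.math.float/` and has no mapping for `forge-std/` at all; check that existing `forge-std/...` test imports still resolve, and document which of the two files is the source of truth, since every import path that relies on this file now embeds a version number.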