11 changes: 2 additions & 9 deletions .eslintrc.json
Expand Up @@ -8,23 +8,16 @@
"root": true,
"extends": [
"eslint:recommended",
"plugin:@typescript-eslint/recommended",
"plugin:prettier/recommended"
"plugin:@typescript-eslint/recommended"
],
"parser": "@typescript-eslint/parser",
"plugins": [
"@typescript-eslint"
],
"rules": {
"prettier/prettier": [
"error",
{
"printWidth": 100,
"tabWidth": 4
}
],
"no-cond-assign": "off",
"no-empty-function": "off",
"@typescript-eslint/no-empty-function": "off",
"@typescript-eslint/no-unused-vars": "off",
"@typescript-eslint/no-explicit-any": "off",
"@typescript-eslint/no-non-null-assertion": "off",
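Review bot: dropping `plugin:prettier/recommended` from `extends` together with the whole `prettier/prettier` rule block means ESLint no longer enforces formatting at all (the `printWidth: 100` / `tabWidth: 4` settings go with it), and nothing in this hunk shows where that enforcement moves; the PR should state whether a separate `prettier --check` step (or the rainix static task) now covers it, or that formatting checks are intentionally gone. If they are gone, the now-unused `eslint-plugin-prettier` / `eslint-config-prettier` entries should be removed from package.json in the same PR, if present, so they do not linger as dead dependencies.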
160 changes: 0 additions & 160 deletions .github/workflows/manual-release.yaml

This file was deleted.
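Review bot: with this file deleted there is no `workflow_dispatch` entry point left for a release, so a failed or skipped publish can only be retried by pushing another commit to main; confirm that the reusable autopublish workflow replacing it either exposes its own manual trigger or that this is acceptable. The deleted workflow was also the only place in this repository where the release steps (checkout, node setup, npm publish, GitHub release) were spelled out, so the PR description should link the reusable workflow's definition so reviewers can compare what is being delegated.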

16 changes: 16 additions & 0 deletions .github/workflows/package-release.yaml
@@ -0,0 +1,16 @@
name: Package Release
on:
push:
branches:
- main
jobs:
release:
# Auto-publishes the dotrain crates to crates.io and the @rainlanguage/dotrain
# npm package on every merge to main, version-bumped in lockstep by the shared
# rainix-autopublish reusable — the same merge-driven model every other rain repo
# uses. Replaces the old manual `workflow_dispatch` release.
uses: rainlanguage/rainix/.github/workflows/rainix-autopublish.yaml@main

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find the latest commit hash for the rainix repository's main branch
git ls-remote https://github.com/rainlanguage/rainix.git main | awk '{print $1}'

Repository: rainlanguage/dotrain

Length of output: 105


Pin the reusable workflow to a specific commit hash instead of using @main.

Line 12 uses @main, which allows upstream changes to the reusable workflow in rainlanguage/rainix to alter publish behavior without explicit review. Pin to a specific commit hash:

uses: rainlanguage/rainix/.github/workflows/rainix-autopublish.yaml@f6bca081825f0fed57a8885e58feb4296307da20

This ensures the workflow definition is immutable and prevents unreviewed behavioral changes.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 12-12: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 12-12: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/package-release.yaml at line 12, the reusable workflow
reference in the rainix-autopublish.yaml uses statement is pinned to `@main`
instead of a specific commit hash, which allows upstream changes to execute
without explicit review. Replace the `@main` reference in the uses statement with
the specific commit hash f6bca081825f0fed57a8885e58feb4296307da20 to ensure the
workflow definition remains immutable and prevent unreviewed behavioral changes
from the rainlanguage/rainix repository.

with:
crates: dotrain dotrain-lsp
npm-package: "@rainlanguage/dotrain"
secrets: inherit
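Review bot: `secrets: inherit` on line 16 hands every repository and organization secret to a workflow referenced by a mutable `@main` ref on line 12, so a change merged upstream in rainlanguage/rainix would run with this repo's crates.io and npm publish tokens and anything else stored here, with no review on this side. Pin `uses:` to a full commit SHA (the zizmor `unpinned-uses` finding) and, if the reusable workflow declares named secret inputs, pass only the publish tokens it needs instead of `inherit`; a top-level `permissions:` block restricting `GITHUB_TOKEN` is also missing. Separately, the trigger is every push to `main` with no `paths` filter, so docs-only merges will also cut a release; that matches the lockstep comment on lines 8-11 but is worth stating in the PR description.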
1 change: 0 additions & 1 deletion .github/workflows/pr-assessment.yaml
Expand Up @@ -3,7 +3,6 @@ on:
pull_request:
types:
- closed

jobs:
assess-pr-size-on-merge:
uses: rainlanguage/github-chore/.github/workflows/pr-assessment.yml@main
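Review bot: the only change in this hunk is the removed blank line before `jobs:`, a whitespace-only edit; either drop it from this PR or mention it in the description so reviewers do not look for a behavioral change here. While the file is being touched, `pr-assessment.yml@main` has the same mutable-ref issue flagged elsewhere in this PR and could be pinned to a commit SHA in the same pass.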
55 changes: 21 additions & 34 deletions .github/workflows/rainix.yaml
@@ -1,38 +1,25 @@
name: Rainix CI
name: rainix-rs
on: [push]

jobs:
Comment on lines +1 to 3
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Declare explicit least-privilege permissions.

This workflow currently relies on default GITHUB_TOKEN permissions for all jobs. Set explicit minimal scopes (for this CI workflow, typically read-only) to avoid permission drift.

Suggested hardening
 name: rainix-rs
 on: [push]
+permissions:
+  contents: read
 jobs:
   static:
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
name: rainix-rs
on: [push]
jobs:
name: rainix-rs
on: [push]
permissions:
contents: read
jobs:
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 1-26: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[warning] 2-2: insufficient job-level concurrency limits (concurrency-limits): workflow is missing concurrency setting

(concurrency-limits)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rainix.yaml around lines 1-3, the rainix-rs workflow in
.github/workflows/rainix.yaml lacks explicit permission declarations, relying on
default GITHUB_TOKEN permissions which can drift over time. Add a top-level
`permissions` section immediately after the `on` trigger declaration to declare
only the minimal scopes required for this CI workflow. Since this is a read-only
build/test workflow, set permissions to read-only at the workflow level (such as
read for contents, packages, and id-token if needed), and override specific jobs
only if they require different permissions. This follows the principle of least
privilege and prevents unintended permission escalation.

Source: Linters/SAST tools

rainix:
strategy:
matrix:
os: [ubuntu-latest, macos-latest]
task: [rainix-rs-test, rainix-rs-artifacts]
include:
# We don't need to do rust static analysis on multiple platforms
- os: ubuntu-latest
task: rainix-rs-static
fail-fast: false
runs-on: ${{ matrix.os }}

static:
uses: rainlanguage/rainix/.github/workflows/rainix-rs-static.yaml@main
secrets: inherit
test:
uses: rainlanguage/rainix/.github/workflows/rainix-rs-test.yaml@main
secrets: inherit
js-bindings:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
# Shared rainix nix + cachix CI preamble (checkout, nix-quick-install,
# Cachix, cache-nix-action) — the pinned action SHAs live once in the
# composite, matching every rainix reusable. The build/test/docs commands
# below are dotrain-specific flake devShell tasks (npm + wasm-bindgen CLI
# over the js-api crate, mocha tests, api-extractor docs), so there is no
# rainix reusable workflow that runs them; only the preamble is shared.
- uses: rainlanguage/rainix/.github/actions/nix-cachix-setup@main
with:
submodules: recursive
fetch-depth: 0

- uses: DeterminateSystems/nix-installer-action@v4
- uses: DeterminateSystems/magic-nix-cache-action@v2

- run: nix develop -c rainix-rs-prelude

- name: Run ${{ matrix.task }}
run: nix develop -c ${{ matrix.task }}

- name: Build JS Bindings
run: nix develop -c build-js-bindings

- name: Run JS Tests
run: nix develop -c test-js-bindings

- name: Test JS Doc Generation
run: nix develop -c js-bindings-docs
cachix-auth-token: ${{ secrets.CACHIX_AUTH_TOKEN }}
- uses: rainlanguage/rainix/.github/actions/rust-cache@main
Comment on lines +5 to +22
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find .github/workflows -type f -name "*.yaml" -o -name "*.yml" | head -20

Repository: rainlanguage/dotrain

Length of output: 169


🏁 Script executed:

cat -n .github/workflows/rainix.yaml

Repository: rainlanguage/dotrain

Length of output: 1354


🏁 Script executed:

cat -n .github/workflows/manual-release.yaml

Repository: rainlanguage/dotrain

Length of output: 6932


Pin all action and reusable workflow references to immutable commit SHAs, not @main or semver tags. This prevents upstream ref drift and supply-chain attacks in trusted CI and release paths.

  • .github/workflows/rainix.yaml (lines 5, 8, 19, 22): Replace @main refs with full commit SHAs for both reusable workflows and actions.
  • .github/workflows/manual-release.yaml: Pin all actions—including actions/checkout@v4, nixbuild/nix-quick-install-action@v30, nix-community/cache-nix-action@v6, actions/setup-node@v4, JS-DevTools/npm-publish@v1, and softprops/action-gh-release@v2 (lines 23–40, 80, 87, 145)—to commit SHAs. Semver tags like @v4 remain mutable and can be rewritten by maintainers.
🧰 Tools
🪛 zizmor (1.25.2)

[warning] 7-9: overly broad permissions (excessive-permissions): default permissions used due to no permissions: block

(excessive-permissions)


[error] 5-5: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 8-8: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[error] 22-22: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)


[warning] 5-5: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)


[warning] 8-8: secrets unconditionally inherited by called workflow (secrets-inherit): this reusable workflow

(secrets-inherit)


[info] 10-10: workflow or action definition without a name (anonymous-definition): this job

(anonymous-definition)

📍 Affects 2 files
  • .github/workflows/rainix.yaml#L5-L22 (this comment)
  • .github/workflows/manual-release.yaml#L23-L40
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/rainix.yaml around lines 5-22, pin all GitHub Actions
and reusable workflow references to immutable full commit SHAs instead of
mutable refs. In .github/workflows/rainix.yaml (lines 5, 8, 19, 22), replace all
`@main` references in rainix-rs-static.yaml, rainix-rs-test.yaml,
nix-cachix-setup, and rust-cache with their corresponding full commit SHAs. In
.github/workflows/manual-release.yaml (lines 23-40, 80, 87, 145), replace all
semver tag references including `actions/checkout@v4`,
`nixbuild/nix-quick-install-action@v30`, `nix-community/cache-nix-action@v6`,
`actions/setup-node@v4`, `JS-DevTools/npm-publish@v1`, and
`softprops/action-gh-release@v2` with their full commit SHAs to prevent upstream
drift and supply-chain vulnerabilities.

Source: Linters/SAST tools

- run: nix develop -c build-js-bindings
- run: nix develop -c test-js-bindings
- run: nix develop -c js-bindings-docs
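Review bot: the replaced `actions/checkout@v4` step passed `submodules: recursive` and `fetch-depth: 0`, but the new `nix-cachix-setup@main` composite on line 19 receives only `cachix-auth-token` under `with:`; unless the composite itself checks out submodules recursively with full history, the `js-bindings` job will build against an incomplete tree, so either confirm that in the action's inputs or pass the equivalent options through. The rewrite also drops the `os: [ubuntu-latest, macos-latest]` matrix and `fail-fast: false`, so unless `rainix-rs-test.yaml` runs on macOS internally this is a silent loss of platform coverage that the PR description should call out. The four `@main` references and the two `secrets: inherit` lines carry the same mutable-ref and secret-exposure concerns raised on package-release.yaml; pin them to commit SHAs and add a workflow-level `permissions:` block with `contents: read`, as the zizmor findings suggest.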
2 changes: 1 addition & 1 deletion .rustfmt.toml
Expand Up @@ -3,4 +3,4 @@ reorder_imports = false
reorder_modules = false
# group_imports = "StdExternalCrate"
# imports_layout = "HorizontalVertical"
# unstable_features = true
# unstable_features = true
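Review bot: the removed and added `# unstable_features = true` lines are byte-identical in the rendered diff, so this hunk is a trailing-newline or whitespace-only change; that is fine to keep, but say so in the PR description rather than leaving reviewers to diff invisible characters.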
39 changes: 15 additions & 24 deletions Cargo.lock