ci(manual-sol-artifacts): declare workflow_call secrets for cross-org callers

[thedavidmeister]

Problem

rainix-manual-sol-artifacts.yaml reads ${{ secrets.PRIVATE_KEY }} (→ DEPLOYMENT_KEY) and the RPC / explorer / cachix secrets directly in its deploy step, but its on.workflow_call block declared only inputs.suite — no secrets:. That works for same-org callers using secrets: inherit, but secrets: inherit does not forward a caller's org secrets across organizations. A cross-org caller (e.g. S01-Issuer/st0x.deploy) therefore got an empty PRIVATE_KEY → empty DEPLOYMENT_KEY → forge script reverted at vm.envUint("DEPLOYMENT_KEY") before broadcasting any transaction.

Fix

Declare the consumed secrets under on.workflow_call.secrets (all required: false), mirroring the existing declaration in rainix-sol.yaml, so cross-org callers can pass them explicitly.

Backward-compatible: same-org callers using secrets: inherit (e.g. rain.vats) are unaffected — inherit still forwards everything, and all entries are optional with the existing || vars.* || '' fallbacks intact.

Consumer follow-up

S01-Issuer/st0x.deploy's manual-sol-artifacts.yaml switches from secrets: inherit to explicit passing once this merges.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated the manual artifact workflow to accept a broader set of optional secrets when called externally.
  • Improved compatibility for cross-organization and automated callers by making network and verification credentials available through the workflow interface.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bf7e09ef-17b1-481e-b8e6-0d1cc25c121b

📥 Commits

Reviewing files that changed from the base of the PR and between 6b43e60 and 8a11f14.

📒 Files selected for processing (1)

• .github/workflows/rainix-manual-sol-artifacts.yaml

---

📝 Walkthrough

Walkthrough

Adds an explicit workflow_call.secrets block to .github/workflows/rainix-manual-sol-artifacts.yaml declaring PRIVATE_KEY, CACHIX_AUTH_TOKEN, EXPLORER_VERIFICATION_KEY, several RPC_URL_*_FORK endpoints, and per-network CI_DEPLOY_*_ETHERSCAN_API_KEY secrets, all marked required: false.

Sol Artifacts Workflow Secrets

Layer / File(s)	Summary
workflow_call secrets declaration .github/workflows/rainix-manual-sol-artifacts.yaml	Adds 13 optional secret entries under on.workflow_call.secrets so cross-org callers can pass them explicitly; existing env fallback chain remains unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• rainlanguage/rainix#219: Also modifies the same workflow to add EXPLORER_VERIFICATION_KEY and CI_DEPLOY_*_ETHERSCAN_API_KEY to the Etherscan verification env fallback logic.

Poem

🐇 A secret declared is a secret well-shared,
No more guessing what keys must be bared.
PRIVATE_KEY, RPC, Etherscan too,
All optional, required: false — hooray, we're through!
The workflow now whispers the names that it needs. 🌿

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the workflow_call secret declarations added for cross-organization callers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/declare-manual-sol-artifacts-secrets

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[thedavidmeister]

Reviewed 8a11f14: approved — YAML-only workflow_call.secrets declaration (all required:false, mirrors rainix-sol.yaml); backward-compatible for same-org inherit callers; all substantive checks green.

[github-actions]

@coderabbitai assess this PR size classification for the totality of the PR with the following criterias and report it in your comment:

S/M/L PR Classification Guidelines:

This guide helps classify merged pull requests by effort and complexity rather than just line count. The goal is to assess the difficulty and scope of changes after they have been completed.

Small (S)

Characteristics:

• Simple bug fixes, typos, or minor refactoring
• Single-purpose changes affecting 1-2 files
• Documentation updates
• Configuration tweaks
• Changes that require minimal context to review

Review Effort: Would have taken 5-10 minutes

Examples:

• Fix typo in variable name
• Update README with new instructions
• Adjust configuration values
• Simple one-line bug fixes
• Import statement cleanup

Medium (M)

Characteristics:

• Feature additions or enhancements
• Refactoring that touches multiple files but maintains existing behavior
• Breaking changes with backward compatibility
• Changes requiring some domain knowledge to review

Review Effort: Would have taken 15-30 minutes

Examples:

• Add new feature or component
• Refactor common utility functions
• Update dependencies with minor breaking changes
• Add new component with tests
• Performance optimizations
• More complex bug fixes

Large (L)

Characteristics:

• Major feature implementations
• Breaking changes or API redesigns
• Complex refactoring across multiple modules
• New architectural patterns or significant design changes
• Changes requiring deep context and multiple review rounds

Review Effort: Would have taken 45+ minutes

Examples:

• Complete new feature with frontend/backend changes
• Protocol upgrades or breaking changes
• Major architectural refactoring
• Framework or technology upgrades

Additional Factors to Consider

When deciding between sizes, also consider:

• Test coverage impact: More comprehensive test changes lean toward larger classification
• Risk level: Changes to critical systems bump up a size category
• Team familiarity: Novel patterns or technologies increase complexity

Notes:

• the assessment must be for the totality of the PR, that means comparing the base branch to the last commit of the PR
• the assessment output must be exactly one of: S, M or L (single-line comment) in format of: SIZE={S/M/L}
• do not include any additional text, only the size classification
• your assessment comment must not include tips or additional sections
• do NOT tag me or anyone else on your comment

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

SIZE=S