commit f727032fae7ded10471927a2aadf6f6356291360
parent e0e3c897b2919b4c1130bc7cf97d525bd655bff4
Author: triesap <tyson@radroots.org>
Date: Fri, 13 Mar 2026 01:34:13 +0000
ci: remove flake warnings and node24 deprecations
- add explicit descriptions for flake apps so app evaluations stop warning on missing metadata
- move sdk-typescript bun validation behind a pinned flake app instead of the node20 setup action
- update workflow checkout and artifact pins to node24-compatible shas and drop the unsupported magic nix cache step
- keep the nix command map aligned with the new validation app and reviewed workflow surface
Diffstat:
10 files changed, 58 insertions(+), 49 deletions(-)
diff --git a/.github/workflows/nix-flake-ci.yml b/.github/workflows/nix-flake-ci.yml
@@ -9,7 +9,6 @@ on:
permissions:
contents: read
- id-token: write
jobs:
flake-check:
@@ -22,7 +21,7 @@ jobs:
runs-on: ${{ matrix.runner }}
steps:
- name: checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: install nix
uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
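Review bot: The replacement pin `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd` in the checkout step has no trailing comment naming the release it corresponds to, so the "node24-compatible" claim in the commit message cannot be checked from the diff. Record the tag next to the SHA, e.g. `uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # <release tag>`, and confirm the commit is reachable from that tag in the upstream repository rather than only from a fork. The same applies to the new `actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f` and `peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0` pins in the other workflow files of this commit. The steps list continues outside this hunk.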
@@ -30,8 +29,5 @@ jobs:
extra_nix_config: |
experimental-features = nix-command flakes
- - name: prime nix cache
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39
-
- name: run flake check
run: nix flake check
diff --git a/.github/workflows/publish-crates.yml b/.github/workflows/publish-crates.yml
@@ -18,7 +18,6 @@ on:
permissions:
contents: read
- id-token: write
concurrency:
group: publish-crates
@@ -29,7 +28,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: install nix
uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
@@ -37,9 +36,6 @@ jobs:
extra_nix_config: |
experimental-features = nix-command flakes
- - name: prime nix cache
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39
-
- name: verify workspace
run: nix run .#check
diff --git a/.github/workflows/release-preflight.yml b/.github/workflows/release-preflight.yml
@@ -5,14 +5,13 @@ on:
permissions:
contents: read
- id-token: write
jobs:
preflight:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: install nix
uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
@@ -20,9 +19,6 @@ jobs:
extra_nix_config: |
experimental-features = nix-command flakes
- - name: prime nix cache
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39
-
- name: run repo guards
run: nix run .#guards
@@ -30,7 +26,7 @@ jobs:
run: nix run .#release-preflight
- name: upload release preflight artifacts
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
with:
name: release-preflight
path: |
diff --git a/.github/workflows/sdk-contract-ci.yml b/.github/workflows/sdk-contract-ci.yml
@@ -8,14 +8,13 @@ on:
permissions:
contents: read
- id-token: write
jobs:
contract:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: install nix
uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
@@ -23,14 +22,11 @@ jobs:
extra_nix_config: |
experimental-features = nix-command flakes
- - name: prime nix cache
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39
-
- name: run contract lane
run: nix run .#contract
- name: upload export manifest
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
with:
name: sdk-export-manifest
path: target/sdk-export-ci/ts/export-manifest.json
diff --git a/.github/workflows/sdk-core-sync-pr.yml b/.github/workflows/sdk-core-sync-pr.yml
@@ -23,14 +23,13 @@ on:
permissions:
contents: read
- id-token: write
jobs:
sync-models:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: install nix
uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
@@ -38,9 +37,6 @@ jobs:
extra_nix_config: |
experimental-features = nix-command flakes
- - name: prime nix cache
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39
-
- name: run repo guards
run: nix run .#guards
@@ -76,14 +72,14 @@ jobs:
- name: upload sdk export artifact
if: steps.sync_token.outputs.configured == 'true'
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
with:
name: sdk-export-ts-bundle
path: ${{ runner.temp }}/sdk-export/ts
- name: checkout sdk-typescript
if: steps.sync_token.outputs.configured == 'true'
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
with:
repository: radrootslabs/sdk-typescript
ref: master
@@ -107,24 +103,13 @@ jobs:
rsync -a --delete "${wasm_src}/" sdk-typescript/packages/events-codec-wasm/dist/
fi
- - name: setup bun
- if: steps.sync_token.outputs.configured == 'true'
- uses: oven-sh/setup-bun@ecf28ddc73e819eb6fa29df6b34ef8921c743461
- with:
- bun-version: 1.3.9
-
- name: validate sdk-typescript
if: steps.sync_token.outputs.configured == 'true'
- working-directory: sdk-typescript
- run: |
- bun install --frozen-lockfile
- bun run typecheck
- bun run build
- bun run test
+ run: nix run .#validate-sdk-typescript -- sdk-typescript
- name: create pull request
if: steps.sync_token.outputs.configured == 'true'
- uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e
+ uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0
with:
token: ${{ secrets.RADROOTS_SDK_SYNC_TOKEN }}
path: sdk-typescript
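Review bot: The `validate sdk-typescript` step runs the `typecheck`, `build` and `test` scripts from the `radrootslabs/sdk-typescript` checkout in the same job that later hands `secrets.RADROOTS_SDK_SYNC_TOKEN` to `create pull request`. The `with:` block of the `checkout sdk-typescript` step continues outside the visible hunks, so this is unconfirmed. If that checkout receives the token and keeps the default credential persistence, the token sits in `sdk-typescript/.git/config` while those scripts run. Consider adding `persist-credentials: false` to that checkout, provided the pull-request action authenticates on its own through its `token` input. It would also help to add a comment on the validate step such as `# runs sdk-typescript package scripts; no secrets in env for this step`.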
diff --git a/.github/workflows/sdk-coverage-ci.yml b/.github/workflows/sdk-coverage-ci.yml
@@ -17,14 +17,13 @@ on:
permissions:
contents: read
- id-token: write
jobs:
coverage-report:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: install nix
uses: cachix/install-nix-action@1ca7d21a94afc7c957383a2d217460d980de4934
@@ -32,14 +31,11 @@ jobs:
extra_nix_config: |
experimental-features = nix-command flakes
- - name: prime nix cache
- uses: DeterminateSystems/magic-nix-cache-action@565684385bcd71bad329742eefe8d12f2e765b39
-
- name: run sdk coverage report set
run: nix run .#coverage-report
- name: upload sdk coverage reports
- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02
+ uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
with:
name: sdk-coverage-reports
path: |
diff --git a/.github/workflows/update-flake-lock.yml b/.github/workflows/update-flake-lock.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
- name: install determinate nix
uses: DeterminateSystems/determinate-nix-action@131015bad844610e5e6300f8a143bf625d3e74f4
diff --git a/docs/nix.md b/docs/nix.md
@@ -87,6 +87,7 @@ nix run .#export-ts
nix run .#coverage-report
nix run .#wasm-builds
nix run .#release-preflight
+nix run .#validate-sdk-typescript -- ./sdk-typescript
nix run .#publish-dry-run
nix run .#publish-crates -- --dry-run
```
@@ -102,6 +103,7 @@ nix run .#publish-crates -- --dry-run
Repo-aware flows stay behind `nix run` apps because they need a real checkout:
- `sdk export-ts` writes into repo-local `target/`
+- sdk sync validation runs `bun` against a checked-out `sdk-typescript` repo path
- coverage refresh and release preflight produce repo-local artifacts
- wasm packaging writes package output directories
- publish commands read runtime tokens and the live checkout state
diff --git a/nix/apps.nix b/nix/apps.nix
@@ -5,6 +5,7 @@ let
mkRepoApp =
{
name,
+ description ? "Run ${name} in the radroots workspace",
runtimeInputs,
command,
env ? common.exportSharedEnv,
@@ -30,23 +31,27 @@ let
{
type = "app";
program = "${script}/bin/${name}";
+ meta.description = description;
};
in
{
check = mkRepoApp {
name = "check";
+ description = "Run cargo check across the radroots workspace";
runtimeInputs = common.runtimeInputs.stable;
command = common.checkCommand;
};
contract = mkRepoApp {
name = "contract";
+ description = "Run the sdk contract lane and export validation";
runtimeInputs = common.runtimeInputs.stable;
command = common.contractCommand;
};
coverage-report = mkRepoApp {
name = "coverage-report";
+ description = "Generate sdk coverage reports and blocking gate artifacts";
runtimeInputs = common.runtimeInputs.coverage;
command = common.coverageReportCommand;
env = common.exportCoverageEnv;
@@ -55,6 +60,7 @@ in
export-ts = mkRepoApp {
name = "export-ts";
+ description = "Export generated typescript sdk artifacts";
runtimeInputs = common.runtimeInputs.stable;
command = ''
cargo run -q -p xtask -- sdk export-ts "$@"
@@ -63,6 +69,7 @@ in
guards = mkRepoApp {
name = "guards";
+ description = "Run repository guard scripts";
runtimeInputs = common.runtimeInputs.stable;
command = ''
./scripts/ci/guard_committed_ts_artifacts.sh
@@ -72,6 +79,7 @@ in
fmt = mkRepoApp {
name = "fmt";
+ description = "Format rust, nix, shell, and toml files";
runtimeInputs = common.runtimeInputs.stable ++ [
config.treefmt.build.wrapper
];
@@ -83,6 +91,7 @@ in
publish-crates = mkRepoApp {
name = "publish-crates";
+ description = "Publish crates through the workspace release script";
runtimeInputs = common.runtimeInputs.release;
command = ''
./publish-crates.sh "$@"
@@ -93,6 +102,7 @@ in
publish-dry-run = mkRepoApp {
name = "publish-dry-run";
+ description = "Run a dry-run crates publish through the workspace release script";
runtimeInputs = common.runtimeInputs.release;
command = ''
./publish-crates.sh --dry-run "$@"
@@ -103,14 +113,23 @@ in
release-preflight = mkRepoApp {
name = "release-preflight";
+ description = "Run release coverage refresh and preflight validation";
runtimeInputs = common.runtimeInputs.coverage;
command = common.releasePreflightCommand;
env = common.exportCoverageEnv;
pathPrefix = coveragePath;
};
+ validate-sdk-typescript = mkRepoApp {
+ name = "validate-sdk-typescript";
+ description = "Validate the synced sdk-typescript checkout with bun";
+ runtimeInputs = common.runtimeInputs.sync;
+ command = common.validateSdkTypescriptCommand;
+ };
+
wasm-builds = mkRepoApp {
name = "wasm-builds";
+ description = "Build the wasm packages defined by the workspace makefile";
runtimeInputs = common.runtimeInputs.wasm;
command = common.wasmBuildsCommand;
};
diff --git a/nix/common.nix b/nix/common.nix
@@ -54,6 +54,9 @@ let
pkg-config
python3
] ++ darwinBuildInputs;
+ syncRuntimeInputs = stableRuntimeInputs ++ [
+ pkgs.bun
+ ];
coverageRuntimeInputs = stableRuntimeInputs ++ [
toolchains.coverage
pkgs.cargo-llvm-cov
@@ -164,6 +167,24 @@ let
releasePreflightCommand = ''
./scripts/ci/release_preflight.sh
'';
+ validateSdkTypescriptCommand = ''
+ if [ "$#" -ne 1 ]; then
+ echo "usage: validate-sdk-typescript <path-to-sdk-typescript-checkout>" >&2
+ exit 1
+ fi
+
+ target_dir="$1"
+ if [ ! -d "$target_dir" ]; then
+ echo "sdk-typescript checkout not found at $target_dir" >&2
+ exit 1
+ fi
+
+ cd "$target_dir"
+ bun install --frozen-lockfile
+ bun run typecheck
+ bun run build
+ bun run test
+ '';
coverageReportCommand = ''
mkdir -p target/sdk-coverage
: > target/sdk-coverage/coverage-report-status.txt
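Review bot: Nothing in `validateSdkTypescriptCommand` itself stops the sequence when `bun install --frozen-lockfile`, `bun run typecheck` or `bun run build` fails. It relies on the `mkRepoApp` wrapper enabling errexit, which is not visible in this diff. If the wrapper does not, only the exit status of `bun run test` decides the result, and a failed typecheck or build would pass the validation gate that the workflow step previously enforced. Either confirm the wrapper sets it or make it explicit with `set -euo pipefail` as the first line of the command. Writing `cd -- "$target_dir"` would also keep a path that begins with `-` from being read as an option.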
@@ -319,6 +340,7 @@ in
releasePreflightCommand
sdkContractCargoArgs
sharedEnv
+ validateSdkTypescriptCommand
version
wasmBuildsCommand
xtaskPackage;
@@ -328,6 +350,7 @@ in
runtimeInputs = {
stable = stableRuntimeInputs;
+ sync = syncRuntimeInputs;
coverage = coverageRuntimeInputs;
release = releaseRuntimeInputs;
wasm = wasmRuntimeInputs;