Adds a version-alignment CI job that validates uniffi and Rust toolchain channel versions against org-level CI variables (UNIFFI_VERSION, RUST_TOOLCHAIN_CHANNEL). Reuses the composite action defined in worldcoin/bedrock rather than duplicating the logic here.
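A stand-alone sketch of the check the PR description names, added here as an illustration and not the worldcoin/bedrock composite action itself: it reads the channel from rust-toolchain.toml and the uniffi version from Cargo.toml and compares both against the org-level variables RUST_TOOLCHAIN_CHANNEL and UNIFFI_VERSION. The sample file contents and the write_samples helper are constructed assumptions so the script runs offline.

```shell
#!/bin/sh
# Added example, not the worldcoin/bedrock composite action: compare the pinned
# toolchain channel and uniffi version against the org-level CI variables
# RUST_TOOLCHAIN_CHANNEL and UNIFFI_VERSION named in the PR description.

# Print the `channel = "..."` value from a rust-toolchain.toml file.
toolchain_channel() {
  sed -n 's/^[[:space:]]*channel[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print the uniffi version from Cargo.toml. Handles both inline forms:
#   uniffi = "0.31.0"
#   uniffi = { version = "0.31.0", features = ["cli"] }
uniffi_version() {
  awk -F'"' '/^[[:space:]]*uniffi[[:space:]]*=/ {
    if ($0 ~ /version[[:space:]]*=/) {
      sub(/.*version[[:space:]]*=[[:space:]]*"/, ""); sub(/".*/, ""); print; exit
    }
    print $2; exit
  }' "$1"
}

# $1 = rust-toolchain.toml, $2 = Cargo.toml. Returns 0 only when both values
# match the environment; each mismatch is reported on stderr for the CI log.
check_alignment() {
  [ -n "$RUST_TOOLCHAIN_CHANNEL" ] && [ -n "$UNIFFI_VERSION" ] || {
    echo "org variables RUST_TOOLCHAIN_CHANNEL/UNIFFI_VERSION are not set" >&2; return 2; }
  channel=$(toolchain_channel "$1")
  uniffi=$(uniffi_version "$2")
  status=0
  if [ "$channel" != "$RUST_TOOLCHAIN_CHANNEL" ]; then
    echo "rust-toolchain.toml channel '$channel' != RUST_TOOLCHAIN_CHANNEL '$RUST_TOOLCHAIN_CHANNEL'" >&2
    status=1
  fi
  if [ "$uniffi" != "$UNIFFI_VERSION" ]; then
    echo "Cargo.toml uniffi '$uniffi' != UNIFFI_VERSION '$UNIFFI_VERSION'" >&2
    status=1
  fi
  return "$status"
}

# Constructed sample files (not taken from the PR) so the check runs offline.
write_samples() {
  dir=$(mktemp -d)
  printf '[toolchain]\nchannel = "1.94.1"\ncomponents = ["clippy", "rustfmt"]\n' > "$dir/rust-toolchain.toml"
  printf '[workspace]\nmembers = ["crates/a", "crates/b"]\n\n[workspace.dependencies]\nlog = "0.4"\nuniffi = { version = "0.31.0", features = ["cli"] }\n' > "$dir/Cargo.toml"
  echo "$dir"
}
```

In a workflow step this would be invoked as `check_alignment rust-toolchain.toml Cargo.toml` with the two org variables exported into the job environment; a non-zero exit fails the job.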
| "log", | ||
| "mockito", | ||
| "rand 0.9.2", | ||
| "rand 0.8.5", |
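Review bot: the Cargo.lock hunk moves a workspace crate from `rand 0.9.2` to `rand 0.8.5`, a downgrade the PR description (toolchain and uniffi alignment only) does not mention; since the follow-up reply says Cargo.toml already pins `^0.8`, state in the description that the lock file was regenerated from the manifest so the change is recognisable as resolver drift rather than an intentional dependency change.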
do we know why this dep is being downgraded?
rand wasn't intentionally downgraded. It was already pinned to ^0.8 in Cargo.toml. The 0.9.2 entry in the previous Cargo.lock came from a transitive dependency resolving to a newer version, but it wasn't something we directly depended on at that version.
This commit just brought the lock file back in line with what we actually declare.
Pull request overview
Adds CI enforcement to keep the repo’s Rust toolchain and UniFFI versions aligned with organization-level GitHub Actions variables, and updates local toolchain/dependency versions accordingly.
Changes:
- Bumps the `rust-toolchain.toml` channel to `1.94.1`.
- Normalizes the workspace `members` formatting and pins `uniffi` to `0.31.0`.
- Adds a new `version-alignment` CI job that reuses the composite action from `worldcoin/bedrock`.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| rust-toolchain.toml | Updates the pinned Rust toolchain channel. |
| Cargo.toml | Formats workspace members and aligns the uniffi version string with org variables. |
| Cargo.lock | Updates the locked dependency graph (notably rand resolution for some workspace crates). |
| .github/workflows/ci.yml | Introduces a “Version Alignment” job using the Bedrock composite action. |
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
|
|
||
| - uses: worldcoin/bedrock/.github/actions/version-alignment@main |
The workflow references the Bedrock composite action by branch (worldcoin/bedrock/.github/actions/version-alignment@main). For supply-chain safety and reproducibility, pin this to an immutable ref (a release tag or full commit SHA) instead of main, otherwise CI behavior can change (or be compromised) without any change in this repo.
| - uses: worldcoin/bedrock/.github/actions/version-alignment@main | |
| - uses: worldcoin/bedrock/.github/actions/version-alignment@<FULL_40_CHAR_COMMIT_SHA> |
| - name: Checkout code | ||
| uses: actions/checkout@v6 | ||
|
|
actions/checkout@v6 is referenced by a mutable tag. To make CI runs reproducible and reduce action supply-chain risk, pin this to a specific commit SHA (or at least a specific major+minor tag if your org policy allows).
I agree with this and we do pin to sha in other repos. I think it's more acceptable to reference a branch for repositories that belong to us like bedrock but for those actions that we don't own, it's safer to pin.
@aurel-fr ^ Specified a commit SHA of the upstream repo (version alignment script)
Avoids relying on a mutable branch ref (main) for the upstream bedrock composite action, preventing unexpected CI behavior changes from upstream.