ci(maestro): pin actions#105 SHA + fix web Metro cache env poisoning#559
Conversation
Bump the pay-tests, setup, and permit2-reset maestro action refs to the latest SHA on WalletConnect/actions#105 (30fd566). Draft — re-pin to the squash-merge SHA on main once #105 is merged. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
Claude finished @ignaciosantise's task in 58s —— View job Review
✅ No issues found SHA bump of 3 composite action refs (
|
…oning Expo inlines EXPO_PUBLIC_* into the web bundle at Babel transform time, but Metro's transform cache (node_modules/.cache) is not keyed on env values. Callers that inject per-run ephemeral creds (e.g. a rotating wallet private key/address) therefore restored a cache built with a different .env and shipped the previous run's address baked into the bundle. Hash the written .env into the cache key and drop restore-keys: the prefix fallback matched any older cache regardless of .env, so an exact-key miss re-poisoned from a stale entry. Exact-match-only makes it safe. Stable-creds callers keep a full cache hit (identical .env => identical key); per-run-creds callers cold-build each run, as intended. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
#105 merged (4cec02a). Re-pin pay-tests/setup/permit2-reset off the now-deleted branch SHA to the permanent commit on master and drop the "still open" notes. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
Updates the shared walletkit-build-and-maestro composite CI action to (1) pin Maestro-related WalletConnect actions to the merged SHA of WalletConnect/actions#105 and (2) prevent Expo web/Metro transform-cache reuse across differing .env values that would otherwise inline stale EXPO_PUBLIC_* values into the exported bundle.
Changes:
- Pin
WalletConnect/actions/maestro/*usages to the squash-merge commit4cec02a4c535c254581471df287099a26d5eeffb. - Make the Metro web cache key include a hash of the written
.env(alongsideyarn.lock) to avoid env-induced cache poisoning. - Remove
restore-keysfor the web Metro cache to prevent unsafe prefix-fallback restores across differing.envcontents.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Summary
Two changes to
.github/actions/walletkit-build-and-maestro/action.yml, bundled so downstream repos can test both against a single branch/SHA.1. Pin maestro actions to the merged WalletConnect/actions#105 SHA
d291974→4cec02a4c535c254581471df287099a26d5eeffb(the squash-merge commit of WalletConnect/actions#105 onmaster) for:WalletConnect/actions/maestro/pay-testsWalletConnect/actions/maestro/setupWalletConnect/actions/maestro/permit2-reset#105 added the web-only pay flows (in-app IC form) and the
pay-onchaintags the web leg's parallel/serial split relies on.2. Fix web Metro cache env poisoning
The web
Cache Metro web build cachestep warmsnode_modules/.cache(Expo/Metro's transformFileStore). Expo inlinesEXPO_PUBLIC_*into the bundle at Babel transform time, and Metro's transform cache is not keyed on env values.Callers that inject per-run ephemeral credentials — e.g. a downstream repo rotating
EXPO_PUBLIC_TEST_PRIVATE_KEY(and thus the wallet address) every run — restored a cache built with a different.envand shipped the previous run's address baked into the exported bundle, so Maestro ran against the wrong account.Fix:
.envinto the cache key (alongsideyarn.lock).restore-keys— the<os>-web-metro-prefix fallback matched any older cache regardless of.env, so an exact-key miss still re-poisoned from a stale entry. Exact-match-only is what makes it safe.Effect:
.envdiffers every run → key always misses → cold build → correct address inlined..envidentical across runs → exact key hit → full transform-cache speedup preserved.Follow-up to #555 (Expo web leg).
🤖 Generated with Claude Code