ci(maestro): pin actions#105 SHA + fix web Metro cache env poisoning #559

Merged: ignaciosantise merged 3 commits into main from chore/maestro-pin-actions-105-latest on Jul 1, 2026

ignaciosantise (Collaborator) commented Jul 1, 2026

Summary

Two changes to .github/actions/walletkit-build-and-maestro/action.yml, bundled so downstream repos can test both against a single branch/SHA.

1. Pin maestro actions to the merged WalletConnect/actions#105 SHA

d291974 → 4cec02a4c535c254581471df287099a26d5eeffb (the squash-merge commit of WalletConnect/actions#105 on master) for:

  • WalletConnect/actions/maestro/pay-tests
  • WalletConnect/actions/maestro/setup
  • WalletConnect/actions/maestro/permit2-reset

#105 added the web-only pay flows (in-app IC form) and the pay-onchain tags the web leg's parallel/serial split relies on.

2. Fix web Metro cache env poisoning

The web Cache Metro web build cache step warms node_modules/.cache (Expo/Metro's transform FileStore). Expo inlines EXPO_PUBLIC_* into the bundle at Babel transform time, and Metro's transform cache is not keyed on env values.

Callers that inject per-run ephemeral credentials — e.g. a downstream repo rotating EXPO_PUBLIC_TEST_PRIVATE_KEY (and thus the wallet address) every run — restored a cache built with a different .env and shipped the previous run's address baked into the exported bundle, so Maestro ran against the wrong account.

Fix:

  • Hash the written .env into the cache key (alongside yarn.lock).
  • Remove restore-keys — the <os>-web-metro- prefix fallback matched any older cache regardless of .env, so an exact-key miss still re-poisoned from a stale entry. Exact-match-only is what makes it safe.

Effect:

  • Per-run-creds callers: .env differs every run → key always misses → cold build → correct address inlined.
  • Stable-creds callers (this repo's E2E CI): .env identical across runs → exact key hit → full transform-cache speedup preserved.

Follow-up to #555 (Expo web leg).

🤖 Generated with Claude Code
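
The cache behaviour described in this PR, modelled as an added example (not code from the PR or from the WalletConnect action): a simplified stand-in for the cache step's lookup (exact key first, then the newest `restore-keys` prefix match) shows why hashing `.env` into the key is not enough while the prefix fallback remains. The sample `.env` and lockfile strings, the `Linux` OS prefix, and the assumption that the old key hashed only yarn.lock are constructed for illustration.

```python
import hashlib

LOCK = "constructed yarn.lock contents"  # constructed sample input
ENV_RUN1 = "EXPO_PUBLIC_TEST_PRIVATE_KEY=constructed-key-run-1\n"  # constructed
ENV_RUN2 = "EXPO_PUBLIC_TEST_PRIVATE_KEY=constructed-key-run-2\n"  # constructed
PREFIX = "Linux-web-metro-"  # the <os>-web-metro- prefix named in the PR

def digest(text):
    return hashlib.sha256(text.encode()).hexdigest()[:12]

def cache_key(env_text, key_on_env):
    """Assumed old key hashes yarn.lock only; fixed key also hashes the written .env."""
    key = PREFIX + digest(LOCK)
    return key + "-" + digest(env_text) if key_on_env else key

def restore(store, key, restore_keys):
    """Simplified cache lookup: exact key, then newest entry matching a prefix."""
    for saved_key, payload in store:
        if saved_key == key:
            return payload
    for prefix in restore_keys:
        for saved_key, payload in reversed(store):
            if saved_key.startswith(prefix):
                return payload
    return None

def ci_run(store, env_text, key_on_env, restore_keys):
    """Return the .env text whose values end up inlined in the exported bundle."""
    key = cache_key(env_text, key_on_env)
    cached = restore(store, key, restore_keys)
    # Metro's transform cache is not keyed on env values, so a restored
    # transform wins over the .env written for this run.
    inlined = cached if cached is not None else env_text
    if all(saved_key != key for saved_key, _ in store):
        store.append((key, inlined))  # post step saves under the primary key
    return inlined

def two_runs(key_on_env, restore_keys, second_env=ENV_RUN2):
    """Run 1 warms the cache with ENV_RUN1; return what run 2 inlines."""
    store = []
    ci_run(store, ENV_RUN1, key_on_env, restore_keys)
    return ci_run(store, second_env, key_on_env, restore_keys)

if __name__ == "__main__":
    print("lock-only key + restore-keys: ", two_runs(False, [PREFIX]).strip())
    print(".env in key + restore-keys:   ", two_runs(True, [PREFIX]).strip())
    print(".env in key, exact match only:", two_runs(True, []).strip())
```

Only the third configuration inlines the second run's key; the middle one still restores the first run's transform through the prefix fallback.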

Bump the pay-tests, setup, and permit2-reset maestro action refs to the
latest SHA on WalletConnect/actions#105 (30fd566). Draft — re-pin to the
squash-merge SHA on main once #105 is merged.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
vercel Bot commented Jul 1, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
deposit-app-demo Error Error Jul 1, 2026 7:40pm
pos-demo Ready Ready Preview, Comment Jul 1, 2026 7:40pm

claude Bot commented Jul 1, 2026

Claude finished @ignaciosantise's task in 58s


Review

  • Gather context & read changed files
  • Run breaking changes subagent
  • Run data classification subagent
  • Compile and post review

✅ No issues found

SHA bump of 3 composite action refs (pay-tests, setup, permit2-reset) from d291974 → 30fd5666325425f3a01e596e882625c7e96df540, plus the matching inline comment update. No contract surface changed (inputs, outputs, step IDs, env var names). Both breaking-change and data-classification checks returned clean.

⚠️ As noted in the PR description: this is pinned to a branch SHA on an open WalletConnect/actions#105. Remember to re-pin to the squash-merge SHA once #105 lands on main.

…oning

Expo inlines EXPO_PUBLIC_* into the web bundle at Babel transform time,
but Metro's transform cache (node_modules/.cache) is not keyed on env
values. Callers that inject per-run ephemeral creds (e.g. a rotating
wallet private key/address) therefore restored a cache built with a
different .env and shipped the previous run's address baked into the
bundle.

Hash the written .env into the cache key and drop restore-keys: the
prefix fallback matched any older cache regardless of .env, so an
exact-key miss re-poisoned from a stale entry. Exact-match-only makes it
safe. Stable-creds callers keep a full cache hit (identical .env =>
identical key); per-run-creds callers cold-build each run, as intended.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

ignaciosantise changed the title from "ci(maestro): re-pin actions to latest WalletConnect/actions#105 SHA" to "ci(maestro): re-pin actions#105 SHA + fix web Metro cache env poisoning" on Jul 1, 2026

#105 merged (4cec02a). Re-pin pay-tests/setup/permit2-reset off the
now-deleted branch SHA to the permanent commit on master and drop the
"still open" notes.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

ignaciosantise marked this pull request as ready for review July 1, 2026 19:39
Copilot AI review requested due to automatic review settings July 1, 2026 19:39
ignaciosantise changed the title from "ci(maestro): re-pin actions#105 SHA + fix web Metro cache env poisoning" to "ci(maestro): pin actions#105 SHA + fix web Metro cache env poisoning" on Jul 1, 2026
ignaciosantise merged commit 2a1014a into main Jul 1, 2026
14 of 16 checks passed
ignaciosantise deleted the chore/maestro-pin-actions-105-latest branch July 1, 2026 19:40

Copilot AI left a comment

Pull request overview

Updates the shared walletkit-build-and-maestro composite CI action to (1) pin Maestro-related WalletConnect actions to the merged SHA of WalletConnect/actions#105 and (2) prevent Expo web/Metro transform-cache reuse across differing .env values that would otherwise inline stale EXPO_PUBLIC_* values into the exported bundle.

Changes:

  • Pin WalletConnect/actions/maestro/* usages to the squash-merge commit 4cec02a4c535c254581471df287099a26d5eeffb.
  • Make the Metro web cache key include a hash of the written .env (alongside yarn.lock) to avoid env-induced cache poisoning.
  • Remove restore-keys for the web Metro cache to prevent unsafe prefix-fallback restores across differing .env contents.
