Pump and Publish using Docker

[ljttl3q04t]

Summary by CodeRabbit

• New Features

  • Introduced a new script to automate version updates and publishing within a Docker container.

• Chores

  • Updated the package version to 11.1.0-minswap.32.
  • Modified workflow to use Docker for version bump and publish steps, improving automation and consistency.
  • Adjusted scripts to separate versioning and publishing processes.

[coderabbitai]

Walkthrough

A new Docker-based workflow was introduced for version bumping and publishing, replacing direct dependency installation on the runner. A dedicated script (docker-pump-version.sh) was added to handle version updates and publishing inside the Docker container. The existing version bump script was adjusted to remove publishing steps. Version numbers in package.json and Cargo.toml were updated.

Changes

File(s)	Change Summary
.github/workflows/pump-version.yml	Refactored workflow to build and use a Docker image for version bumping and publishing steps.
docker-pump-version.sh	New script added to automate version updates and publishing inside Docker; accepts version as argument.
scripts/pump-version.sh	Removed JS publishing commands; script now only handles version bumping and git operations.
package.json, rust/Cargo.toml	Updated version numbers from 11.1.0-minswap.29 to 11.1.0-minswap.32.

Sequence Diagram(s)

sequenceDiagram
    participant GitHub Actions
    participant Docker Builder
    participant Container (docker-pump-version.sh)
    participant NPM Registry

    GitHub Actions->>Docker Builder: Build cardano-csl-builder image
    GitHub Actions->>Container (docker-pump-version.sh): Run docker-pump-version.sh with version arg
    Container (docker-pump-version.sh)->>Container (docker-pump-version.sh): Update version in files
    Container (docker-pump-version.sh)->>NPM Registry: Publish NodeJS and Browser packages
    GitHub Actions->>scripts/pump-version.sh: Run version bump script (no publish)

Loading

Poem

A Docker ship sets sail today,
To bump our versions, smooth the way.
With scripts anew and numbers bright,
Our packages publish through the night.
The bunny hops, the build is done—
Three cheers for progress, everyone!
🐇🚢✨

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[ljttl3q04t]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[ljttl3q04t]

@coderabbitai i just force pushed, please full review

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@ljttl3q04t

✅ Actions performed

Full review triggered after force push.

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

docker-pump-version.sh (1)

14-16: .npmrc is written twice (workflow + here).

Remove one of the writes to keep the pipeline DRY and avoid confusion about which config is in effect.

🧹 Nitpick comments (3)

.github/workflows/pump-version.yml (1)

24-28: Consider publishing a pre-built base image instead of building on every run.

Building cardano-csl-builder on the runner takes several minutes and offers an unnecessary attack surface repetition.
Push the image to GHCR (or Docker Hub) once and docker pull it here; rebuild only when the Dockerfile changes.

docker-pump-version.sh (2)

5-5: Fail fast if no version argument is supplied.

set -u will already abort, but a friendlier message helps CI triage.

-version=$1
+if [[ $# -ne 1 ]]; then
+  echo "Usage: $0 <new-version>" >&2
+  exit 1
+fi
+version=$1

---

19-20: Publishing steps run heavy builds twice per job.

npm install + wasm-pack are invoked earlier and again inside the publish scripts.
Consider a single build artefact reused across js:publish-* to cut ~3–4 min per run.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8046ef5 and d02ad9c.

⛔ Files ignored due to path filters (2)

• package-lock.json is excluded by !**/package-lock.json
• rust/Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (5)

• .github/workflows/pump-version.yml (1 hunks)
• docker-pump-version.sh (1 hunks)
• package.json (1 hunks)
• rust/Cargo.toml (1 hunks)
• scripts/pump-version.sh (0 hunks)

💤 Files with no reviewable changes (1)

• scripts/pump-version.sh

🧰 Additional context used

🧠 Learnings (2)

rust/Cargo.toml (2)

Learnt from: ljttl3q04t
PR: minswap/cardano-serialization-lib#45
File: rust/src/serialization.rs:1983-1985
Timestamp: 2025-07-01T03:57:39.056Z
Learning: In the minswap/cardano-serialization-lib repository, using panic! for unknown/unused CertificateEnum variants in serialization is acceptable as a simple solution when those certificate types are never used in the codebase.

Learnt from: ljttl3q04t
PR: minswap/cardano-serialization-lib#45
File: rust/src/lib.rs:1050-1074
Timestamp: 2025-07-01T03:53:00.482Z
Learning: In the minswap/cardano-serialization-lib repository, dummy/placeholder structs for certificate types (like CommitteeHotAuth, CommitteeColdResign, etc.) are acceptable when they are not currently used and are intended as placeholders for future implementation.

package.json (1)

Learnt from: ljttl3q04t
PR: minswap/cardano-serialization-lib#45
File: rust/src/serialization.rs:1983-1985
Timestamp: 2025-07-01T03:57:39.056Z
Learning: In the minswap/cardano-serialization-lib repository, using panic! for unknown/unused CertificateEnum variants in serialization is acceptable as a simple solution when those certificate types are never used in the codebase.

🔇 Additional comments (2)

rust/Cargo.toml (1)

3-3: Version bump looks fine.

No functional impact beyond metadata. ✅

package.json (1)

3-3: Consistent version bump.

Matches the Rust crate version – good.

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Secrets are mounted into a container built from repo code – review threat model.

Because the image is built from the PR’s Dockerfile, malicious code could be baked into the image and exfiltrate NPM_TOKEN / GITHUB_TOKEN when this step runs.
If untrusted contributors can modify the Dockerfile, restrict this job to protected branches or use a vetted image.

---

To confirm whether cardano-csl-builder is built from the PR’s Dockerfile (and thus can be tampered with) or pulled as a prebuilt image, let’s inspect the workflow for any build steps:

---

🏁 Script executed:

#!/bin/bash
set -e

echo "Looking for docker build steps in pump-version.yml:"
rg -n "docker build" -n .github/workflows/pump-version.yml || echo "→ No docker build found in workflow."

echo
echo "Listing references to cardano-csl-builder:"
rg -n "cardano-csl-builder" -n .github/workflows/pump-version.yml || echo "→ No references found."

echo
echo "Full workflow file preview:"
sed -n '1,200p' .github/workflows/pump-version.yml

Length of output: 2463

---

Harden secret usage in Docker workflow

The workflow builds cardano-csl-builder from PR-supplied Dockerfile and then mounts ${{ secrets.NPM_TOKEN }} and ${{ secrets.GITHUB_TOKEN }} into that image. A malicious PR could modify the Dockerfile or included scripts to exfiltrate these tokens.

Locations to address:

• .github/workflows/pump-version.yml
  • Line 26: docker build -t cardano-csl-builder .
  • Lines 41–55: docker run … cardano-csl-builder …

Recommendations:

• Use a pre-built, versioned image from a trusted registry instead of building from PR code.
• Or restrict this job to a protected branch (e.g. if: github.ref == 'refs/heads/minswap-11' with branch protection enabled) so untrusted PRs cannot modify the image.
• Alternatively, split “build” and “publish” into separate workflows: build on PRs, but only publish/run with secrets on merges to protected branches.

🤖 Prompt for AI Agents

In .github/workflows/pump-version.yml around lines 26 and 41-55, the workflow
builds the Docker image from PR-supplied code and runs it with secrets mounted,
risking secret exposure. To fix this, either use a pre-built, versioned Docker
image from a trusted registry instead of building from PR code, or restrict the
job to run only on protected branches by adding a condition like `if: github.ref
== 'refs/heads/minswap-11'`. Alternatively, separate the build and publish steps
into different workflows so that secrets are only used in workflows triggered by
merges to protected branches.

[coderabbitai]

🛠️ Refactor suggestion

sed patterns are over-greedy and may touch unintended matches.

1. .+minswap.+ spans across quotes and will replace every “version” field that contains minswap, even in nested dependencies of package-lock.json.
2. A single -i run rewrites all occurrences, so unsafe replacements have no easy rollback.

Prefer precise semver‐aware replacements via jq / cargo set-version, or at least tighten the regex:

-sed -i -E 's/"version": ".+minswap.+"/"version": "'"$version"'"/' package.json
+sed -i -E 's/"version": "[0-9]+\.[0-9]+\.[0-9]+-minswap\.[0-9]+"/"version": "'"$version"'"/' package.json

Repeat for the other files.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	echo "update version field"
	sed -i -E 's/"version": ".+minswap.+"/"version": "'"$version"'"/' package.json
	sed -i -E 's/"version": ".+minswap.+"/"version": "'"$version"'"/' package-lock.json
	sed -i -E 's/version = ".+minswap.+"/version = "'"$version"'"/' rust/Cargo.toml
	sed -i -E 's/version = ".+minswap.+"/version = "'"$version"'"/' rust/Cargo.lock
	echo "update version field"
	sed -i -E 's/"version": "[0-9]+\.[0-9]+\.[0-9]+-minswap\.[0-9]+"/"version": "'"$version"'"/' package.json
	sed -i -E 's/"version": ".+minswap.+"/"version": "'"$version"'"/' package-lock.json
	sed -i -E 's/version = ".+minswap.+"/version = "'"$version"'"/' rust/Cargo.toml
	sed -i -E 's/version = ".+minswap.+"/version = "'"$version"'"/' rust/Cargo.lock

🤖 Prompt for AI Agents

In docker-pump-version.sh around lines 7 to 13, the sed patterns are too broad
and replace all version fields containing "minswap," including nested
dependencies, which is unsafe. Replace these with more precise commands: use jq
to update the version field in package.json and package-lock.json, and use cargo
set-version to update the version in Cargo.toml and Cargo.lock. This approach
ensures only the intended version fields are updated safely without affecting
nested dependencies or requiring complex regex.