refactor setup/action.yml to use setup-compact-action

.github/actions/setup/action.yml

@@ -6,27 +6,10 @@ inputs:
     description: "Skip Compact compiler installation"
     required: false
     default: "false"
-  gh-token:
-    description: "The GITHUB_TOKEN created by the calling workflow"
-    required: true
-
-outputs:
-  compact-home:
-    description: "Path to Compact compiler installation"
-    value: ${{ steps.compact-outputs.outputs.compact-home }}
-  compact-version:
-    description: "Installed Compact compiler version"
-    value: ${{ steps.compact-outputs.outputs.version }}
 
 runs:
   using: "composite"
   steps:
-    - name: Set shared environment variables
-      shell: bash
-      run: |
-        echo "COMPILER_VERSION=0.26.0" >> $GITHUB_ENV
-        echo "LANGUAGE_VERSION=0.18.0" >> $GITHUB_ENV
-
     - name: Enable corepack
       shell: bash
       run: corepack enable
@@ -35,18 +18,9 @@ runs:
       uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
       with:
         path: .turbo
-        key: ${{ runner.os }}-turbo-${{ hashFiles('.turbo/*') }}-${{ github.sha }}
+        key: ${{ runner.os }}-turbo-${{ github.sha }}
         restore-keys: |
-          ${{ runner.os }}-turbo-${{ hashFiles('.turbo/*') }}
-
-    - name: Cache Compact compiler
-      if: inputs.skip-compact != 'true'
-      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
-      id: compact-cache
-      with:
-        path: |
-          ~/.local/bin/compact
-        key: compact-compiler-${{ env.COMPILER_VERSION }}-${{ runner.os }}
+          ${{ runner.os }}-turbo-
 
     - name: Setup Node.js
       uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
@@ -65,80 +39,8 @@ runs:
         TURBO_TELEMETRY_DISABLED: 1
       run: npm install turbo@${{ env.TURBO_MAJOR_VERSION }} -g
 
-    - name: Install Compact compiler
-      env:
-        GITHUB_TOKEN: ${{ inputs.gh-token }} # avoid rate limiting
-      if: inputs.skip-compact != 'true' && steps.compact-cache.outputs.cache-hit != 'true'
-      shell: bash
-      run: |
-        set -euo pipefail
-        COMPACT_HOME="$HOME/.local/bin"
-        mkdir -p "$COMPACT_HOME"
-
-        # Require COMPACT_INSTALLER_URL to be provided by the caller
-        if [ -z "${COMPACT_INSTALLER_URL:-}" ]; then
-          echo "::error::COMPACT_INSTALLER_URL is required but not set. Provide it via env or secrets."
-          exit 1
-        fi
-
-        echo "🔧 Installing Compact compiler from $COMPACT_INSTALLER_URL ..."
-        curl --proto '=https' --tlsv1.2 -LsSf "$COMPACT_INSTALLER_URL" | sh
-
-        echo "🔧 Updating Compact compiler to $COMPILER_VERSION..."
-        "$COMPACT_HOME/compact" update "$COMPILER_VERSION"
-
-        echo "✅ Compact compiler installed"
-
-    - name: Setup Compact environment
-      if: inputs.skip-compact != 'true'
-      shell: bash
-      run: |
-        COMPACT_HOME="$HOME/.local/bin"
-        echo "📁 Setting Compact environment variables..."
-        echo "COMPACT_HOME=$COMPACT_HOME" >> "$GITHUB_ENV"
-        echo "$COMPACT_HOME" >> "$GITHUB_PATH"
-
-        if [ -f "$COMPACT_HOME/compact" ]; then
-          echo "✅ Compact compiler is installed at $COMPACT_HOME"
-        else
-          echo "::error::❌ Compact compiler not found in $COMPACT_HOME"
-          exit 1
-        fi
-
-    - name: Set Compact outputs
-      if: inputs.skip-compact != 'true'
-      id: compact-outputs
-      shell: bash
-      run: |
-        echo "compact-home=$HOME/.local/bin" >> $GITHUB_OUTPUT
-        echo "version=$COMPILER_VERSION" >> $GITHUB_OUTPUT
-
-    - name: Check compiler and language version
-      if: inputs.skip-compact != 'true'
-      shell: bash
-      run: |
-        set -euo pipefail
-
-        echo "🔧 Updating Compact compiler to $COMPILER_VERSION..."
-        "$COMPACT_HOME/compact" update "$COMPILER_VERSION"
-
-        echo "🔍 Checking Compact compiler version..."
-        COMPILER_OUTPUT=$("$COMPACT_HOME/compact" compile --version)
-        COMPUTED_COMPILER_VERSION=$(echo "$COMPILER_OUTPUT" | grep -oP '\b0\.[0-9]+\.[0-9]+\b' | head -n 1)
-
-        if [ "$COMPUTED_COMPILER_VERSION" != "$COMPILER_VERSION" ]; then
-          echo "::error::❌ Compiler version mismatch!%0AExpected: $COMPILER_VERSION%0AGot: $COMPUTED_COMPILER_VERSION"
-          exit 1
-        fi
-        echo "✅ Compiler version matches: $COMPUTED_COMPILER_VERSION"
-
-        echo "🔍 Checking Compact language version..."
-        LANGUAGE_OUTPUT=$("$COMPACT_HOME/compact" compile --language-version)
-        COMPUTED_LANGUAGE_VERSION=$(echo "$LANGUAGE_OUTPUT" | grep -oP '\b0\.[0-9]+\.[0-9]+\b' | tail -n 1)
-
-        if [ "$COMPUTED_LANGUAGE_VERSION" != "$LANGUAGE_VERSION" ]; then
-          echo "::error::❌ Language version mismatch!%0AExpected: $LANGUAGE_VERSION%0AGot: $COMPUTED_LANGUAGE_VERSION"
-          exit 1
-        fi
-        echo "✅ Language version matches: $COMPUTED_LANGUAGE_VERSION"
-
+    - name: Setup Compact Compiler
+      if: ${{ inputs.skip-compact != 'true' }}
+      uses: midnightntwrk/setup-compact-action@4130145456ad3f45934788dd4a65647eb283e658
+      with:
+        compact-version: "0.26.0"

.github/workflows/checks.yml

@@ -13,11 +13,15 @@ jobs:
   checks:
     name: Run Checks
     runs-on: ubuntu-24.04
-
-    env:
-      COMPACT_INSTALLER_URL: ${{ vars.COMPACT_INSTALLER_URL }}
+    permissions:
+      contents: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
@@ -26,8 +30,7 @@ jobs:
       - name: Setup Environment
         uses: ./.github/actions/setup
         with:
-          skip-compact: 'true'
-          gh-token: ${{ secrets.GITHUB_TOKEN }} # secrets must be passed to composite actions
+          skip-compact: "true"
 
       - name: Format & Lint
         run: turbo fmt-and-lint:ci

.github/workflows/codeql.yml

@@ -22,10 +22,12 @@ jobs:
       matrix:
         language: ["javascript-typescript", "actions"]
 
-    env:
-      COMPACT_INSTALLER_URL: ${{ vars.COMPACT_INSTALLER_URL }}
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Check out code
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
@@ -34,7 +36,6 @@ jobs:
       - name: Setup Environment
         uses: ./.github/actions/setup
         with:
-          gh-token: ${{ secrets.GITHUB_TOKEN }} # secrets must be passed to composite actions
           skip-compact: "true"
 
       - name: Initialize CodeQL

.github/workflows/prepare-release.yml

@@ -13,83 +13,88 @@ jobs:
     runs-on: ubuntu-24.04
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v6
-
-    - name: Enable Corepack
-      run: corepack enable
-
-    - name: Setup Node.js
-      uses: actions/setup-node@v6
-      with:
-        node-version-file: ".nvmrc"
-        cache: "yarn"
-
-    - name: Extract current version
-      run: |
-        CURRENT_VERSION=$(node -p "require('./contracts/package.json').version")
-        echo "CURRENT_VERSION=$CURRENT_VERSION" >> "$GITHUB_ENV"
-
-    - name: Extract new version number
-      run: echo "NEW_VERSION=${GITHUB_REF#refs/heads/release-v}" >> "$GITHUB_ENV"
-
-    - name: Validate new version
-      run: |
-        BRANCH="${GITHUB_REF#refs/heads/}"
-        echo "Branch: $BRANCH"
-        echo "Current version: $CURRENT_VERSION"
-        echo "New version: $NEW_VERSION"
-
-        # 1) Branch must match release-v<semver>
-        if ! echo "$BRANCH" | grep -Eq '^release-v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'; then
-          echo "Error: Branch '$BRANCH' must match 'release-v<semver>' (e.g., release-v1.2.3)." >&2
-          exit 1
-        fi
-
-        # 2) NEW_VERSION must be valid semver
-        node -e "const v=process.env.NEW_VERSION; const semver=/^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?$/; if(!semver.test(v)){ console.error('Error: NEW_VERSION is not valid semver:', v); process.exit(1); }"
-        if [ $? -ne 0 ]; then
-          exit 1
-        fi
-
-        # 3) NEW_VERSION must differ from CURRENT_VERSION
-        if [ "$NEW_VERSION" = "$CURRENT_VERSION" ]; then
-          echo "Error: NEW_VERSION equals CURRENT_VERSION ($CURRENT_VERSION). Nothing to release." >&2
-          exit 1
-        fi
-
-    - name: Replace version in files
-      env:
-        NEW_VERSION: ${{ env.NEW_VERSION }}
-      run: |
-        echo "Current version: $CURRENT_VERSION"
-        echo "New version: $NEW_VERSION"
-
-        # Update package.json version field
-        node -e '
-          const fs = require("fs");
-          const path = "./contracts/package.json";
-          const pkg = JSON.parse(fs.readFileSync(path, "utf8"));
-          pkg.version = process.env.NEW_VERSION;
-          fs.writeFileSync(path, JSON.stringify(pkg, null, 2) + "\n");
-        '
-
-        # Escape special characters for sed
-        ESCAPED_CURRENT=$(printf '%s' "$CURRENT_VERSION" | sed -e 's/[\/&]/\\&/g')
-        ESCAPED_NEW=$(printf '%s' "$NEW_VERSION" | sed -e 's/[\/&]/\\&/g')
-
-        # Pattern to match version + optional prerelease (-alpha.1) and build (+build) suffixes
-        VERSION_SUFFIX='(-[A-Za-z0-9.]+)?(\+[A-Za-z0-9.]+)?'
-
-        # Replace version in contracts/src/
-        find ./contracts/src/ -type d -name '.*' -prune -o \
-          -type f -exec sed -Ei "s#${ESCAPED_CURRENT}${VERSION_SUFFIX}#$ESCAPED_NEW#g" {} +
-
-        # Replace version in docs/, excluding package-lock.json
-        find ./docs/ -type d -name '.*' -prune -o \
-          -type f ! -name 'package-lock.json' -exec sed -Ei "s#${ESCAPED_CURRENT}${VERSION_SUFFIX}#$ESCAPED_NEW#g" {} +
-
-    - name: Auto-commit changes
-      uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 #v7.0.0
-      with:
-        commit_message: Bump version to ${{ env.NEW_VERSION }}
+      - name: Harden Runner
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+
+      - name: Enable Corepack
+        run: corepack enable
+
+      - name: Setup Node.js
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
+        with:
+          node-version-file: ".nvmrc"
+          cache: "yarn"
+
+      - name: Extract current version
+        run: |
+          CURRENT_VERSION=$(node -p "require('./contracts/package.json').version")
+          echo "CURRENT_VERSION=$CURRENT_VERSION" >> "$GITHUB_ENV"
+
+      - name: Extract new version number
+        run: echo "NEW_VERSION=${GITHUB_REF#refs/heads/release-v}" >> "$GITHUB_ENV"
+
+      - name: Validate new version
+        run: |
+          BRANCH="${GITHUB_REF#refs/heads/}"
+          echo "Branch: $BRANCH"
+          echo "Current version: $CURRENT_VERSION"
+          echo "New version: $NEW_VERSION"
+
+          # 1) Branch must match release-v<semver>
+          if ! echo "$BRANCH" | grep -Eq '^release-v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?(\+[0-9A-Za-z-]+(\.[0-9A-Za-z-]+)*)?$'; then
+            echo "Error: Branch '$BRANCH' must match 'release-v<semver>' (e.g., release-v1.2.3)." >&2
+            exit 1
+          fi
+
+          # 2) NEW_VERSION must be valid semver
+          node -e "const v=process.env.NEW_VERSION; const semver=/^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?(?:\\+([0-9A-Za-z-]+(?:\\.[0-9A-Za-z-]+)*))?$/; if(!semver.test(v)){ console.error('Error: NEW_VERSION is not valid semver:', v); process.exit(1); }"
+          if [ $? -ne 0 ]; then
+            exit 1
+          fi
+
+          # 3) NEW_VERSION must differ from CURRENT_VERSION
+          if [ "$NEW_VERSION" = "$CURRENT_VERSION" ]; then
+            echo "Error: NEW_VERSION equals CURRENT_VERSION ($CURRENT_VERSION). Nothing to release." >&2
+            exit 1
+          fi
+
+      - name: Replace version in files
+        env:
+          NEW_VERSION: ${{ env.NEW_VERSION }}
+        run: |
+          echo "Current version: $CURRENT_VERSION"
+          echo "New version: $NEW_VERSION"
+
+          # Update package.json version field
+          node -e '
+            const fs = require("fs");
+            const path = "./contracts/package.json";
+            const pkg = JSON.parse(fs.readFileSync(path, "utf8"));
+            pkg.version = process.env.NEW_VERSION;
+            fs.writeFileSync(path, JSON.stringify(pkg, null, 2) + "\n");
+          '
+
+          # Escape special characters for sed
+          ESCAPED_CURRENT=$(printf '%s' "$CURRENT_VERSION" | sed -e 's/[\/&]/\\&/g')
+          ESCAPED_NEW=$(printf '%s' "$NEW_VERSION" | sed -e 's/[\/&]/\\&/g')
+
+          # Pattern to match version + optional prerelease (-alpha.1) and build (+build) suffixes
+          VERSION_SUFFIX='(-[A-Za-z0-9.]+)?(\+[A-Za-z0-9.]+)?'
+
+          # Replace version in contracts/src/
+          find ./contracts/src/ -type d -name '.*' -prune -o \
+            -type f -exec sed -Ei "s#${ESCAPED_CURRENT}${VERSION_SUFFIX}#$ESCAPED_NEW#g" {} +
+
+          # Replace version in docs/, excluding package-lock.json
+          find ./docs/ -type d -name '.*' -prune -o \
+            -type f ! -name 'package-lock.json' -exec sed -Ei "s#${ESCAPED_CURRENT}${VERSION_SUFFIX}#$ESCAPED_NEW#g" {} +
+
+      - name: Auto-commit changes
+        uses: stefanzweifel/git-auto-commit-action@28e16e81777b558cc906c8750092100bbb34c5e3 #v7.0.0
+        with:
+          commit_message: Bump version to ${{ env.NEW_VERSION }}

.github/workflows/release.yml

@@ -11,17 +11,17 @@ jobs:
       contents: read
       id-token: write
 
-    env:
-      COMPACT_INSTALLER_URL: ${{ vars.COMPACT_INSTALLER_URL }}
-
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@df199fb7be9f65074067a9eb93f12bb4c5547cf2 # v2.13.3
+        with:
+          egress-policy: audit
+
       - name: Checkout
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
       - name: Setup Environment
         uses: ./.github/actions/setup
-        with:
-          gh-token: ${{ secrets.GITHUB_TOKEN }} # secrets must be passed to composite actions
 
       - name: Build contracts
         run: turbo build --filter=!'docs'