chore(ci): migrate from Shipfox to Namespace.so runners#75
chore(ci): migrate from Shipfox to Namespace.so runners#75
Conversation
|
Warning Rate limit exceeded
To keep reviews running without waiting, you can enable usage-based add-on for your organization. This allows additional reviews beyond the hourly cap. Account admins can enable it under billing. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (5)
📒 Files selected for processing (74)
WalkthroughUpdated the x86_64-linux ChangesArtifact Hash Update
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
The previously pinned hash was masked by Shipfox's Nix store cache and broke when CI moved to Namespace runners (cold Nix store). Updating to the actual hash returned by github.com/speakeasy-api/speakeasy@v1.761.4.
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
flake.nix (2)
70-75:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winRemove debug
ls -alfrominstallPhase.This will emit a directory listing on every
nix build, adding noise to build logs.🧹 Proposed fix
installPhase = '' mkdir -p $out/bin unzip $src - ls -al install -m755 speakeasy $out/bin/ '';🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@flake.nix` around lines 70 - 75, The installPhase currently contains a debug command "ls -al" that pollutes build logs; remove that line from the installPhase block so only the necessary steps remain (mkdir -p $out/bin, unzip $src, and install -m755 speakeasy $out/bin/), ensuring the installPhase no longer emits a directory listing during nix build.
73-73:⚠️ Potential issue | 🟡 Minor | ⚡ Quick winRemove debug
ls -alfrominstallPhase.This emits a directory listing on every
nix build, cluttering build logs with no functional value.🧹 Proposed fix
installPhase = '' mkdir -p $out/bin unzip $src - ls -al install -m755 speakeasy $out/bin/ '';🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@flake.nix` at line 73, Remove the debug directory listing from the installPhase by deleting the stray "ls -al" command so it no longer prints on every nix build; locate the installPhase block in flake.nix and remove the line containing ls -al (no replacement needed).
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@flake.nix`:
- Line 44: The flake.nix currently pins a non-existent release v1.761.4 (the
listed SHA256 6a2d9a237bc4d7725c850bc85c1e85eb784924c64d0f2768350a0ede406f6c9b
is invalid); update the pinned version to an actual speakeasy-api release (e.g.,
v1.761.8 or v1.761.1) and then recalculate and replace the corresponding SHA-256
for the "x86_64-linux" entry. Locate the version pin and the "x86_64-linux" SHA
entry in flake.nix, change the version string to a released tag, fetch the
artifact (or run nix-prefetch-url/nix build) to obtain the correct hash, and
update the hash value accordingly so the flake validates.
- Line 44: The flake pins an incorrect speakeasyVersion ("1.761.4") that doesn't
exist; change speakeasyVersion to a valid release tag (e.g., "1.761.1" or
"1.761.8") and update the corresponding download URL/checksum to match that real
release so the fetch will succeed (look for the speakeasyVersion variable and
the download URL construction in the flake), remove the debug command `ls -al`
(the stray debug artifact) and delete the redundant `name = "speakeasy"` field
(since pname/version already provide it) to clean up the package definition.
---
Outside diff comments:
In `@flake.nix`:
- Around line 70-75: The installPhase currently contains a debug command "ls
-al" that pollutes build logs; remove that line from the installPhase block so
only the necessary steps remain (mkdir -p $out/bin, unzip $src, and install
-m755 speakeasy $out/bin/), ensuring the installPhase no longer emits a
directory listing during nix build.
- Line 73: Remove the debug directory listing from the installPhase by deleting
the stray "ls -al" command so it no longer prints on every nix build; locate the
installPhase block in flake.nix and remove the line containing ls -al (no
replacement needed).
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: bf23b634-f4d1-40f8-84c1-c91e9fa1df20
⛔ Files ignored due to path filters (4)
.github/actions/default/action.ymlis excluded by!**/*.yml.github/actions/docker/action.ymlis excluded by!**/*.yml.github/workflows/main.ymlis excluded by!**/*.yml.github/workflows/release.ymlis excluded by!**/*.yml
📒 Files selected for processing (1)
flake.nix
| }; | ||
| speakeasyHashes = { | ||
| "x86_64-linux" = "4419bff16df35eef8f1460de51d28f22b1ba8cd74cc0fce55e5252e8c6801fe9"; | ||
| "x86_64-linux" = "6a2d9a237bc4d7725c850bc85c1e85eb784924c64d0f2768350a0ede406f6c9b"; |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Fetch and hash the artifact the same way Nix would (sha256, base16).
nix-prefetch-url \
"https://github.com/speakeasy-api/speakeasy/releases/download/v1.761.4/speakeasy_linux_amd64.zip" \
--type sha256Repository: formancehq/terraform-provider-stack
Length of output: 136
🌐 Web query:
speakeasy v1.761.4 release speakeasy_linux_amd64.zip github
💡 Result:
I could not find a Speakeasy CLI GitHub release tag v1.761.4 (and therefore no speakeasy_linux_amd64.zip asset for that exact version) in the official speakeasy-api/speakeasy repository releases/tags pages I located. The closest nearby published releases visible are v1.761.1 and v1.761.8, and the tags list shown includes v1.761.1, v1.761.0, v1.760.0, etc., but not v1.761.4 [1][2][3]. What I can confirm from official sources: - The repository is speakeasy-api/speakeasy releases on GitHub [1]. - Assets for release v1.761.8 include speakeasy_linux_amd64.zip [4]. If you meant a different version (e.g., v1.761.8) or a different repository/name (there is also an unrelated “mandiant/speakeasy” project on GitHub), tell me the exact intended version and I can fetch the corresponding speakeasy_linux_amd64.zip URL/asset details [5].
Citations:
- 1: https://github.com/speakeasy-api/speakeasy/releases
- 2: https://github.com/speakeasy-api/speakeasy/releases/tag/v1.761.1
- 3: https://github.com/speakeasy-api/speakeasy/tags
- 4: https://github.com/speakeasy-api/speakeasy/releases/tag/v1.761.8
- 5: https://github.com/mandiant/speakeasy/releases
🏁 Script executed:
#!/bin/bash
# Attempt to download and verify the hash using curl and standard tools
RELEASE_URL="https://github.com/speakeasy-api/speakeasy/releases/download/v1.761.4/speakeasy_linux_amd64.zip"
EXPECTED_HASH="6a2d9a237bc4d7725c850bc85c1e85eb784924c64d0f2768350a0ede406f6c9b"
# Try to download the file with a small timeout and get its hash
echo "Attempting to download and verify hash..."
if timeout 30 curl -L -o /tmp/speakeasy_linux_amd64.zip "$RELEASE_URL" 2>/dev/null; then
ACTUAL_HASH=$(sha256sum /tmp/speakeasy_linux_amd64.zip | awk '{print $1}')
echo "Expected hash: $EXPECTED_HASH"
echo "Actual hash: $ACTUAL_HASH"
if [ "$ACTUAL_HASH" = "$EXPECTED_HASH" ]; then
echo "✓ Hash verification PASSED"
else
echo "✗ Hash verification FAILED"
fi
rm -f /tmp/speakeasy_linux_amd64.zip
else
echo "Could not download the artifact"
fiRepository: formancehq/terraform-provider-stack
Length of output: 153
The version v1.761.4 does not exist in the speakeasy-api/speakeasy releases. Update to an actual release (nearest available are v1.761.1 or v1.761.8) and verify the corresponding SHA-256 hash against that version's artifact. The hash 6a2d9a237bc4d7725c850bc85c1e85eb784924c64d0f2768350a0ede406f6c9b cannot be validated because the pinned version has never been released.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@flake.nix` at line 44, The flake.nix currently pins a non-existent release
v1.761.4 (the listed SHA256
6a2d9a237bc4d7725c850bc85c1e85eb784924c64d0f2768350a0ede406f6c9b is invalid);
update the pinned version to an actual speakeasy-api release (e.g., v1.761.8 or
v1.761.1) and then recalculate and replace the corresponding SHA-256 for the
"x86_64-linux" entry. Locate the version pin and the "x86_64-linux" SHA entry in
flake.nix, change the version string to a released tag, fetch the artifact (or
run nix-prefetch-url/nix build) to obtain the correct hash, and update the hash
value accordingly so the flake validates.
🧩 Analysis chain
🌐 Web query:
speakeasy-api/speakeasy v1.761.4 release sha256 speakeasy_linux_amd64.zip
💡 Result:
I couldn’t find a published release tag for speakeasy-api/speakeasy v1.761.4 (and therefore can’t retrieve the sha256 for speakeasy_linux_amd64.zip) from the official GitHub releases pages via the searches I ran. The closest nearby official tags I found were v1.761.1 and v1.761.8, each of which provides a checksums.txt asset, but neither corresponds to v1.761.4. [1][2][3] If you can share the exact GitHub release URL for v1.761.4 (or confirm the version you meant), I can fetch the correct checksums entry for speakeasy_linux_amd64.zip and report the sha256. [1]
Citations:
- 1: https://github.com/speakeasy-api/speakeasy/releases
- 2: https://github.com/speakeasy-api/speakeasy/releases/tag/v1.761.8
- 3: https://github.com/speakeasy-api/speakeasy/releases/tag/v1.761.1
🏁 Script executed:
# First, let's examine the flake.nix file to confirm the speakeasy version
git ls-files | grep -i flakeRepository: formancehq/terraform-provider-stack
Length of output: 100
🌐 Web query:
site:github.com/speakeasy-api/speakeasy/releases v1.761.4
💡 Result:
I couldn’t find any authoritative source for a “v1.761.4” release/tag in the speakeasy-api/speakeasy GitHub releases. The closest versions I can see around that range are v1.761.1 (published 2026-04-02) and v1.761.8 (published 2026-04-17), and the repository release list does not surface a v1.761.4 entry in the available results I retrieved.[1][2][3] If you meant a different project (or a different “v1.761.4” scheme, e.g., a dependency version rather than the tool’s release tag), tell me the exact product name or link, and I can re-run the research for that specific artifact.
Citations:
- 1: https://github.com/speakeasy-api/speakeasy/releases/tag/v1.761.1
- 2: https://github.com/speakeasy-api/speakeasy/releases/tag/v1.761.8
- 3: https://github.com/speakeasy-api/speakeasy/releases
🏁 Script executed:
cat -n flake.nix | head -80Repository: formancehq/terraform-provider-stack
Length of output: 3010
Cannot verify hash: the release tag v1.761.4 does not exist on GitHub.
The PR pins speakeasyVersion = "1.761.4" (line 36) and updates hashes to match that version, but a web search of the speakeasy-api/speakeasy releases found no v1.761.4 tag. The nearest published releases are v1.761.1 (2026-04-02) and v1.761.8 (2026-04-17). The download URL on line 63 will fail because the release artifact does not exist.
Confirm the intended speakeasy version: either correct the version in flake.nix to an actual release tag, or verify that v1.761.4 is available under a different location.
Also remove the debug artifact ls -al on line 73 and the redundant name = "speakeasy" on line 77 (already provided by pname + version).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@flake.nix` at line 44, The flake pins an incorrect speakeasyVersion
("1.761.4") that doesn't exist; change speakeasyVersion to a valid release tag
(e.g., "1.761.1" or "1.761.8") and update the corresponding download
URL/checksum to match that real release so the fetch will succeed (look for the
speakeasyVersion variable and the download URL construction in the flake),
remove the debug command `ls -al` (the stray debug artifact) and delete the
redundant `name = "speakeasy"` field (since pname/version already provide it) to
clean up the package definition.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #75 +/- ##
==========================================
+ Coverage 62.71% 63.12% +0.40%
==========================================
Files 21 21
Lines 1542 1532 -10
==========================================
Hits 967 967
+ Misses 424 415 -9
+ Partials 151 150 -1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
…nd flows through-account fields Pulls in upstream OpenAPI changes: - payments: new v3 List/Get Orders and Conversions endpoints - flows: new throughAccount, allowOverdraft, holdingAccount fields on stage send source/destination Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3 participants
Summary
Migrate CI runners from Shipfox to Namespace.so as part of the org-wide CI infrastructure migration.
Per-workflow changes
runs-on: shipfox-Xvcpu-ubuntu-2404→runs-on: namespace-profile-linux-amd64-Xvcpuactions/checkout@v6→namespacelabs/nscloud-checkout-action@v7(git mirror caching)docker/setup-qemu-actionremoved (Namespace builds AMD64+ARM64 natively)docker/setup-buildx-action→namespacelabs/nscloud-setup-buildx-action@v0Composite changes
.github/actions/default/action.yml— Pattern A migrated:nix-community/cache-nix-action@v7removed (incompatible with Namespace),actions/cache@v5→namespacelabs/nscloud-cache-action@v1.github/actions/docker/action.yml—docker/setup-qemu-actionremoved,docker/setup-buildx-action→namespacelabs/nscloud-setup-buildx-action@v0flake.nix fix (commit 2)
The previously pinned
x86_64-linuxhash for speakeasyv1.761.4was masked by Shipfox's Nix store cache. On Namespace (cold cache), the actual upstream binary hash mismatched. Updated to the correct hash returned bygithub.com/speakeasy-api/speakeasy@v1.761.4.Pre-existing drift surfaced by this PR (out of scope)
The
Dirtyjob runsjust pre-commitwhich regenerates the Speakeasy SDK then asserts no diff. With Namespace's cold Nix cache, speakeasy v1.761.4 actually executes (vs presumably a stale cached v1.690.0 binary on Shipfox), producing a regenerated SDK that diverges from the committed code.Files showing drift:
openapi/{build.yaml, flows/openapi.yaml, payments/openapi.yaml, generate.json}— upstream openapi specs are re-downloadedpkg/stack/.speakeasy/gen.lockpkg/stack/pkg/models/shared/*.go(multiple)pkg/stack/docs/**/*.md(multiple)Fixing this drift requires:
SPEAKEASY_API_KEYto regenerateThis is unrelated to the Shipfox→Namespace migration and out of scope.
Test plan