Updated with PR comments

Author: russell-stern

.github/workflows/template-compatibility-comment.yml

@@ -1,20 +1,21 @@
 name: Template Compatibility Comment
 
 # Triggered when the unprivileged "Template Compatibility Check" workflow
-# completes. This workflow has pull-requests: write so it can post PR comments,
-# but it never checks out or executes any external code — it only reads the
-# artifact produced by the check workflow.
+# completes. This workflow has pull-requests: write so it can post PR comments.
+# It checks out the default branch (only) to load scripts/template-compatibility-comment.js,
+# then reads the artifact produced by the check workflow.
 #
 # SECURITY: workflow_run always runs on the default branch, so this workflow
-# definition itself cannot be tampered with by a PR contributor. Artifact
-# contents are treated as untrusted strings and sanitized before use.
+# definition and checked-out script cannot be tampered with by a PR contributor.
+# Artifact contents are treated as untrusted strings and sanitized before use.
 
 on:
   workflow_run:
     workflows: ["Template Compatibility Check"]
     types: [completed]
 
 permissions:
+  contents: read
   pull-requests: write
   actions: read # required to download artifacts from another workflow run
 
@@ -23,6 +24,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
       - name: Download results artifact
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
         with:
@@ -35,92 +39,6 @@ jobs:
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
           script: |
-            const fs = require('fs');
-
-            const read = (filename) => {
-              try { return fs.readFileSync(`/tmp/compat-results/${filename}`, 'utf8').trim(); }
-              catch { return ''; }
-            };
-
-            // Validate PR number — must be a positive integer.
-            const prNumber = parseInt(read('pr-number.txt'), 10);
-            if (!Number.isInteger(prNumber) || prNumber <= 0) {
-              console.log('Invalid or missing PR number in artifact; skipping comment.');
-              return;
-            }
-
-            const exitCode    = read('exit-code.txt');
-            const fullOutput  = read('output.txt');
-            // Sanitize values read from the artifact before embedding in markdown
-            // to prevent injection (e.g. a malicious branch name or script output
-            // containing markdown syntax that escapes a code fence).
-            const templatesRef = read('templates-ref.txt').replace(/[^a-zA-Z0-9._\/-]/g, '');
-            const headRef      = read('head-ref.txt').replace(/[^a-zA-Z0-9._\/-]/g, '');
-
-            const marker = '<!-- template-compat-comment -->';
-
-            const { data: comments } = await github.rest.issues.listComments({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              issue_number: prNumber,
-            });
-            const existing = comments.find(c => c.body.includes(marker));
-
-            if (exitCode === '0') {
-              // Templates pass — remove any stale failure comment.
-              if (existing) {
-                await github.rest.issues.deleteComment({
-                  owner: context.repo.owner,
-                  repo: context.repo.repo,
-                  comment_id: existing.id,
-                });
-              }
-              return;
-            }
-
-            // Extract just the "Results" and "Failure Details" sections from output.
-            const resultsMatch = fullOutput.match(/={8,}\nResults:.*\n={8,}[\s\S]*/);
-            const failureSummary = resultsMatch ? resultsMatch[0].trim() : fullOutput.trim();
-
-            const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.payload.workflow_run.id}`;
-            const refNote = templatesRef === 'main'
-              ? 'tested against `cre-templates:main`'
-              : `tested against \`cre-templates:${templatesRef}\` (compat branch)`;
-
-            const body = [
-              '## ⚠️ Template Compatibility Failures',
-              '',
-              `This PR breaks one or more templates in [cre-templates](https://github.com/smartcontractkit/cre-templates) (${refNote}).`,
-              '',
-              '```',
-              failureSummary,
-              '```',
-              '',
-              `[View full output →](${runUrl})`,
-              '',
-              '<details>',
-              '<summary>What should I do?</summary>',
-              '',
-              '- **Accidental break:** Fix the SDK change so existing templates continue to compile.',
-              `- **Intentional breaking change:** Create a branch in \`cre-templates\` named \`compat/${headRef}\` with the template fixes applied. This job will automatically retest against that branch.`,
-              '',
-              '</details>',
-            ].join('\n');
-
-            const commentBody = `${marker}\n${body}`;
-
-            if (existing) {
-              await github.rest.issues.updateComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                comment_id: existing.id,
-                body: commentBody,
-              });
-            } else {
-              await github.rest.issues.createComment({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                issue_number: prNumber,
-                body: commentBody,
-              });
-            }
+            const path = require('path');
+            const run = require(path.join(process.env.GITHUB_WORKSPACE, 'scripts', 'template-compatibility-comment.js'));
+            await run({ github, context });

.github/workflows/template-compatibility.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     types: [opened, synchronize, reopened]
 
+concurrency:
+  group: template-compat-${{ github.head_ref || github.ref }}
+  cancel-in-progress: true
+
 # This job is informational — it is intentionally NOT a required status check
 # so that breaking SDK changes (major version bumps) can still be merged.
 # When templates break, a comment is posted on the PR with details.
@@ -17,6 +21,7 @@ permissions:
 jobs:
   template-compatibility:
     runs-on: ubuntu-latest
+    timeout-minutes: 20
 
     defaults:
       run:

scripts/template-compatibility-comment.js

@@ -0,0 +1,100 @@
+/**
+ * Used by .github/workflows/template-compatibility-comment.yml.
+ * Reads /tmp/compat-results from the prior workflow's artifact and posts or
+ * removes a PR comment via the GitHub API.
+ */
+module.exports = async ({ github, context }) => {
+  const fs = require('fs');
+
+  const read = (filename) => {
+    try {
+      return fs.readFileSync(`/tmp/compat-results/${filename}`, 'utf8').trim();
+    } catch {
+      return '';
+    }
+  };
+
+  // Validate PR number — must be a positive integer.
+  const prNumber = parseInt(read('pr-number.txt'), 10);
+  if (!Number.isInteger(prNumber) || prNumber <= 0) {
+    console.log('Invalid or missing PR number in artifact; skipping comment.');
+    return;
+  }
+
+  const exitCode = read('exit-code.txt');
+  const fullOutput = read('output.txt');
+  // Sanitize values read from the artifact before embedding in markdown
+  // to prevent injection (e.g. a malicious branch name or script output
+  // containing markdown syntax that escapes a code fence).
+  const templatesRef = read('templates-ref.txt').replace(/[^a-zA-Z0-9._\/-]/g, '');
+  const headRef = read('head-ref.txt').replace(/[^a-zA-Z0-9._\/-]/g, '');
+
+  const marker = '<!-- template-compat-comment -->';
+
+  const { data: comments } = await github.rest.issues.listComments({
+    owner: context.repo.owner,
+    repo: context.repo.repo,
+    issue_number: prNumber,
+  });
+  const existing = comments.find((c) => c.body.includes(marker));
+
+  if (exitCode === '0') {
+    // Templates pass — remove any stale failure comment.
+    if (existing) {
+      await github.rest.issues.deleteComment({
+        owner: context.repo.owner,
+        repo: context.repo.repo,
+        comment_id: existing.id,
+      });
+    }
+    return;
+  }
+
+  // Extract just the "Results" and "Failure Details" sections from output.
+  const resultsMatch = fullOutput.match(/={8,}\nResults:.*\n={8,}[\s\S]*/);
+  const failureSummary = resultsMatch ? resultsMatch[0].trim() : fullOutput.trim();
+
+  const runUrl = `${context.serverUrl}/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.payload.workflow_run.id}`;
+  const refNote =
+    templatesRef === 'main'
+      ? 'tested against `cre-templates:main`'
+      : `tested against \`cre-templates:${templatesRef}\` (compat branch)`;
+
+  const body = [
+    '## ⚠️ Template Compatibility Failures',
+    '',
+    `This PR breaks one or more templates in [cre-templates](https://github.com/smartcontractkit/cre-templates) (${refNote}).`,
+    '',
+    '```',
+    failureSummary,
+    '```',
+    '',
+    `[View full output →](${runUrl})`,
+    '',
+    '<details>',
+    '<summary>What should I do?</summary>',
+    '',
+    '- **Accidental break:** Fix the SDK change so existing templates continue to compile.',
+    `- **Intentional breaking change:** Create a branch in \`cre-templates\` named \`compat/${headRef}\` with the template fixes applied. This job will automatically retest against that branch.`,
+    '',
+    '</details>',
+  ].join('\n');
+
+  const commentBody = `${marker}\n${body}`;
+
+  if (existing) {
+    await github.rest.issues.updateComment({
+      owner: context.repo.owner,
+      repo: context.repo.repo,
+      comment_id: existing.id,
+      body: commentBody,
+    });
+  } else {
+    await github.rest.issues.createComment({
+      owner: context.repo.owner,
+      repo: context.repo.repo,
+      issue_number: prNumber,
+      body: commentBody,
+    });
+  }
+};

scripts/test-templates.sh

@@ -140,24 +140,44 @@ info ""
 info "Packing SDK..."
 
 cd packages/cre-sdk-javy-plugin
-JAVY_TARBALL=$(npm pack --quiet 2>/dev/null)
-if [ -z "$JAVY_TARBALL" ]; then
+_pack_log=$(mktemp)
+if ! bun pm pack --quiet >"$_pack_log" 2>&1; then
   info "❌ Failed to pack Javy plugin."
+  info "$(cat "$_pack_log")"
+  rm -f "$_pack_log"
   exit 1
 fi
+JAVY_TARBALL=$(grep -oE '[^[:space:]]+\.tgz' "$_pack_log" | tail -n1 | tr -d '\r\n')
+if [ -z "$JAVY_TARBALL" ] || [ ! -f "$(pwd)/$JAVY_TARBALL" ]; then
+  info "❌ Failed to pack Javy plugin (no .tgz produced or name not found)."
+  info "$(cat "$_pack_log")"
+  rm -f "$_pack_log"
+  exit 1
+fi
+rm -f "$_pack_log"
 JAVY_TARBALL_PATH="$(pwd)/$JAVY_TARBALL"
 SDK_TARBALLS+=("$JAVY_TARBALL_PATH")
 vlog "  Javy plugin: $JAVY_TARBALL_PATH"
 
 cd ../cre-sdk
 cp package.json package.json.bak
-npm pkg set dependencies."@chainlink/cre-sdk-javy-plugin"="file:$JAVY_TARBALL_PATH"
+bun pm pkg set "dependencies.@chainlink/cre-sdk-javy-plugin=file:$JAVY_TARBALL_PATH"
 
-TARBALL=$(npm pack --quiet 2>/dev/null)
-if [ -z "$TARBALL" ]; then
+_pack_log=$(mktemp)
+if ! bun pm pack --quiet >"$_pack_log" 2>&1; then
   info "❌ Failed to pack SDK."
+  info "$(cat "$_pack_log")"
+  rm -f "$_pack_log"
+  exit 1
+fi
+TARBALL=$(grep -oE '[^[:space:]]+\.tgz' "$_pack_log" | tail -n1 | tr -d '\r\n')
+if [ -z "$TARBALL" ] || [ ! -f "$(pwd)/$TARBALL" ]; then
+  info "❌ Failed to pack SDK (no .tgz produced or name not found)."
+  info "$(cat "$_pack_log")"
+  rm -f "$_pack_log"
   exit 1
 fi
+rm -f "$_pack_log"
 TARBALL_PATH="$(pwd)/$TARBALL"
 SDK_TARBALLS+=("$TARBALL_PATH")
 vlog "  SDK:         $TARBALL_PATH"
@@ -173,7 +193,7 @@ info ""
 
 if [ ! -d "$TEMPLATES_DIR" ]; then
   info "❌ Templates directory not found: $TEMPLATES_DIR"
-  info "Override with: TEMPLATES_DIR=/path/to/cre-templates ./scripts/test-templates.sh"
+  info "Override with: TEMPLATES_DIR=/path/to/cre-templates bun run test:templates"
   exit 1
 fi
 
@@ -226,17 +246,17 @@ for pkg in "${ALL_PKGS[@]}"; do
   # Install dependencies
   vlog "  Installing dependencies..."
   _out=""
-  if ! run_captured _out npm install --no-audit --fund=false; then
+  if ! run_captured _out bun install; then
     info "  ❌ $PREFIX $DISPLAY_NAME"
     FAILED_TEMPLATES+=("$DISPLAY_NAME")
-    FAILURE_STEPS+=("npm install")
+    FAILURE_STEPS+=("bun install")
     FAILURE_OUTPUTS+=("$_out")
     continue
   fi
 
   # Inject local SDK tarball
   vlog "  Installing local SDK..."
-  if ! run_captured _out npm install --no-save --no-audit --fund=false "$TARBALL_PATH"; then
+  if ! run_captured _out bun install --no-save "@chainlink/cre-sdk@file:$TARBALL_PATH"; then
     info "  ❌ $PREFIX $DISPLAY_NAME"
     FAILED_TEMPLATES+=("$DISPLAY_NAME")
     FAILURE_STEPS+=("sdk install")
@@ -249,7 +269,7 @@ for pkg in "${ALL_PKGS[@]}"; do
   # Typecheck
   if grep -q '"typecheck"' package.json; then
     vlog "  Running typecheck..."
-    if ! run_captured _out npm run typecheck --silent; then
+    if ! run_captured _out bun run typecheck; then
       info "  ❌ $PREFIX $DISPLAY_NAME"
       FAILED_TEMPLATES+=("$DISPLAY_NAME")
       FAILURE_STEPS+=("typecheck")
@@ -268,7 +288,7 @@ for pkg in "${ALL_PKGS[@]}"; do
   if [ -f "main.ts" ]; then
     GENERATED_FILES+=("$WORKFLOW_DIR/main.js" "$WORKFLOW_DIR/main.wasm")
     vlog "  Running cre-compile..."
-    if ! run_captured _out npx --no cre-compile main.ts; then
+    if ! run_captured _out bunx cre-compile main.ts; then
       info "  ❌ $PREFIX $DISPLAY_NAME"
       FAILED_TEMPLATES+=("$DISPLAY_NAME")
       FAILURE_STEPS+=("cre-compile")
@@ -312,8 +332,8 @@ if [ $FAIL_COUNT -gt 0 ]; then
     info ""
     info "❌ ${FAILED_TEMPLATES[$i]} — ${FAILURE_STEPS[$i]}"
     info "--------"
-    # Print the captured output, stripping npm warn noise to highlight real errors
-    echo "${FAILURE_OUTPUTS[$i]}" | grep -v "^npm warn" | grep -v "^$" || true
+    # Print the captured output, stripping common PM noise to highlight real errors
+    echo "${FAILURE_OUTPUTS[$i]}" | grep -v "^npm warn" | grep -v "^bun install v" | grep -v "^$" || true
   done
 
   exit 1