chore: Upstream f891afd merge (#1172)

* fix: specialize eth_getAccountInfo in fork mode (#11634)

* fix: specialize eth_getAccountInfo in fork mode

* typo

* refactor: extract inline config from lint (#11620)

* refactor: extract inline config from lint

* bless

* feat: remove loose

Not needed anymore, we actually look at the next AST item instead of
weird heuristics that required it.

* bless

* comment

* chore: replace anvil delegation capability types with alloy's (#11610)

* replace

* fix test compile

* bet

* lint

* update docs

* chore

* replace Capabilities with alloy's

* chore: rm more

* chore: fix

---------

Co-authored-by: Matthias Seitz <[email protected]>

* Update flake.lock (#11641)

flake.lock: Update

Flake lock file updates:

• Updated input 'fenix':
    'github:nix-community/fenix/22cabbc275cf8b258ec6e2be58553853e2ee005d?narHash=sha256-etrTo3sL%2BaHWeG9ct9NGJpgW4qv84ajwQRKv4gGmkao%3D' (2025-09-06)
  → 'github:nix-community/fenix/1458349a1bd55105f917e962dca4b328ac0a55e8?narHash=sha256-P9VX/P2mN96MkFN8hwCYUQ%2BLV1bfH57UJ/pGwjd0Olc%3D' (2025-09-13)
• Updated input 'fenix/rust-analyzer-src':
    'github:rust-lang/rust-analyzer/a53b44412d4643cdec41005129735b38737eb296?narHash=sha256-JMLa0ZsbEd3%2B3E0/PQj/igVi9%2Bpb98TgxaOEEw%2Bt1bo%3D' (2025-09-05)
  → 'github:rust-lang/rust-analyzer/9edc9cbe5d8e832b5864e09854fa94861697d2fd?narHash=sha256-/PAhxheUq4WBrW5i/JHzcCqK5fGWwLKdH6/Lu1tyS18%3D' (2025-09-08)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/c6a788f552b7b7af703b1a29802a7233c0067908?narHash=sha256-6n/n1GZQ/vi%2BLhFXMSyoseKdNfc2QQaSBXJdgamrbkE%3D' (2025-09-03)
  → 'github:NixOS/nixpkgs/6d7ec06d6868ac6d94c371458fc2391ded9ff13d?narHash=sha256-fEvTiU4s9lWgW7mYEU/1QUPirgkn%2BodUBTaindgiziY%3D' (2025-09-13)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* chore(deps): weekly `cargo update` (#11642)

Updating git repository `https://github.com/rust-cli/rexpect`
     Locking 44 packages to latest compatible versions
   Unchanged alloy-evm v0.20.1 (available: v0.21.0)
    Updating alloy-hardforks v0.3.0 -> v0.3.1
   Unchanged alloy-op-evm v0.20.1 (available: v0.21.0)
    Updating alloy-op-hardforks v0.3.0 -> v0.3.1
    Removing android-tzdata v0.1.1
    Updating annotate-snippets v0.12.3 -> v0.12.4
    Updating aws-lc-rs v1.13.3 -> v1.14.0
    Updating aws-lc-sys v0.30.0 -> v0.31.0
    Updating aws-sdk-kms v1.86.0 -> v1.87.0
    Updating aws-sdk-sso v1.83.0 -> v1.84.0
    Updating aws-sdk-ssooidc v1.84.0 -> v1.85.0
    Updating aws-sdk-sts v1.85.0 -> v1.86.0
    Updating aws-smithy-runtime v1.9.1 -> v1.9.2
    Updating bindgen v0.69.5 -> v0.72.1
    Updating cc v1.2.36 -> v1.2.37
    Updating chrono v0.4.41 -> v0.4.42
    Updating comfy-table v7.2.0 -> v7.2.1
    Updating console v0.16.0 -> v0.16.1
   Unchanged dialoguer v0.11.0 (available: v0.12.0)
    Updating errno v0.3.13 -> v0.3.14
    Updating iana-time-zone v0.1.63 -> v0.1.64
   Unchanged idna_adapter v1.1.0 (available: v1.2.1)
    Updating indexmap v2.11.0 -> v2.11.1
    Removing itertools v0.12.1
    Removing lazycell v1.3.0
    Updating linux-raw-sys v0.9.4 -> v0.11.0
   Unchanged matchit v0.8.4 (available: v0.8.6)
    Updating normpath v1.3.0 -> v1.4.0
    Updating nybbles v0.4.3 -> v0.4.4
   Unchanged op-alloy-consensus v0.19.1 (available: v0.20.0)
   Unchanged op-alloy-rpc-types v0.19.1 (available: v0.20.0)
    Updating pest v2.8.1 -> v2.8.2
    Updating pest_derive v2.8.1 -> v2.8.2
    Updating pest_generator v2.8.1 -> v2.8.2
    Updating pest_meta v2.8.1 -> v2.8.2
   Unchanged protobuf v3.3.0 (available: v3.7.2)
   Unchanged protobuf-support v3.3.0 (available: v3.7.2)
   Unchanged rand v0.8.5 (available: v0.9.2)
    Updating revm-inspectors v0.29.1 -> v0.29.2
    Removing rustc-hash v1.1.0
    Updating rustix v1.0.8 -> v1.1.2
    Updating rustls-webpki v0.103.4 -> v0.103.5
    Updating schannel v0.1.27 -> v0.1.28
    Updating security-framework v3.3.0 -> v3.4.0
    Updating security-framework-sys v2.14.0 -> v2.15.0
    Updating serde v1.0.219 -> v1.0.221
      Adding serde_core v1.0.221
    Updating serde_derive v1.0.219 -> v1.0.221
    Updating serde_json v1.0.143 -> v1.0.144
    Updating tempfile v3.21.0 -> v3.22.0
    Updating term v1.1.0 -> v1.2.0
    Updating unicode-ident v1.0.18 -> v1.0.19
   Unchanged unicode-width v0.2.0 (available: v0.2.1)
   Unchanged vergen v8.3.2 (available: v9.0.6)
    Updating wasi v0.14.4+wasi-0.2.4 -> v0.14.5+wasi-0.2.4
      Adding wasip2 v1.0.0+wasi-0.2.4
    Removing which v4.4.2
    Updating winapi-util v0.1.10 -> v0.1.11
      Adding windows-core v0.62.0
      Adding windows-result v0.4.0
      Adding windows-strings v0.5.0
note: to see how you depend on a package, run `cargo tree --invert --package <dep>@<ver>`

Co-authored-by: mattsse <[email protected]>

* fix(forge): color bug in `Display` impl for  `TestResult` (#11635)

fix(forge): color bug in `Display` impl for   `TestResult`

- Applied `wrap()` to `Painted` string to handle correctly the "nested paints"

* fix(release): install cross from main, pin rev (#11649)

* fix(forge): ensure broadcast account is touched (#11650)

* feat(coverage): analyze with solar (#11565)

* feat(coverage): analyze with solar

* chore: walk stmts normally, sort items

* wip

* chore: display all items with relevant source in debug format

* wip

* upd

* chore: clippy

* test: update do_while_lcov

The `++i` line was reported first, so with the old check all previous
lines were ignored. Now we track all lines regardless, so this change is
more correct.

* fix: legacy: do not recurse into emit, revert

Fixes branch_with_calldata_reads test.

* correct span

* fix: inline config path

* fix: resolve function kinds, ignore type conversions / struct ctors

* fix: walk only functions

* fix: push stmt for yul stmt expr early

* test: add a test case for if (..) return

If statements like `if (x) return y;` were missed by the
previous `has_statements` function.

* test: hoist contract instantiations out of test fns

* test: add test case for single if with continue/break

Same as previous test with `return`.

* fix(anvil): use RUST_LOG only in explicit or blanket filter (#11630)

* fix: Replace unsafe mnemonic fallback with secure random generation (#11644)

* Update cmd.rs

* Update crates/anvil/src/cmd.rs

Co-authored-by: onbjerg <[email protected]>

* Update cmd.rs

* Update cmd.rs

---------

Co-authored-by: onbjerg <[email protected]>

* chore(common): deprecate ProjectCompiler::verify and fix compile_target docs (#11636)

* chore(common): deprecate ProjectCompiler::verify and fix compile_target docs

* fmt

* Update compile.rs

* fmt

* Update compile.rs

* chore: remove klkvr from CODEOWNERS (#11657)

Update CODEOWNERS

* feat: harden `npm` publish & make installer leaner (#11600)

Co-authored-by: zerosnacks <[email protected]>

* chore: switch node back (#11660)

* fix(forge): determine if broadcasted tx is fixed gas limit using opcodes (#11599)

* fix(forge): determine if fixed gas limit when simulate

* Reset gas if next opcode is not CALL

* Rename var

* chore: bump version 1.3.6 (#11658)

* fix(release): build docker images with cargo instead cross (#11659)

fix(release): build docker x86_64 using host cross

* chore(common): add serde skip for compute_units_per_second in EvmArgs (#11662)

* chore(common): add serde skip for compute_units_per_second in EvmArgs

* add tests

* chore: check compatibility of evm_version and solc (#11418)

* chore: check compatibility of evm_version and solc

* use 'eprintln' instead

* remove unnecessary expect

* add unit test

* fix test

* final fix

---------

Co-authored-by: 0xrusowsky <[email protected]>

* chore: fix ci, remove unwrap on test (#11666)

chore: remove unwrap test

* chore(common): clean RuntimeTransport derive and remove dead LockError (#11669)

* feat(cheatcodes): Add vm.signWithNonce(privateKey, digest, nonce) cheatcode (Crypto) (#11267)

* feat: adding sign_wih_nonce in cheatcodes crates

* test: adding sign with nonce solidity unit tests

* style: formatting

* test: fixing solidity invalid nonce test

* style: fix formatting in Sign.t.sol

* ci: fix cheatcode specs test problem

* Update crates/cheatcodes/spec/src/vm.rs

review modification

Co-authored-by: onbjerg <[email protected]>

* Update crates/cheatcodes/src/crypto.rs

review modification (better format)

Co-authored-by: onbjerg <[email protected]>

* refactor: changing cheatcode name (append Unsafe to it)

---------

Co-authored-by: onbjerg <[email protected]>

* feat(anvil): calculate max_transactions based on block gas capacity (#11670)

* Update config.rs

* Revert "Update config.rs"

This reverts commit 7c7bd60ad3f1a8853bd070f51512c314c26ec49e.

* Update config.rs

---------

Co-authored-by: User <[email protected]>
Co-authored-by: Matthias Seitz <[email protected]>

* chore(anvil): Remove stale TODO in optimism deposit test (#11678)

* feat(cast): add abi-encode-event command (#11300)

* feat(cast): add abi-encode-event command

* test(cast): add test for abi-encode-event command

* fix: cargo fmt, clippy

* refactor(cast): return bytes from abi_encode_event

* refactor: change return type to LogData for abi_encode_event

* fix: remove explicit darwin SDK from flake.nix as it's deprecated (#11684)

* feat(debugger): remove dead tick polling; use blocking read and forward (#11674)

* Update flake.lock (#11685)

flake.lock: Update

Flake lock file updates:

• Updated input 'fenix':
    'github:nix-community/fenix/1458349a1bd55105f917e962dca4b328ac0a55e8?narHash=sha256-P9VX/P2mN96MkFN8hwCYUQ%2BLV1bfH57UJ/pGwjd0Olc%3D' (2025-09-13)
  → 'github:nix-community/fenix/b60fe116b9495df516f57837bb04a4f89f3aa7ed?narHash=sha256-p2FIwAaUCoKY9mZSPAMQYQ7CwwhfvGC4VIfLapAdfOE%3D' (2025-09-17)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/6d7ec06d6868ac6d94c371458fc2391ded9ff13d?narHash=sha256-fEvTiU4s9lWgW7mYEU/1QUPirgkn%2BodUBTaindgiziY%3D' (2025-09-13)
  → 'github:NixOS/nixpkgs/08b8f92ac6354983f5382124fef6006cade4a1c1?narHash=sha256-TjqVmbpoCqWywY9xIZLTf6ANFvDCXdctCjoYuYPYdMI%3D' (2025-09-16)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* refactor: remove event loop from debugger (#11686)

* refactor: remove event loop from debugger

Similar to #11674, the event loop is entirely unneeded,
so we don't need to spin up a separate thread.

* Update crates/debugger/src/tui/mod.rs

---------

Co-authored-by: DaniPopes <[email protected]>

* feat(cast): add --data --from-file --no-hash options for `wallet verify` for feature parity with `wallet sign` (#11646)

* feat(cast): handle invalid JSON in recover-authority without panic (#11690)

* chore(`ci`): harden ci + harden default workflow templates + pin actions on hash (#11676)

* lower permissions packages codeql

* scope permissions, test.yml and test-isolate.yml

* set default permissions

* restrict permissions: nix.yml

* bump deps

* pin deps: test.yml

* avoid any caching for releases, improve string handling

* avoid writing to GITHUB_ENV

* harden nix.yml

* pin deps nextest, harden

* pin deps

* restore matrix.flags

* add dependabot

* pin dep

* harden default workflow template

* unpin setup-node, nit

* rescope to minimal permissions

* fix workflow

* grant docker-publish workflow the permissions it requires

* do not cache in docker-publish

* use printf in docker-publish, revert shell defaulting in release.yml

* chore(deps): bump actions/github-script from 7 to 8 (#11694)

* chore(deps): bump actions/download-artifact from 4 to 5 (#11693)

* fix: Rust breaking change (#11698)

* fix: request ABI in solar_project (#11697)

* fix: request ABI in solar_project

We need to request something so that we populate the artifacts in
the cache in case it is the first compiler invocation. Requesting
nothing at all will not return anything in the output, and so we
would have no artifacts in the cache entry, resulting in incorrect
"nothing to compile" results after the first run.

* test

* chore(`ci`): fix release workflow (#11699)

increase permissions to allow release flow to create a tag, lower permisions for creating an issue

* chore(deps): bump taiki-e/install-action from 2.61.7 to 2.61.9 (#11692)

Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.61.7 to 2.61.9.
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@e5f8d33...8ea3248)

---
updated-dependencies:
- dependency-name: taiki-e/install-action
  dependency-version: 2.61.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: zerosnacks <[email protected]>

* fix(cheatcodes): expectEmit(count: 0) should not fail on a different log (#11663)

* fix(cheatcodes): expectEmit(count: 0) should not fail on a different log

* nit

* nit

---------

Co-authored-by: grandizzy <[email protected]>

* fix(forge): don't check Cargo.toml on module bindgen (#11704)

* perf: avoid project output clone (#11707)

* perf: lazy cheatcodes SignaturesIdentifier, save only if online (#11708)

* feat(forge): introduce network custom features, sunset Odyssey (#11675)

* feat(forge): add precompiles crate

* Nit - NetowrkPrecompiles

* Consolidate networks

* Remove anvil odyssey

* Consolidate forge networks

* More reuse

* Broader netwroks scope than precompiles

* Remove odyssey

* Add comment re optimism skipped from forge config

* perf: link in parallel (#11710)

* chore(lint): correctly show solar errors (#11713)

* fix: ethgetaccinfo (#11715)

* chore: cargo lock rayon for foundry-linking (#11717)

* chore: cargo lock rayon for foundry-linking

* fix clippy

* fix(`verification`): BSC chain id is incorrect, verification fails with `missing or unsupported chainid parameter` (#11716)

* bump to alloy-chains 0.2.10

* mumbai -> amoy, deprecated

* clippy fix

* feat(cast): apply network precompiles for cast run and call (#11720)

feat(cast): apply precompiles for cast run and call

* feat: print traces and logs in calltracer (#11722)

* chore: fix isolate tests (#11718)

* fix: properly format markdown lists in @dev NatSpec tags (#11696)

* Update as_doc.rs

* Update buf_writer.rs

* Update crates/doc/src/writer/buf_writer.rs

Co-authored-by: onbjerg <[email protected]>

* Update buf_writer.rs

* Update buf_writer.rs

* Update buf_writer.rs

* fmt

---------

Co-authored-by: onbjerg <[email protected]>

* chore(cast): avoid panic when decoding constructor args and add bounds check (#11700)

* feat(forge): deprecate `generate` (#11723)

* fix(forge): Add unused_attributes to allow list for generated bindings (#11725)

* Added unused_attributes to allow list for generated bindings

* chore: fmt

---------

Co-authored-by: Oliver Nordbjerg <[email protected]>

* chore: deprecate `generate-fig-spec` commands; use `completions fig` (#11727)

* chore: deprecate `generate-fig-spec` commands; use `completions fig` instead

* fix: use `sh_eprintln` to make clippy happy

* fix: bump to `alloy-chains` `0.2.11` for Katana urls update (#11728)

bump to 0.2.11 for katana urls

* fix: bump alloy-chains 0.2.12 (#11729)

bump alloy-chains 0.2.12

* feat(lint): fail on configured diagnostic level (#11445)

* fix(common): use proper ESC in spinner erase-line sequence (#11733)

* feat(forge-inspect): add ability to inspect libraries (#11732)

* chore(deps): weekly `cargo update` (#11736)

Updating git repository `https://github.com/rust-cli/rexpect`
     Locking 10 packages to latest compatible versions
   Unchanged alloy-evm v0.20.1 (available: v0.21.1)
   Unchanged alloy-op-evm v0.20.1 (available: v0.21.1)
    Updating anyhow v1.0.99 -> v1.0.100
    Updating blst v0.3.15 -> v0.3.16
    Updating clap v4.5.47 -> v4.5.48
    Updating clap_builder v4.5.47 -> v4.5.48
   Unchanged dialoguer v0.11.0 (available: v0.12.0)
   Unchanged idna_adapter v1.1.0 (available: v1.2.1)
   Unchanged matchit v0.8.4 (available: v0.8.6)
   Unchanged op-alloy-consensus v0.19.1 (available: v0.20.0)
   Unchanged op-alloy-rpc-types v0.19.1 (available: v0.20.0)
    Updating proptest v1.7.0 -> v1.8.0
   Unchanged protobuf v3.3.0 (available: v3.7.2)
   Unchanged protobuf-support v3.3.0 (available: v3.7.2)
   Unchanged rand v0.8.5 (available: v0.9.2)
    Updating serde v1.0.225 -> v1.0.226
    Updating serde_core v1.0.225 -> v1.0.226
    Updating serde_derive v1.0.225 -> v1.0.226
    Updating serde_with v3.14.0 -> v3.14.1
    Updating serde_with_macros v3.14.0 -> v3.14.1
   Unchanged unicode-width v0.2.0 (available: v0.2.1)
   Unchanged vergen v8.3.2 (available: v9.0.6)
note: to see how you depend on a package, run `cargo tree --invert <dep>@<ver>`

Co-authored-by: mattsse <[email protected]>

* refactor(cli): move `EvmArgs` to foundry_cli (#11741)

* chore(deps): drop foundry-compilers feature full (#11739)

* chore: pass project root to spinner (#11740)

* chore: reenable tests (#11748)

* chore: fix cargo deny, bump ammonia (#11749)

* chore: move `clap.rs` from `foundry-common` to `foundry-cli` (#11747)

Move clap.rs from foundry-common to foundry-cli

Co-authored-by: onbjerg <[email protected]>

* refactor(anvil): replace `DepositReceipt` withl `op-alloy`'s (#11640)

* bet

* bet

* fix(anvil): handle Deposit receipts in transaction processing

* style: lint checks

* refactor(anvil): replace generic param with concrete types TypedReceipt and TypedReceiptRpc

* style: linter

---------

Co-authored-by: Tuan Tran <[email protected]>

* Fix: Secure temporary file creation in chisel edit_session (#11744)

* Update dispatcher.rs

* Update Cargo.toml

* Update dispatcher.rs

* Update Cargo.toml

* feat: cast storage `--solc-version` CLI argument (#11321)

* feat: storage solc version option

* feat(cast): add storage solc version unwrapping test

* feat(cast): add valid and invalid solc versions for cast storage tests

* feat(cast): collapse if statement

* chore: format

* feat(cast): warn if provided version is less than min solc

* feat(cast): test for min solc version warning on provided storage solc version

---------

Co-authored-by: grandizzy <[email protected]>
Co-authored-by: onbjerg <[email protected]>

* chore: don't depend on config in common (#11756)

* chore: don't depend on config in common

* feats

* Update flake.lock (#11735)

flake.lock: Update

Flake lock file updates:

• Updated input 'fenix':
    'github:nix-community/fenix/b60fe116b9495df516f57837bb04a4f89f3aa7ed?narHash=sha256-p2FIwAaUCoKY9mZSPAMQYQ7CwwhfvGC4VIfLapAdfOE%3D' (2025-09-17)
  → 'github:nix-community/fenix/bfa40349cb508ebec2a8d0f89d65022967d28dc4?narHash=sha256-xpbGgQ6ymKvz/LQ3RrUTHdbRKWznZAbdaNAH7TdbKZs%3D' (2025-09-20)
• Updated input 'fenix/rust-analyzer-src':
    'github:rust-lang/rust-analyzer/9edc9cbe5d8e832b5864e09854fa94861697d2fd?narHash=sha256-/PAhxheUq4WBrW5i/JHzcCqK5fGWwLKdH6/Lu1tyS18%3D' (2025-09-08)
  → 'github:rust-lang/rust-analyzer/b12a1293473d4c1c74a63752184b8d21d32a6bde?narHash=sha256-PXDZtnSSNXIlTlytspxkTm/RENaQKdTJ44RGqm/LPLA%3D' (2025-09-19)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/08b8f92ac6354983f5382124fef6006cade4a1c1?narHash=sha256-TjqVmbpoCqWywY9xIZLTf6ANFvDCXdctCjoYuYPYdMI%3D' (2025-09-16)
  → 'github:NixOS/nixpkgs/12bd230118a1901a4a5d393f9f56b6ad7e571d01?narHash=sha256-aBGl3XEOsjWw6W3AHiKibN7FeoG73dutQQEqnd/etR8%3D' (2025-09-19)

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

* test: add some debug calls (#11762)

* chore(deps): bump Swatinem/rust-cache from 2.8.0 to 2.8.1 (#11767)

Bumps [Swatinem/rust-cache](https://github.com/swatinem/rust-cache) from 2.8.0 to 2.8.1.
- [Release notes](https://github.com/swatinem/rust-cache/releases)
- [Changelog](https://github.com/Swatinem/rust-cache/blob/master/CHANGELOG.md)
- [Commits](Swatinem/rust-cache@98c8021...f13886b)

---
updated-dependencies:
- dependency-name: Swatinem/rust-cache
  dependency-version: 2.8.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* chore(deps): bump taiki-e/install-action from 2.61.9 to 2.62.2 (#11766)

Bumps [taiki-e/install-action](https://github.com/taiki-e/install-action) from 2.61.9 to 2.62.2.
- [Release notes](https://github.com/taiki-e/install-action/releases)
- [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md)
- [Commits](taiki-e/install-action@8ea3248...cd39cb0)

---
updated-dependencies:
- dependency-name: taiki-e/install-action
  dependency-version: 2.62.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* feat(`forge`): backtraces (#11547)

* basic backtrace impl

* cleanup + remove frame kind

* nit

* cleanup

* nit

* display backtrace after traces

* move backtrace extraction

* fix inversion

* tests

* remove unused fields and args

* nit

* nit

* cleanup: extract_backtrace

* fix: don't set incorrect source location if we're unable to locate it

* don't collect creation source map

* use typed Path instead of String

* unify the HashMap keyed by artifact id

* mv source maps collection from multi_runner

* more cleanup

* feat: collect sources by build_id to work across fresh and cached compiler runs

* add mixed compilation test

* fork tests

* clippy

* feat: detect internal library calls using ast

* test_library_backtrace

* feat: detect external libraries

* cleanup: consolidate logic in the Backtrace type

* collect and store libs once not per source + add offset in SourceLocation to identify multiple contract / libs accurately

* lazy source data collection

* cleanup

* resolve labels using known_contracts

* fmt

* feat: BacktraceBuilder

* consolidate in backtrace builder

* don't clone library sources

* remove source_data from Backtrace

* fix breaking tests

* nit

* nit

* unify source and lib collection

* use parsed_libraries

* nit

* cleanup

* docs nits

* fix

* nit

* nit

* remove: contract_by_address from runner

* nit

* TraceMode::Debug for steps tracing when -vvv

* rm redundant clone

* rm unused deployed_bytecode from TestContract

* rm redundant verbosity from mcr

* nit

* nit

* fix tests

* don't enable ast

* minify json test fixture

* fix test svg

* ignore windows

* fix

* ignore win msg

* win fix, Forge fmt new backtraces tests

* defer source data collection + collect only required sources

* rm artifact_ids from BacktraceBuilder

* rm ast from SourceData

* avoid source data cloning

* defer BacktraceBuilder instatiation only in case of failure + pass required fields from config

* nit

* fix: oom due to TraceMode::Debug being set on verbosity >= 3

* fix backtrace tests - removal of internal lib detection

* fix

* fix: can_run_test_with_json_output_verbose

* fix: ext tests by setting verbosity for forge-std and sablier

* verbosity

* minify

* fix

* fix(backtraces): reduce TraceMode level + don't hold sources in memory + avoid cloning  (#11648)

* defer source data collection + collect only required sources

* rm artifact_ids from BacktraceBuilder

* rm ast from SourceData

* avoid source data cloning

* defer BacktraceBuilder instatiation only in case of failure + pass required fields from config

* nit

* fix: oom due to TraceMode::Debug being set on verbosity >= 3

* fix backtrace tests - removal of internal lib detection

* fix

* fix: can_run_test_with_json_output_verbose

* fix: ext tests by setting verbosity for forge-std and sablier

* verbosity

* minify

* fix

* check for silent and verbosity outside iter + use with_capacity

* flattened - use filter_map outside

* rm unused solidity file

* make fns private + push to frames directly

* nit

* cleanup extract_frames

* cleanup retrieving names from trace.decoded

* format nit

* nit

Co-authored-by: DaniPopes <[email protected]>

* use output.artifact_ids to chain cached and compiled

* format nits

* feat: disable detecting source location on via-ir

* cleanup collect_source_data - rm redundant sorting

* rm redundant loop and ptr comparios in from_traces

* rm redundant prefix stripping

* fix

* unify resolving addresses for artifacts

* nits + move format to Display

* don't check linked libs if artifact already found

* internalize extract_frames + make BacktraceFrame private

* move to evm::traces

* init backtrace builder outside loop

* use memchr_iter

* maintain source_cache in builder to avoid collect sources on multiple failures + pass SourceData by reference

* cache by build_id in BacktraceBuilder to fetch sources for a build_id only once

* non_exhaustive Backtrace

* feat(traces): new TraceMode::Steps - enabled on -vvv

* nits

* fix: can_run_test_with_json_output_verbose

---------

Co-authored-by: grandizzy <[email protected]>
Co-authored-by: grandizzy <[email protected]>
Co-authored-by: DaniPopes <[email protected]>

* Harden foundryup temp handling: secure mktemp and quote tar paths (#11771)

Update foundryup

* feat: add --use and --no-auto-detect flags to verify-contract (#11743)

* feat: add --use and --no-auto-detect flags to verify-contract

* include the new fields no_auto_detect and use_solc

* feat: add --use and --no-auto-detect flags to verify-contract

* refactor: move `handle_traces` into `cast` (#11775)

* ci: link with mold (#11776)

Add `rui314/setup-mold` to set `mold` as the default linker wherever
we build any code. This makes linking a lot faster for dylibs (proc macros)
and the final binaries.

* chore: rm dead code (#11777)

* test: improve linker test infra (#11778)

* test: extract get_compiled to utils (#11779)

* feat(anvil): add PreStateTracer support for debug_traceTransaction (#11709)

* feat(anvil): add PreStateTracer support for debug_traceTransaction

* feat(anvil): add PreStateTracer support to debug_traceTransaction via transaction replay

* Fix clippy

---------

Co-authored-by: Matthias Seitz <[email protected]>
Co-authored-by: grandizzy <[email protected]>
Co-authored-by: grandizzy <[email protected]>

* fix: use next fee blob basefee for missing blob fee (#11782)

fix: use fee blob basefee for missing blob fee

* feat: add trace transaction opts (#11781)

* feat: add trace transaction opts

* chore: rm comment

* chore: rm newline

---------

Co-authored-by: onbjerg <[email protected]>

* feat(fmt): rewrite formatter using Solar and a structured algorithm (#10907)

* init

* wip

* wip

* add dbg from prettyplease

* wip

* fixes, pragma&imports

* feat: using, types, literals

* feat: contract

* rm duplicate testdata

* wip: finish items; exprs, stmts

* wips

* feat: line_length, tab_width

* feat: contract_new_lines

* wip: single_line_statement_blocks

* tweaks

* chore: bump solar to latest main

* fix: test dir

* bump

* fix docs

* fix: adjust '()' for modifier calls

* test: typed yul does not exist anymore

argotorg/solidity#15329

* test: function parameters cannot be empty

* fix: adjust '()' for modifier calls for real

* fix: forge fmt hates '*' imports

* test: fix some invalid syntax

* test: disable-stop does not exist

* test: fix all parse errors

* fix: literal touchups

* bump

* test: add snapshotting

* test: update NumberLiteralUnderscore

* fixes

* struct space

* test: fix StructDefinition; empty structs are not allowed anyway

* test: update EventDefinition; matches Solidity style guide

* test: update EnumDefinition; same as StructDefinition

* test: update StructDefinition 2

* fix: comments in structs/enums

* test: update ErrorDefinition; matches Solidity style guide

* feat: print docs with other comments; update EnumVariants

* chore: update EnumDefinition, StructDefinition

* chore: readd post_break

* chore: rename is_hardbreak_tok

* feat: cleanups, more impls

* test: fix some compile errors

* feat: add FormatterResult with more variants

* stuff

* refactor: move print_item arms into their own functions

* chore: consolidate item hardbreaks

* fix: inline config parsing for block comments

* wip: rm FunctionLike, wip functions

* fix: clamp margin to max as well

* megawip

* feat: most of yul

* wip: try-catch

* wip: try-catch

* feat: print compact tuple

* wip: inline comments

* wip: try-cactch

* bump solar to have try-catch spans (#10832)

* wip comment fmt

* wip: array expr

* finish arrays

* block comments

* doc block comments

* ternary operators

* wip: fn header

* wip: fn header

* fix: doc block comments + block braces

* refactor state to organize helpers

* fix commasep with initial trailing cmnt

* fix: improve contract fmt

* fix: block comments + contract definition

* fix: wrap trailing comments

* fix fn alingment

* fix: rmv unecessary check

* working fn headers!!!

* block with comments at the beginning

* bump solar

* inline if statements based on user config

* operator expr

* finish binary operators + housekeeping

* housekeeping

* feat: binary expressions

* fix: string literals

* refactor comments + finish mappings

* named functions

* item spacing

* more flexible comments + return stmts

* var definition and flexible comments (#11093)

* comment wrapping

* sorted imports

* middle cmnts for arrays and literals with subdenominations

* revert: solar won't have spanned dataloc + subdenom

* refactor inline config + almost finished impl

* finish inline disable

* finish inline disable

* wip inline disable for repros

* passing repros

* almost working yul

* chore: remove unrelated changes / merge artifacts

* chore: remove unrelated changes / merge artifacts 2

* chore: remove unrelated changes / merge artifacts 3

* update fmt files to reflect current status

* enable both passes

* undo repros changes

* config: style = tabs

* test: inline config

* style: drop "lint" references in favor of "ids"

* function header config

* finish fn header config!

* re-enable 2nd pass

* finish fn header style

* feat: yul

* test: update tracking cmnts

* fix: yul repros

* chore: small comment

* chore: random + typos

* chore: rm dead code

* chore: rm unused vars

* chore: clippy --fix

* chore: some manual clippying

* chore: final clippy --fix

* refactor: tidy up

* yul: inline blocks

* yul: inline fn params

* ensure all tests are successful

* chore(fmt): merge new compiler setup (#11487)

* patch/impl/test pending repros

* style: typos

* docs: update readme

* docs: readme feedback

* style: clippy

* fix: merge conflicts

* fix: disable legacy fmt tests

* fix: config test

* fix(win): normalize breaks

* style: clippy

* fix(win): normalize escaped quotes

* fix(win): normalize multiline strings

* fix(win): only normalize line breaks for expected data

* chore: solar-powered fmt rollout (#11570)

* fix: comment spans for asm + try blocks

* fix: don't fmt yul addresses

* fix: empty buffer due to really long comment

* add repro

* Revert "fix: empty buffer due to really long comment"

This reverts commit f6768b43d24064c11418c88dd2f6c9b0d11257e6.

* fix: advance cursor correctly in print_comment

* fix: bin op indentation in complex exprs

* docs

Co-authored-by: DaniPopes <[email protected]>

* chore: clean up

* refactor: inline config

* chore: share inline config

* feat: remove HIR inline config visitor

* test: bless

* style: clippy

* feat(fmt): call chain awareness (#11611)

* wip: better call chains + return stmts + more tests

* fix: more yul cmnts

* fix: modifier cmnts + more yul cmnts

* fix: returns with bin ops

* fix breaks, still pending indentation

* wip: call cahins and nested... getting closer

* call stack to fmt complex calls

* fix: more yul cmnts

* Fix config test, typos

* wip

* fix: new call alignement cases

* Fix tests

* fix: return + bin ops + calls

* style: clippy

* feat: wrap long comments and merge with next line

* fix: stale test

* style: rmv comments

* fmt nits (#11750)

* nits

* Try no format

* chore: simplify call logic

* fix: reenable 2nd pass

* chore: cleanup

* docs: solar cmnt

* format testdata with new style

* fix: extra space in function type

* Readd relevant todo

* style: use span builder methods

* Review changes

* fix: remove outdated cmnt

* fix: test spacing

* Revert "fix: test spacing"

This reverts commit 541f4c8f20dd4e648c2092d637daf55240e697e8.

---------

Co-authored-by: 0xrusowsky <[email protected]>

---------

Co-authored-by: DaniPopes <[email protected]>
Co-authored-by: grandizzy <[email protected]>
Co-authored-by: grandizzy <[email protected]>

* chore: bump alloy crates to 1.36 (#11788)

* chore: update alloy crates

* chore: remove unused crate for now

* chore: remove unused crate for now

* refactor: rm forge-fmt from foundry-cli (#11790)

* chore: profile.dev cargo warning (#11792)

* fix(forge): decrement runs when fuzz input rejected (#11791)

* chore(deps): bump breaking deps (#11794)

* perf(coverage): reserve some space for hits early (#11793)

* deps: explicit features for some deps (#11795)

* deps: explicit features for jiff

* deps: explicit features for futures

* chore: rm dead code (#11796)

* fix(forge): populate the git submodule url from git config (#11437)

* update mod.rs

* populate the git submodule url

* revert cmd.rs

* ci: use depot (#11758)

* ci: use 1 partition (#11798)

* ci: use 1 partition

* ci: merge configs

* chore: simplify InvariantConfig (#11799)

* chore(test): clear gas report traces (#11800)

* fix(coverage): sync implementation with forge test (#11801)

Coverage was calling a low level function of forge test args, which
does not setup stuff like config.fuzz.gas_report_samples, EvmArgs, etc.,
as well as missing options in the test runner builder etc.

This means that `forge coverage` falls out of sync gradually with
`forge test`. One of the options which was thus missed,
`gas_report_samples`, controls how many traces are saved from fuzz
and invariant tests, which with the recent addition of tracing for
backtraces means we are storing a lot of traces unnecessarily,
massively increasing memory usage.

* ci: fix matrix names (#11803)

* ci: rm cores from depot macos runner (#11805)

* test: redact gas for isolate-by-default (#11806)

* test: remove libraries (#11802)

* test: remove libraries

* fix

* test: pass --quick to cast run celo precompile (#11804)

* test: pass --quick to cast run celo precompile

* update assert

* chore: fix flaky fuzz test, pin seed (#11808)

* ci: update release runners (#11810)

* Update to soldeer 0.7.1 (#11811)

release soldeer 0.7.1

* chore: bump version 1.4 (#11814)

* fix: cross docker image not compat with arm (#11813)

* ci: tweak runners, depot 16 (#11815)

* Add cast command to convert beacon payload to execution payload `b2e-payload` (#11629)

* feat: add v1 cast commande b2epayload

* feat: add v1 cast commande b2epayload

* chore: fmt

* chore: use pathbuf

* fix: restore long name

* chore: fmt

* chore: update lock

* refactor: use ex payload alloy helper

* refactor: use raw input source str

* refactor: remove right now json rpc format output

* test: add test for malformated input

* chore: remove unused dep

* chore: fmt

* fix(fmt): underscore for hex literals (#11822)

* docs(cast): add description for `cast rpc --decode-internal` (#11825)

* fix(fmt): estimate size + account for all blocks (#11824)

* chore: revert evm version / solc incompat warning (#11831)

* revert evm version incompat warning

* Add tests to ensure forge clean doesn't warn

* chore: remove fig (#11830)

* feat(anvil): add support for `anvil_getBlobSidecarsByBlockId` (#11828)

* feat(beacon): add support for `anvil_getBlobSidecarsByBlockId`

- Added primitive Engine REST API

* refactor: Exclude Beacon Rest API from PR scope

* refactor: return `BlobTransactionSidecar` instead of `BeaconBlobBundle`

* refactor: return a single `BlobTransactionSidecar` instead of a vector

* chore: remove feature(doc_auto_cfg) (#11852)

* Update flake.lock (#11850)

* chore(deps): weekly `cargo update` (#11851)

* chore(anvil): fixed broken link (#11858)

Fixed broken link in crates/anvil/rpc/src/error.rs

* chore(anvil): return JoinHandle from `TaskManager::spawn_blocking` for proper task control (#11857)

* Update mod.rs

* Update mod.rs

* fix(forge): use global json arg everywhere (#11860)

- removed json args shadowing global json arg for the following subcommands:
  - eip712
  - lint

- geiger subcommand (alias to lint) now complies to global json arg

* fix(fmt): don't break exprs that overflow but fit assignement (#11837)

* fix(fmt): don't break exprs that overflow but fit assignement

* fix(fmt): account for bin operators in `fn estimate_size`

* fix(CI): disable win test for 0x-settler to avoid panic

---------

Co-authored-by: grandizzy <[email protected]>
Co-authored-by: grandizzy <[email protected]>

* fix(fmt): indent calls with single member that fits but breaks when args (#11854)

* fix(fmt): indent calls with single member that fits but breaks when args
don't

* fix: break fn params with custom structs

* test: link issues to repros

* Nits

---------

Co-authored-by: grandizzy <[email protected]>
Co-authored-by: grandizzy <[email protected]>

* fix(lint): allow custom types in "constant fn getters" (#11866)

* fix(forge): support broadcast from `vm.deployCode` (#11864)

fix(forge): support broadcast from vm.deployCode

* feat(anvil): improve historic state access (#10420)

* refactor logic to set separate locking

* update tests for state cache

* fix formatting

* refactor rollback logic to fix deadlock

* fix deadlock in with_database_at

* format

* add documentation

* remove redundant get method

* remove redundant has_on_disk_state method

* complete rebase

* update

* update trace_tx_with_js_tracer to use upgradable lock

* rm redundant has_state

* rm unwrap

---------

Co-authored-by: Nnamdi Aninye <[email protected]>
Co-authored-by: Yash Atreya <[email protected]>

* Update to soldeer 0.8.0 (#11863)

Release v0.8.0

* fix(fs): flush BufWriter after GzEncoder::finish() in write_json_gzip_file (#11827)

* feat(forge): no warning on external config sections (#11869)

feat(forge): no warning on external sections

* Update rust version and fix clippy

* Restore workflows

* restore gas limit behavior

* Forge fmt

* added missing deploy_code logic and fix config output.

* Add ignore to test failing on main also

* Remove old comment

* Revert "Add ignore to test failing on main also"

This reverts commit ed41306.

* Add ignore attribute to tx_using_sender_and_nonce test due to current issues with reth

* Refactor tx_using_sender_and_nonce test for improved readability and structure

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: Matthias Seitz <[email protected]>
Co-authored-by: DaniPopes <[email protected]>
Co-authored-by: Tuan Tran <[email protected]>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: mattsse <[email protected]>
Co-authored-by: Mablr <[email protected]>
Co-authored-by: grandizzy <[email protected]>
Co-authored-by: 0xferrous <[email protected]>
Co-authored-by: viktorking7 <[email protected]>
Co-authored-by: onbjerg <[email protected]>
Co-authored-by: radik878 <[email protected]>
Co-authored-by: Arsenii Kulikov <[email protected]>
Co-authored-by: o-az <[email protected]>
Co-authored-by: zerosnacks <[email protected]>
Co-authored-by: Forostovec <[email protected]>
Co-authored-by: wellna <[email protected]>
Co-authored-by: 0xrusowsky <[email protected]>
Co-authored-by: Galoretka <[email protected]>
Co-authored-by: Ectario <[email protected]>
Co-authored-by: forkfury <[email protected]>
Co-authored-by: User <[email protected]>
Co-authored-by: phrwlk <[email protected]>
Co-authored-by: Shiyas Mohammed <[email protected]>
Co-authored-by: Alexey Shekhirin <[email protected]>
Co-authored-by: GarmashAlex <[email protected]>
Co-authored-by: Detoo <[email protected]>
Co-authored-by: VolodymyrBg <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Yash Atreya <[email protected]>
Co-authored-by: Gengar <[email protected]>
Co-authored-by: MozirDmitriy <[email protected]>
Co-authored-by: AndreasKoestler <[email protected]>
Co-authored-by: Oliver Nordbjerg <[email protected]>
Co-authored-by: sw4sy <[email protected]>
Co-authored-by: josé v <[email protected]>
Co-authored-by: ongyimeng <[email protected]>
Co-authored-by: FT <[email protected]>
Co-authored-by: zug <[email protected]>
Co-authored-by: grandizzy <[email protected]>
Co-authored-by: w1tcher <[email protected]>
Co-authored-by: Kien Trinh <[email protected]>
Co-authored-by: Léa Narzis <[email protected]>
Co-authored-by: m4rio <[email protected]>
Co-authored-by: Cypher Pepe <[email protected]>
Co-authored-by: Nnamdi Aninye <[email protected]>
Co-authored-by: Nnamdi Aninye <[email protected]>
Co-authored-by: sashass1315 <[email protected]>

Author: 45 people

.cargo/config.toml

@@ -1,6 +1,7 @@
 [alias]
 cheats = "test -p foundry-cheatcodes-spec --features schema tests::"
 test-debugger = "test -p forge --test cli manual_debug_setup -- --include-ignored --nocapture"
+bless-lints = "test -p forge --test ui -- --bless"
 
 # Increase the stack size to 10MB for Windows targets, which is in line with Linux
 # (whereas default for Windows is 1MB).

.config/nextest.toml

@@ -1,5 +1,4 @@
 [test-groups]
-chisel-serial = { max-threads = 1 }
 
 [profile.default]
 retries = { backoff = "exponential", count = 2, delay = "5s", jitter = true }
@@ -9,6 +8,7 @@ slow-timeout = { period = "1m", terminate-after = 3 }
 filter = "test(/ext_integration|can_test_forge_std/)"
 slow-timeout = { period = "5m", terminate-after = 4 }
 
+# Do not re-run so that `cargo cheats` is ran locally.
 [[profile.default.overrides]]
 filter = "package(foundry-cheatcodes-spec)"
 retries = 0

.gitattributes

@@ -8,3 +8,5 @@ testdata/fixtures/**/* eol=lf
 
 dprint.json linguist-language=JSON-with-Comments
 .devcontainer/devcontainer.json linguist-language=JSON-with-Comments
+
+.env.example linguist-language=Dotenv

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/scripts/matrices.py

@@ -76,27 +76,15 @@ def __init__(
 
 config = [
     Case(
-        name="unit",
-        filter="!kind(test)",
+        name="all",
+        filter="!test(/\\bext_integration/)",
         n_partitions=1,
         pr_cross_platform=True,
     ),
     Case(
-        name="integration",
-        filter="kind(test) & !test(/\\b(issue|ext_integration)/)",
-        n_partitions=3,
-        pr_cross_platform=True,
-    ),
-    Case(
-        name="integration / issue-repros",
-        filter="package(=forge) & test(/\\bissue/)",
-        n_partitions=2,
-        pr_cross_platform=False,
-    ),
-    Case(
-        name="integration / external",
+        name="external",
         filter="package(=forge) & test(/\\bext_integration/)",
-        n_partitions=2,
+        n_partitions=1,
         pr_cross_platform=False,
     ),
 ]

.github/workflows/benchmarks.yml

@@ -1,5 +1,7 @@
 name: Foundry Benchmarks
 
+permissions: {}
+
 on:
   workflow_dispatch:
     inputs:
@@ -18,49 +20,52 @@ on:
         type: string
         default: "ithacaxyz/account:v0.3.2,Vectorized/solady:v0.1.22"
 
-permissions:
-  contents: write
-  pull-requests: write
-
 env:
   ITHACAXYZ_ACCOUNT: "ithacaxyz/account:v0.3.2"
   VECTORIZED_SOLADY: "Vectorized/solady:v0.1.22"
   DEFAULT_REPOS: "ithacaxyz/account:v0.3.2,Vectorized/solady:v0.1.22"
+  RUSTC_WRAPPER: "sccache"
 
 jobs:
   run-benchmarks:
     name: Run All Benchmarks
     runs-on: foundry-runner
+    permissions:
+      contents: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Install build dependencies
         run: |
           sudo apt-get update
           sudo apt-get install -y build-essential pkg-config
 
       - name: Setup Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-
-      - name: Cache Rust dependencies
-        uses: Swatinem/rust-cache@v2
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # master
         with:
-          workspaces: |
-            ./
+          toolchain: stable
+
+      - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
+
+      - name: Run sccache-cache
+        uses: mozilla-actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad # v0.0.9
 
       - name: Setup Foundry
         env:
           FOUNDRY_DIR: ${{ github.workspace }}/.foundry
+          GITHUB_WORKSPACE: ${{ github.workspace }}
         run: |
           ./.github/scripts/setup-foundryup.sh
-          echo "${{ github.workspace }}/.foundry/bin" >> $GITHUB_PATH
+          printf '%s\n' "$GITHUB_WORKSPACE/.foundry/bin" >> "$GITHUB_PATH"
 
       - name: Build benchmark binary
         run: cargo build --release --bin foundry-bench
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: "24"
 
@@ -150,13 +155,18 @@ jobs:
   publish-results:
     name: Publish Results
     needs: run-benchmarks
-    runs-on: foundry-runner
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Download benchmark results
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: benchmark-results
           path: benches/
@@ -169,7 +179,7 @@ jobs:
 
       - name: Create PR for manual runs
         if: github.event_name == 'workflow_dispatch'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const branchName = '${{ needs.run-benchmarks.outputs.branch_name }}';
@@ -197,7 +207,7 @@ jobs:
 
       - name: Comment on PR
         if: github.event.inputs.pr_number != '' || github.event_name == 'pull_request'
-        uses: actions/github-script@v7
+        uses: actions/github-script@v8
         with:
           script: |
             const prNumber = ${{ github.event.inputs.pr_number || github.event.pull_request.number }};

.github/workflows/codeql.yml

@@ -1,5 +1,7 @@
 name: CodeQL
 
+permissions: {}
+
 on:
   push:
     branches: ["master"]
@@ -18,10 +20,9 @@ jobs:
     name: Analyze (${{ matrix.language }})
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
-      packages: read
       actions: read
-      contents: read
 
     strategy:
       fail-fast: false
@@ -33,6 +34,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3

.github/workflows/dependencies.yml

@@ -2,16 +2,12 @@
 
 name: dependencies
 
+permissions: {}
+
 on:
   schedule:
-    # Run weekly
-    - cron: "0 0 * * SUN"
-  workflow_dispatch:
-# Needed so we can run it manually
-
-permissions:
-  contents: write
-  pull-requests: write
+    - cron: "0 0 * * SUN" # Run weekly on Sundays at midnight UTC
+  workflow_dispatch: # Needed so we can run it manually
 
 jobs:
     update:

.github/workflows/nix.yml

@@ -1,11 +1,11 @@
 name: nix
 
+permissions: {}
+
 on:
   schedule:
-    # Run weekly
-    - cron: "0 0 * * SUN"
-  workflow_dispatch:
-# Needed so we can run it manually
+    - cron: "0 0 * * SUN" # Run weekly on Sundays at midnight UTC
+  workflow_dispatch: # Needed so we can run it manually
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -15,10 +15,15 @@ jobs:
   # Opens a PR with an updated flake.lock file
   update:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
-      - uses: DeterminateSystems/determinate-nix-action@v3
+      - uses: DeterminateSystems/determinate-nix-action@dbda91f6efef3ee627f56175120aa9543687d830 # v3
       - uses: actions/checkout@v5
-      - uses: DeterminateSystems/update-flake-lock@main
+        with:
+          persist-credentials: false
+      - uses: DeterminateSystems/update-flake-lock@4d443398067153ddd6191a9d9c89533f9a100c26 # main
         with:
           pr-title: "Update flake.lock"
           pr-labels: |
@@ -30,9 +35,13 @@ jobs:
       matrix:
         runs-on: [ubuntu-latest, macos-latest]
     runs-on: ${{ matrix.runs-on }}
+    permissions:
+      contents: read
     steps:
-      - uses: DeterminateSystems/determinate-nix-action@v3
+      - uses: DeterminateSystems/determinate-nix-action@dbda91f6efef3ee627f56175120aa9543687d830 # v3
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Update flake.lock
         run: nix flake update