fix(solidity): integrate soldeer with yarn build

[paulbalaji]

Summary

Fixes yarn build + Docker builds being broken after #7480 (Soldeer migration) by integrating forge soldeer install into the turbo build pipeline.

• fix: add deps:soldeer for the forge soldeer install
• fix: add deps:soldeer as a dependency for solidity build step in turbo.json
• driveby: trigger monorepo builds if changes made to yarn.lock and **/package.json
• fix: Dockerfile now works after soldeer migration

Summary by CodeRabbit

• Chores
  • Added an automated dependency-install step into the build so required tooling is installed before builds.
  • Build now runs this dependency step as a prerequisite, ensuring consistent build outputs.
  • CI workflow updated to trigger when dependency-related files change, ensuring dependency updates run in CI.
  • CI workflows now provision environment variables for turbo integration.
  • Container image updated to a Debian-slim base and expanded to include Foundry tooling and additional system packages.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: a85832d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds a Soldeer install npm script and Turbo task, wires the Turbo task into the Solidity build, exposes TURBO_TOKEN/TURBO_TEAM as workflow env vars in several Action workflows, expands monorepo-docker workflow triggers for dependency files, and replaces the Docker base image and setup to install Foundry and extra system tooling.

Changes

Cohort / File(s)	Summary
NPM scripts solidity/package.json	Added script "deps:soldeer": "forge soldeer install". No other script or runtime logic changes.
Turbo task configuration solidity/turbo.json	Added top-level task deps:soldeer with inputs foundry.toml, soldeer.lock and outputs dependencies/**; updated build task to dependOn ["deps:soldeer"].
GitHub Actions — workflow envs .github/workflows/bytecode-analysis.yml, .github/workflows/static-analysis.yml, .github/workflows/storage-analysis.yml	Introduced TURBO_TOKEN and TURBO_TEAM environment variables sourced from secrets at top-level or job-level; no step logic changes.
GitHub Actions — workflow triggers .github/workflows/monorepo-docker.yml	Expanded PR pruning/triggers to include yarn.lock and all package.json files so dependency-affecting changes trigger the workflow.
Docker image & build setup Dockerfile	Switched base from node:20-alpine to node:20-slim; replaced apk usage with apt-get, added system packages, installed Foundry (forge) and adjusted PATH; copied more workspace/package files, runs yarn install and yarn build as part of image build.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

• Dockerfile: verify package lists, caching, security (apt cleanup), Foundry install idempotency and PATH correctness.
• Turbo task: confirm inputs/outputs paths and downstream task/CI interactions won't deadlock builds.
• Workflows: ensure secrets usage scope is minimal and intended; check trigger patterns for false positives.
• Package.json script: validate forge soldeer install runs in CI image and produced soldeer.lock/dependencies locations.

Possibly related PRs

• build: Migrate Solidity dependencies from npm to Soldeer #7480 — Related Soldeer/Foundry migration and addition of deps:soldeer script/task.

Suggested reviewers

• ltyu
• yorhodes

Poem

A wee change in the forge and yarn,
Foundry wakes before the morn,
Turbo queues the dance just so,
CI keeps watch as locks all flow,
Docker hums and builds the morn ☘️

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'fix(solidity): integrate soldeer with yarn build' directly describes the main objective: integrating soldeer dependency management into the yarn/turbo build pipeline to fix a regression.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	The PR description covers all key template sections: describes what's included (soldeer integration fixes), includes drive-by changes (monorepo trigger updates), and explains testing approach.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch pb/fix-soldeer

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

.github/workflows/monorepo-docker.yml (1)

17-19: Verify the PR trigger scope is intentional.

The addition of **/package.json will trigger the monorepo Docker build whenever any workspace's package.json changes (Solidity, TypeScript SDK, Rust, etc.), not just Solidity. While this makes sense if the Docker image includes all workspaces, it could lead to unnecessary rebuilds if the image only needs Solidity or specific workspaces.

A few questions:

• Does the Docker image include all workspaces, or only specific ones (e.g., just typescript/infra)?
• Should the pattern be narrowed to only the affected workspace(s), like solidity/package.json, to reduce unnecessary builds?
• Does yarn.lock at the root sufficiently capture most dependency changes, making the **/package.json pattern redundant?

If this is intentional (e.g., Docker image bundles multiple workspaces), then the approach looks sound—just wanted to confirm the scope aligns with your goal.

If narrowing is desired, consider:

- solidity/package.json
- typescript/infra/package.json

Or keep it broad if all workspaces are bundled into the Docker image. Either way, a brief comment explaining why would be helpful for future maintainers.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between efc51232856eadecb3c858c5fba2ee88efc76db3 and d95c5b79b36ff18abdea18d2a1a77fbbed2d2a6e.

📒 Files selected for processing (1)

• .github/workflows/monorepo-docker.yml (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/testnet_config.json in future code reviews as requested by paulbalaji.

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/mainnet_config.json in future code reviews as requested by paulbalaji.

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Use Turbo for building all workspaces in the monorepo; use workspace-specific build commands for individual components (Solidity with Hardhat + Forge, TypeScript SDK, Rust agents with Cargo)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (57)

• GitHub Check: coverage-run
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-2)
• GitHub Check: cli-evm-e2e-matrix (warp-rebalancer)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-2)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-rebalancing-config)
• GitHub Check: cli-evm-e2e-matrix (warp-check-4)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-recovery)
• GitHub Check: cli-evm-e2e-matrix (warp-check-5)
• GitHub Check: cli-evm-e2e-matrix (warp-init)
• GitHub Check: cli-evm-e2e-matrix (warp-bridge-1)
• GitHub Check: cli-evm-e2e-matrix (warp-check-3)
• GitHub Check: cli-evm-e2e-matrix (core-init)
• GitHub Check: cli-evm-e2e-matrix (warp-check-1)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-config)
• GitHub Check: cli-evm-e2e-matrix (warp-deploy-1)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-submitters)
• GitHub Check: cli-evm-e2e-matrix (core-check)
• GitHub Check: cli-evm-e2e-matrix (warp-read)
• GitHub Check: cli-evm-e2e-matrix (relay)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-hook-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-check-2)
• GitHub Check: cli-evm-e2e-matrix (warp-send)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-simple-updates)
• GitHub Check: cli-evm-e2e-matrix (warp-extend-basic)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: cli-evm-e2e-matrix (core-deploy)
• GitHub Check: cli-evm-e2e-matrix (warp-apply-ism-updates)
• GitHub Check: cli-evm-e2e-matrix (core-read)
• GitHub Check: cli-evm-e2e-matrix (core-apply)
• GitHub Check: env-test-matrix (mainnet3, ethereum, igp)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, core)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-route-extension)
• GitHub Check: env-test-matrix (mainnet3, optimism, core)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-deploy)
• GitHub Check: env-test-matrix (testnet4, sepolia, core)
• GitHub Check: cli-radix-e2e-matrix (warp-deploy)
• GitHub Check: cli-radix-e2e-matrix (warp-apply-ownership-updates)
• GitHub Check: env-test-matrix (mainnet3, ethereum, core)
• GitHub Check: env-test-matrix (mainnet3, optimism, igp)
• GitHub Check: cli-radix-e2e-matrix (core-deploy)
• GitHub Check: env-test-matrix (mainnet3, arbitrum, igp)
• GitHub Check: cosmos-sdk-e2e-run
• GitHub Check: cli-cosmos-e2e-matrix (core-read)
• GitHub Check: cli-cosmos-e2e-matrix (core-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (warp-read)
• GitHub Check: cli-cross-chain-e2e-matrix (warp-apply)
• GitHub Check: cli-cosmos-e2e-matrix (warp-deploy)
• GitHub Check: cli-cosmos-e2e-matrix (core-apply)
• GitHub Check: cli-install-test-run
• GitHub Check: cli-cosmos-e2e-matrix (core-check)
• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: infra-test
• GitHub Check: e2e-matrix (evm)
• GitHub Check: lander-coverage
• GitHub Check: lint-rs
• GitHub Check: test-rs
• GitHub Check: slither

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (77524f7) to head (a85832d).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@          Coverage Diff          @@
##            main   #7529   +/-   ##
=====================================
  Coverage   0.00%   0.00%           
=====================================
  Files          1       1           
  Lines         14      14           
=====================================
  Misses        14      14           

Components	Coverage Δ
core	∅ <ø> (∅)
hooks	∅ <ø> (∅)
isms	∅ <ø> (∅)
token	∅ <ø> (∅)
middlewares	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d95c5b79b36ff18abdea18d2a1a77fbbed2d2a6e and 84a02e96e0e22cbcb6581eaf2a7af1849fec3fe3.

📒 Files selected for processing (4)

• .github/workflows/bytecode-analysis.yml (1 hunks)
• .github/workflows/static-analysis.yml (1 hunks)
• .github/workflows/storage-analysis.yml (1 hunks)
• Dockerfile (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/storage-analysis.yml

🧰 Additional context used

🧠 Learnings (4)

📓 Common learnings

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/testnet_config.json in future code reviews as requested by paulbalaji.

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6943
File: rust/main/config/mainnet_config.json:965-965
Timestamp: 2025-08-26T13:46:37.695Z
Learning: In the repository hyperlane-xyz/hyperlane-monorepo, skip reviewing the file rust/main/config/mainnet_config.json in future code reviews as requested by paulbalaji.

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Use Turbo for building all workspaces in the monorepo; use workspace-specific build commands for individual components (Solidity with Hardhat + Forge, TypeScript SDK, Rust agents with Cargo)

📚 Learning: 2025-11-24T17:19:38.362Z

Learnt from: CR
Repo: hyperlane-xyz/hyperlane-monorepo PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T17:19:38.362Z
Learning: Use Turbo for building all workspaces in the monorepo; use workspace-specific build commands for individual components (Solidity with Hardhat + Forge, TypeScript SDK, Rust agents with Cargo)

Applied to files:

• .github/workflows/static-analysis.yml

📚 Learning: 2025-11-25T17:10:33.369Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 7410
File: solidity/foundry.toml:8-8
Timestamp: 2025-11-25T17:10:33.369Z
Learning: In the hyperlane-xyz/hyperlane-monorepo repository, when using pnpm (instead of Yarn), Foundry's `allow_paths` in solidity/foundry.toml should be set to `["./node_modules"]` rather than `["../node_modules"]` because pnpm's default node_modules structure places dependencies locally in the workspace subdirectory, not requiring access to the parent directory's node_modules.

Applied to files:

• Dockerfile

📚 Learning: 2025-08-13T16:53:55.163Z

Learnt from: paulbalaji
Repo: hyperlane-xyz/hyperlane-monorepo PR: 6891
File: typescript/infra/config/environments/mainnet3/funding.ts:22-22
Timestamp: 2025-08-13T16:53:55.163Z
Learning: In Hyperlane mainnet3 configs, funding.ts uses 'gcr.io/abacus-labs-dev/hyperlane-monorepo' docker image while agent.ts uses 'gcr.io/abacus-labs-dev/hyperlane-agent' docker image. These are different images with independent tag cycles, so tag consistency across them is not expected.

Applied to files:

• Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: aleo-sdk-e2e-run
• GitHub Check: e2e-matrix (evm)
• GitHub Check: test-rs

🔇 Additional comments (3)

Dockerfile (3)

10-13: Foundry install placement is smart for layer caching.

You've placed the Foundry setup early in the Dockerfile, before copying source files. That's the right call — if your source code changes, Foundry's cached layer won't rebuild. Just make sure that installation URL is stable and monitored for security updates, since it's pulling executable code from the network.

---

43-52: Build pipeline correctly wired with Turbo.

The solidity/turbo.json properly configures the deps:soldeer task to output ["dependencies/**"] and the build task explicitly depends on it, ensuring correct cache layering. The Dockerfile's yarn build invocation will execute these tasks in the correct order.

---

1-8: Image size trade-off: Alpine → Debian slim is a heavier lift.

Switching from node:20-alpine (tiny) to node:20-slim (Debian-based) adds weight to the final image — and that's before all those system dependencies. It's worth it though, since Alpine tends to have compatibility issues with tooling like Foundry and the build stack you're layering on. The image will be substantially larger, but that's the price of having a proper foundation to build on. The Foundry installation endpoint (https://foundry.paradigm.xyz) is the official installer, and the COPY pattern for individual package.json files before yarn install is solid for Docker layer caching.

[hyper-gonk]

🐳 Monorepo Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-monorepo:pr-7529
gcr.io/abacus-labs-dev/hyperlane-monorepo:a85832d-20251204-115616

[yorhodes]

do we want to run against latest?

[paulbalaji]

this gives us latest stable, which is probably fine? (the foundry ci action defaults to latest stable too)

[paulbalaji]

actually wasn't too hard to pin to a specific version everywhere #7531