test: bytecode change (SHOULD FAIL CI)#7803

Open: larryob wants to merge 4 commits into main from test-bytecode-change

@larryob larryob commented Jan 15, 2026

Summary

  • Test PR to verify bytecode check CI fails when bytecode changes are detected
  • Adds a test constant to Mailbox.sol

Expected Result

The "Check Bytecode Changes" workflow should FAIL on this PR.

DELETE THIS PR AND BRANCH AFTER TESTING

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated CI workflow triggers to run for pull requests targeting the main branch.
    • Added a test-only constant used for CI bytecode validation.
    • Adjusted CI build configuration to disable bytecode hashing during CI runs.

✏️ Tip: You can customize this high-level summary in your review settings.

larryob and others added 2 commits January 15, 2026 15:11
Added branch filter to bytecode-analysis workflow so it only runs
on pull requests targeting the main branch.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

This is a test commit to verify the bytecode check workflow fails
when there are bytecode changes. DELETE THIS BRANCH AFTER TESTING.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

changeset-bot bot commented Jan 15, 2026

⚠️ No Changeset found

Latest commit: 3c772a8

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

claude bot commented Jan 15, 2026

Claude finished @larryob's task in 47s —— View job


Security Analysis Complete

Task List

  • Gather context and understand the PR changes
  • Review the Solidity contract changes for security concerns
  • Analyze for Trail of Bits security patterns
  • Check for Hyperlane-specific security concerns
  • Provide summary of findings

Summary

This is a test PR designed to verify that the bytecode change detection CI works correctly. The PR intentionally adds a constant to Mailbox.sol to trigger a bytecode change.

Changes Analyzed

solidity/contracts/Mailbox.sol (lines 34-35):

// Test constant for bytecode check CI test - DELETE ME
uint256 public constant TEST_BYTECODE_CHANGE = 12345;

.github/workflows/bytecode-analysis.yml (lines 5-6):

  • Updated to only run on PRs targeting main branch

Security Review

Trail of Bits Security Patterns

| Category | Finding |
| --- | --- |
| Reentrancy | No new reentrancy vectors introduced |
| Access Control | No changes to access control |
| Integer Overflow | N/A - constant declaration only |
| State Changes | No state variable modifications |
| External Calls | No new external calls introduced |

Hyperlane-Specific Security Concerns

| Concern | Status |
| --- | --- |
| Reentrancy in handle() callbacks | Not affected |
| Access control on privileged functions | Not affected |
| Merkle proof verification | Not affected |
| Domain ID validation | Not affected |
| ISM threshold and validator set security | Not affected |
| Warp route collateral accounting | Not affected |

Findings

| Severity | Issue | Location |
| --- | --- | --- |
| INFO | Test constant added intentionally for CI testing | Mailbox.sol:34-35 |

Details:

  • The change adds a public constant which will be compiled into the bytecode
  • This is the expected behavior - the PR is designed to test the bytecode check CI
  • The constant TEST_BYTECODE_CHANGE = 12345 has no security impact
  • As noted in the PR description: DELETE THIS PR AND BRANCH AFTER TESTING

Invariant Analysis

No new invariants are required for this change. The existing Mailbox invariants remain intact:

  • Message processing idempotency (deliveries mapping)
  • Nonce monotonic increase
  • ISM verification before message delivery

Verdict

No security issues detected. This is a test PR with minimal code changes that do not introduce any vulnerabilities. The bytecode change is intentional and expected to fail the bytecode check CI as described in the PR summary.

Reminder: This PR and branch should be deleted after testing is complete.

Walkthrough

This PR adds a branches filter to the bytecode-analysis workflow to run on PRs targeting main, adds a test constant to the Mailbox Solidity contract for CI bytecode validation, and sets bytecode_hash = "none" in the CI Foundry profile.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| CI/Workflow Configuration: .github/workflows/bytecode-analysis.yml | Added a branches filter under the pull_request trigger to only run the workflow for PRs targeting main. |
| Solidity Contract Constants: solidity/contracts/Mailbox.sol | Added uint256 public constant TEST_BYTECODE_CHANGE = 12345; with a comment indicating it's for CI bytecode checks. |
| Foundry CI Profile: solidity/foundry.toml | Added bytecode_hash = "none" under [profile.ci] to adjust bytecode hashing behavior during CI runs. |

Sequence Diagram(s)

(omitted — changes are configuration and a single-constant addition; no multi-component control-flow to diagram)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • ltyu
  • yorhodes

Poem

A tweak in CI, a tiny constant placed,
The workflow knows its lane, no checks misplaced.
Small bits aligned like stones in a bog,
CI humming steady, not a single clog. 🧅

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ❓ Inconclusive | The PR description explains the purpose and expected outcome, but doesn't follow the repository's template structure with required sections like Description, Drive-by changes, Related issues, Backward compatibility, and Testing. | Consider using the repository's PR description template to organize information into standard sections (Description, Drive-by changes, Related issues, Backward compatibility, Testing) for consistency. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main purpose of this test PR - to verify that the bytecode change CI check fails when bytecode changes are detected. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5fcb9ae and 3c772a8.

📒 Files selected for processing (1)
  • solidity/foundry.toml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (70)
🔇 Additional comments (1)
solidity/foundry.toml (1)

18-22: Configuration's properly layered, like ogres and onions.

This bytecode_hash = "none" pairs up nicely with cbor_metadata = false — they're two sides of the same coin. When you tell the compiler to skip that CBOR metadata wrapper, you've gotta tell it to skip the hash too, or you get compiler grumpiness. It's in the spec, all nice and proper.

This setup makes sense for the CI profile so bytecode comparisons work reliably without all that metadata noise. Good pairing.

✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.



@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@solidity/contracts/Mailbox.sol`:
- Around line 34-36: Remove the temporary test constant and its "DELETE ME"
comment: delete the uint256 public constant TEST_BYTECODE_CHANGE = 12345;
declaration from Mailbox.sol and ensure there are no remaining references to
TEST_BYTECODE_CHANGE elsewhere (ABI/other contracts/tests); commit the change
and clean up the test PR/branch as described in the PR notes.
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d90525a and 5fcb9ae.

📒 Files selected for processing (2)
  • .github/workflows/bytecode-analysis.yml
  • solidity/contracts/Mailbox.sol
🧰 Additional context used
📓 Path-based instructions (1)
solidity/**/*.sol

📄 CodeRabbit inference engine (CLAUDE.md)

solidity/**/*.sol: Use onlyOwner or appropriate access modifiers on privileged functions in Solidity
Validate all external inputs at system boundaries in Solidity contracts
Ensure backward compatibility for protocol upgrades in Solidity
Optimize for gas efficiency in Solidity by avoiding unnecessary storage writes
Check the contract inheritance hierarchy before implementing new Solidity contracts

Files:

  • solidity/contracts/Mailbox.sol
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (70)
🔇 Additional comments (1)
.github/workflows/bytecode-analysis.yml (1)

5-6: Lookin' good, this branch filter makes sense.

Adding the main branch filter keeps the bytecode analysis from runnin' on PRs that don't need it. Works nicely alongside the existing paths filter — no point doin' extra layers when you're only targetin' feature branches or whatnot.

✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.

Comment on lines +34 to +36
// Test constant for bytecode check CI test - DELETE ME
uint256 public constant TEST_BYTECODE_CHANGE = 12345;

⚠️ Potential issue | 🟠 Major

This test constant shouldn't make it into the swamp — er, main branch.

The comment says "DELETE ME" and the PR description confirms this is purely for testin' the bytecode check CI. Once you've verified the workflow fails as expected, this whole thing needs to go. Leavin' test artifacts in a production contract is like leavin' donkeys in places they don't belong.

Make sure to delete the PR and branch after the test, as noted in the objectives.

codecov bot commented Jan 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.02%. Comparing base (d90525a) to head (3c772a8).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #7803   +/-   ##
=======================================
  Coverage   77.02%   77.02%           
=======================================
  Files         117      117           
  Lines        2651     2651           
  Branches      244      244           
=======================================
  Hits         2042     2042           
  Misses        593      593           
  Partials       16       16           
| Flag | Coverage Δ |
| --- | --- |
| solidity | 77.02% <ø> (ø) |

Flags with carried forward coverage won't be shown.

| Components | Coverage Δ |
| --- | --- |
| core | 87.80% <ø> (ø) |
| hooks | 71.86% <ø> (ø) |
| isms | 81.10% <ø> (ø) |
| token | 86.67% <ø> (ø) |
| middlewares | 84.98% <ø> (ø) |

larryob and others added 2 commits January 15, 2026 17:54
The ci profile sets cbor_metadata=false but was missing bytecode_hash.
When cbor_metadata is false, bytecode_hash must be "none" per the
Solidity compiler specification. This fixes the bytecode check workflow.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

claude bot commented Jan 15, 2026

Claude finished @larryob's task in 55s —— View job


PR Synchronization Analysis Complete

Task List

  • Gather context and analyze the PR changes
  • Understand the synchronization and new commits
  • Review security implications
  • Provide analysis summary

New Commits Since Last Review

| Commit | Description |
| --- | --- |
| ffcc5f637 | fix(solidity): add bytecode_hash to ci profile for valid compiler config |
| 3c772a81b | Merge fix-bytecode-filter into test-bytecode-change |

New Change: solidity/foundry.toml

[profile.ci]
verbosity = 4
# disable metadata for bytecode comparison
cbor_metadata = false
+bytecode_hash = "none"
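
Review bot: the added `bytecode_hash = "none"` line sits under the existing comment `# disable metadata for bytecode comparison` without saying that it depends on `cbor_metadata = false` directly above it. Extend that comment to name both keys as a pair, so a later edit to the CI profile does not drop one and leave the other.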

Purpose: This addition sets bytecode_hash = "none" in the CI profile, which disables the inclusion of the bytecode hash (IPFS/Swarm hash) in the contract metadata. This ensures deterministic bytecode comparison by eliminating non-deterministic metadata that can change between builds.

Security Analysis

| Category | Assessment |
| --- | --- |
| Security Impact | None - this is a compiler configuration change |
| Determinism | ✅ Improves bytecode reproducibility |
| Production Impact | None - CI profile only |

This is a valid compiler configuration change for the bytecode comparison CI workflow. Combined with cbor_metadata = false, it ensures that bytecode comparisons are deterministic and not affected by:

  • CBOR-encoded metadata at the end of bytecode
  • IPFS/Swarm content hashes that vary between builds

Overall PR Status

This test PR now has all necessary configuration for proper bytecode change detection:

  1. Workflow filter (.github/workflows/bytecode-analysis.yml:5-6): Only runs on PRs targeting main
  2. CI compiler config (solidity/foundry.toml:22): Ensures deterministic bytecode for comparison
  3. Test constant (solidity/contracts/Mailbox.sol:34-35): Intentional bytecode change to trigger CI failure

CI Status

The "Check Bytecode Changes" workflow is currently running. As expected per the PR description, this workflow should fail to validate that the bytecode check CI is working correctly.

Reminder

As noted in the PR description: DELETE THIS PR AND BRANCH AFTER TESTING - the test constant in Mailbox.sol should not be merged to main.
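
Added example, not code from this PR or the repository: it shows why a bytecode-change check wants the CBOR metadata trailer out of the comparison, as the comments above on cbor_metadata and bytecode_hash describe. All byte strings, the solc version bytes and the function names (make_metadata, split_metadata, bytecode_changed) are constructed for illustration.

```python
import hashlib


def make_metadata(ipfs_multihash: bytes, solc_version=(0, 8, 22)) -> bytes:
    """Build a trailer shaped like the one solc appends by default:
    CBOR map {"ipfs": <34 bytes>, "solc": <3 bytes>} followed by a
    2-byte big-endian length of the map. Version bytes are constructed."""
    if len(ipfs_multihash) != 34:
        raise ValueError("expected a 34-byte multihash")
    body = (b"\xa2"                                   # CBOR map, 2 entries
            + b"\x64ipfs" + b"\x58\x22" + ipfs_multihash
            + b"\x64solc" + b"\x43" + bytes(solc_version))
    return body + len(body).to_bytes(2, "big")


def split_metadata(code: bytes) -> tuple[bytes, bytes]:
    """Return (executable part, trailer). The trailer is empty when the last
    two bytes do not describe a CBOR map inside the buffer. This is a
    heuristic: on metadata-free bytecode the last two bytes are ordinary
    code, so disabling metadata in the compiler profile is the reliable way."""
    if len(code) < 2:
        return code, b""
    length = int.from_bytes(code[-2:], "big")
    start = len(code) - 2 - length
    if length == 0 or start < 0 or code[start] >> 5 != 5:  # major type 5 = map
        return code, b""
    return code[:start], code[start:]


def bytecode_changed(base: bytes, head: bytes, strip: bool = True) -> bool:
    """Compare two builds by hash, optionally ignoring the metadata trailer."""
    if strip:
        base, _ = split_metadata(base)
        head, _ = split_metadata(head)
    return hashlib.sha256(base).digest() != hashlib.sha256(head).digest()


# Constructed stand-ins for compiler output (not real Mailbox bytecode).
CODE = bytes.fromhex("6080604052600080fd")
CODE_WITH_CONSTANT = CODE + bytes.fromhex("613039")   # PUSH2 0x3039 == 12345

META_A = make_metadata(b"\x12\x20" + hashlib.sha256(b"constructed build A").digest())
META_B = make_metadata(b"\x12\x20" + hashlib.sha256(b"constructed build B").digest())

BUILD_A = CODE + META_A                  # base build
BUILD_B = CODE + META_B                  # same code, different metadata hash
BUILD_C = CODE_WITH_CONSTANT + META_A    # code actually changed

if __name__ == "__main__":
    print("raw compare, metadata differs only:", bytecode_changed(BUILD_A, BUILD_B, strip=False))
    print("stripped compare, metadata differs only:", bytecode_changed(BUILD_A, BUILD_B))
    print("stripped compare, code changed:", bytecode_changed(BUILD_A, BUILD_C))
```
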
